Very poor detection from MAJOR AV on this trojan, what's up????

ginkobelowya

I found this file on a hacked server a few weeks ago.

A scan by all the major AV programs shows that less than 1/2 detected
this file.

The great Kaspersky and McAfee do not see it. Makes you warm and
fuzzy, don't it.

What's the excuse for this?


AntiVir 7.3.1.38 02.22.2007 TR/Dldr.Banload.ZV.4
Authentium 4.93.8 02.23.2007 no virus found
Avast 4.7.936.0 02.22.2007 no virus found
AVG 386 02.22.2007 Downloader.Dadobra.EW
BitDefender 7.2 02.23.2007 Trojan.Downloader.Banload.ZV
CAT-QuickHeal 9.00 02.22.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 02.22.2007 no virus found
DrWeb 4.33 02.23.2007 Trojan.DownLoader.18159
eSafe 7.0.14.0 02.23.2007 Suspicious Trojan/Worm
eTrust-Vet 30.4.3420 02.22.2007 no virus found
Ewido 4.0 02.22.2007 Downloader.Delf.acc
FileAdvisor 1 02.23.2007 no virus found
Fortinet 2.85.0.0 02.22.2007 W32/Dloader.FUQ!tr
F-Prot 4.3.1.45 02.22.2007 no virus found
F-Secure 6.70.13030.0 02.23.2007 no virus found
Ikarus T3.1.0.31 02.22.2007 Trojan-Downloader.Win32.Banload.btw
Kaspersky 4.0.2.24 02.23.2007 no virus found
McAfee 4969 02.22.2007 no virus found
Microsoft 1.2204 02.23.2007 no virus found
NOD32v2 2076 02.22.2007 a variant of Win32/TrojanDownloader.Dadobra.IA
Norman 5.80.02 02.22.2007 no virus found
Panda 9.0.0.4 02.23.2007 Trj/Downloader.MPX
Prevx1 V2 02.23.2007 no virus found
Sophos 4.14.0 02.21.2007 no virus found
Sunbelt 2.2.907.0 02.22.2007 Trojan-Downloader.Banload.ZV
Symantec 10 02.23.2007 no virus found
TheHacker 6.1.6.062 02.21.2007 no virus found
UNA 1.83 02.22.2007 no virus found
VBA32 3.11.2 02.22.2007 suspected of Worm.Viking.7 (paranoid heuristics)
VirusBuster 4.3.19:9 02.22.2007 no virus found

Adam Piggott


I found this file on a hacked server a few weeks ago.

A scan by all the major AV programs shows that less than 1/2 detected
this file.

The great Kaspersky and McAfee do not see it. Makes you warm and
fuzzy, don't it.

The big players don't detect a lot of what I come across; it's nothing new,
but Kaspersky don't often miss stuff, along with NOD32.

What's the excuse for this?

Prioritisation, maybe they have not seen a sample before, or are still
working on it.
--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.

ginkobelowya

Well, this is in the wild for WEEKS now, and at the very least the
big names should be detecting it. I'm assuming the scanning service is
reliable in that they are running the latest versions.

If something EASY to find like this is getting past them, they are
doing a pretty lousy job.

David H. Lipman

From: <[email protected]>

| Well, this is in the wild for WEEKS now, and at the very least the
| big names should be detecting it. I'm assuming the scanning service is
| reliable in that they are running the latest versions.
|
| If something EASY to find like this is getting past them, they are
| doing a pretty lousy job.

The Banload Trojan has been in the wild for a long time, but has this variant?

Ikarus -- Trojan-Downloader.Win32.Banload.btw

NOD32v2 -- Win32/TrojanDownloader.Dadobra.IA

ginkobelowya

The point is, if it takes WEEKS for a variant to get into scanners,
not to mention NEW Virii, how is that going to protect anyone?

And if the other scanners already were detecting it WEEKS ago, what
is the excuse for the others, who charge good money to keep up to
date?

juggler.1

The point is, if it takes WEEKS for a variant to get into scanners,
not to mention NEW Virii, how is that going to protect anyone?

And if the other scanners already were detecting it WEEKS ago, what
is the excuse for the others, who charge good money to keep up to
date?

Considering how many viruses are released every minute, we should be
congratulating them, not berating them. Also, no matter how good a
company is at releasing updates for new viruses, there is no substitute
for common sense.

David H. Lipman

From: <[email protected]>

| The point is, if it takes WEEKS for a variant to get into scanners,
| not to mention NEW Virii, how is that going to protect anyone.
|
| And if the other scanners already were detecting it WEEKS ago, what
| is the excuse for the others, that charge good money to keep up to
| date.

A company has to have a sample to write a signature and detect the malware. Just because
other vendors recognize a sample for weeks doesn't mean ALL AV vendors will.

Did YOU actually submit this sample to the AV vendors weeks ago?

BTW: There are no new "Virii" or "viri" as the plural of virus is viruses.
http://spl.haxial.net/viruses.html
http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html
http://linuxmafia.com/~rick/faq/plural-of-virus.html

ginkobelowya

Thanks for the English lesson, I know I am in the company of giants
now.


Back to more important matters, maybe this is a good reason for
these guys to be cooperating with each other in this regard.

If you think I am going to submit something to 20 companies as an
unpaid volunteer, you are badly overestimating my goodwill.

PS I did go so far as to directly contact by phone, the VICTIM
whose OPEN server hosted this virus, so I am not totally without the
spirit.

David H. Lipman

From: <[email protected]>

| Thanks for the English lesson, I know I am in the company of giants
| now.
|
| Back to more important matters, maybe this is a good reason for
| these guys to be cooperating with each other in this regard.
|
| If you think I am going to submit something to 20 companies as an
| unpaid volunteer, you are a badly overestimating my goodwill.
|
| PS I did go so far as to directly contact by phone, the VICTIM
| whose OPEN server hosted this virus, so I am not totally without the
| spirit.

Cooperate?

Actually, now that Microsoft is into AV, there is less. There was a recent case of an MS
Office exploitation file, and Microsoft wrote signatures for their product but refused to
share the samples with the traditional AV vendors.

I want you to know I understand your POV, but I also want you to understand this isn't a
black & white situation and there are many variables as to why signatures aren't created
immediately.

I have a situation with McAfee concerning a Pakes sample. I submitted it at the beginning
of February and I supplied it to a direct contact at McAfee. Even Microsoft got this sample...

Complete scanning result of "SteveIrwin-DEATHVIDEO.exe", processed in VirusTotal at
02/04/2007 21:34:28 (CET).

[ file data ]
* name: SteveIrwin-DEATHVIDEO.exe
* size: 39697
* md5.: 7a68535ae7a1951456a532825098c9f5
* sha1: ea10c8e5f57848658f403d3d8cb24a27ad4c0f26

[ scan result ]
AntiVir 7.3.1.34/20070204 found [TR/Drop.Pakes.120]
Authentium 4.93.8/20070203 found [W32/Trojan.MDH]
Avast 4.7.936.0/20070204 found [Win32:Delf-CIV]
AVG 386/20070204 found [Generic2.IST]
BitDefender 7.2/20070204 found [Trojan.Pakes.CTL]
CAT-QuickHeal 9.00/20070203 found nothing
ClamAV devel-20060426/20070204 found nothing
DrWeb 4.33/20070204 found [Trojan.Dunz]
eSafe 7.0.14.0/20070203 found [suspicious Trojan/Worm]
eTrust-InoculateIT 30.4.3364/20070202 found nothing
eTrust-Vet 30.3.3366/20070203 found nothing
Ewido 4.0/20070204 found [Dropper.Pakes]
F-Prot 4.2.1.29/20070203 found [W32/Trojan.MDH]
Fortinet 2.85.0.0/20070204 found [W32/Agent.DBX!tr]
Ikarus T3.1.0.31/20070204 found [Trojan-Dropper.Win32.Pakes]
Kaspersky 4.0.2.24/20070204 found [Trojan-Dropper.Win32.Pakes]
McAfee 4955/20070202 found nothing
Microsoft 1.2101/20070204 found [TrojanSpy:Win32/Logsnif.gen]
NOD32v2 2036/20070204 found [a variant of Win32/Spy.Delf.JQ]
Norman 5.80.02/20070202 found [W32/Pakes.XY]
Panda 9.0.0.4/20070204 found [Trj/Agent.DBX]
Prevx1 V2/20070204 found nothing
Sophos 4.13.0/20070202 found nothing
Sunbelt 2.2.907.0/20070202 found nothing
Symantec 10/20070204 found [Trojan Horse]
TheHacker 6.0.3.162/20070202 found [Trojan/Dropper.Pakes]
UNA 1.83/20070203 found [TrojanDropper.Win32.Pakes.F22B]
VBA32 3.11.2/20070204 found [Trojan-Dropper.Win32.Pakes]
VirusBuster 4.3.19:9/20070204 found [Trojan.DR.Pakes.CZ]

[ notes ]
packers: UPX
packers: UPX
packers: UPX
packers: UPX


Tested again just now...

Complete scanning result of "SteveIrwin-DEATHVIDEO.exe", processed in VirusTotal at
02/25/2007 01:26:10 (CET).

[ file data ]
* name: SteveIrwin-DEATHVIDEO.exe
* size: 39697
* md5.: 7a68535ae7a1951456a532825098c9f5
* sha1: ea10c8e5f57848658f403d3d8cb24a27ad4c0f26

[ scan result ]
AntiVir 7.3.1.38/20070225 found [TR/Drop.Pakes.120]
Authentium 4.93.8/20070223 found [W32/Trojan.MDH]
Avast 4.7.936.0/20070223 found [Win32:Delf-CIV]
AVG 386/20070224 found [Generic2.IST]
BitDefender 7.2/20070224 found [Trojan.Pakes.CTL]
CAT-QuickHeal 9.00/20070224 found [TrojanDropper.Pakes]
ClamAV devel-20060426/20070225 found nothing
DrWeb 4.33/20070225 found [Trojan.Dunz]
eSafe 7.0.14.0/20070223 found [Win32.Pakes]
eTrust-Vet 30.4.3424/20070223 found nothing
Ewido 4.0/20070224 found [Dropper.Pakes]
F-Prot 4.3.1.45/20070222 found [W32/Trojan.MDH]
F-Secure 6.70.13030.0/20070224 found [Trojan-Dropper.Win32.Pakes]
FileAdvisor 1/20070225 found nothing
Fortinet 2.85.0.0/20070224 found [W32/Agent.DBX!tr]
Ikarus T3.1.0.31/20070224 found [Trojan-Dropper.Win32.Pakes]
Kaspersky 4.0.2.24/20070225 found [Trojan-Dropper.Win32.Pakes]
McAfee 4970/20070223 found nothing
Microsoft 1.2204/20070224 found [TrojanSpy:Win32/Logsnif.gen]
NOD32v2 2079/20070224 found [probably a variant of Win32/Spy.Delf.JG]
Norman 5.80.02/20070223 found [W32/Pakes.XY]
Panda 9.0.0.4/20070224 found [Trj/Agent.DBX]
Prevx1 V2/20070225 found nothing
Sophos 4.14.0/20070224 found [Troj/Delf-EAW]
Sunbelt 2.2.907.0/20070224 found [Trojan.Unclassified.gen]
Symantec 10/20070225 found [Trojan Horse]
TheHacker 6.1.6.063/20070223 found [Trojan/Dropper.Pakes]
UNA 1.83/20070223 found [TrojanDropper.Win32.Pakes.3FC4]
VBA32 3.11.2/20070224 found [Trojan-Dropper.Win32.Pakes]
VirusBuster 4.3.19:9/20070224 found [Trojan.DR.Pakes.CZ]

[ notes ]
packers: UPX
packers: UPX
packers: UPX
packers: UPX


One last statement...
Over the last 30 days or so I have submitted over 1200 samples to way more than just 20
vendors.

I am willing to do this for you.
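The two VirusTotal reports above are three weeks apart on the same file, and the useful defender's question is not the bare detection count but which vendors picked the sample up in between. The following is an added example, not code from the thread: a small parser for the text report format quoted above, with a detection-ratio summary and a report-to-report diff. The embedded lines are an excerpt of five engines from the two reports; engine names and verdicts are taken from the thread, and the function names are this example's own.

```python
import re
from typing import Dict, Optional, Tuple

# One line of the VirusTotal text report format quoted in the thread, e.g.
#   McAfee 4955/20070202 found nothing
#   Kaspersky 4.0.2.24/20070204 found [Trojan-Dropper.Win32.Pakes]
LINE_RE = re.compile(
    r"^(?P<engine>\S+) (?P<version>\S+)/(?P<date>\d{8}) found "
    r"(?:nothing|\[(?P<verdict>.+)\])$"
)

# Excerpt (five engines) of the 02/04/2007 report quoted above.
FEB_04_EXCERPT = """\
CAT-QuickHeal 9.00/20070203 found nothing
Kaspersky 4.0.2.24/20070204 found [Trojan-Dropper.Win32.Pakes]
McAfee 4955/20070202 found nothing
Sophos 4.13.0/20070202 found nothing
Sunbelt 2.2.907.0/20070202 found nothing
"""

# Excerpt of the same five engines from the 02/25/2007 re-scan.
FEB_25_EXCERPT = """\
CAT-QuickHeal 9.00/20070224 found [TrojanDropper.Pakes]
Kaspersky 4.0.2.24/20070225 found [Trojan-Dropper.Win32.Pakes]
McAfee 4970/20070223 found nothing
Sophos 4.14.0/20070224 found [Troj/Delf-EAW]
Sunbelt 2.2.907.0/20070224 found [Trojan.Unclassified.gen]
"""


def parse_report(text: str) -> Dict[str, Optional[str]]:
    """Map engine name -> detection name, or None when the engine found nothing."""
    results: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines outside the [ scan result ] block simply do not match
            results[m["engine"]] = m["verdict"]
    return results


def detection_ratio(results: Dict[str, Optional[str]]) -> Tuple[int, int]:
    """(engines that detected, engines listed) for one report."""
    return sum(v is not None for v in results.values()), len(results)


def diff_reports(old: Dict[str, Optional[str]], new: Dict[str, Optional[str]]):
    """Engines present in both reports whose verdict changed: name -> (old, new)."""
    return {e: (old[e], new[e]) for e in old if e in new and old[e] != new[e]}


if __name__ == "__main__":
    old, new = parse_report(FEB_04_EXCERPT), parse_report(FEB_25_EXCERPT)
    print("Feb 04: %d/%d  Feb 25: %d/%d" % (*detection_ratio(old), *detection_ratio(new)))
    for engine, (before, after) in diff_reports(old, new).items():
        print(f"{engine}: {before!r} -> {after!r}")  # vendors that added coverage
```

Run over the full reports, the diff is the list of vendors that added a signature during the submission window the post describes, which is the fact to track when chasing a vendor about a sample.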