And 45 days after I sent the worm to AVAST

1PW

Shadow said:
now recognizes it. Wow.
[]'s
But not on virustotal.

How strange

If you had sent a suspected malware file to VT and it was positive, or
positive with any other antimalware application, you can also upload
it to:

<http://www.uploadmalware.com/>

It will then get a bit of help from those who can move it along.
 
Shadow

Shadow said:
now recognizes it. Wow.
[]'s
But not on virustotal.

How strange

If you had sent a suspected malware file to VT and it was positive, or
positive with any other antimalware application, you can also upload
it to:

<http://www.uploadmalware.com/>

OK, I will.

It will then get a bit of help from those who can move it along.
You didn't understand. Avast now plays all the sirens when I
tell it to scan the file,
"AutoIt:Balero-A [Wrm]" has been found in
"C:\Recycled\Dc1.exe\AutoIt.script" file

but when I upload same file to virustotal, the virus is not
recognized by avast.. They should give the same results.


http://www.virustotal.com/analisis/...dd318e0259b63be4e9d4287200797f6f7e-1250796304
 
David H. Lipman

From: "Shadow" <Sh@dow>

| Sorry, I lied, I won't. It requires an email address and
| identification.
| []'s

No it doesn't. You do NOT have to enter an email address nor ID as they are not required.
 
Buffalo

FromTheRafters said:
[...]
"AutoIt:Balero-A [Wrm]" has been found in
"C:\Recycled\Dc1.exe\AutoIt.script" file

but when I upload same file to virustotal, the virus is not
recognized by avast.. They should give the same results.

Why?

The one on your computer and one on theirs may not be configured the
same - even if the engine versions are the same.
WTF?
 
David H. Lipman

From: "Buffalo" <[email protected]>



| FromTheRafters said:
[...]
"AutoIt:Balero-A [Wrm]" has been found in
"C:\Recycled\Dc1.exe\AutoIt.script" file
but when I upload same file to virustotal, the virus is not
recognized by avast.. They should give the same results.
Why?
The one on your computer and one on theirs may not be configured the
same - even if the engine versions are the same.
| WTF?


Different signature revisions albeit VT should get multiple updates.
 
FromTheRafters

Buffalo said:
[...]
"AutoIt:Balero-A [Wrm]" has been found in
"C:\Recycled\Dc1.exe\AutoIt.script" file

but when I upload same file to virustotal, the virus is not
recognized by avast.. They should give the same results.

Why?

The one on your computer and one on theirs may not be configured the
same - even if the engine versions are the same.
WTF?

What heuristic level does VT use with the Avast! scanning engine as
opposed to what a desktop machine might use?

Besides, VT doesn't have the luxury of possible (ancillary) context
scanning.
 
FromTheRafters

Buffalo said:
[...]
"AutoIt:Balero-A [Wrm]" has been found in
"C:\Recycled\Dc1.exe\AutoIt.script" file

but when I upload same file to virustotal, the virus is not
recognized by avast.. They should give the same results.

Why?

The one on your computer and one on theirs may not be configured the
same - even if the engine versions are the same.
WTF?

Differences in definitions, the "engine" doesn't exist in a vacuum - it
is more like an "engine/definitions" set that may contain disparity
despite the engines being the same.

A submitted file scanner wouldn't have the luxury of context. I wouldn't
expect identical results from an installation of Avast! against an
Avast! file submission scanner.

Okay, so I don't know how Avast! works, but it would be possible that
the "program" does some preparatory work (such as unpacking archives)
prior to giving the "engine" a go at the results. If this is the case,
even more reason to expect variance.

Sometimes, a file's contents changes subtly during transmission - maybe
not that often anymore...
 
Shadow

From: "Shadow" <Sh@dow>

| Sorry, I lied, I won't. It requires an email address and
| identification.
| []'s

No it doesn't. You do NOT have to enter an email address nor ID as they are not required.

OK , so I lied the second time, not the first.

qpqdcj.virus.exe.zip

The name I uploaded it up as. Play around with it, but it is
certainly nasty.

Loved the site. Amazingly, did not need javascript. How did it
access a file deep down on my PC ?
[]'s
 
David H. Lipman

| Sorry, I lied, I won't. It requires an email address and
| identification.
| []'s
No it doesn't. You do NOT have to enter an email address nor ID as they are not
required.

| OK , so I lied the second time, not the first.

| qpqdcj.virus.exe.zip

| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.

| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s

Got it -- Thanx !
 
Shadow

| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.

| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s

Got it -- Thanx !
YW
Did you figure out why virustotal's avast does not detect it
while my desktop free version does ?
[]'s
 
1PW

Shadow said:
| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.

| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s

Got it -- Thanx !
YW
Did you figure out why virustotal's avast does not detect it
while my desktop free version does ?
[]'s

It's probably a question of context. VT's Avast looks at the file's
contents all alone. Avast in your system looks at the whole dynamics
of your OS.
 
David H. Lipman

From: "Shadow" <Sh@dow>

| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
| said:
| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.
| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s
Got it -- Thanx !
| YW
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s

No but I will discuss with someone at Virus Total.
 
David H. Lipman

From: "Shadow" <Sh@dow>

| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
| said:
| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.
| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s
Got it -- Thanx !
| YW
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s

I should ask...
Are you SURE the file C:\Recycled\Dc1.exe is what you posted to UploadMalware as;
csrcs.exe ?
 
Shadow

From: "Shadow" <Sh@dow>

| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
| said:
| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.
| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s
Got it -- Thanx !
| YW
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s

I should ask...
Are you SURE the file C:\Recycled\Dc1.exe is what you posted to UploadMalware as;
csrcs.exe ?
I disabled my antivirus and I uploaded C:\Documents and
Settings\nemesis\Meus documentos\qpqdcj.virus.exe.zip. I used pathcopy
and pasted in the whole path. I don't follow your logic. It's exactly
the same file I posted to virustotal. Try and see.
The csrcs.exe file is what the virus becomes when it is
loaded in memory. It is written with that name to system32 folder. On
the pendrive it adopts at least 4 different names. The csrcs is a type
of memory-resident thingy that writes to any pendrive introduced into
the machine. It also tries to connect to the internet, messes around
with some share (registry) permissions, alters the explorer's shell
command so you cannot see it in a browser, and dunno what else. The
virus csrcs.exe (inside the zip) has an md5 of:

3DE68324891964BDD2227141474797BB

and exactly 725.796 bytes.

Ooops, was that dangerous ? I had to turn my AV off to give
you that ....
If your virus is NOT what I uploaded, I will upload again. Or
I'll post it to you, zip-password protected and with the extension
renamed to txt to allow my mail servers to pass it through.

PS you can see it on the pendrive with the old dos command dir
/a from a command prompt.

PPS I just picked the virus up again at the local library. It
is now called kejmii.exe. Funny thing is they are running Avira
there,(the one with the red icon). According to virustotal, avira sees
it, avast does not. Real life is exactly the opposite. Go figure.
 
David H. Lipman

From: "Shadow" <Sh@dow>

| I disabled my antivirus and I uploaded C:\Documents and
| Settings\nemesis\Meus documentos\qpqdcj.virus.exe.zip. I used pathcopy
| and pasted in the whole path. I don't follow your logic. It's exactly
| the same file I posted to virustotal. Try and see.
| The csrcs.exe file is what the virus becomes when it is
| loaded in memory. It is written with that name to system32 folder. On
| the pendrive it adopts at least 4 different names. The csrcs is a type
| of memory-resident thingy that writes to any pendrive introduced into
| the machine. It also tries to connect to the internet, messes around
| with some share (registry) permissions, alters the explorer's shell
| command so you cannot see it in a browser, and dunno what else. The
| virus csrcs.exe (inside the zip) has an md5 of:

| 3DE68324891964BDD2227141474797BB

| and exactly 725.796 bytes.

| Ooops, was that dangerous ? I had to turn my AV off to give
| you that ....
| If your virus is NOT what I uploaded, I will upload again. Or
| I'll post it to you, zip-password protected and with the extension
| renamed to txt to allow my mail servers to pass it through.

| PS you can see it on the pendrive with the old dos command dir
| /a from a command prompt.

| PPS I just picked the virus up again at the local library. It
| is now called kejmii.exe. Funny thing is they are running Avira
| there,(the one with the red icon). According to virustotal, avira sees
| it, avast does not. Real life is exactly the opposite. Go figure.

Yes, I have;
MD5: 0x3DE68324891964BDD2227141474797BB
SHA-1: 0x5DAE0941F1818E6127729FC15897F12539ED6D5E
Filesize: 725,796 bytes
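The check David performs above (comparing MD5, SHA-1 and file size to confirm that the file he received is the one Shadow hashed) is worth doing mechanically, because the hash of a zip container and the hash of the executable inside it are different values, and a mismatch between the two is an easy way to end up comparing different files. The following is an added example, not code from the thread or from any of its participants; it computes the fingerprint of an archive and of each member in memory, without extracting anything to disk, and looks for a member whose values agree with the triple reported in the thread. The function names, the `sample.exe` member and its placeholder contents are assumptions constructed for the example.

```python
# Added example (not code from the thread or from any of its participants):
# confirm that a sample is the same file by fingerprinting it with size, MD5
# and SHA-1, the way the MD5/SHA-1/filesize triple was compared in the thread.
# Hashes are computed both for the zip container and for each member inside
# it, read in memory only, because a hash of the archive and a hash of the
# executable it contains are different values.
import hashlib
import io
import zipfile

# Values reported in the thread for the csrcs.exe sample (taken from the page).
REPORTED_SAMPLE = {
    "md5": "0x3DE68324891964BDD2227141474797BB",
    "sha1": "0x5DAE0941F1818E6127729FC15897F12539ED6D5E",
    "size": 725796,
}


def _norm_hex(value: str) -> str:
    """Upper-case a hex digest and drop an optional 0x prefix, so that the
    '0x...' form printed by some tools compares equal to plain hex."""
    value = value.strip().upper()
    return value[2:] if value.startswith("0X") else value


def fingerprint(data: bytes) -> dict:
    """Size, MD5 and SHA-1 (upper-case hex) of a byte string."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
    }


def fingerprint_archive(zip_bytes: bytes) -> dict:
    """Fingerprint the container and every file member; nothing is written to disk."""
    result = {"container": fingerprint(zip_bytes), "members": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            result["members"][info.filename] = fingerprint(zf.read(info))
    return result


def matches(fp: dict, expected: dict) -> bool:
    """True when every value given in `expected` agrees with the fingerprint.
    Keys absent from `expected` are not checked."""
    for key, want in expected.items():
        have = fp.get(key)
        if isinstance(want, str):
            if have is None or _norm_hex(have) != _norm_hex(want):
                return False
        elif have != want:
            return False
    return True


def find_member(zip_bytes: bytes, expected: dict):
    """Name of the first member whose fingerprint matches `expected`, else None."""
    for name, fp in fingerprint_archive(zip_bytes)["members"].items():
        if matches(fp, expected):
            return name
    return None


# Constructed stand-in sample (assumption): a placeholder byte string, not an executable.
SAMPLE_NAME = "sample.exe"
SAMPLE_BYTES = b"MZ constructed placeholder, not a real program\n"


def build_sample_archive() -> bytes:
    """Build a small zip in memory holding the constructed placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fixed timestamp so the container hash is reproducible between runs.
        info = zipfile.ZipInfo(SAMPLE_NAME, date_time=(2009, 8, 24, 0, 0, 0))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, SAMPLE_BYTES)
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    report = fingerprint_archive(archive)
    print("container:", report["container"])
    for name, fp in report["members"].items():
        print(name, fp)
    # With the placeholder sample this is None; with the real archive it would
    # name the member whose hashes and size equal the reported values.
    print("member matching reported values:", find_member(archive, REPORTED_SAMPLE))
```

To use it on a real submission, replace `build_sample_archive()` with the bytes of the zip you received and keep the file zipped: the members are hashed from memory, so nothing is extracted onto the disk of the analysis machine, and an on-access scanner that alerts on file open has nothing on disk to open.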
 
David H. Lipman

From: "Shadow" <Sh@dow>

| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
| said:
| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.
| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s
Got it -- Thanx !
| YW
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s

The answer from VT...

"Well, it seems that there's something weird, as besides Avast, GData also doesn't detect
it here (using the Avast engine) so it could be a limitation of the command line scanner,
or maybe they detect it with an AV feature I don't have here :?"
 
FromTheRafters

I disabled my antivirus and I uploaded C:\Documents and
Settings\nemesis\Meus documentos\qpqdcj.virus.exe.zip. I used pathcopy
and pasted in the whole path. I don't follow your logic. It's exactly
the same file I posted to virustotal. Try and see.
The csrcs.exe file is what the virus becomes when it is
loaded in memory. It is written with that name to system32 folder. On
the pendrive it adopts at least 4 different names. The csrcs is a type
of memory-resident thingy that writes to any pendrive introduced into
the machine. It also tries to connect to the internet, messes around
with some share (registry) permissions, alters the explorer's shell
command so you cannot see it in a browser, and dunno what else. The
virus csrcs.exe (inside the zip) has an md5 of:

3DE68324891964BDD2227141474797BB

and exactly 725.796 bytes.

Ooops, was that dangerous ? I had to turn my AV off to give
you that ....

Some on-access scanners will even alert when the file is accessed for
icon information for displaying in a filesystem browser. It is not
dangerous to open a file for other than execution, but if the AV scans
on "open" it will alert even though your action posed no real risk.
 
