reporting virii

Englander

Hi dudes

wondering, where are the best places to report virii, and..

If you receive an email with an attachment of the type=wave and actually
link is to an attached .exe file, but the virus scan thinks it's clean,
should it be reported as a suspected variant.

I was wondering, what signatures do the checkers look for?

Does it (/they, i.e. the latest crop of checkers (using f-prot for
Linux)) get down to as small a check as just seeing if the examined code
writes to the internet which would make it a suspect trojan attachment.

or even just looking for common (propagation) code between virii.

do virus checkers even claim to be trojan/hacker checkers?
 
David H. Lipman

Please read the following URL.

http://www.perl.com/language/misc/virus.html

Dave



| Hi dudes
|
| wondering, where are the best places to report virii, and..
|
| If you receive an email with an attachment of the type=wave and actually
| link is to an attached .exe file, but the virus scan thinks it's clean,
| should it be reported as a suspected variant.
|
| I was wondering, what signatures do the checkers look for?
|
| Does it (/they, i.e. the latest crop of checkers (using f-prot for
| Linux)) get down to as small a check as just seeing if the examined code
| writes to the internet which would make it a suspect trojan attachment.
|
| or even just looking for common (propagation) code between virii.
|
| do virus checkers even claim to be trojan/hacker checkers?
|
 
David H. Lipman

You shouldn't gamble.

Dave



| On Tue, 27 Jan 2004 00:00:42 GMT, "David H. Lipman"
|
| >Please read the following URL.
| >
| >http://www.perl.com/language/misc/virus.html
| >
| >Dave
|
|
| I was wondering who it would be this time. My money was on blevins. I
| forgot about you, Dave.
|
|
| Jim.
|
 
FromTheRafters

Englander said:
> Hi dudes
>
> wondering, where are the best places to report virii, and..

Submissions:

Command Software <[email protected]>
Computer Associates (US) <[email protected]>
Computer Associates (Vet/EZ) <[email protected]>
DialogueScience (Dr. Web) <[email protected]>
Eset (NOD32) <[email protected]>
F-Secure Corp. <[email protected]>
Frisk Software (F-PROT) <[email protected]>
Grisoft (AVG) <[email protected]>
H+BEDV (AntiVir): <[email protected]>
Kaspersky Labs <[email protected]>
Network Associates (McAfee) <[email protected]>
Norman (NVC) <[email protected]>
Sophos Plc. <[email protected]>
Symantec (Norton) <[email protected]>

> If you receive an email with an attachment of the type=wave and actually
> link is to an attached .exe file, but the virus scan thinks it's clean,
> should it be reported as a suspected variant.

What you describe here is an exploit of a vulnerability. The attached
exefile would autorun on vulnerable machines. It might be *anything*
at all ~ not limited to viruses, worms, or even malware for that matter.

Yes, it should be reported.

> I was wondering, what signatures do the checkers look for?

Some actually look for and can detect this exploit. Further than
that, most can decode the attachment and scan it for known
malware.

> Does it (/they, i.e. the latest crop of checkers (using f-prot for
> Linux)) get down to as small a check as just seeing if the examined code
> writes to the internet which would make it a suspect trojan attachment.

As far as I know, they look for specific things hopefully unique
to a given malware (else they get false positives). Some legitimate
programs "write to the internet" (if I understand you correctly).

> or even just looking for common (propagation) code between virii.

Some do some level of "behavior checking", but I think it has
been found that signature based scanning attains better overall
results. There are alternatives to signature based scanning which
have better results at the task of detecting new (unknown) nasties.

> do virus checkers even claim to be trojan/hacker checkers?

Many have now attempted to move into this area.
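
The mismatch raised in the question (a part declared as a wave file whose attachment is really an .exe) can be checked mechanically when mail is received. The following is an added example, not part of the original thread and not how any scanner named here works; the function name, extension list and sample message are constructed for illustration.

```python
import base64
import os
from email import message_from_string

# Illustrative (not exhaustive) list of extensions Windows will run directly.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Declared media types that should never carry a program.
PASSIVE_MAINTYPES = {"audio", "image", "video"}

def suspicious_parts(raw_message):
    """Return (filename, declared_type, reasons) for each mismatched MIME part."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart() or part.get_content_maintype() not in PASSIVE_MAINTYPES:
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            reasons.append("executable extension")
        if payload[:2] == b"MZ":  # DOS/PE executable magic bytes
            reasons.append("MZ header")
        if reasons:
            findings.append((name, part.get_content_type(), reasons))
    return findings

# Constructed sample: a stub that only starts with "MZ" and a stub WAV header.
_STUB_EXE = base64.b64encode(b"MZ" + b"\x00" * 30).decode()
_STUB_WAV = base64.b64encode(b"RIFF\x24\x00\x00\x00WAVEfmt ").decode()
SAMPLE = f"""\
Subject: constructed sample
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: audio/x-wav; name="greeting.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="greeting.exe"

{_STUB_EXE}
--XX
Content-Type: audio/x-wav; name="chime.wav"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="chime.wav"

{_STUB_WAV}
--XX--
"""

if __name__ == "__main__":
    print(suspicious_parts(SAMPLE))
```

A hit here says only that the declared type and the content disagree; as the reply above notes, the attached file could be anything, so it still needs scanning or submission to a vendor.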
 
Englander

I was of course meaning the genitive singular (whatever that means...),
but misspelled it...
 
FromTheRafters

Englander said:
> Thanks for that info.

Submissions list obtained from posters in this newsgroup, notably
Nick FitzGerald. I merely "stole" it. ;o)
 
