stivc.exe

Steve Pope

Art said:
So after four days, clamav and NAV still have no detection. Neither
does NOD32 have a sig. It's still doing a heuristic type alert. I had
submitted to Kaspersky and I know that David Lipman had submitted to
Sophos (at least). Other than those, I don't know which vendors
received submissions from individuals. But Virus Total is supposed
to pass on the samples to vendors. Looks to me like that process
is not very swift and reliable. Neither is the alleged sample sharing
between vendors.

Yes, I only have NAV installed on the computer in question, and
they have not picked this up. My guess is Symantec needs to
see a threshold level of presence among its customer base before
they will add a virus definition.

Steve
 
David H. Lipman

From: "Art" <[email protected]>

|
| Four days later here's the VT result:
|
| This is a report processed by VirusTotal on 12/15/2005
| at 18:29:00 (CET) after scanning the file "stivc.exe" file.
|
| AntiVir        BDS/Agent.QN
| Avast          Win32:Trojano-3095
| AVG            BackDoor.Agent.VH
| Avira          BDS/Agent.QN
| BitDefender    Backdoor.Agent.QN
| CAT-QuickHeal  Backdoor.Agent.qn
| ClamAV         no virus found
| DrWeb          DLOADER.Trojan
| eTrust-Iris    Win32/StartPage.Vall.57856!Troja
| eTrust-Vet     Win32/Startpage.SZ
| Fortinet       W32/Agent.FN!tr
| F-Prot         security risk named W32/Backdoor.HKT
| Ikarus         Backdoor.Win32.Agent.QN
| Kaspersky      Backdoor.Win32.Agent.qn
| McAfee         StartPage-CL
| NOD32v2        probably unknown NewHeur_PE virus
| Norman         W32/Agent.LFS
| Panda          Bck/Agent.AXY
| Sophos         Troj/Agent-FN
| Symantec       no virus found
| TheHacker      Backdoor/Agent.qn
| VBA32          Backdoor.Win32.Agent.qn
|
| So after four days, clamav and NAV still have no detection. Neither
| does NOD32 have a sig. It's still doing a heuristic type alert. I had
| submitted to Kaspersky and I know that David Lipman had submitted to
| Sophos (at least). Other than those, I don't know which vendors
| received submissions from individuals. But Virus Total is supposed
| to pass on the samples to vendors. Looks to me like that process
| is not very swift and reliable. Neither is the alleged sample sharing
| between vendors.
|
| Art
|
| http://home.epix.net/~artnpeg

That's interesting!

I submitted it to "all" AV vendors including Symantec. Even Microsoft.

It was submitted to Symantec on 12/11 and the ticket #6572331 was closed on 12/12.

It was declared as: "Backdoor.Trojan"
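An added example, not part of any post in this thread: a short Python parser that sorts the engines in the VirusTotal report quoted above into signature, heuristic-only and no-detection groups. The report lines are copied from the thread; the function names and the heuristic marker words are assumptions made for this example.

```python
REPORT = """\
AntiVir BDS/Agent.QN
Avast Win32:Trojano-3095
AVG BackDoor.Agent.VH
Avira BDS/Agent.QN
BitDefender Backdoor.Agent.QN
CAT-QuickHeal Backdoor.Agent.qn
ClamAV no virus found
DrWeb DLOADER.Trojan
eTrust-Iris Win32/StartPage.Vall.57856!Troja
eTrust-Vet Win32/Startpage.SZ
Fortinet W32/Agent.FN!tr
F-Prot security risk named W32/Backdoor.HKT
Ikarus Backdoor.Win32.Agent.QN
Kaspersky Backdoor.Win32.Agent.qn
McAfee StartPage-CL
NOD32v2 probably unknown NewHeur_PE virus
Norman W32/Agent.LFS
Panda Bck/Agent.AXY
Sophos Troj/Agent-FN
Symantec no virus found
TheHacker Backdoor/Agent.qn
VBA32 Backdoor.Win32.Agent.qn
"""
# Assumed wording that marks a heuristic guess rather than a named signature.
HEURISTIC_MARKERS = ("probably", "heur", "suspicious")

def parse_report(text):
    """Map engine -> verdict for 'Engine verdict' lines; '|' quote prefixes are ignored."""
    results = {}
    for raw in text.splitlines():
        engine, _, verdict = raw.lstrip("| \t").strip().partition(" ")
        if engine and verdict.strip():
            results[engine] = verdict.strip()
    return results

def classify(verdict):
    v = verdict.lower()
    if v == "no virus found":
        return "none"
    return "heuristic" if any(m in v for m in HEURISTIC_MARKERS) else "signature"

def summarize(text):
    buckets = {"signature": [], "heuristic": [], "none": []}
    for engine, verdict in parse_report(text).items():
        buckets[classify(verdict)].append(engine)
    return buckets

if __name__ == "__main__":
    print(summarize(REPORT))
```

Feed it only the engine/verdict lines of a report; header lines such as the scan date would be read as an engine entry.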
 
David H. Lipman

From: "Steve Pope" <[email protected]>


| Nope. Not directly. Let me try that. It's gone into
| virustotal several times now.


Dear David Lipman,

We have analyzed your submission. The following is a report of our
findings for each file you have submitted:

filename: stivc.exe
machine: Machine
result: This file is infected with Backdoor.Trojan

Developer notes:
stivc.exe is a non-repairable threat. NAV with the latest rapidrelease
definition detects this. Please delete this file and replace it if necessary.
Please follow the instruction at the end of this email message to install the
latest rapidrelease definitions.



Symantec Security Response has determined that the sample(s) that you provided
are infected with a virus, worm, or Trojan. We have created RapidRelease
definitions that will detect this threat. Please follow the instruction at the
end of this email message to download and install the latest RapidRelease
definitions.
Symantec is now building a new set of definitions to include the threat you have
submitted. The approximate time to complete this process is one hour. We
recommend checking the ftp site periodically over the next 60 to 90 minutes to
download these definitions as soon as they are available.

Downloading and Installing RapidRelease Definitions:
1. Open your Web browser. If you are using a dial-up connection, connect to any
Web site, such as: http://securityresponse.symantec.com/
2. Copy and paste the address
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/sequence/
into the address bar of your Web browser and then press Enter. (This could take
a minute or so if you have a slow connection.)
3. Now select the 50406 folder or a higher one. Open the folder.
4. Select the file symrapidreleasedefsx86.exe
5. When a download dialog box appears, save the file to the Windows desktop.
6. Double-click the downloaded file and follow the prompts.


Should you have any questions about your submission, please contact
your regional technical support from the Symantec website and give them
the tracking number in the subject of this message.
 
Steve Pope

David H. Lipman said:
That's interesting!

I submitted it to "all" AV vendors including Symantec. Even Microsoft.

It was submitted to Symantec on 12/11 and the ticket #6572331 was closed
on 12/12.

It was declared as: "Backdoor.Trojan"

The "it" you submitted to Symantec may not be the same "it" that
was on my computer, although it had the same filename.

I'm awaiting a response from Symantec. I'm hoping they add
it so I can re-scan for it without having to install other tools.

Thanks for all your assistance.

Steve
 
