And 45 days after I sent the worm to AVAST




    now recognizes it. Wow.
    []'s
    But not on virustotal.

    How strange

Re: And 45 days after I sent the worm to AVAST



Shadow wrote:

If you had sent a suspected malware file to VT and it was positive, or
positive with any other antimalware application, you can also upload
it to:

             <http://www.uploadmalware.com/>

It will then get a bit of help from those who can move it along.

--
1PW

Re: And 45 days after I sent the worm to AVAST




    OK, I will.
    You didn't understand. Avast now plays all the sirens when I
tell it to scan the file,
    "AutoIt:Balero-A [Wrm]" has been found in
"C:\Recycled\Dc1.exe\AutoIt.script" file

 but when I upload the same file to virustotal, the virus is not
recognized by avast. They should give the same results.


http://www.virustotal.com/analisis/af13e8a6b2aacea266e1c6899ada6fdd318e0259b63be4e9d4287200797f6f7e-1250796304



Re: And 45 days after I sent the worm to AVAST





    Sorry, I lied, I won't. It requires an email address and
identification.
    []'s

Re: And 45 days after I sent the worm to AVAST







| Sorry, I lied, I won't. It requires an email address and
| identification.
| []'s

No it doesn't.  You do NOT have to enter an email address nor ID as they are not
required.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: And 45 days after I sent the worm to AVAST



On Thu, 20 Aug 2009 16:43:39 -0400, "David H. Lipman"


    OK , so I lied the second time, not the first.

    qpqdcj.virus.exe.zip

    The name I uploaded it up as. Play around with it, but it is
certainly nasty.

    Loved the site. Amazingly, did not need javascript. How did it
access a file deep down on my PC ?
    []'s

Re: And 45 days after I sent the worm to AVAST







| OK , so I lied the second time, not the first.

| qpqdcj.virus.exe.zip

| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.

| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s

Got it -- Thanx !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: And 45 days after I sent the worm to AVAST



On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
    YW
    Did you figure out why virustotal's avast does not detect it
while my desktop free version does ?
    []'s

Re: And 45 days after I sent the worm to AVAST



Shadow wrote:

It's probably a question of context.  VT's Avast looks at the file's
contents all alone.  Avast in your system looks at the whole dynamics
of your OS.

--
1PW

Re: And 45 days after I sent the worm to AVAST




| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"



| YW
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s

No but I will discuss with someone at Virus Total.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: And 45 days after I sent the worm to AVAST




| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"



| YW
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s

I should ask...
Are you SURE the file C:\Recycled\Dc1.exe is what you posted to UploadMalware
as;
csrcs.exe  ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: And 45 days after I sent the worm to AVAST



On Tue, 25 Aug 2009 17:26:50 -0400, "David H. Lipman"

    I disabled my antivirus and I uploaded C:\Documents and
Settings\nemesis\Meus documentos\qpqdcj.virus.exe.zip. I used pathcopy
and pasted in the whole path. I don't follow your logic. It's exactly
the same file I posted to virustotal. Try and see.
     The csrcs.exe file is what the virus becomes when it is
loaded in memory. It is written with that name to system32 folder. On
the pendrive it adopts at least 4 different names. The csrcs is a type
of memory-resident thingy that writes to any pendrive introduced into
the machine. It also tries to connect to the internet, messes around
with some share (registry) permissions, alters the explorer's shell
command so you cannot see it in a browser, and dunno what else. The
virus csrcs.exe (inside the zip) has an md5 of:

    3DE68324891964BDD2227141474797BB

    and exactly 725.796 bytes.

    Ooops, was that dangerous ?  I had to turn my AV off to give
you that ....
    If your virus is NOT what I uploaded, I will upload again. Or
I'll post it to you, zip-password protected and with the extension
renamed to txt to allow my mail servers to pass it through.

    PS you can see it on the pendrive with the old dos command dir
/a from a command prompt.

    PPS I just picked the virus up again at the local library. It
is now called kejmii.exe. Funny thing is they are running Avira
there,(the one with the red icon). According to virustotal, avira sees
it, avast does not. Real life is exactly the opposite. Go figure.

Re: And 45 days after I sent the worm to AVAST




| I disabled my antivirus and I uploaded C:\Documents and
| Settings\nemesis\Meus documentos\qpqdcj.virus.exe.zip. I used pathcopy
| and pasted in the whole path. I don't follow your logic. It's exactly
| the same file I posted to virustotal. Try and see.
| The csrcs.exe file is what the virus becomes when it is
| loaded in memory. It is written with that name to system32 folder. On
| the pendrive it adopts at least 4 different names. The csrcs is a type
| of memory-resident thingy that writes to any pendrive introduced into
| the machine. It also tries to connect to the internet, messes around
| with some share (registry) permissions, alters the explorers shell
| command so you cannot see it in a browser, and dunno what else. The
| virus csrcs.exe (inside the zip) has an md5 of:

| 3DE68324891964BDD2227141474797BB

| and exactly 725.796 bytes.

| Ooops, was that dangerous ?  I had to turn my AV off to give
| you that ....
| If your virus is NOT what I uploaded, I will upload again. Or
| I'll post it to you, zip-password protected and with the extension
| renamed to txt to allow my mail servers to pass it through.

| PS you can see it on the pendrive with the old dos command dir
| /a from a command prompt.

| PPS I just picked the virus up again at the local library. It
| is now called kejmii.exe. Funny thing is they are running Avira
| there,(the one with the red icon). According to virustotal, avira sees
| it, avast does not. Real life is exactly the opposite. Go figure.

Yes, I have;
MD5: 0x3DE68324891964BDD2227141474797BB
SHA-1: 0x5DAE0941F1818E6127729FC15897F12539ED6D5E
Filesize: 725,796 bytes

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
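The exchange above turns on whether the file Shadow sent to UploadMalware is the same one Dave received, settled by comparing MD5, SHA-1 and byte count. Below is an added example of that check (it is not code from anyone in this thread): it fingerprints a sample and compares it against digests reported by another party, accepting the `0x` prefix and the comma or dot thousands separators that appear in the posts. The sample bytes are a constructed stand-in, not the file discussed in the thread; `fingerprint`, `matches` and `same_sample` are names chosen here.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    md5: str
    sha1: str
    size: int


def fingerprint(data: bytes) -> Fingerprint:
    """Compute the MD5, SHA-1 and byte length of a sample held in memory."""
    return Fingerprint(
        md5=hashlib.md5(data).hexdigest(),
        sha1=hashlib.sha1(data).hexdigest(),
        size=len(data),
    )


def fingerprint_path(path: str, chunk: int = 1 << 20) -> Fingerprint:
    """Same as fingerprint() but streams a file from disk without executing it."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return Fingerprint(md5.hexdigest(), sha1.hexdigest(), size)


def normalize_hex(value: str) -> str:
    """Accept '0x3DE6...' or '3de6...' style digests and return lowercase hex."""
    v = value.strip().lower()
    return v[2:] if v.startswith("0x") else v


def normalize_size(value) -> int:
    """Accept 725796, '725,796' or '725.796' (thousands separators differ by locale).
    Assumes an integer byte count, so both separators are simply stripped."""
    if isinstance(value, int):
        return value
    return int(value.strip().replace(",", "").replace(".", ""))


def matches(data: bytes, md5=None, sha1=None, size=None) -> dict:
    """Compare a sample against the digests/size another party reported.
    Returns one bool per field that was supplied, so a partial report
    (e.g. MD5 only) still yields a useful answer."""
    fp = fingerprint(data)
    result = {}
    if md5 is not None:
        result["md5"] = fp.md5 == normalize_hex(md5)
    if sha1 is not None:
        result["sha1"] = fp.sha1 == normalize_hex(sha1)
    if size is not None:
        result["size"] = fp.size == normalize_size(size)
    return result


def same_sample(data: bytes, md5=None, sha1=None, size=None) -> bool:
    """True only when at least one field was supplied and every supplied field agrees."""
    r = matches(data, md5, sha1, size)
    return bool(r) and all(r.values())


# Constructed stand-in bytes; not the file from the thread.
SAMPLE = b"abc"

# Values exactly as Dave posted them (0x prefix, comma thousands separator).
THREAD_MD5 = "0x3DE68324891964BDD2227141474797BB"
THREAD_SHA1 = "0x5DAE0941F1818E6127729FC15897F12539ED6D5E"
THREAD_SIZE = "725,796"

if __name__ == "__main__":
    fp = fingerprint(SAMPLE)
    print(f"MD5: {fp.md5}\nSHA-1: {fp.sha1}\nFilesize: {fp.size} bytes")
    print("matches thread sample:",
          same_sample(SAMPLE, THREAD_MD5, THREAD_SHA1, THREAD_SIZE))
```

Hashing reads the file without executing it, which is the point 1PW makes later in the thread about on-access scanners: a scanner hooked on "open" may still alert while you compute the digest, so do it on a copy held in an archive or from a non-Windows boot, as Shadow did with the tar.gz.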



Re: And 45 days after I sent the worm to AVAST





Some on-access scanners will even alert when the file is accessed for
icon information for displaying in a filesystem browser. It is not
dangerous to open a file for other than execution, but if the AV scans
on "open" it will alert even though your action posed no real risk.



Re: And 45 days after I sent the worm to AVAST




| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"



| YW
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s

The answer from VT...

"Well, it seems that there's something weird, as besides Avast, GData also
doesn't detect
it here (using the Avast engine) so it could be a limitation of the command line
scanner,
or maybe they detect it with an AV feature I don't have here :?"

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: And 45 days after I sent the worm to AVAST



On Wed, 26 Aug 2009 06:08:41 -0400, "David H. Lipman"


    Uploaded oswnbi.tar.gz to your site. I just picked it up at
the local hospital. AVG is running , fully updated, on the machine I
got it from. This time I booted into linux, tar.gz the file and posted
that. So you can see what the autorun.inf looks like. Notice it has
changed name again.
    Virustotal
http://www.virustotal.com/analisis/af8292fc53daeba7bd615d584af77c3d4d64925a263ec09c06ae34ace36e3bcc-1251300636
    FWIW
    Back to work .....

Re: And 45 days after I sent the worm to AVAST




| On Wed, 26 Aug 2009 06:08:41 -0400, "David H. Lipman"



| Uploaded oswnbi.tar.gz to your site. I just picked it up at
| the local hospital. AVG is running , fully updated, on the machine I
| got it from. This time I booted into linux, tar.gz the file and posted
| that. So you can see what the autorun.inf looks like. Notice it has
| changed name again.
| Virustotal
| http://www.virustotal.com/analisis/af8292fc53daeba7bd615d584af77c3d4d64925a263ec09c06ae34ace36e3bcc-1251300636
| FWIW
| Back to work .....

Got it, thanx !


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: And 45 days after I sent the worm to AVAST



On Wed, 26 Aug 2009 16:39:09 -0400, "David H. Lipman"
Sh@dow wrote:
    They (virustotal) deleted the link."Link has expired". WTF ?
The older links still work, for the virus I uploaded almost 2 months
ago. Today's link expired and a 2 month old one valid ?
    []'s

Re: And 45 days after I sent the worm to AVAST





| They (virustotal) deleted the link."Link has expired". WTF ?
| The older links still work, for the virus I uploaded almost 2 months
| ago. Today's link expired and a 2 month old one valid ?


http://www.virustotal.com/analisis/9903e8a905551f8581941ac53c654be3f2cd8667ae871418dbeb6b5f5b6ff3b8-1251319071

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: And 45 days after I sent the worm to AVAST



On Wed, 26 Aug 2009 19:49:46 -0400, "David H. Lipman"


Your file has expired or does not exists.

[]'s
