Kaspersky submission screwup !

Recently I came across a post where someone was boasting they have a virus they
provide to anyone who wanted it.  I indicated I would take a copy and I provided
an email address in which it could be sent to.  A few days later, on Monday
Oct. 10, I received the infector with the following text...


You said on that chat thingy that you wanted a copy of this. It's four files on
obviously is the virus which is LOADER.EXE. Unless you are prepared to format
your computer don't click on it. It does work I have tried it on a couple of
computers just to make sure and they don't work any more. Anyway all yours."

So I uploaded it to Virus Total.  Not one vendor recognized the infector.
However, I tried McAfee VirusScan v7.1E, ENGINE v5000 Beta and DAT v4597 (?)
and under Heuristic detection it was flagged by McAfee as "New Malware.h".  I
then proceeded to submit a sample to all AV companies.  DrWeb, Panda and
Kaspersky were the first to respond.

DrWeb -- Trojan Mygot
Panda -- Trj/ForSpok.A
Kaspersky -- "File is clean"

I replied back to Kaspersky under the ticket number that I was assigned and I
queried how the analyst came to that "File is clean" conclusion when McAfee
flagged it using scanning and DrWeb and Panda found it to be a malicious Trojan.

The reply from the same Kaspersky analyst was "We already analyzed this."  I
found this strange and I thought this was a faux conclusion and I sent a copy
to Ian Kenefick.  He examined it and he also concluded it was malicious and
thought that the Kaspersky conclusion was ludicrous.  He then submitted a copy
to Kaspersky and he got a different researcher.  This time it was concluded
that it was indeed malicious and the infector was called Trojan.Win32.Agent.JZ

I later received an email message back from the virus researcher I had
communicated with earlier with the following text...


Ok, we bad analyze this.

Malicious software was found in the attached file.
Its detection was included in the next update. Thank you for your help."


Re: Kaspersky submission screwup !

On Thu, 13 Oct 2005 23:11:39 GMT, "David H. Lipman"


Either he was a very junior virus researcher, he was half asleep or he
drank too much vodka. Russians! :)

(I know you may find this rich coming from an Irishman)

Ian Kenefick

Re: OT Kaspersky submission screwup !

.... or he drank too much XXXX. Irishmen! :)

Please replace the X's. :)

Replies to: Nherr1professor2doktor31109(at)Oyahoo(dot)Tcom

Re: Kaspersky submission screwup !

David H. Lipman wrote:

I've had "bad" analysis of certain pieces of malware at least twice. Not
going to mention the companies involved.

Eventually though they correct their mistakes, especially if you prod
