malware analysis

Installed trial version of NOD32 and it found malware on my computer.
No other scanner has ever flagged this file as malware before.  I
submitted to the following sites for analysis by their virus scanners.
Here are the results.  Why do the two AntiVir results differ?  Why do
so many of the vendors disagree?  What is your analysis?

----------------------
http://virusscan.jotti.org/
File:  XPKey.zip  
Status:  INFECTED/MALWARE  
MD5  a041d4f9fb88242e0fef31f20e8ac534  
Packers detected:  UPX
Scanner results  

AntiVir  Found SecurityPrivacyRisk/XP.Keyfinder riskware,
SecurityPrivacyRisk/PSW.RAS.A.2 riskware,
SecurityPrivacyRisk/PSW.RAS.A.3 riskware, SecurityPrivacyRisk/RAS.A
riskware
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found HackerTool/Keyfinder  
Kaspersky Anti-Virus  Found not-a-virus:PSWTool.Win32.RAS.a  
NOD32  Found Win32/PSWTool.RAS.A application  
Norman Virus Control  Found nothing
UNA  Found nothing
VirusBuster  Found nothing
VBA32  Found nothing

------------------------
http://www.virustotal.com/flash/index_en.html
This is a report processed by VirusTotal on 06/08/2006 at 02:21:47
(CET) after scanning the file "XPKey.zip" file.

Antivirus Version Update Result
AntiVir 6.34.1.37 06.07.2006 no virus found
Authentium 4.93.8 06.08.2006 no virus found
Avast 4.7.844.0 06.06.2006 no virus found
AVG 386 06.07.2006 no virus found
BitDefender 7.2 06.08.2006 no virus found
CAT-QuickHeal 8.00 06.07.2006 PSWTool.RAS.a (Not a Virus)
ClamAV devel-20060426 06.07.2006 no virus found
DrWeb 4.33 06.07.2006 no virus found
eTrust-InoculateIT 23.72.31 06.07.2006 no virus found
eTrust-Vet 12.6.2246 06.07.2006 no virus found
Ewido 3.5 06.07.2006 no virus found
Fortinet 2.77.0.0 06.08.2006 HackerTool/Keyfinder
F-Prot 3.16f 06.07.2006 no virus found
Ikarus 0.2.65.0 06.07.2006 no virus found
Kaspersky 4.0.2.24 06.08.2006 not-a-virus:PSWTool.Win32.RAS.a
McAfee 4779 06.07.2006 potentially unwanted program Generic PUP
Microsoft 1.1441 06.08.2006 no virus found
NOD32v2 1.1584 06.07.2006 Win32/PSWTool.RAS.A
Norman 5.90.17 06.07.2006 no virus found
Panda 9.0.0.4 06.07.2006 no virus found
Sophos 4.06.0 06.08.2006 no virus found
Symantec 8.0 06.07.2006 no virus found
TheHacker 5.9.8.156 06.07.2006 no virus found
UNA 1.83 06.06.2006 no virus found
VBA32 3.11.0 06.07.2006 no virus found
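As an added illustration (not part of the post, and not code from either scanning site), the script below parses a handful of result lines in the two formats pasted above, sorts every verdict into a coarse category (clean, riskware/PUA, or other malware), extracts a rough family name from each vendor's label so that "Win32/PSWTool.RAS.A", "not-a-virus:PSWTool.Win32.RAS.a" and "PSWTool.RAS.a (Not a Virus)" count as the same thing, and lists engines whose category differs between the two reports. The sample lines are excerpted from the reports in the post (the multi-line AntiVir entry is joined onto one line); the marker and noise-token lists, the engine-name matching rule and the function names are this example's own assumptions.

```python
"""Normalise multi-engine scan results so vendor disagreements can be compared.

Added example for the thread: parses Jotti-style ("Engine  Found ...") and
VirusTotal-style ("Engine Version Date Result") lines, classifies each verdict,
derives an approximate family name, and reports per-engine disagreements.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Sample lines excerpted from the two reports in the post (constructed subset;
# the Jotti AntiVir entry is joined onto one line so it parses).
JOTTI_SAMPLE = """\
AntiVir  Found SecurityPrivacyRisk/XP.Keyfinder riskware, SecurityPrivacyRisk/PSW.RAS.A.2 riskware
Avast  Found nothing
Fortinet  Found HackerTool/Keyfinder
Kaspersky Anti-Virus  Found not-a-virus:PSWTool.Win32.RAS.a
NOD32  Found Win32/PSWTool.RAS.A application
"""
VT_SAMPLE = """\
AntiVir 6.34.1.37 06.07.2006 no virus found
Avast 4.7.844.0 06.06.2006 no virus found
CAT-QuickHeal 8.00 06.07.2006 PSWTool.RAS.a (Not a Virus)
Fortinet 2.77.0.0 06.08.2006 HackerTool/Keyfinder
Kaspersky 4.0.2.24 06.08.2006 not-a-virus:PSWTool.Win32.RAS.a
McAfee 4779 06.07.2006 potentially unwanted program Generic PUP
NOD32v2 1.1584 06.07.2006 Win32/PSWTool.RAS.A
"""

CLEAN_VERDICTS = {"nothing", "no virus found"}
# Substrings vendors use to flag riskware / potentially unwanted programs (assumed list).
PUA_MARKERS = ("not-a-virus", "not a virus", "riskware", "pup",
               "potentially unwanted", "hackertool", "pswtool", "application")
# Tokens that describe platform or type rather than the family (assumed list).
NOISE_TOKENS = {"win32", "psw", "pswtool", "securityprivacyrisk", "hackertool", "xp",
                "not-a-virus", "riskware", "application", "generic",
                "potentially", "unwanted", "program"}


@dataclass
class Detection:
    engine: str
    verdict: str


def parse_jotti(text):
    """Jotti lines: engine name, two spaces, 'Found <verdict>'."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        engine, _, rest = line.partition("  ")
        verdict = rest.strip()
        if verdict.startswith("Found "):
            verdict = verdict[len("Found "):]
        out.append(Detection(engine.strip(), verdict))
    return out


def parse_virustotal(text):
    """VirusTotal lines: engine, version, update date, then the free-text result."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        engine, _version, _date, verdict = line.split(None, 3)
        out.append(Detection(engine, verdict.strip()))
    return out


def category(verdict):
    """Coarse class: clean, riskware/PUA (vendor says 'not a virus' etc.), or malware."""
    v = verdict.lower().strip()
    if v in CLEAN_VERDICTS:
        return "clean"
    if any(marker in v for marker in PUA_MARKERS):
        return "riskware/PUA"
    return "malware"


def families(verdict):
    """Approximate family names: split multi-detections, drop noise and variant suffixes."""
    fams = set()
    for part in verdict.lower().split(","):
        part = re.sub(r"\(.*?\)", "", part)            # drop '(Not a Virus)' style notes
        tokens = re.split(r"[/:.\s]+", part.strip())
        core = [t for t in tokens
                if t and t not in NOISE_TOKENS and not re.fullmatch(r"[a-z]|\d+", t)]
        if core:
            fams.add(" ".join(core))
    return fams


def engine_key(name):
    """Match 'Kaspersky Anti-Virus' with 'Kaspersky' and 'NOD32v2' with 'NOD32' (rough rule)."""
    return re.sub(r"v\d+$", "", name.split()[0].lower())


def summarise(detections):
    cats = Counter(category(d.verdict) for d in detections)
    fams = Counter()
    for d in detections:
        if category(d.verdict) != "clean":
            fams.update(families(d.verdict))
    return {"engines": len(detections), "alerting": len(detections) - cats["clean"],
            "categories": cats, "families": fams}


def disagreements(first, second):
    """Engines present in both reports whose verdict category differs."""
    by_key = {engine_key(d.engine): d for d in second}
    out = []
    for d in first:
        other = by_key.get(engine_key(d.engine))
        if other and category(d.verdict) != category(other.verdict):
            out.append((d.engine, category(d.verdict), category(other.verdict)))
    return out


if __name__ == "__main__":
    jotti, vt = parse_jotti(JOTTI_SAMPLE), parse_virustotal(VT_SAMPLE)
    print("Jotti:", summarise(jotti))
    print("VirusTotal:", summarise(vt))
    print("Same engine, different category:", disagreements(jotti, vt))
```

On these samples every alerting engine lands in the riskware/PUA bucket and the labels collapse to two families (the "RAS" password tool and "Keyfinder"), which is the useful reading of the reports: one product class, many names. The per-engine comparison also surfaces the AntiVir split between the two sites directly, which is the kind of mismatch worth checking against scanner version and scan options before treating either result as authoritative.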

Re: malware analysis

On 08 Jun 2006 00:27:09 GMT, "badgolferman"


This file is actually a keyfinder. I think it's called Magic
Jellybean. It's really not malicious in the hands of someone who has
genuinely lost their product key. It's my understanding that it is
detected because it could possibly be misused. The file is NOT
malicious.

--
Regards, Ian Kenefick
http://www.IK-CS.com

Re: malware analysis

Ian Kenefick, 6/7/2006,8:33:05 PM, wrote:


Yes, I know what kind of file it is, but yet the questions remain.  Why
the inconsistent analyses from AntiVir and why do the vendors disagree?

Re: malware analysis


| Ian Kenefick, 6/7/2006,8:33:05 PM, wrote:
|
| Yes, I know what kind of file it is, but yet the questions remain.  Why
| the inconsistent analyses from AntiVir and why do the vendors disagree?

From my understanding, Jotti's scanners are based upon Linux and sometimes
produce different results because of this.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: malware analysis

On 08 Jun 2006 00:47:25 GMT, "badgolferman"


As far as jotti and virus total are concerned. They both use command
line scanner versions of the products. Jotti's is Linux and Virustotal
is Windows based. Perhaps Virustotal has not included the parameter
for riskware detection or an older version which doesn't include the
detection for this type of 'threat'.

As for vendors disagreeing... There is no real answer for this I
think. Some vendors like Kaspersky add a lot of stuff that they think
should be added whilst vendors like Dr.Web and NOD32 tend not to add
them. More and more this is changing though since 'what the public
wants the public gets'.

--
Regards, Ian Kenefick
http://www.IK-CS.com

Re: malware analysis

On 08 Jun 2006 00:27:09 GMT, "badgolferman"


You'd have to ask the guys who run the sites. Could be you caught
it at a time when detection was just added and one site hadn't been
updated. Or it could be a scan options setting issue.


You mean you expect them to use the same malware names? Ha!
Or do you mean that some alert and some don't. That's not unusual,
especially with controversialware such as this sample. Not all vendors
alert on controversialware.

The nature of the alerts tells me that the sample software is probably
commercial software which is legit but controversial since it can be
used for nefarious purposes.

Nothing at all unusual about the whole thing. It's a ho hum and what
else is new :)

Art
http://home.epix.net/~artnpeg

Re: malware analysis

4ax.com:


Which is why BugHunter doesn't even offer names. :( Whose name should I
follow, one I create? Nah... :)


It's not commercial. It's a freeware XP cd key recovery program. If you run
it on the host, it'll give you the install key, along with your office
install key if possible. It's a handy utility.


--
Dustin Cook
http://bughunter.atspace.org
BugHunter MalWare Removal Tool
