Reporting a new malware sample

How can I report a new malware-infected file without having to trawl
through the various individual vendors' sites? Are there central reporting
sites, or maybe a distribution list?

(I've tried various searches but only found out-of-date or vendor-specific
info)

Re: Reporting a new malware sample




| How can I report a new malware-infected file without having to trawl
| through the various individual vendors' sites? Are there central reporting
| sites, or maybe a distribution list?

| (I've tried various searches but only found out-of-date or vendor-specific
| info)


Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it.  In addition Virus
Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Reporting a new malware sample



On Wed, 8 Oct 2008 06:32:55 -0400, David H. Lipman wrote:

David,

How's about answering my question?

NB: Identifying that it's infected isn't the problem. Fixing it isn't the
problem. I've done both, two days ago.

I confirmed that it was infected via upload to the virustotal.com,
virscan.org and virus.org sites. I've since re-uploaded/scanned it on those
sites: it is clear that the various vendors either aren't hooked into them
at all or are very slow in updating their definitions because there are
still only a minority recognising it.

Here's today's virustotal report FYI:
File beep.sys received on 10.08.2008 10:46:07 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.10.3.2 2008.10.08 Win-Trojan/Agent.16896.LN
AntiVir 7.8.1.34 2008.10.08 TR/Rootkit.Agent.NFK.1
Authentium 5.1.0.4 2008.10.08 -
Avast 4.8.1248.0 2008.10.08 -
AVG 8.0.0.161 2008.10.07 Agent.AETS
BitDefender 7.2 2008.10.08 Trojan.Rootkit.Agent.NFK
CAT-QuickHeal 9.50 2008.10.08 -
ClamAV 0.93.1 2008.10.08 -
DrWeb 4.44.0.09170 2008.10.08 -
eSafe 7.0.17.0 2008.10.07 -
eTrust-Vet 31.6.6135 2008.10.08 -
Ewido 4.0 2008.10.07 -
F-Prot 4.4.4.56 2008.10.07 -
F-Secure 8.0.14332.0 2008.10.08 Rootkit.Win32.Agent.efs
Fortinet 3.113.0.0 2008.10.08 -
GData 19 2008.10.08 Trojan.Rootkit.Agent.NFK
Ikarus T3.1.1.34.0 2008.10.08 Trojan.Rootkit.Agent.NFK
K7AntiVirus 7.10.487 2008.10.07 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2008.10.08 Rootkit.Win32.Agent.efs
McAfee 5400 2008.10.07 -
Microsoft 1.4005 2008.10.08 -
NOD32 3502 2008.10.07 -
Norman 5.80.02 2008.10.07 -
Panda 9.0.0.4 2008.10.07 Generic Trojan
PCTools 4.4.2.0 2008.10.07 -
Prevx1 V2 2008.10.08 Malicious Software
Rising 20.65.21.00 2008.10.08 -
SecureWeb-Gateway 6.7.6 2008.10.08 Trojan.Rootkit.Agent.NFK.1
Sophos 4.34.0 2008.10.08 Troj/Agent-HVP
Sunbelt 3.1.1708.1 2008.10.08 -
Symantec 10 2008.10.08 Trojan Horse
TheHacker 6.3.1.0.103 2008.10.07 -
TrendMicro 8.700.0.1004 2008.10.08 -
VBA32 3.12.8.6 2008.10.07 -
ViRobot 2008.10.8.1411 2008.10.08 -
VirusBuster 4.5.11.0 2008.10.07 -
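As an added example, not code from the thread or from VirusTotal: a small parser for the plain-text report layout quoted above. It computes the detection ratio the posters later count by hand ("14 of 36", "7/28"), lists the scanners that missed the sample, and separates those misses from scanners whose definitions predate the scan day, which is the distinction the "are vendors snowed under?" question turns on. The four-column layout (vendor, version, last update, result) is assumed, and the embedded lines are a subset of the report above.

```python
"""Parse the plain-text VirusTotal report format quoted in this thread and
summarise it the way the posters did by hand ("14 of 36", "7/28")."""
import re
# Subset of the report lines quoted in the thread (layout Vendor Version LastUpdate Result).
REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.10.3.2 2008.10.08 Win-Trojan/Agent.16896.LN
Avast 4.8.1248.0 2008.10.08 -
AVG 8.0.0.161 2008.10.07 Agent.AETS
BitDefender 7.2 2008.10.08 Trojan.Rootkit.Agent.NFK
McAfee 5400 2008.10.07 -
Panda 9.0.0.4 2008.10.07 Generic Trojan
Prevx1 V2 2008.10.08 Malicious Software
TrendMicro 8.700.0.1004 2008.10.08 -
"""

# vendor, version, last update (YYYY.MM.DD), then a result that may contain spaces
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

def parse_report(text):
    """One dict per scanner line ('-' means no detection); header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        vendor, version, updated, result = m.groups()
        entries.append({"vendor": vendor, "version": version, "updated": updated,
                        "result": None if result.strip() == "-" else result.strip()})
    return entries

def detection_ratio(entries):
    """(hits, total): scanners that returned a detection name vs. all scanners."""
    return sum(1 for e in entries if e["result"]), len(entries)

def missed_by(entries):
    """Vendors that reported '-' for the sample."""
    return [e["vendor"] for e in entries if not e["result"]]

def stale_definitions(entries, scan_day):
    """Vendors whose definitions (YYYY.MM.DD, so string order is date order)
    predate the scan day; their misses say little about real coverage."""
    return [e["vendor"] for e in entries if e["updated"] < scan_day]

if __name__ == "__main__":
    rows = parse_report(REPORT)
    print("%d of %d scanners detected the sample" % detection_ratio(rows))
    print("missed by:", ", ".join(missed_by(rows)))
    print("stale definitions:", ", ".join(stale_definitions(rows, "2008.10.08")))
```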

Re: Reporting a new malware sample




| On Wed, 8 Oct 2008 06:32:55 -0400, David H. Lipman wrote:

| David,

| How's about answering my question?

| NB: Identifying that it's infected isn't the problem. Fixing it isn't the
| problem. I've done both, two days ago.

| I confirmed that it was infected via upload to the virustotal.com,
| virscan.org and virus.org sites. I've since re-uploaded/scanned it on those
| sites: it is clear that the various vendors either aren't hooked into them
| at all or are very slow in updating their definitions because there are
| still only a minority recognising it.


My reply clearly stated "In addition Virus Total will provide the sample to all
participating vendors."

You weren't specific as to what vendors.  I have a laundry list of submission
addresses.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Reporting a new malware sample



On Wed, 8 Oct 2008 12:50:25 -0400, David H. Lipman wrote:

You did indeed, sorry I missed that bit.

I've just checked again and the report still shows only 14 of 36 hits. It
was first uploaded (by someone else) on 30-Sep-2008. So after 8 days, 22
vendors' definitions still do not appear to have been updated with its
signature. Are the participating vendors *that* snowed under with samples
to process?

The virustotal report I posted shows the vendors.

Re: Reporting a new malware sample






| The virustotal report I posted shows the vendors.

I meant, you weren't specific as to what vendors you should contact to send the
sample submission.

I'll tell you what.  Send me a sample and I will get it distributed ASAP.  I have
direct contact with numerous anti-malware vendors.

Send it to me in a password-protected ZIP file with the password being: infected
{ password = infected }

Just remove ~nospam~ from my posting email address.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Reporting a new malware sample



On Wed, 8 Oct 2008 15:13:09 -0400, David H. Lipman wrote:

On its way to you. Thanks for your help.

Re: Reporting a new malware sample





| On its way to you. Thanks for your help.

Received and will be disseminated.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Reporting a new malware sample



David H. Lipman wrote:

I thought soliciting virii was a no-no in this venue, unless of course
you happen to be the very guy that harangues others accordingly.

Re: Reporting a new malware sample




| David H. Lipman wrote:

| I thought soliciting virii was a no-no in this venue, unless of course
| you happen to be the very guy that harangues others accordingly.

You are incorrect about "virii".
However you would be correct that it is dissuaded to solicit viruses (malware).

However this isn't a case of an initial post by someone such as...
"I just install AV and I want to test it.  Can you send me a virus to test it"

I agree that it is frowned upon to request samples but there are exceptions.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Reporting a new malware sample



wrote Re Re: Reporting a new malware sample:

I just did a check on a file that was identified by only 7 of 28 scanners.

First received:     10.14.2006 06:36:35 (CET)
Date:     10.14.2006 06:36:35 (CET) [>725D]
Results:     7/28
http://www.virustotal.com/analisis/8dd968d184c7e729e4feef85ba43bdc5

Note that the infected file was first received at VirusTotal.com on
10/14/06 and it was still missed by 21 of 28 scanners. That tells me that

1) scanner companies aren't updating their signatures, or

2) the scanning technology generally used is deficient, or

3) VirusTotal's reports and/or testing are deficient


Re: Reporting a new malware sample




If you will send this file to us at http://uploads.malwarebytes.org I will
get a look at it that day and get its detection and removal added to
MalwareBytes if we don't already know it.

--
Regards,
Dustin Cook,  Author of BugHunter
BugHunter - http://bughunter.it-mate.co.uk
MalwareBytes - http://www.malwarebytes.org
  


Re: Reporting a new malware sample





| If you will send this file to us at http://uploads.malwarebytes.org I will
| get a look at it that day and get its detection and removal added to
| MalwareBytes if we don't already know it.

Dustin:

Done already  :-)



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Reporting a new malware sample



You mean you don't know? That file has been in mine for a few months now.



--
Ignore any posts made by the Stalker Leythos, he's still in love with me.
He started stalking me after I spurned his advances towards me.
He said he would stop Stalking me If I stopped mentioning his name.
As you can see that does not work. He is a sick obsessive STALKER.







Re: Reporting a new malware sample



@nlpi069.nbdc.sbc.com:

Nope, as I have no way of knowing what the file really is by name alone.
Our software isn't batch or script based.


--
Regards,
Dustin Cook,  Author of BugHunter
BugHunter - http://bughunter.it-mate.co.uk
MalwareBytes - http://www.malwarebytes.org
  


Re: Reporting a new malware sample




| @nlpi069.nbdc.sbc.com:

| Nope, as I have no way of knowing what the file really is by name alone.
| Our software isn't batch or script based.


Yes, and the following is NOT the file...

%systemroot%\system32\components\beep.sys

Oooooooops....



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Reporting a new malware sample



And the following is true
http://www.tsgnet.com/pres.php?id=357563&altf=Ebwje1I1Mjqnbo&altl=jt1hbz


--
Ignore any posts made by the Stalker Leythos, he's still in love with me.
He started stalking me after I spurned his advances towards me.
He said he would stop Stalking me If I stopped mentioning his name.
As you can see that does not work. He is a sick obsessive STALKER.





Re: Reporting a new malware sample



says...

I guess that it makes this true also:

http://www.velocityreviews.com/forums/t513604-author-of-removeit.html

http://www.google.com/search?hl=en&q=pcbutts1+thief

And more importantly, Butts has been exposed in a public article that
can be found online:

http://translate.google.co.uk/translate?u=http%3A%2F%2Fwww.tagesanzeiger.ch%2Fdigital%2FSoftwaredieb-2Fdigital%2FSoftwaredieb-zensiert-Schweizer-PCMagazin%2Fstory%2F27917275&sl=de&tl=en&hl=en&ie=UTF-8

Tiny Version of above url:
http://tinyurl.com/4rruwd


--
Leythos - spam999free@rrohio.com (remove 999 to email me)
Public Service Warning: Learn about PCButts before you trust:
http://www.velocityreviews.com/forums/t513604-author-of-removeit.html
http://www.google.com/search?hl=en&q=pcbutts1+thief

Re: Reporting a new malware sample




http://uploads.malwarebytes.org

http://www.virustotal.com


--
Regards,
Dustin Cook,  Author of BugHunter
BugHunter - http://bughunter.it-mate.co.uk
MalwareBytes - http://www.malwarebytes.org
  

