Very poor detection from MAJOR av on this trojan, whats up????

  I found this file on a hacked server a few weeks ago.

 A scan by all the major AV programs shows that less than 1/2 detected
this file.

The great Kaspersky and McAfee do not see it.  Makes you warm and
fuzzy, don't it.

What's the excuse for this?


AntiVir    7.3.1.38    02.22.2007    TR/Dldr.Banload.ZV.4
Authentium    4.93.8    02.23.2007    no virus found
Avast    4.7.936.0    02.22.2007    no virus found
AVG    386    02.22.2007    Downloader.Dadobra.EW
BitDefender    7.2    02.23.2007    Trojan.Downloader.Banload.ZV
CAT-QuickHeal    9.00    02.22.2007    (Suspicious) - DNAScan
ClamAV    devel-20060426    02.22.2007    no virus found
DrWeb    4.33    02.23.2007    Trojan.DownLoader.18159
eSafe    7.0.14.0    02.23.2007    Suspicious Trojan/Worm
eTrust-Vet    30.4.3420    02.22.2007    no virus found
Ewido    4.0    02.22.2007    Downloader.Delf.acc
FileAdvisor    1    02.23.2007    no virus found
Fortinet    2.85.0.0    02.22.2007    W32/Dloader.FUQ!tr
F-Prot    4.3.1.45    02.22.2007    no virus found
F-Secure    6.70.13030.0    02.23.2007    no virus found
Ikarus    T3.1.0.31    02.22.2007    Trojan-Downloader.Win32.Banload.btw
Kaspersky    4.0.2.24    02.23.2007    no virus found
McAfee    4969    02.22.2007    no virus found
Microsoft    1.2204    02.23.2007    no virus found
NOD32v2    2076    02.22.2007    a variant of Win32/TrojanDownloader.Dadobra.IA
Norman    5.80.02    02.22.2007    no virus found
Panda    9.0.0.4    02.23.2007    Trj/Downloader.MPX
Prevx1    V2    02.23.2007    no virus found
Sophos    4.14.0    02.21.2007    no virus found
Sunbelt    2.2.907.0    02.22.2007    Trojan-Downloader.Banload.ZV
Symantec    10    02.23.2007    no virus found
TheHacker    6.1.6.062    02.21.2007    no virus found
UNA    1.83    02.22.2007    no virus found
VBA32    3.11.2    02.22.2007    suspected of Worm.Viking.7 (paranoid heuristics)
VirusBuster    4.3.19:9    02.22.2007    no virus found


Re: Very poor detection from MAJOR av on this trojan, whats up????

On 22 Feb 2007 19:58:37 -0800, ginkobelowya@gmail.com wrote:


And? What do the analysts at McAfee and Kaspersky have to say about
the file?

Art
http://home.epix.net/~artnpeg

Re: Very poor detection from MAJOR av on this trojan, whats up????

ginkobelowya@gmail.com wrote:

The big players don't detect a lot of what I come across, it's nothing new,
but Kaspersky don't often miss stuff, along with NOD32.



Prioritisation, maybe they have not seen a sample before, or are still
working on it.
--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.

Re: Very poor detection from MAJOR av on this trojan, whats up????

 Well, this is in the wild for WEEKS now, and at the very least the
big names should be detecting it. I'm assuming the scanning service is
reliable in that they are running the latest versions.

  If something EASY to find like this is getting past them, they are
doing a pretty lousy job.


Re: Very poor detection from MAJOR av on this trojan, whats up????


|  Well, this is in the wild for WEEKS now, and at the very least the
| big names should be detecting it. I'm assuming the scanning service is
| reliable in that they are running the latest versions.
|
|   If something EASY to find like this is getting past them, they are
| doing a pretty lousy job.

The Banload Trojan has been in the wild for a long time, but has this variant?

Ikarus -- Trojan-Downloader.Win32.Banload.btw

NOD32v2 -- Win32/TrojanDownloader.Dadobra.IA



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Very poor detection from MAJOR av on this trojan, whats up????

  The point is, if it takes WEEKS for a variant to get into scanners,
not to mention NEW Virii, how is that going to protect anyone?

   And if the other scanners already were detecting it WEEKS ago, what
is the excuse for the others, that charge good money to keep up to
date?


Re: Very poor detection from MAJOR av on this trojan, whats up????

On 23 Feb 2007 21:00:33 -0800, ginkobelowya@gmail.com wrote:


Considering how many viruses are released every min, we should be
congratulating them not berating them. Also, no matter how good a
company is at releasing updates for new viruses there is no substitute
for common sense.

--
Don't worry! Tomorrow will always be a better day!

Re: Very poor detection from MAJOR av on this trojan, whats up????


|   The point is, if it takes WEEKS for a variant to get into scanners,
| not to mention NEW Virii, how is that going to protect anyone.
|
|    And if the other scanners already were detecting it WEEKS ago, what
| is the excuse for the others, that charge good money to keep up to
| date.

A company has to have a sample to write a signature and detect the malware.
Just because other vendors recognize a sample for weeks doesn't mean ALL AV
vendors will.

Did YOU actually submit this sample to the AV vendors weeks ago?

BTW:  There are no new "Virii" or "viri" as the plural of virus is viruses.
http://spl.haxial.net/viruses.html
http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html
http://linuxmafia.com/~rick/faq/plural-of-virus.html

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Very poor detection from MAJOR av on this trojan, whats up????

  Thanks for the English lesson,  I know I am in the company of giants
now.


  Back to more important matters, maybe this is a good reason for
these guys to be cooperating with each  other in this regard.

  If you think I am going to submit something to 20 companies as an
unpaid volunteer, you are badly overestimating my goodwill.

  PS  I did go so far as to directly contact by phone, the VICTIM
whose OPEN server hosted this virus, so I am not totally without the
spirit.


Re: Very poor detection from MAJOR av on this trojan, whats up????


|   Thanks for the English lesson,  I know I am in the company of giants
| now.
|
|   Back to more important matters, maybe this is a good reason for
| these guys to be cooperating with each  other in this regard.
|
|   If you think I am going to submit something to 20 companies as an
| unpaid volunteer, you are a badly overestimating my goodwill.
|
|   PS  I did go so far as to directly contact by phone, the VICTIM
| whose OPEN server hosted this virus, so I am not totally without the
| spirit.

Cooperate?

Actually, now that Microsoft is into AV, there is less.  There was a recent case
of an MS Office Exploitation file and Microsoft wrote signatures for their
product but refused to share the samples with the traditional AV vendors.

I want you to know I understand your POV but I also want you to understand this
isn't a Black & White situation and there are many variables as to why
signatures aren't created immediately.

I have a situation with McAfee concerning a Pakes sample.  I submitted it in the
beginning of February and I supplied it to a direct contact at McAfee.  Even
Microsoft got this sample...

Complete scanning result of "SteveIrwin-DEATHVIDEO.exe", processed in VirusTotal at
02/04/2007 21:34:28 (CET).

[ file data ]
* name: SteveIrwin-DEATHVIDEO.exe
* size: 39697
* md5.: 7a68535ae7a1951456a532825098c9f5
* sha1: ea10c8e5f57848658f403d3d8cb24a27ad4c0f26

[ scan result ]
AntiVir 7.3.1.34/20070204 found [TR/Drop.Pakes.120]
Authentium 4.93.8/20070203 found [W32/Trojan.MDH]
Avast 4.7.936.0/20070204 found [Win32:Delf-CIV]
AVG 386/20070204 found [Generic2.IST]
BitDefender 7.2/20070204 found [Trojan.Pakes.CTL]
CAT-QuickHeal 9.00/20070203 found nothing
ClamAV devel-20060426/20070204 found nothing
DrWeb 4.33/20070204 found [Trojan.Dunz]
eSafe 7.0.14.0/20070203 found [suspicious Trojan/Worm]
eTrust-InoculateIT 30.4.3364/20070202 found nothing
eTrust-Vet 30.3.3366/20070203 found nothing
Ewido 4.0/20070204 found [Dropper.Pakes]
F-Prot 4.2.1.29/20070203 found [W32/Trojan.MDH]
Fortinet 2.85.0.0/20070204 found [W32/Agent.DBX!tr]
Ikarus T3.1.0.31/20070204 found [Trojan-Dropper.Win32.Pakes]
Kaspersky 4.0.2.24/20070204 found [Trojan-Dropper.Win32.Pakes]
McAfee 4955/20070202 found nothing
Microsoft 1.2101/20070204 found [TrojanSpy:Win32/Logsnif.gen]
NOD32v2 2036/20070204 found [a variant of Win32/Spy.Delf.JQ]
Norman 5.80.02/20070202 found [W32/Pakes.XY]
Panda 9.0.0.4/20070204 found [Trj/Agent.DBX]
Prevx1 V2/20070204 found nothing
Sophos 4.13.0/20070202 found nothing
Sunbelt 2.2.907.0/20070202 found nothing
Symantec 10/20070204 found [Trojan Horse]
TheHacker 6.0.3.162/20070202 found [Trojan/Dropper.Pakes]
UNA 1.83/20070203 found [TrojanDropper.Win32.Pakes.F22B]
VBA32 3.11.2/20070204 found [Trojan-Dropper.Win32.Pakes]
VirusBuster 4.3.19:9/20070204 found [Trojan.DR.Pakes.CZ]

[ notes ]
packers: UPX


Tested again just now...

Complete scanning result of "SteveIrwin-DEATHVIDEO.exe", processed in VirusTotal at
02/25/2007 01:26:10 (CET).

[ file data ]
* name: SteveIrwin-DEATHVIDEO.exe
* size: 39697
* md5.: 7a68535ae7a1951456a532825098c9f5
* sha1: ea10c8e5f57848658f403d3d8cb24a27ad4c0f26

[ scan result ]
AntiVir 7.3.1.38/20070225 found [TR/Drop.Pakes.120]
Authentium 4.93.8/20070223 found [W32/Trojan.MDH]
Avast 4.7.936.0/20070223 found [Win32:Delf-CIV]
AVG 386/20070224 found [Generic2.IST]
BitDefender 7.2/20070224 found [Trojan.Pakes.CTL]
CAT-QuickHeal 9.00/20070224 found [TrojanDropper.Pakes]
ClamAV devel-20060426/20070225 found nothing
DrWeb 4.33/20070225 found [Trojan.Dunz]
eSafe 7.0.14.0/20070223 found [Win32.Pakes]
eTrust-Vet 30.4.3424/20070223 found nothing
Ewido 4.0/20070224 found [Dropper.Pakes]
F-Prot 4.3.1.45/20070222 found [W32/Trojan.MDH]
F-Secure 6.70.13030.0/20070224 found [Trojan-Dropper.Win32.Pakes]
FileAdvisor 1/20070225 found nothing
Fortinet 2.85.0.0/20070224 found [W32/Agent.DBX!tr]
Ikarus T3.1.0.31/20070224 found [Trojan-Dropper.Win32.Pakes]
Kaspersky 4.0.2.24/20070225 found [Trojan-Dropper.Win32.Pakes]
McAfee 4970/20070223 found nothing
Microsoft 1.2204/20070224 found [TrojanSpy:Win32/Logsnif.gen]
NOD32v2 2079/20070224 found [probably a variant of Win32/Spy.Delf.JG]
Norman 5.80.02/20070223 found [W32/Pakes.XY]
Panda 9.0.0.4/20070224 found [Trj/Agent.DBX]
Prevx1 V2/20070225 found nothing
Sophos 4.14.0/20070224 found [Troj/Delf-EAW]
Sunbelt 2.2.907.0/20070224 found [Trojan.Unclassified.gen]
Symantec 10/20070225 found [Trojan Horse]
TheHacker 6.1.6.063/20070223 found [Trojan/Dropper.Pakes]
UNA 1.83/20070223 found [TrojanDropper.Win32.Pakes.3FC4]
VBA32 3.11.2/20070224 found [Trojan-Dropper.Win32.Pakes]
VirusBuster 4.3.19:9/20070224 found [Trojan.DR.Pakes.CZ]

[ notes ]
packers: UPX


One last statement...
Over the last 30 days or so I have submitted over 1200 samples to way more than
just 20 vendors.

I am willing to do this for you.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
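The two VirusTotal reports quoted above for the same md5 differ only in signature date, which is the whole point of the thread: coverage lag per engine. As an added example (not code from any poster here), this Python snippet parses that 2007-era plain-text report format, computes each run's detection ratio, and lists the engines that gained detection between the two dates. The embedded report lines are excerpted from the thread; the regex and function names are my own.

```python
import re

# One line of the 2007-era VirusTotal plain-text report, e.g.
#   "McAfee 4970/20070223 found nothing"
#   "Sophos 4.14.0/20070224 found [Troj/Delf-EAW]"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)/(\d{8})\s+found\s+(?:nothing|\[(.+)\])\s*$")

def parse_scan(report):
    """Map engine name -> detection label, or None where it 'found nothing'."""
    results = {}
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header, [ file data ] and blank lines do not match
            engine, _version, _sigdate, label = m.groups()
            results[engine] = label
    return results

def detection_ratio(results):
    """Return (engines that flagged the sample, engines that scanned it)."""
    return sum(label is not None for label in results.values()), len(results)

def newly_detecting(old, new):
    """Engines that found nothing in the old run but flag the sample in the new one."""
    return sorted(e for e, lbl in new.items() if lbl is not None and old.get(e) is None)

# Excerpt of the two reports quoted in the thread (same md5, three weeks apart).
SCAN_FEB04 = """
CAT-QuickHeal 9.00/20070203 found nothing
ClamAV devel-20060426/20070204 found nothing
eSafe 7.0.14.0/20070203 found [suspicious Trojan/Worm]
Kaspersky 4.0.2.24/20070204 found [Trojan-Dropper.Win32.Pakes]
McAfee 4955/20070202 found nothing
Sophos 4.13.0/20070202 found nothing
Sunbelt 2.2.907.0/20070202 found nothing
"""
SCAN_FEB25 = """
CAT-QuickHeal 9.00/20070224 found [TrojanDropper.Pakes]
ClamAV devel-20060426/20070225 found nothing
eSafe 7.0.14.0/20070223 found [Win32.Pakes]
Kaspersky 4.0.2.24/20070225 found [Trojan-Dropper.Win32.Pakes]
McAfee 4970/20070223 found nothing
Sophos 4.14.0/20070224 found [Troj/Delf-EAW]
Sunbelt 2.2.907.0/20070224 found [Trojan.Unclassified.gen]
"""

if __name__ == "__main__":
    old, new = parse_scan(SCAN_FEB04), parse_scan(SCAN_FEB25)
    print("Feb 04: %d/%d engines   Feb 25: %d/%d engines" % (detection_ratio(old) + detection_ratio(new)))
    print("gained detection between runs:", newly_detecting(old, new))
```

Feeding the full reports from the thread in place of the excerpts gives the per-vendor lag for all engines, which is the figure worth tracking when deciding how much to rely on any one signature product.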


