Dropper.Gen and others

Avast does not detect this (more than 12 months old) annoying MSN virus? I had to download Avira to detect and get rid of it. I recommend Avast to everyone, so it is a bit disappointing that such a well known worm is not detected. Is it a problem with updates or the heuristics engine?

Anyway, here are the Avira details:

http://www.avira.com/en/threats/section/details/id_vir/3647/tr_dropper.gen.html
http://www.avira.com/en/threats/section/details/id_vir/3666/html_crypted.gen.html
http://www.avira.com/en/threats/section/details/id_vir/3684/html_infected.webpage.gen.html

So Avast is not detecting viruses, and I can provide information on what it ignores, and not so much as a reason or excuse is provided?

Here is a link to a virus (sent by the virus), detected by Avira but not avast.

hXXp://cruesquarders.com/2cn5rwfkux7lbv.gif

There is a possibility that this is a false positive detection, as only three scanners detect it out of 33 at VirusTotal and one of those is suspicious (likely heuristic detection). So I would say the jury is still out, as I also believe that the .gen suffix of the other two detections might indicate generic detections.

http://www.virustotal.com/analisis/1f892971c77e845d196fa19c8ffbc9ff

File foto-226.jpeg_ozecomplover_hotmai received on 06.22.2008 17:03:25 (CET)

Antivirus / Version / Last Update / Result
AhnLab-V3 2008.6.22.0 2008.06.22 -
AntiVir 7.8.0.59 2008.06.21 TR/Dropper.Gen
Authentium 5.1.0.4 2008.06.21 -
Avast 4.8.1195.0 2008.06.21 -
AVG 7.5.0.516 2008.06.22 -
BitDefender 7.2 2008.06.22 -
CAT-QuickHeal 9.50 2008.06.20 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.06.22 -
DrWeb 4.44.0.09170 2008.06.22 -
eSafe 7.0.15.0 2008.06.22 -
eTrust-Vet 31.6.5892 2008.06.21 -
Ewido 4.0 2008.06.22 -
F-Prot 4.4.4.56 2008.06.21 -
F-Secure 7.60.13501.0 2008.06.20 -
Fortinet 3.14.0.0 2008.06.22 -
GData 2.0.7306.1023 2008.06.22 -
Ikarus T3.1.1.26.0 2008.06.22 -
Kaspersky 7.0.0.125 2008.06.22 -
McAfee 5322 2008.06.20 -
Microsoft 1.3604 2008.06.22 -
NOD32v2 3207 2008.06.22 -
Norman 5.80.02 2008.06.20 -
Panda 9.0.0.4 2008.06.22 -
Prevx1 V2 2008.06.22 -
Rising 20.49.62.00 2008.06.22 -
Sophos 4.30.0 2008.06.22 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.22 -
TheHacker 6.2.92.358 2008.06.21 -
TrendMicro 8.700.0.1004 2008.06.20 -
VBA32 3.12.6.7 2008.06.21 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.22 Trojan.Dropper.Gen

Additional information
File size: 238592 bytes
MD5...: 266b2bc03fa450885bf19b29c3e97ab4
SHA1..: 79d2d897f5b8e1a20ce5b7bfc5f0a42ed7e5b088
SHA256: 6a2daaac2bdd5549b7584461113ebaaa19e96f02918e43999544cc80feb87103
SHA512: f5e79f2caebcc767787ff55977a7fc926b692acc0f7ba01427d0eb78d6b5910463a1ad97234580175889d134f7e56335e5417987d753918c4d3e60ac8f4c0258
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4010db
timedatestamp…: 0x47245f05 (Sun Oct 28 10:05:57 2007)
machinetype…: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x508 0x600 5.87 8155f2af9607c0485034f1124f8afe52
.rdata 0x2000 0x2d0 0x400 3.76 92bb15335120da2937fd49edaf921d5b
.data 0x3000 0x2a2d8 0x2a400 8.00 9e7969e31b96e753f57968869095949a
.data0 0x2e000 0xf022 0xf200 7.90 0aebfa8ae8b60e84d0b4eca4e2e86f9b

( 3 imports )
> KERNEL32.dll: GetProcessWorkingSetSize, WriteConsoleInputA, LocalHandle, IsValidCodePage, FindResourceA, GetProcAddress, WriteConsoleOutputAttribute
> USER32.dll: GetMessageTime, DdeGetData, SetWindowPos, UnregisterClassW, GetForegroundWindow, CheckRadioButton, ReleaseCapture, GetWindowRgn, CallWindowProcA, GetMenuCheckMarkDimensions
> GDI32.dll: CancelDC, SetPolyFillMode, CopyMetaFileA, ModifyWorldTransform

( 0 exports )
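The "ntrpy" column in the PE section table above is the Shannon entropy of each section's raw bytes, and the 8.00 on .data (plus 7.90 on .data0) is the detail a triager reads first: real compiled code and plain data sit well below that, so near-maximal entropy means compressed or encrypted content the program unpacks at run time, which is exactly what generic "Dropper" signatures key on. The following Python is an added example written for this page (it is not from the thread, from VirusTotal or from any of the vendors named) that parses a PE section table the way such a report is produced and flags high-entropy sections. The PE image it analyses is constructed in memory so the script runs offline; the `build_sample_pe` helper and the 7.0 bits/byte threshold are the example's own assumptions, not values from the report.

```python
import hashlib
import math
import struct

SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER is always 40 bytes
COFF_HEADER_SIZE = 20      # IMAGE_FILE_HEADER, follows the "PE\0\0" signature


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for a constant run, 8.0 for uniform noise."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk MZ header -> PE signature -> COFF header -> section table.

    Returns one dict per section with the same columns the report prints
    (virtual address, virtual size, raw size, entropy, md5), computed from the raw bytes.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + COFF_HEADER_SIZE + opt_size      # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr,
            "virsiz": vsize,
            "rawdsiz": rawsize,
            "ntrpy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return sections


def suspicious_sections(sections: list, threshold: float = 7.0) -> list:
    """Names of sections whose entropy is at or above the threshold (assumed 7.0 bits/byte)."""
    return [s["name"] for s in sections if s["ntrpy"] >= threshold]


def build_sample_pe(section_blobs: list) -> bytes:
    """Constructed minimal PE image for offline testing only.

    It has a valid MZ/PE/COFF/section-table skeleton and no optional header,
    so it parses but is not a loadable or runnable executable.
    """
    e_lfanew = 0x40
    nsec = len(section_blobs)
    headers_end = e_lfanew + 4 + COFF_HEADER_SIZE + nsec * SECTION_HEADER_SIZE
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF            # file-align raw data to 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # exactly 0x40 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0x0102)  # I386, no optional header
    table, body, vaddr = b"", b"", 0x1000
    for name, blob in section_blobs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(blob), vaddr,
                             len(blob), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += blob
        vaddr += (len(blob) + 0xFFF) & ~0xFFF           # section-align to 0x1000
    image = dos + b"PE\0\0" + coff + table
    return image + b"\0" * (raw_ptr - len(image)) + body


# Constructed sample: a low-entropy "code" section and a high-entropy "data" section
# (a deterministic SHA-256 counter chain stands in for an encrypted payload).
SAMPLE_SECTIONS = [
    (b".text", b"\x90" * 600 + b"\xC3" * 8),
    (b".data", b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))),
]

if __name__ == "__main__":
    secs = parse_sections(build_sample_pe(SAMPLE_SECTIONS))
    print("name viradd virsiz rawdsiz ntrpy md5")
    for s in secs:
        print(f"{s['name']} {s['viradd']:#x} {s['virsiz']:#x} {s['rawdsiz']:#x} {s['ntrpy']:.2f} {s['md5']}")
    print("high-entropy sections:", suspicious_sections(secs))
```

Run it as a script to get a table in the same column order as the report; point `parse_sections` at the bytes of a real file and the constructed sample is no longer needed. Entropy alone is not a verdict (installers and media resources also score high), which is why the scanners above that fire on this file do so under generic names, but a section at 8.00 in a file that claims to be a .jpeg is a strong reason to submit the sample to a vendor rather than wait for the "jury".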

No,

No jury is out, it is a virus.

I had a completely clean system, clicked on a link similar to what I posted, and then contracted the virus. There is now a hidden MSN window which sends out similar links to people in my contact list. This is a real threat (albeit minor), and not open for interpretation. I am surprised so few of the virus scanners detect it though; is it perhaps a very new variant?

In fact more than 3 virus scanners detect it, at least 5.

http://www.virustotal.com/analisis/90e2da27dc2cb3f06d6fccb2f90b7cb9

Well, that is the file you uploaded now; that isn't the virus you are talking about but what it sends, and what it sends I have uploaded to VT, and from those results the jury is most certainly out on what it sends.

You need to upload the actual virus to VT or submit it to avast, as I have said in the other topic you started.

Not to mention, if it is truly a virus then the link you provided 'could' infect the unwary, so you should modify the post so the link isn't active, e.g. hXXp://cruesquarders.com/2cn5rwfkux7lbv.gif; the XX replacing the tt will break an active link but allow humans to access it if required.

That is two more, and 1 of those is also suspicious. As I keep banging on, send the sample to avast.

Hi josh000,

The difficulty here is that it is a generic detection routine:
"TR/Dropper.Gen

Description:
A generic detection routine designed to detect common family characteristics shared in several variants.

This special detection routine was developed in order to detect unknown variants and will be enhanced continuously."

_fsntfs.sys
014[1].exe
0712301.exe
0801011.exe
1.exe
33.exe
76022_164338_load.exe
76038_788837_newad.exe
76046_8295707_2.exe
anjwsoinhj.exe
bot.exe
darkskp1007.exe
explorer.exe
fk[1].exe
gift_vip_net_VideoAccessCodecInstall.exe
herjt384.exe
iergkj.exe
img604.jpg_jesusmillan160@hotmail.com
it.exe
loader.exe
postal_gusanito.exe
rising95.exe
syskiuf.exe
tcmsetup.dll
Tempmbroit.exe
test.exe
timplatform.exe
tmhcsgbbcf.exe
tmp3595029.exe
tmp608194.exe
vv18.exe

In Grid Unlocker it is a FP, so analyse whether the above can be found on your system,

polonus

David,

What I uploaded is the virus, the executable code that infects and starts spreading itself. I have uploaded the virus, the jury is not out, please do not make excuses. It is clear from the context that the link is a virus, but if you don't think it is, there is nothing to worry about.

Why would I make excuses? I'm an avast user like yourself and I make my comments based on what evidence I see, nothing else; you only need to check the forums to see that.

You still haven't modified the active link, so if you are concerned about the fact avast doesn't detect this, then you should avoid accidental exposure to other avast users.

Josh, please, edit the live link to malware.
Alwil, please, improve detection.

No reply from the avast devs?

I know this is a generic routine, but it is a simple variant of a virus over a year old, so it should still be detected. Avast does not detect Vundo as well, iirc.

This is disturbing to say the least. I’ve used this anti-virus for years and it cannot detect this? Not good fellas. Not good at all. And nothing from the developers huh?

Got to drop it then. I need to trust my anti-virus.