How to report false negatives?

Viruses and worms
1

Hi. I had recently got across several Autorun-based infections on my pendrive, which luckily (I have Vista) I did not execute. But these infections were composed of an executable file e.g. auto.exe, fun.xls.exe (both caught by avast!), and an autorun.inf, which avast! did not detect at all. Is there any way to report this and provide some samples?

Thanks in advance!

2

did you take a look inside the autorun.inf? you can open it in notepad and post the content here… then we can tell you why is this file not yet detected (in fact some autoruns are padded with random garbage etc, what makes the detection quite difficult, because we’re dealing with an text file)…

3

Since I’ve cleaned up my memory card, I can’t even recover a sample of an autorun.inf.

I’ll surely get infected :slight_smile: on Monday or Tuesday (I have IT classes and the computers are full of worms). So then I’ll post and add some samples, OK?

See ya! ;D

4

As promised, I got infected with lots of trojans.

Here goes first autorun:


[AutoRun]
open=auto.exe
shell\open=´ò¿ª(&O)
shell\open\Command=RavMon.exe
shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
shell\explore\Command="RavMon.exe -e"
shellexecute=auto.exe
shell\Auto\command=auto.exe

(seems that it was firstly infected with RavMon, then auto.exe appended its own content…)

Second autorun:


[AutoRun]
;iDsseDaDSDfs2La5dwJ3fo
open=auto.exe
;rkl4i9Kawswk3nfAwdO
shell\open\Command=uxkl0apt.bat
shellexecute=auto.exe
shell\Auto\command=auto.exe
5

the second snippet contains some garbage comments, i have seen them many times… they can increase the suspiciousness of the whole file, but the main point is to detect the autoruns regardless their comments… unforunately the format of autorun.inf may be quite variable (conficker e.g. used unicode autoruns padded with lots of binary garbage - these files didn’t look like text)… there’s also a situation, when someone uses autorun.inf to run autorun.exe (that’s pretty common on cd/dvd, but may be fishy on hard drives) - then you’re not able to simply judge that’s something bad… our priority is to detect the autorunned binaries - when they’re cleaned up, then the autorun.inf is sterile…