Is this possible?

Hi :slight_smile:

2-4 hours ago I sent the ExeFile to VT and got these results: http://www.virustotal.com/sl/analisis/8c78a3a10ffd3f55c053b22a4176d9b5583e82ca54363e771463afe46c742b37-1263492781

I sent this to XXXX lab (via mail) and got this answer:

-Juninho:

Thank you for your submission. We have analyzed the file you submitted and it is not a false positive. The file is infected with Zbot.

Joe Frederick, MCSE, CCNA
QA Engineer
Sunbelt Software

Thx and have a nice day. :slight_smile:

Is what possible?
Some info on the original file might help, e.g. its location and if it has been on the system for some time, etc.

The lab response, or the fact that so few detect it (3) on virustotal, or that of those which did, two are generic and the other heuristic, which are more prone to FPs?

Try sending it here for a detailed analysis of the file, http://anubis.iseclab.org/?action=home and post the results URL.

http://anubis.iseclab.org/?action=result&task_id=1c81ae5dea885aae4b9086dfe4e143db1&format=txt

http://anubis.iseclab.org/?action=result&task_id=128eb3857f2563914b17111d56e390c3f&format=txt

Have a nice day. :wink:

Whilst files often legitimately create registry keys, it is not so common to monitor them, as in the:

Summary: - Performs Registry Activities: The executable reads and modifies registry values. It also creates and monitors registry keys.

Unfortunately Anubis doesn't state clearly whether it considers it suspicious/malicious, etc.

That is why my questions about:
1. Its location (path) are important to get some background on it.

2. As is how long it has been on your system, and add to that what you know about the program it is associated with.

OK, a further update: Anubis classes this as low risk, see the HTML results.

I downloaded this and uploaded it to another detailed analysis scanner, which also considers it suspicious: http://camas.comodo.com/cgi-bin/submit?file=8c78a3a10ffd3f55c053b22a4176d9b5583e82ca54363e771463afe46c742b37

So I would submit this to avast as a possible undetected malware:
Send the sample to virus@avast.com, zipped and password protected, with the password in the email body; a link to this topic might help, and put "undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already in the chest), where it can do no harm, and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename it.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Today I sent the same ExeFile to VT and got these results: http://www.virustotal.com/analisis/8c78a3a10ffd3f55c053b22a4176d9b5583e82ca54363e771463afe46c742b37-1263569181

I already sent this to Avast. :wink:

What is generic and heuristic?

Have a nice day. :slight_smile:

http://www.lmgtfy.com/?q=What+is+generic+and+heuristic+virus+detection :smiley:

That appears to be the same analysis report; if you upload a file that has already been analysed, VT offers the 'old' report. You should always have it re-analyse the file.

I get different results…

File respect.exe received on 2010.01.15 15:26:21 (UTC)
Current status: finished
Result: 16/41 (39.02%)

EDIT: I never noticed the threatexpert md5/prevx comparison on VT… quite informative…

Weird, I'm sure I got the 3/41 result the first time I looked; now I get 16/41, so it looks like the early suspicions were correct.

I have just resubmitted it to avast.

Is something wrong with VT? My friend sent the file to xxxx lab... He was sure that this was a false alarm.

Virustotal:http://www.virustotal.com/analisis/a7c637eb8ec6d50988d8f436eb856495be9820e43679b0ab272c6f08a02d6f29-1263578349

He got this mail answer:

-Dear Andrej

The file you've submitted is indeed malicious.

Regards.

Is something wrong with VT?

Have a nice day. :slight_smile:

You keep mentioning xxxx lab (rather than a specific name); that is only one source, whereas virustotal has 41 scanners, so there are going to be differences.

You have already seen that the file you first submitted only had 3/41; the next day you scanned it again and got 16/41 detections. That is how things progress, as other scanners get samples of the malware and add it to their signatures.

That is also why I give other analysis sites, which do a detailed analysis of a file and what it does, and that can at times give a better determination of whether it is malicious than a simple scan against 'known virus signatures'.
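The two VT links for the first sample share the same 64-hex path component and differ only in the trailing number, which is why the 'old' report came back: the path identifies the file by its hash and the suffix is the Unix time of that particular analysis. The script below is an added example (not code from this thread or from VirusTotal) that pulls those two fields out of the old-style report URLs quoted above, groups reports per sample so you can see how many times one file was analysed and when, and hashes a local file so you can confirm the bytes you hold are the sample a report describes before sending it anywhere. It assumes the 64-hex component is the file's SHA-256 and the suffix is a Unix timestamp; the THREAD_REPORTS list is copied from the posts above, and the bytes passed to matches_report at the bottom are a constructed placeholder, not the real sample.

```python
import hashlib
import re
from datetime import datetime, timezone

# VirusTotal report URLs copied from this thread. Assumption: the path carries
# the sample's SHA-256 followed by the Unix time the analysis was run.
THREAD_REPORTS = [
    "http://www.virustotal.com/sl/analisis/8c78a3a10ffd3f55c053b22a4176d9b5583e82ca54363e771463afe46c742b37-1263492781",
    "http://www.virustotal.com/analisis/8c78a3a10ffd3f55c053b22a4176d9b5583e82ca54363e771463afe46c742b37-1263569181",
    "http://www.virustotal.com/analisis/a7c637eb8ec6d50988d8f436eb856495be9820e43679b0ab272c6f08a02d6f29-1263578349",
]

# Matches the old-style "/analisis/<sha256>-<unixtime>" path, with or without
# a language prefix such as "/sl/" before it.
_VT_PATH = re.compile(r"/analisis/([0-9a-fA-F]{64})-(\d{9,10})/?$")


def parse_report_url(url):
    """Return (sha256_hex, analysis_time_utc) for an old-style VT report URL."""
    m = _VT_PATH.search(url)
    if m is None:
        raise ValueError("not a VirusTotal report URL: %r" % url)
    sha256 = m.group(1).lower()
    when = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return sha256, when


def group_by_sample(urls):
    """Map each SHA-256 to the sorted list of analysis times seen for it."""
    groups = {}
    for url in urls:
        sha256, when = parse_report_url(url)
        groups.setdefault(sha256, []).append(when)
    for times in groups.values():
        times.sort()
    return groups


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file on disk in chunks, so large samples are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_report(data, report_url):
    """True only if the bytes you hold are the sample the VT report describes."""
    sha256, _ = parse_report_url(report_url)
    return sha256_of_bytes(data) == sha256


def describe(urls):
    """One summary line per distinct sample: report count and time window."""
    lines = []
    for sha256, times in sorted(group_by_sample(urls).items()):
        first, last = times[0], times[-1]
        lines.append("%s... %d report(s), %s to %s UTC" % (
            sha256[:12], len(times),
            first.strftime("%Y-%m-%d %H:%M:%S"),
            last.strftime("%Y-%m-%d %H:%M:%S")))
    return lines


if __name__ == "__main__":
    for line in describe(THREAD_REPORTS):
        print(line)
    # Constructed placeholder bytes, not the sample from the thread: this should
    # print False, which is the point of checking before you submit anything.
    print(matches_report(b"MZ placeholder, not the real respect.exe", THREAD_REPORTS[0]))
```

Run it as-is to see that the thread's three links cover only two distinct samples, with the first one analysed twice a day apart; point sha256_of_file at a file on disk and compare against parse_report_url's hash when you want to be sure you are discussing the same bytes as the report.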

Is something wrong if I write the name of his AV program?

He sent this file: wxxw.alwaysinwork.com/kvusa/newload.php?ids=MDAC

Have a nice day. :slight_smile:

Unmask Parasites on wxxw.alwaysinwork.com/kvusa/newload.php?ids=MDAC
http://www.UnmaskParasites.com/security-report/?page=www.alwaysinwork.com/kvusa/newload.php%3Fids%3DMDAC
reports that it is not a web page.

Not listed at hpHosts, but MBAM is blocking IP 213.108.56.18

WOT: http://www.mywot.com/en/scorecard/www.alwaysinwork.com

No, nothing wrong in it, because it provides us with some information on exactly what detected it, so we have something to compare with.

@ pondus,
Going to just the domain name gives no hits on Unmask Parasites; however this site seems to be private, or you have to jump through some hoops to access it (@ JuninhoSlo, can you shed any light on why we can't get into the site?).