Possible rogue attachment detected in MSE but not Avast

Hi all,
I’ve got two installs of XP on the same PC (it’s a long story).
On one I have Avast free (latest version) and on the other MSE.

I was browsing my yahoo mail today and saw a post that looked immediately
suspicious. I decided to download the attached zip file to see what was inside.
MSE notified me of a threat while it was downloading and dealt with it.

Later, I logged onto the other XP and downloaded the attachment, but neither
Avast nor MBAM had anything to say about this file.

Here’s the virustotal info:
http://www.virustotal.com/file-scan/report.html?id=5baed0bbd3d71e16d7a9a0b7ac9820424358964b4f465ffd10be7c62797deb13-1303700887

I still have the zip file. Would Avast like me to upload it somewhere for investigation?

You can send it to virus @ avast.com in a password-protected zip file.
mail subject: undetected sample
zip password: infected

You may add a link to this topic in the mail.

Thanks for the instructions, file sent in 7z format, hope that’s OK.

That’s OK.
Thanks for helping…! :slight_smile:
asyn

Still no detection by avast: http://www.virustotal.com/file-scan/report.html?id=5baed0bbd3d71e16d7a9a0b7ac9820424358964b4f465ffd10be7c62797deb13-1303738682 (18/42, 42.9%)

pol

Hey virus analysts… we need to improve on detection! :slight_smile:

Not sure, as the avast VPS used in VT is from the 25th…
Maybe it’s already detected and we don’t know it.

Avast5 5.0.677.0 2011.04.25

avast! detects it. :slight_smile:
http://www.virustotal.com/file-scan/report.html?id=5baed0bbd3d71e16d7a9a0b7ac9820424358964b4f465ffd10be7c62797deb13-1304060309

Something to this? Avast a day or two behind MSE in detecting this and similar?
According to virustotal, it was first seen on April 25th, yet MSE detected it on the same day.

How did they know about it?

Probably because it is using a generic signature, if you have a look at the malware name.

Generic and heuristic signatures are designed to pick up new variants of a specific type, so it is possible to detect first-day stuff. The issue is having a balance in generic and heuristic signatures so that they aren’t too sensitive and throw up many FPs, or too lax to detect new variants.

Most of the detections on these VT results, including avast, are by generic signatures.
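As an added illustration of the trade-off described above (not code from this thread or from avast), a toy signature scanner in Python run over constructed byte strings standing in for files: an exact-hash signature catches only the known sample, a tight generic pattern also catches a new variant of the same hypothetical family, and an over-loose generic pattern catches the variant but also flags a benign file (a false positive). The family marker "HOSTIL", the file contents and the signature names are all made up for the example.

```python
import hashlib
import re

# Constructed sample "files" (plain byte strings, not real malware).
# VARIANT_A and VARIANT_B belong to one hypothetical family and differ
# in a few bytes; BENIGN is an unrelated file that happens to share a
# common string with them.
VARIANT_A = b"MZ\x90\x00HOSTIL\x01\x02beacon 10.0.0.1 every 60s\x00"
VARIANT_B = b"MZ\x90\x00HOSTIL\x07\x09beacon 10.0.0.2 every 30s\x00"   # new variant
BENIGN = b"MZ\x90\x00HELLO monitor tool, beacon 10.0.0.1 status page\x00"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Specific signature: an exact hash, so it matches exactly one file.
HASH_SIGS = {sha256(VARIANT_A): "Trojan.Example.A"}

# Generic signatures: byte patterns with wildcard bytes, meant to cover
# variants. The tight one anchors on the family marker plus the bytes
# around it; the loose one keys only on a string benign files may share.
GENERIC_SIGS = {
    "Trojan-gen (tight)": re.compile(rb"MZ.{2}HOSTIL..beacon", re.DOTALL),
    "Trojan-gen (loose)": re.compile(rb"beacon 10\.0\.0\.\d+", re.DOTALL),
}


def scan(data: bytes) -> list:
    """Return the names of every signature that fires on the file."""
    hits = []
    name = HASH_SIGS.get(sha256(data))
    if name:
        hits.append(name)
    for name, pattern in GENERIC_SIGS.items():
        if pattern.search(data):
            hits.append(name)
    return hits


def false_positives(sig_name: str, benign_files: list) -> int:
    """Count benign files a given signature would wrongly flag."""
    return sum(1 for f in benign_files if sig_name in scan(f))


if __name__ == "__main__":
    for label, sample in (("A", VARIANT_A), ("B", VARIANT_B), ("benign", BENIGN)):
        print(label, scan(sample))
```

Running it shows the hash signature missing variant B entirely, the tight generic pattern catching both variants and nothing else, and the loose pattern catching both variants plus the benign file.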

But it is also a question of checking on available resources to further detection. The candidate rogue attachments for detection do not come “falling from the sky”, so to speak. As soon as there is a follow-up source (name, file hash, domain, IP, IP migration report, etc. etc.) to be followed up, and certainly when there is a wepawet report or Anubis analysis, or a monkey wrench beta analysis or a jsunpack detection etc., or even a ThreatExpert report, then there is not much of an excuse for not having detection, or for not having created a sinkhole for where the malcode is being launched from, pending detection. We know what the malware domains are, we know the migration reports for IP ranges, we even know when domains have been registered for a specific purpose, when they are alive and active, dead, locked etc. etc., and in a lot of cases we have the user community reporting on another line. So, I agree on detection of first-day stuff: yes, there you may be very lucky, but not catching up a fortnight later is another matter; this time it was just a couple of days…

polonus

Hi all, here’s a little more background on this item.
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3AWin32%2FHostil.gen!A&threatid=2147620602

Hi davexnet & others,

We have detection now: http://www.virustotal.com/file-scan/report.html?id=5baed0bbd3d71e16d7a9a0b7ac9820424358964b4f465ffd10be7c62797deb13-1304060309

Avast detects it as Win32:Trojan-gen.

polonus

See Reply #7 :wink:

Hello Asyn,

You have beaten me to it; where were my specs?
Thanks for checking with Reply #7. The most important thing is that we have detection now.

Kind regards,

polonus