how good is a2?
bunnyhorse
January 21st, 2004, 09:42 AM
Could anyone tell me how good the a2 scanner is?
I tested it myself, but it has very poor detection.
My Norton scanner detects more than the a2 scanner from www.emsisoft.com. Does anyone have the same result?
notageek
January 21st, 2004, 10:24 AM
I was wondering the same thing. :)
spy1
January 21st, 2004, 10:41 AM
Can we please not beat around the bush here?
WHAT else is being detected by Norton? Pete
notageek
January 21st, 2004, 10:46 AM
Sorry Pete, I don't know. I was just wondering how good a² is. I never downloaded it yet or ran any tests. But given that Norton is an AV and a² is an AT (?), I would assume Norton isn't finding anything more than a² is finding.
bunnyhorse
January 21st, 2004, 10:51 AM
I have downloaded several trojan files too and scanned them with
Norton and a2, but Norton detects more. That's really poor for a2.
notageek
January 21st, 2004, 10:56 AM
What trojan files?
Andreas Haak
January 21st, 2004, 11:17 AM
Did you unpack the files? What trojan files did you download? What does Norton find? Can you post a log file?
bunnyhorse
January 21st, 2004, 11:23 AM
<Did you unpack the files?
Sure.
<What trojan files did you download?
Several trojan files from several trojan archives, I think it was 80 files.
<What does Norton find? Can you post a log file?
Can't find a log file, and I deleted the a2 scanner because it has poor detection.
Andreas Haak
January 21st, 2004, 11:28 AM
Well ... if you deleted it, why did you ask for other comments and thoughts? :) Can you send me the trojan files you tested with?
bunnyhorse
January 21st, 2004, 11:38 AM
<Can you send me the trojan files you tested with?
No I can't, because you sell software to users that's really useless and earn money for that. Look for the files yourself and spend your time finding them.
Detox
January 21st, 2004, 11:47 AM
Let's keep it civil. I must say, it appears obvious (to me) that this thread was a "fishing" thread. Let's avoid that in the future and try to keep the conversations "constructive." Thanks.
StarFox
January 21st, 2004, 11:58 AM
Hi bunnyhorse!
There is a free version of a² (a² free) and afaik a² personal is still in beta.
I think all potential users of a² would appreciate your cooperation with Andreas Haak.
But anyway - keep on testing.
Thanks
Primrose
January 21st, 2004, 12:00 PM
Quoting bunnyhorse:
> <Can you send me the trojan files you tested with?
> No I can't, because you sell software to users that's really useless and earn money for that. Look for the files yourself and spend your time finding them.
Nice rant bunnyhorse.. so is that why you joined the forum today? No data... no proof of what you did test, just generalities.. and now you show you have not even been to the a2 forum (even though you did download).
Was it the a2 free or the a2 personal... and did you then at the forum look at the malware database that was loaded to date?
Did you in fact find any badboys on the a2 list that it did not in fact identify for you??
Did it identify any of these 80 for you at all.. and if so what were the names?
Or tell me the names of the ones that Norton found for you.
I think that would be a good place to start.
I know many badboys that a2 and other AT and AV will not ID... but they are not in the wild at this time.. and I do not expect to ever see them again in the wild.. no matter where you downloaded your zoo of 80. :)
bunnyhorse
January 21st, 2004, 12:43 PM
Quoting StarFox:
> There is a free version of a² (a² free) and afaik a² personal is still in beta.
> I think all potential users of a² would appreciate your cooperation with Andreas Haak.
The a2 team tells no one that a2 is a beta, because they are selling it at the moment. A beta version should not be sold to the user, right?
They only tell the people that:
Notice! The greyed parts of the Background Guard will be completed and installed via the online update in the next few days. Some features of the background guard of a² personal are not available for Windows 95, 98 and ME.
But in fact it is beta software and it does not contain all trojan files.
They only speak of functions of the background guard! So a useless beta trojan scanner for $29.95, and European users should pay 35.95 Euro.
bunnyhorse
January 21st, 2004, 12:46 PM
Quoting Primrose:
> Quoting bunnyhorse:
> > <Can you send me the trojan files you tested with?
> > No I can't, because you sell software to users that's really useless and earn money for that. Look for the files yourself and spend your time finding them.
> Nice rant bunnyhorse.. so is that why you joined the forum today? No data... no proof of what you did test, just generalities.. and now you show you have not even been to the a2 forum (even though you did download).
> Was it the a2 free or the a2 personal... and did you then at the forum look at the malware database that was loaded to date?
> Did you in fact find any badboys on the a2 list that it did not in fact identify for you??
> Did it identify any of these 80 for you at all.. and if so what were the names?
> Or tell me the names of the ones that Norton found for you.
> I think that would be a good place to start.
> I know many badboys that a2 and other AT and AV will not ID... but they are not in the wild at this time.. and I do not expect to ever see them again in the wild.. no matter where you downloaded your zoo of 80. :)
I tested a2 personal, but I will come back with a test and publish it here.
Otherwise test it for yourself and see the poor detection rate.
Fact is, the a2 team sells beta software to users that isn't completed!
And look at the main site www.emsisoft.com, the description about a2 personal:
--------------------------------------------------------------------------------------------------
a² personal is primarily a Trojan scanner and remover. But besides Trojan Horses and Backdoors, it also detects other harmful software like Worm Viruses, Dialers and other dangerous tools which are used by attackers to spy on your files. The advanced background guard gives harmful programs no chance to get onto your PC. As from now you have full control over all active programs and their rights on your computer.
--------------------------------------------------------------------------------------------------
I have not read about a beta. You?
Andreas Haak
January 21st, 2004, 01:13 PM
> The a2 team tells no one that a2 is a beta, because they are selling it at the moment. A beta version
> should not be sold to the user, right?
Wrong. There is a notice everywhere - on the purchase page and the download page - that a² personal isn't completed yet. Not completed always means it is unfinished and not final. But well ... I will ask Christian to put a clearer notice on the pages :).
And in fact you missed a second important point:
a² is in fact a subscription service and you pay for a yearly subscription. The subscription itself will start on the day of the final release. So you won't pay for the time while it's not finished.
But well ... surely you already know that and you just try to instigate people on several boards :). I hope you enjoy your game and wish you a nice day :).
*DFTT*
Primrose
January 21st, 2004, 01:25 PM
I certainly know what database of malware they do have at this time...
a² Malware Database
http://www.emsisoft.com/en/support/malware/
which was my purpose in asking you the names and/or more information.
You say beta???? I do not think so.. it is a stable scanner.
Now if you tell me it is not fully loaded then I cannot argue with what I cannot see. But if you plan to do some tests and post them here.. at least make them badboys the scanner lists in the database.
That would be interesting.. ;)
bunnyhorse
January 21st, 2004, 01:30 PM
> The a2 team tells no one that a2 is a beta, because they are selling it at the moment. A beta version
> should not be sold to the user, right?
> Wrong. There is a notice everywhere - on the purchase page and the download page - that a² personal isn't completed yet. Not completed always means it is unfinished and not final. But well ... I will ask Christian to put a clearer notice on the pages.
Wrong, Andreas Haak.
On the download and purchase site it only says this:
--------------------------------------------------------------------------------------
Notice! The greyed parts of the Background Guard will be completed and installed via the online update in the next few days. Some features of the background guard of a² personal are not available for Windows 95, 98 and ME.
--------------------------------------------------------------------------------------
Only information that the background guard is not finished, no information that the software is a beta, no information that the software isn't completed and no information that not all signatures are included!
> But well ... surely you already know that and you just try to instigate people on several boards. I hope you enjoy your game and wish you a nice day.
That is not a game, it is the truth that you sell beta software!!
Shame on you, Andreas Haak!
noname5
January 21st, 2004, 01:46 PM
There are many attempts to cause a flame war. But this may be the clumsiest one I have ever seen ... :-*
spy1
January 21st, 2004, 01:47 PM
Quoting bunnyhorse:
> <Did you unpack the files?
> Sure.
> <What trojan files did you download?
> Several trojan files from several trojan archives, I think it was 80 files.
> <What does Norton find? Can you post a log file?
> Can't find a log file, and I deleted the a2 scanner because it has poor detection.
"Can't find a log file"
(Amazing! Can you find the "Power On" button?)
"deleted the a2 scanner"
(Guess - hope - that actually means you un-installed the scanner - even so, its folder would still be on your computer somewhere [unless you actually did "delete" that] - perhaps a log file is left behind in that?).
"several trojan files from several trojan archives, I think it was 80 files"
(Gee, you don't remember which ones they were or where you got them from - how utterly convenient).
Your credibility with this rates about a minus 10 here, frankly.
Even if you simply wanted to bash the product - you could have done it more intelligently.
As regards the "Beta" status of the program, I'm looking at a thread in the a2 forum ( http://forum.emsisoft.com/viewtopic.php?t=226 ) which clearly calls the current free version a "final".
The status of the "Personal" edition isn't really clear to me - I don't use it. But if people want to pay for it and all the features don't work, or are being constantly changed (IOW, if it's still in a "beta-like" status) that's certainly their privilege (most people regard that as being supportive of the developer and/or getting a chance to play with/beta-test all new improvements/features).
I do agree that the actual functioning/non-functioning of any given component that you're actually purchasing should be clearly denoted on the a2 "Personal" version page ( http://www.emsisoft.com/en/software/personal/ ) - so, at least we agree on something! ;D Pete
subratam
January 21st, 2004, 01:47 PM
Hi bunny,
I thought I would not interfere here as I am not using a² but.. I had to come...
Here in Wilders... we try to help people and be helped in ways that are informative, polite and of course understanding and reading what one says.
I would say to you... if you have any problems regarding anything... you will say it of course, but there are some etiquettes... maybe you know.. or maybe.. leave it...
If you have problems with a² (of course one can have with anything) then I think some of us are having problems with the way you are trying to put up your problems...
You are always welcome here... we are friends here.. and I think we can expect our new friend to be more "friendly".
thx
Primrose
January 21st, 2004, 01:55 PM
Quoting noname5:
> There are many attempts to cause a flame war. But this may be the clumsiest one I have ever seen ... :-*
Be nice.. bunny is just practicing ;D I enjoy your posts also BTW.. but they always make sense. Practice makes perfect.. but I am still trying to figure out the motive here for bunny... guess that last post said it all.
It is tough starting out a new anti-malware program.
Testing it with accredited labs will come some day.
Andreas Haak
January 21st, 2004, 02:16 PM
Quoting spy1:
> I do agree that the actual functioning/non-functioning of any given component that you're actually purchasing should be clearly denoted on the a2 "Personal" version page ( http://www.emsisoft.com/en/software/personal/ ) - so, at least we agree on something! ;D Pete
Changed to:
> Important information! a² personal currently does not have all planned features implemented but is stable. The greyed parts of the Background Guard will be completed and installed via the online update soon. All purchased licenses will be reset on the day of the release of all features to ensure a full year license period.
> Some features of the background guard of a² personal are not available for Windows 95, 98 and ME.
Is it better now? :)
spy1
January 21st, 2004, 02:40 PM
Much better - thank you! Pete
*Except, of course, for the fact that I'm NOT seeing it on the page indicated! :o Isn't it uploaded yet? Pete
Andreas Haak
January 21st, 2004, 02:44 PM
It's cached in your browser. Click refresh :).
wizard
January 21st, 2004, 03:10 PM
Coming back to the original question raised: how good is a²? The freeware version can for the moment be considered nearly as useless as all the other products that don't provide any unpacking/mem scanning feature.
So looking at the commercial version: it's not finished and therefore to test and rate it would be unfair to the programmer.
This gives a rather simple conclusion: until the commercial version is finished it's better to go with an established product if you are looking for protection now. The free version is not enough for protection and might only be useful for all the "I have 200 different security tools just on one PC"-type people.
wizard
spy1
January 21st, 2004, 03:14 PM
<g> I must be doing something wrong here (or looking at the wrong page).
I'm looking at this page: http://www.emsisoft.com/en/software/personal/ .
I closed the tab in Mozilla, then re-clicked on that link - it's either not there, or it's not in the body of the main page. Same with IE 6.0.
Can anyone else see it? I'll check back later - gotta get to work. Pete
spy1
January 21st, 2004, 03:17 PM
Quoting wizard:
> The free version is not enough for protection and might only be useful for all the "I have 200 different security tools just on one PC"-type people.
wizard - OUCH! lol! Pete
*But you know, come to think of it - how else am I supposed to be able to keep up with everybody else's stuff?? Let them know about false positives, or problems that new components may cause?
Now, if I could just find someone that would buy me an additional five or so high-end computers..... ;D
Andreas Haak
January 21st, 2004, 03:22 PM
> Coming back to the original question raised: how good is a²? The freeware version can for the moment be considered
> nearly as useless as all the other products that don't provide any unpacking/mem scanning feature.
a² free and personal both provide process memory scan and process module memory scan :).
Andreas Haak
January 21st, 2004, 03:22 PM
Quoting spy1:
> <g> I must be doing something wrong here (or looking at the wrong page).
> I'm looking at this page: http://www.emsisoft.com/en/software/personal/ .
> I closed the tab in Mozilla, then re-clicked on that link - it's either not there, or it's not in the body of the main page. Same with IE 6.0.
> Can anyone else see it? I'll check back later - gotta get to work. Pete
It's on the download and the purchase page.
wizard
January 21st, 2004, 03:30 PM
Quoting Andreas Haak:
> a² free and personal both provide process memory scan and process module memory scan :).
Yes, you are right, I remember the process memory scan was there but the memory signatures were missing - that's why I could not test it. Are all missing (memory) signatures included now? Then I will redownload the program and redo my testing. :)
wizard
Andreas Haak
January 21st, 2004, 03:36 PM
Not all, but we started adding them ...
Primrose
January 21st, 2004, 03:48 PM
Quoting wizard:
> Quoting Andreas Haak:
> > a² free and personal both provide process memory scan and process module memory scan :).
> Yes, you are right, I remember the process memory scan was there but the memory signatures were missing - that's why I could not test it. Are all missing (memory) signatures included now? Then I will redownload the program and redo my testing. :)
> wizard
Redo testing...???
:) Glad to see someone is still testing. How are you going to test this a2 and against what?
This is now the third test mentioned in this thread and no one has yet even qualified how they are going to be doing it or the test bench.. but rather just a Sunday drive after they state they have "done it before and were not happy" or "they are going to do it again cause their NAV found some trojans but they just can't seem to remember which ones."
Which ones are you going to be using.. or is it an empirical type test?
wizard
January 21st, 2004, 03:58 PM
Tests for my personal interest are rather simple. I take some samples out of my private collection and do some functional tests, like how the program performs against runtime packing or how easy it is to avoid detection by patching.
My findings so far on a² freeware: of course no unpacking capabilities; mem scan was not working, or rather, for the trojan I tried a signature was not available yet. I also tried some easy tests with patching. Overall I must say that I was not really impressed.
wizard
Andreas Haak
January 21st, 2004, 04:01 PM
Well ... a² free only uses fingerprints. It's quite easy to patch them. But well ... that will change, too ... .
noname5
January 21st, 2004, 04:24 PM
It seems to me that the process & module memory scanner is currently the main benefit which a2 can offer to the user.
Therefore, adding signatures for the memory scanner should have priority. The filescanner does not need any signatures for trojans until it is supported by a generic unpacking engine (see, for example, BOClean which does not have a file scanner at all). Consequently, the trojan fingerprints should be removed. The file scanner could still be responsible for detecting dialers etc.
Primrose
January 21st, 2004, 05:07 PM
Quoting wizard:
> Tests for my personal interest are rather simple. I take some samples out of my private collection and do some functional tests, like how the program performs against runtime packing or how easy it is to avoid detection by patching.
> My findings so far on a² freeware: of course no unpacking capabilities; mem scan was not working, or rather, for the trojan I tried a signature was not available yet. I also tried some easy tests with patching. Overall I must say that I was not really impressed.
> wizard
Well, that is an honest answer and much appreciated in this silly thread, so thank you ;) That is a type of empirical testing - based on experience or observational information and not necessarily on proven scientific data.
The a2 free is not much at this point, and all know Andreas well enough that if you just ask him point blank questions on what anything he has developed will do and/or will not do at that point and how it works technically... he will tell you.. he has never tried to tell me anything that was not true, at least.. even at his own site.
So any way you could help him with the explanations of the different products, that you think will be more understandable in English or German to the majority of people who read his forum.. or the write-ups.. I am sure would be appreciated.
Andreas Haak
January 21st, 2004, 05:18 PM
>Therefore, adding signatures for the memory scanner should have priority.
In fact it does not. a² has a time problem while loading signatures. So the next release of the engine has priority.
>The filescanner does not need any signatures for trojans until it is supported by a generic unpacking engine
Well ... generic unpacking has weaknesses and is exploitable. Emulators are quite slow. So you can simply fool them by adding useless loops to the code at the entry point of the file. They will simply stand still or will stop emulation. And generic unpacking has a second weakness: the scanner has to detect that a file is packed using a kind of heuristic that can sometimes be easily fooled.
Not to mention that it's in my opinion simply impossible to unpack/decrypt modern protectors like XtremeProtector or Armadillo that reassemble their own code into the binary code of the application or that use kernel mode decryption/protection/unpacking. So generic unpacking helps only if the script kiddies are "outdated" and still use "normal" EXE packers like UPX or ASPack ... .
>Consequently, the trojan fingerprints should be removed.
Consequently, not. For unpacked files and memory images it would use strong code-based signatures. You cannot add code-based signatures of a packed file because the only code inside is the unpacking/decrypting stub. So you would detect every packed/crypted file. In these cases a² will use a checksum over the packed code as done in the current version.
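The three detection granularities contrasted in the post above (a whole-file fingerprint as used by a² free, a code-based signature that only works on an unpacked file or on a memory image, and a checksum over the packed code as the fallback) can be put side by side in a few lines. The following is an added example, not a2 code or anything from Emsisoft: the "executable" is a constructed byte string with a code part and a data part, and the "packer" is a constructed stub followed by a one-byte XOR, which is enough to show why each method succeeds or fails against a patched copy and a packed copy.

```python
import hashlib

# Constructed toy "executable": a short code section followed by a data section.
# Assumption: the file is just code + data; real PE files carry headers and
# several sections, which changes nothing about the comparison below.
CODE = bytes.fromhex("5589e583ec10c745fc00000000e8000000005dc3")
DATA = b"report to: c2.example.invalid\x00"
ORIGINAL = CODE + DATA

# Toy packer stub (constructed bytes). In a packed file this decoder is the
# only code left; the original code only exists again once the stub has run.
STUB = bytes.fromhex("60e8000000005b")


def whole_file_fingerprint(sample: bytes) -> str:
    """Fingerprint over the whole file, as a pure fingerprint scanner stores it."""
    return hashlib.sha256(sample).hexdigest()


def code_signature(sample: bytes, offset: int, length: int) -> bytes:
    """Code-based signature: a byte pattern cut out of the executable code."""
    return sample[offset:offset + length]


def pack(sample: bytes, key: int) -> bytes:
    """Pack a sample: stub followed by every byte XORed with a one-byte key."""
    return STUB + bytes(b ^ key for b in sample)


def unpack_in_memory(packed: bytes, key: int) -> bytes:
    """What the stub produces at run time, i.e. the image a memory scanner sees."""
    return bytes(b ^ key for b in packed[len(STUB):])


def packed_checksum(packed: bytes) -> str:
    """Checksum over the packed code: the fallback when no real code is visible."""
    return hashlib.sha256(packed[len(STUB):]).hexdigest()


def compare_detection_methods() -> dict:
    """Pit the three methods against a patched copy and a packed copy of ORIGINAL."""
    key = 0x5A
    known_fp = whole_file_fingerprint(ORIGINAL)
    known_sig = code_signature(ORIGINAL, 0, 12)        # first 12 bytes of code
    known_packed_sum = packed_checksum(pack(ORIGINAL, key))

    # One-byte patch in the data section, the kind of edit a hex editor makes.
    patched = bytearray(ORIGINAL)
    patched[len(CODE) + 3] ^= 0x01
    patched = bytes(patched)

    packed = pack(ORIGINAL, key)
    repacked_patched = pack(patched, key)

    return {
        "fingerprint_catches_patched": whole_file_fingerprint(patched) == known_fp,
        "code_sig_catches_patched": known_sig in patched,
        "code_sig_catches_packed_on_disk": known_sig in packed,
        "code_sig_catches_memory_image": known_sig in unpack_in_memory(packed, key),
        "packed_checksum_catches_packed": packed_checksum(packed) == known_packed_sum,
        "packed_checksum_catches_repacked_patched": packed_checksum(repacked_patched) == known_packed_sum,
        "code_sig_catches_repacked_patched_in_memory": known_sig in unpack_in_memory(repacked_patched, key),
    }


if __name__ == "__main__":
    for name, hit in compare_detection_methods().items():
        print(f"{name:45s} {'DETECTED' if hit else 'missed'}")
```

Running compare_detection_methods() reproduces the pattern wizard and Andreas describe: flipping one data byte defeats the whole-file fingerprint but not the code signature; packing hides the code from a scan of the file on disk while the memory image still matches; and the checksum over the packed body catches exactly that build, so a patch followed by repacking evades it again while the memory image is still caught by the same code signature.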
noname5
January 21st, 2004, 05:41 PM
"Why? It's good to have a fallback detection method and in fact it doesn't cost that much time to scan a file using the simple fingerprint ... "
O.k. ... I assumed the removal of the fingerprints would help you to solve the speed problem so that additional mem signatures could be added. If this does not work ... no reason to remove the fingerprints.
"in my opinion simply impossible to unpack/decrypt modern protectors like XtremeProtector or Armadillo"
You are possibly right. Against this background it may be worth considering the use of backup signatures taken from a file's resource section (like McAfee does).
The mem scanner of course should be able to decrypt Armadillo. But it seems that you have already found a solution for this problem.
Looking forward to testing the mem scanner with at least one trojan ... ;-)
noname5
January 21st, 2004, 05:44 PM
Seltsam, you have tricked me. ;D
Since your post has been edited my post does not fit anymore. I cannot edit my own post. That's unfair ;-)
Andreas Haak
January 21st, 2004, 05:48 PM
Register and login ... quite easy ...
Primrose
January 21st, 2004, 05:50 PM
Quoting noname5:
> Seltsam, you have tricked me. ;D
> Since your post has been edited my post does not fit anymore. I cannot edit my own post. That's unfair ;-)
Yes, play fair Andreas.. now edit your post back... guests are at a disadvantage when you move so fast. :(
4A6F4A6F
January 21st, 2004, 06:09 PM
nautilus should remember the password and just use the login button to post here ::)
OK, you can 'fool' every scanner.. also the best of the best, bla etc., mem scanners; it depends on the signature. So if a scanner has a real.. I mean real mem scanner - and not a fake one which only catches the PID and re-scans the file locally on the hard drive or something like that - you can also make a malware undetectable if you know which kind of signature the scanner uses to detect the malware. So a mem scanner is nice but useless if the scanner uses weak signatures.
And I think an unpacking engine is nice and useful. I like the one from Kaspersky; OK, it also has some weak points, but again it can be useful.. see the evolution of AV programs, KAV was one of the first programs with this (or not?).. and Symantec.. lol, they just added that kind of unpacking stuff in their latest version; other AV vendors are also trying to, or have just added, such a useful function in their product.
noname5
January 21st, 2004, 06:14 PM
"now edit your post back...guest are in a disadvantage when you move so fast."
No problem. I won't give up ;-)
@Seltsam
"Well ... generic unpacking has weaknesses and is exploitable. Emulators are quite slow. So you can simply fool them by adding useless loops to the code at the entry point of the file. They will simply stand still or will stop emulation. And generic unpacking has a second weakness: the scanner has to detect that a file is packed using a kind of heuristic that can sometimes be easily fooled."
Agreed. I have already planned to patch a loop (using CPU time) into a UPX packed sample in order to test ewido's and TDS-4's emulation.
"Consequently, not. For unpacked files ... "
I believe there are almost no unpacked trojans. Only stupid testers may require a2 to have signatures for unpacked trojans.
"... and memory images it would use strong code-based signatures."
This makes indeed a whole lot of sense.
"You cannot add code-based signatures of a packed file because the only code inside is the unpacking/decrypting stub. So you would detect every packed/crypted file. In these cases a² will use a checksum over the packed code as done in the current version."
If possible, the checksum should not cover the entire file because this will make it easier to patch a trojan. In many cases it will suffice to take a signature from the resource section (see Armadillo). If this is not possible, however, you can still use a big fingerprint.
Andreas Haak
January 21st, 2004, 06:32 PM
>Agreed. I have already planned to patch a loop (using CPU time) into a UPX packed sample in order to test
>ewido's and TDS-4's emulation.
Would be interesting :).
>I believe there are almost no unpacked trojans. Only stupid testers may require a2 to have signatures for
>unpacked trojans.
But if I add the a² emulator or some other kind of unpacking I don't have to add new signatures ;).
>If possible, the checksum should not cover the entire file because this will make it easier to patch a trojan.
>In many cases it will suffice to take a signature from the resource section (see Armadillo). If this is not
>possible, however, you can still use a big fingerprint.
As I said: "In these cases a² will use a checksum over the packed code as done in the current version."
Signatures taken from the resources are sometimes useful. Maybe as a fallback method. We will see.
tobias
January 22nd, 2004, 11:08 AM
> Well ... generic unpacking has weaknesses and is exploitable. Emulators are quite slow. So you can simply fool them by adding useless loops to the code at the entry point of the file. They will simply stand still or will stop emulation.
No, they don't stand still.... they emulate the loop and after that they can successfully unpack the file. The only disadvantage is the cost of time...
> And generic unpacking has a second weakness: the scanner has to detect that a file is packed using a kind of heuristic that can sometimes be easily fooled.
To fool a heuristic is harder than to fool a simple signature of the entry point!
Compare these two "disadvantages" to static unpacking:
If I add loops to the unpack stub, the signature of the entry point changes and the static unpacker has NO CHANCE to unpack the file.... an emulation has the chance! It only takes time...
> As I said: "In these cases a² will use a checksum over the packed code as done in the current version."
Only one word ;) -> polymorphic crypter.....
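The disagreement between Andreas and tobias above is about what happens when a loop is put in front of the unpacking stub: a static unpacker keyed to the entry point fails outright, an emulator with a step limit gives up, and an unbounded emulator gets through at the cost of time. The toy below, an added example that is not a2, ewido or TDS code, makes that concrete and also covers the "polymorphic crypter" objection to a checksum over the packed code. The "stub" is a constructed list of instructions rather than x86 so the emulator fits in a few lines; the crypter is modelled as a different key and different junk loops per build, and the payload bytes are constructed.

```python
import hashlib

# Constructed toy "packed file": an unpacking stub written as a tiny instruction
# list plus an XOR-encoded payload. A real stub is x86 code; the list form keeps
# the emulator readable. None of this is a2, ewido or TDS code.
PAYLOAD = bytes.fromhex("5589e583ec10c745fc00000000e8000000005dc3") + b"report to: c2.example.invalid\x00"
PAYLOAD_SIG = PAYLOAD[:12]   # code-based signature for the unpacked image


def build_packed(key: int, junk_loops=()) -> dict:
    """Pack PAYLOAD. junk_loops puts busy loops in front of the real stub,
    the trick described for stalling an emulator."""
    stub = [("loop", n) for n in junk_loops] + [("xor", key), ("jmp_payload",)]
    body = bytes(b ^ key for b in PAYLOAD)
    return {"stub": stub, "body": body}


def packed_checksum(sample: dict) -> str:
    """Checksum over the packed code: stub instructions plus encoded body."""
    return hashlib.sha256(repr(sample["stub"]).encode() + sample["body"]).hexdigest()


def static_unpack(sample: dict):
    """Static unpacker: recognises the known stub by its entry point only.
    Anything in front of the expected first instruction breaks recognition."""
    stub = sample["stub"]
    if len(stub) == 2 and stub[0][0] == "xor" and stub[1] == ("jmp_payload",):
        key = stub[0][1]
        return bytes(b ^ key for b in sample["body"])
    return None


def emulate(sample: dict, max_steps=None):
    """Generic unpacking by emulation: run the stub one step at a time.
    Returns (unpacked_bytes_or_None, steps_used). With max_steps set, the
    emulator gives up once the budget is spent, as some engines do."""
    steps = 0
    mem = sample["body"]
    for op, *args in sample["stub"]:
        if op == "loop":
            for _ in range(args[0]):
                steps += 1
                if max_steps is not None and steps > max_steps:
                    return None, steps          # budget exhausted, give up
        elif op == "xor":
            steps += 1
            mem = bytes(b ^ args[0] for b in mem)
        elif op == "jmp_payload":
            steps += 1
            return mem, steps                   # control reaches unpacked code
    return None, steps


def compare_unpackers() -> dict:
    vanilla = build_packed(0x2B)
    delayed = build_packed(0x2B, junk_loops=(50_000,))
    # Two outputs of a "polymorphic crypter": a different key and different
    # junk in front of the stub for every build of the same payload.
    poly_a = build_packed(0x11, junk_loops=(3,))
    poly_b = build_packed(0x99, junk_loops=(5, 7))

    delayed_budget, _ = emulate(delayed, max_steps=10_000)
    delayed_full, delayed_steps = emulate(delayed)
    return {
        "static_unpacks_vanilla": static_unpack(vanilla) == PAYLOAD,
        "static_unpacks_delayed": static_unpack(delayed) == PAYLOAD,
        "budgeted_emulator_unpacks_delayed": delayed_budget == PAYLOAD,
        "unbounded_emulator_unpacks_delayed": delayed_full == PAYLOAD,
        "steps_needed_for_delayed": delayed_steps,
        "packed_checksums_match_across_poly_builds": packed_checksum(poly_a) == packed_checksum(poly_b),
        "signature_matches_both_poly_memory_images": all(PAYLOAD_SIG in emulate(s)[0] for s in (poly_a, poly_b)),
    }


if __name__ == "__main__":
    for name, value in compare_unpackers().items():
        print(f"{name:45s} {value}")
```

The delayed sample needs 50,002 emulated steps (the loop, the XOR, the jump), so an engine with a 10,000-step budget gives up exactly as Andreas says, while an unbounded one finishes as tobias says; the static unpacker fails as soon as the entry instruction is not the one it expects. The two polymorphic builds get different packed checksums, so the fallback needs one entry per sample, whereas the same code signature matches both memory images after unpacking.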
noname5
January 22nd, 2004, 11:40 AM
@blablabla
1.
"only one word -> polymorphic crypter....." Actually, two words. "Morphine" would be one ;-)
2.
Can you estimate the ratio between CPU (real) speed and emulation speed? (For example, a ratio of 10:1 would mean that a 1-minute loop would take the ewido emu 10 minutes to process.)
@Seltsam
I can understand that you want to complete the file scanning engine first. It's probably a matter of having unfinished business or not.
A working mem scanner, however, would be a real "added value" which could be combined with the multitude of file scanners which are already on the market.
Andreas Haak
January 22nd, 2004, 03:51 PM
>no, they don't stand still....they emulate the loop and after that they can successfully unpack the file. the
>only disadvantage ist the cost of time...
And the fact that some emulations will stop emulation after a certain number of steps (don't know if this is the case in ess ... ).
>to fool a heuristic is harder than to fool a simple signature of the entrypoint!
Right :). But I did not defend static unpacking because in fact static unpacking is way more stupid than generic unpacking using an emulator *fg*. But well ... in my opinion unpacking in general (no matter if generic or static) is a thankless venture :).
>only one word ;) -> polymorphic crypter.....
Well ... poly plugin :).
Andreas Haak
January 22nd, 2004, 03:55 PM
>I can understand that you want to complete the file scanning engine first. It's probably a matter of having
>unfinished business or not.
I want to complete the new SCAN ENGINE first. Not the file scan engine.
controler
January 27th, 2004, 07:57 PM
Anybody know why the a2 forum is down?
controler
hayc59
January 27th, 2004, 10:46 PM
;D It's back ;)
Andreas Haak
January 27th, 2004, 11:40 PM
It was down for a few minutes while installing several kernel updates :).
wizard
January 29th, 2004, 02:37 PM
a2 is failing to detect ITW worm Mimail.Q. I just can't believe that a program which can only detect 7 worms is not even able to detect those 7 correctly.
wizard
Primrose
January 29th, 2004, 02:48 PM
Quoting wizard:
> a2 is failing to detect ITW worm Mimail.Q. I just can't believe that a program which can only detect 7 worms is not even able to detect those 7 correctly.
> wizard
Yes, and what about version S..
http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.s@mm.html
LOL this board software sure does not like those @@@@
wizard
January 29th, 2004, 03:10 PM
a2 doesn't claim to detect Mimail.S but for Mimail.Q a2 does.
wizard
Primrose
January 29th, 2004, 03:26 PM
Maybe it is a differnet Q they sure make those letter confusing depending on what side of the world you live these days ;)
Name: W32/Mimail.Q
Type: Worm of Internet, polymorphic
Alias: W32/Mimail.q@MM, I-Worm.Mimail.q, W32/Sysout.A.worm, W32.Mimail.Q@mm, W32/Mimail.Q.worm, W32/Mimail.gen@MM
Size: 32.768 bytes
Platform: Windows 32-bit
Port: TCP/3000
Date: 26/ene/04
http://www.vsantivirus.com/mimail-q.htm
Worm detected for the first time the 26 of January of 2004. It is a variant of the family of the Mimail, able to rob personal information and data of credit cards, being like a false form of Microsoft.
Name: W32/Mimail.S
Type: Worm of Internet
Alias: W32/Mimail-S, W32.Mimail.R@mm, W32/Mimail.gen@MM
Size: 11.520 bytes
Platform: Windows 32-bit
Date: 29/ene/04
http://www.vsantivirus.com/mimail-s.htm
Worm detected for the first time the 29 of January of 2004. It is a variant of the Mimail.Q, able to rob personal information and data of credit cards, showing a false form of Microsoft.
Which Q do YOU have that it will not detect ??
wizard
January 29th, 2004, 03:37 PM
-{ Quote: Primrose:
Which Q do YOU have that it will not detect ??
}-
The version KAV detects as "Q". a2 uses KAV malware naming as well. See also this list http://www.emsisoft.com/a2/malware/a2.txt
wizard
Primrose
January 29th, 2004, 03:58 PM
That of course is NOT what I am asking...since you have stated that a2 will not detect Q that must mean you have a copy of it...so we are talking about YOUR copy and nothing else..since the actual attachment is the same for both the Q and the S..I am assuming that you executed your copy or took it apart and found the first to be true...is that correct ???
:)
W32.Mimail.Q@mm
Creates the files:
%Windir%\Sys32.exe: This file is a polymorphic encrypted version of the worm, which the Outlook.exe component sends.
%Windir%\Outlook.exe:
The first part of the attachment name consists of one of the following words:
my
priv
private
prv
the
best
super
great
cool
wild
sex
followed by one or two underscores or a dash, and then one of the following words:
pic
img
phot
photos
pctrs
images
imgs
scene
plp
act
action
and one of the following extensions:
.pif
.scr
.exe
.jpg.scr
.jpg.pif
.jpg.exe
.gif.exe
.gif.pif
.gif.scr
The worm contains text threatening to perform a Denial of Service (DoS) on a particular ISP, and on any ISP that attempts to prevent stolen information from reaching the author.
****************************************
W32.Mimail.S@mm
When W32.Mimail.S@mm is executed, it performs the following actions:
Copies itself as %Windir%\rabbit.exe and then executes the file.
Registers itself as a service.
Adds the value:
"RabbitWannaHome"="%Windir%\rabbit.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when Windows starts.
The first part of the attachment name consists of one of the following words:
my
priv
private
prv
the
best
super
great
cool
wild
sex
followed by one or two underscores or a dash, then one of the following words:
pic
img
phot
photos
pctrs
images
imgs
scene
plp
act
action
and then one of the following extensions:
.pif
.scr
.exe
.jpg.scr
.jpg.pif
.jpg.exe
.gif.exe
.gif.pif
.gif.scr
The worm queries www.google.com periodically to check the network status.
************************
And I am assuming since you are posting all that info in this thread that no matter which one you do have that you have no intentions of sending it off to them..;-)
Is that correct ?
One of those he can find it himself ??? >:(
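A defender-side matcher for the attachment naming scheme quoted in the two writeups above (prefix word, one or two underscores or a dash, second word, one of the listed extensions), as an added example that is not part of the original post or of Symantec's text; the mail-log lines it triages are constructed.

```python
import re

# Word lists and extensions exactly as given in the W32.Mimail.Q@mm / S@mm
# descriptions quoted above. Both variants use the same scheme.
PREFIXES = ["my", "priv", "private", "prv", "the", "best", "super", "great",
            "cool", "wild", "sex"]
SUBJECTS = ["pic", "img", "phot", "photos", "pctrs", "images", "imgs", "scene",
            "plp", "act", "action"]
EXTENSIONS = [".pif", ".scr", ".exe", ".jpg.scr", ".jpg.pif", ".jpg.exe",
              ".gif.exe", ".gif.pif", ".gif.scr"]


def _alt(words):
    """Build a regex alternation, longest words first so 'private' is not
    consumed as 'priv' plus leftover characters."""
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))


# Anchored on both ends: the whole attachment name must be built from the scheme.
MIMAIL_NAME = re.compile(
    r"^(?P<prefix>" + _alt(PREFIXES) + r")"
    r"(?P<sep>__?|-)"                      # one or two underscores, or a dash
    r"(?P<subject>" + _alt(SUBJECTS) + r")"
    r"(?P<ext>" + _alt(EXTENSIONS) + r")$",
    re.IGNORECASE,
)


def classify_attachment(name):
    """Return the matched parts as a dict, or None if the name does not fit."""
    m = MIMAIL_NAME.match(name.strip())
    return m.groupdict() if m else None


def triage(log_lines):
    """Scan constructed mail-log lines of the form 'sender<TAB>attachment' and
    return (sender, attachment, extension) for every name matching the scheme."""
    hits = []
    for line in log_lines:
        sender, _, attachment = line.partition("\t")
        parts = classify_attachment(attachment)
        if parts:
            hits.append((sender, attachment, parts["ext"]))
    return hits


# Constructed sample log (hypothetical senders, not real data).
SAMPLE_LOG = [
    "alice@example.test\tholiday.jpg",            # benign single extension
    "bob@example.test\tmy_photos.jpg.scr",        # matches: double extension
    "carol@example.test\tsuper-action.pif",       # matches: dash separator
    "dave@example.test\tprivate__pic.gif.exe",    # matches: two underscores
    "erin@example.test\tmypic.exe",               # no separator: not the scheme
    "frank@example.test\tbest_report.doc",        # wrong subject and extension
]
```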
wizard
January 29th, 2004, 04:15 PM
-{ Quote: Primrose:
One of those he can find it himself ??? >:( }-
Andreas has the worm. As I mentioned earlier: Take a look at the list of detected malware of a2 (see link in my posting above). Mimail.Q is listed but there is no working detection yet which is the key point here. In the meantime Andreas has promised Rokop-Security to fix the problem.
wizard
notageek
January 29th, 2004, 06:22 PM
But we can all agree that a2 is coming along well.
Primrose
January 29th, 2004, 06:26 PM
-{ Quote: wizard:
-{ Quote: Primrose:
One of those he can find it himself ??? >:( }-
Andreas has the worm. As I mentioned earlier: Take a look at the list of detected malware of a2 (see link in my posting above). Mimail.Q is listed but there is no working detection yet which is the key point here. In the meantime Andreas has promised Rokop-Security to fix the problem.
wizard
}-
Yes wizard..I read that thread at Rokop even before you came flying over here to the Wilders forum with your first post up there..
http://www.rokop-security.de/board/index.php?showtopic=1834&hl=
>:(
and I know who found the Mimail.Q and I know what Roman told you over there with your rant.. and I know what someone else posted about TH and all I can say to you one more time.. ~~snipped (LowWaterMark)~~ ..and we both know why you could not answer the questions frankly as I posed them to you above..it is because you really had nothing to do with it all.. and you, wizard, just picked up a little gossip in a great German security forum and tried to smear it in this a2 thread at Wilders..even though the Admin of the forum knew exactly what to do.
You are not here to help the Security Community..you are just looking for a little action.
- Snipped personalized comment out. LWM
Andreas Haak
January 29th, 2004, 11:25 PM
@wizard:
I don't have to explain to you the difference between the dropper and the worm itself. The dropped file (the real worm) is already detected. So if you say the Mimail.Q worm is undetected you are definitely wrong. If you say the polymorphic dropper is undetected, you are right.
But well ... especially for you and the guys at Rokop I have added detection for the polymorphic dropper, too.
wizard
January 30th, 2004, 01:19 AM
-{ Quote: Primrose:
You are not here to help the Security Community..you are just looking for a little action.
}-
I am getting a little bit tired of your personal attacks. If you take all negative postings regarding a² personally then that's your problem not mine. EOD.
wizard
wizard
January 30th, 2004, 01:27 AM
-{ Quote: Andreas Haak:
So if you say the Mimail.Q worm is undetected you are definitely wrong.
}-
I am not talking about the dropper. I have the two dropped files which means the files which are present in the system after an infection. Both were not detected.
With the latest update this problem seems to be resolved.
wizard
Andreas Haak
January 30th, 2004, 01:44 AM
Tried several dropped files now - all are detected with the update of 27. But well ... its ok. As you said they all are detected now.
Detox
January 30th, 2004, 09:55 AM
I've moved the last reply to this thread for admin review as to whether it will return. In the meanwhile, please try to keep this discussion on the right track.
Andrew
LowWaterMark
January 30th, 2004, 11:34 AM
-{ Quote: Detox: I've moved the last reply to this thread for admin review as to whether it will return. In the meanwhile, please try to keep this discussion on the right track. }-
It won't be back and the poster knows why. Personal attacks have no place here - period!
srfox
February 12th, 2004, 10:31 PM
You have to realize that A2 is still in Beta phase, so it doesn't have all the signatures necessary to detect everything. More is being added daily, so until it comes out of beta, I wouldn't be too quick to judge.
someguest
February 13th, 2004, 06:27 AM
I think you missed something... officially it's out of the beta phase, at least the free version.
notfooled
February 13th, 2004, 07:06 AM
The personal version is offered for sale on the website and still doesn't have all the features and I doubt if it ever will. Do you see anywhere on the website the word beta?
notfooled
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums