8 Virus Scanners vs 3 infected files!


Technodrome
August 15th, 2002, 12:57 PM
A couple of nights ago I received (voluntarily) 3 files from some IRC channel! They were xxx.dll.xxx.exe (I won't name them, for security reasons). All three files were the same size (9.21 KB). I knew they could be potentially malicious code (in fact they were)... The files were written in pure assembly language, with use of a Slavic language. I decided to play with these files just for the fun of it.

During download, my primary virus scanner didn't pick them up as infected. No surprise here, these files were fairly strange. I decided to use other virus scanners to check these files for possible infection. Better yet, to test the heuristic analyzers!

Here are results:
Kaspersky AV without heuristics - Nothing
Kaspersky AV with heuristics - Nothing

DrWeb32 AV without heuristics - Nothing
DrWeb32 AV with heuristics - Nothing

Command AV with heuristics (automatic) - Nothing

F-Secure with heuristics (automatic) - Nothing

RAV 8.6 (engine 8.7) without heuristics - Nothing
RAV 8.6 (engine 8.7) with heuristics - Nothing

NOD32 1.298 without heuristics - Nothing
NOD32 1.298 with heuristics (deep) - Nothing

Sophos 3.60 without heuristics - Nothing (Sophos AV uses no heuristics)

F-Prot 3.12a without heuristics - Nothing
F-Prot 3.12a with heuristics - Nothing
F-Prot 3.12a with neural heuristics enabled - 3 suspicious files found

In this particular case 6 heuristic engines failed to identify the infected files. F-Prot was the only one able (by using extra-strength heuristics) to identify the files as suspicious.


Technodrome
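The detection table above is a hand-kept record of eight engines against three same-size files. The following is an added example (not part of Technodrome's post or any product's code) of how to make such a run reproducible: each sample is identified by its SHA-256 so that three 9.21 KB files can be told apart (or recognised as duplicates), each engine is run once per heuristic mode with a timeout and its raw verdict kept, and the summary comes out in the thread's own format. The `examplescan` command and its `--heuristics=...` flags are placeholders, as is the fake engine in `demo()`; substitute each product's real command line and the exit code it uses to signal a detection.

```python
"""Added example (not from the thread): a reproducible multi-engine scan matrix.

Samples are identified by SHA-256, not by size or name, and every scanner is run
once per mode with the raw verdict preserved. 'examplescan' and its flags are
placeholders; substitute each product's real command line and detection exit code."""
import hashlib
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable


@dataclass
class Scanner:
    name: str
    modes: dict[str, list[str]]        # mode label -> argv template, "{path}" is replaced
    detect_exit_codes: frozenset[int]  # exit codes the product uses for "found something"


@dataclass(frozen=True)
class Sample:
    path: Path
    size: int
    sha256: str


Runner = Callable[[list[str]], tuple[int, str]]


def fingerprint(path: Path) -> Sample:
    data = path.read_bytes()
    return Sample(path, len(data), hashlib.sha256(data).hexdigest())


def unique_samples(samples: list[Sample]) -> dict[str, list[Sample]]:
    """Group by hash: identical size and naming pattern does not mean identical content."""
    groups: dict[str, list[Sample]] = {}
    for s in samples:
        groups.setdefault(s.sha256, []).append(s)
    return groups


def subprocess_runner(argv: list[str], timeout: int = 120) -> tuple[int, str]:
    """Real runner: a timeout keeps one hanging engine from stalling the whole matrix."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout + proc.stderr


def scan_matrix(samples, scanners, runner: Runner = subprocess_runner):
    """Returns {(scanner, mode, sha256): (detected, raw_output)}."""
    results = {}
    for sc in scanners:
        for mode, template in sc.modes.items():
            for s in samples:
                argv = [a.replace("{path}", str(s.path)) for a in template]
                code, out = runner(argv)
                results[(sc.name, mode, s.sha256)] = (code in sc.detect_exit_codes, out.strip())
    return results


def summarize(results, samples, scanners) -> list[str]:
    """One line per scanner/mode, in the format used in the thread."""
    lines = []
    for sc in scanners:
        for mode in sc.modes:
            hits = sum(results[(sc.name, mode, s.sha256)][0] for s in samples)
            verdict = "Nothing" if hits == 0 else f"{hits} suspicious files found"
            lines.append(f"{sc.name} {mode} - {verdict}")
    return lines


def demo() -> tuple[list[str], int]:
    """Constructed samples plus a fake engine standing in for a real product."""
    marker = b"CONSTRUCTED-SUSPICIOUS-MARKER"
    body_a = b"A" * 100 + marker
    body_c = b"C" * 100 + marker  # same size as body_a, different bytes
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, body in (("x1.exe", body_a), ("x2.exe", body_a), ("x3.exe", body_c)):
            p = Path(tmp) / name
            p.write_bytes(body)
            paths.append(p)
        samples = [fingerprint(p) for p in paths]

        def fake_runner(argv: list[str]) -> tuple[int, str]:
            # Placeholder engine: only its 'neural' mode notices the constructed marker.
            data = Path(argv[-1]).read_bytes()
            if "--heuristics=neural" in argv and marker in data:
                return 1, f"{argv[-1]}: suspicious (heuristic)"
            return 0, f"{argv[-1]}: clean"

        scanner = Scanner(
            name="examplescan",
            modes={
                "no-heuristics": ["examplescan", "--heuristics=off", "{path}"],
                "heuristics": ["examplescan", "--heuristics=on", "{path}"],
                "neural": ["examplescan", "--heuristics=neural", "{path}"],
            },
            detect_exit_codes=frozenset({1}),
        )
        results = scan_matrix(samples, [scanner], runner=fake_runner)
        return summarize(results, samples, [scanner]), len(unique_samples(samples))


if __name__ == "__main__":
    lines, distinct = demo()
    print("\n".join(lines))
    print(f"{distinct} distinct samples by SHA-256")
```

Two of the three constructed files are byte-identical, so the hash grouping reports 2 distinct samples even though all three are the same size; that is the check the "9.21 KB each" observation in the post cannot give you.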

wizard
August 15th, 2002, 02:59 PM
What was the malicious activity of that file? Virus? Trojan?

wizard

Technodrome
August 15th, 2002, 03:54 PM
It was a virus. After executing, it deleted files from local drives, similar to W97M/Melissa activities. I'd say a very classic one. I believe it also damaged my system BIOS (not sure, still investigating)...
Pretty powerful virus. My old computer suffered a great deal of pain.

Is there a twist between CIH and W97M? I heard a rumor that VXers are working on a new version of CIH.
???


Technodrome

minacross
August 15th, 2002, 06:05 PM
Could you please check them with NAV2002 and PC-cillin 2002 and tell us the result?? ??? ::) ???

Technodrome
August 15th, 2002, 06:33 PM
I am sorry but I don't have those two products!


Technodrome

minacross
August 15th, 2002, 07:02 PM
Could you guide us to where we can get these virus files??
I have both NAV2001 and PCC2002 to check them with.

FanJ
August 15th, 2002, 08:02 PM
Quoting minacross:
    Could you guide us to where we can get these virus files??
    I have both NAV2001 and PCC2002 to check them with.

Sorry Minacross,

We don't give links to those places.

Technodrome
August 15th, 2002, 08:54 PM
Quoting minacross:
    Could you guide us to where we can get these virus files??
    I have both NAV2001 and PCC2002 to check them with.

Not me! Maybe someone else. ;)


Technodrome

kdcdq
August 15th, 2002, 09:48 PM
Hello Technodrome and all,

I am willing to run/test the same virus-infected files that Technodrome used with the following products (all legally licensed to me) to see if any of them can detect the "stealth" virus that Technodrome found:

. Computer Associates eTrust EZ Antivirus
. McAfee VirusScan v6
. NAV 2001 and/or NAV2002
. Panda AntiVirus Platinum
. PCC2000
. PCC2002
. VirusBuster

That's why they call me:
KDCDQ, Security Freak

grey_ghost
August 16th, 2002, 12:04 AM
Hi,

I was wondering if you could check those files with the DrWeb and Kaspersky online tests?

I had a suspicious file a couple of days ago and my KAV4 missed it.
When I checked with DrWeb online it identified it.

Regards

Technodrome
August 16th, 2002, 12:11 AM
I am sorry, kdcdq, but I won't provide these files to anyone! I did this test for myself and decided to share only the text version with you! There is no need to get curious over this. I just wanted to point out that sometimes the use of strong heuristics can be useful (if you know what you're doing).

This test result is not suitable for measuring anti-virus products because, on the one hand, I am not a professional and, on the other hand, only 3 samples were used.


Technodrome

Technodrome
August 16th, 2002, 12:15 AM
Quoting grey_ghost:
    Hi,

    I was wondering if you could check those files with the DrWeb and Kaspersky online tests?

    I had a suspicious file a couple of days ago and my KAV4 missed it.
    When I checked with DrWeb online it identified it.

    Regards

Missed by both products.


Technodrome

Mr.Blaze
August 16th, 2002, 12:34 AM
What the mojo? All that does is scare me. Aren't you supposed to supply us with a sense of security? What do you plan to do with those nasties? I can get nasties too, lol. I used to go to places you ain't even seen till I made Wilders my home.

I think you should give them to the major tech guys here at Wilders to test it out, so us newbies can get the right software to fight these guys, or find out if our current software will protect us.

I think that's fair. Not saying hand it to a newbie, bad cyber candy =)

Technodrome
August 16th, 2002, 12:44 AM
Quoting Mr.Blaze:
    I think you should give them to the major tech guys here at Wilders to test it out, so us newbies can get the right software to fight these guys, or find out if our current software will protect us.

These files will be shredded using the DoD 5220.22-M (NISPOM 8-306) standard!

Ever heard about the guillotine, Mr. Blaze? This is even worse!


Technodrome
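Technodrome says the files will be shredded to the DoD 5220.22-M standard. As an added example (not the poster's own procedure), the script below does the commonly cited three-pass overwrite (a fixed byte, its complement, then random data), reads the final pass back to verify it landed, renames the file to a random name so the original filename is scrubbed too, and unlinks it. The pass list and the `xxx.dll.xxx.exe` sample name are assumptions of this example. The caveat a practitioner would add: overwriting the logical file reaches only the blocks currently mapped to it, so journaling or copy-on-write filesystems, SSD wear levelling, snapshots and backups can all retain copies; on such media rely on full-disk encryption plus key destruction, or the device's own secure-erase command, rather than on in-place overwriting.

```python
"""Added example (not from the thread): overwrite-then-delete in the style of the
commonly cited DoD 5220.22-M three-pass scheme (fixed byte, its complement, random),
with read-back verification of the final pass. The pass list is an assumption of
this example, not a quotation of the standard.

Caveat: this only overwrites the blocks currently mapped to the file. Journaling and
copy-on-write filesystems, SSD wear levelling, snapshots and backups can all keep
older copies; there, prefer encryption plus key destruction or device secure erase."""
import os
import random
import secrets
import tempfile
from pathlib import Path

CHUNK = 64 * 1024
PASSES = (b"\x00", b"\xff", None)  # None marks a random pass


def _pattern_stream(pattern, size: int, seed: int):
    """Yield the bytes one pass writes. Random passes are generated from a seed so the
    same stream can be regenerated for verification without buffering the whole file."""
    rng = random.Random(seed) if pattern is None else None
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        yield rng.randbytes(n) if rng else pattern * n
        remaining -= n


def overwrite(path: Path, passes=PASSES) -> bool:
    """Overwrite the file in place, pass by pass, and verify the last pass. Returns
    True when the read-back matches what was written."""
    size = path.stat().st_size
    seeds = [secrets.randbits(64) for _ in passes]
    with open(path, "r+b") as fh:
        for pattern, seed in zip(passes, seeds):
            fh.seek(0)
            for block in _pattern_stream(pattern, size, seed):
                fh.write(block)
            fh.flush()
            os.fsync(fh.fileno())  # force the pass through the page cache before the next one
        fh.seek(0)
        for expected in _pattern_stream(passes[-1], size, seeds[-1]):
            if fh.read(len(expected)) != expected:
                return False
    return True


def shred(path: Path) -> bool:
    """Overwrite, then scrub the filename by renaming before unlinking."""
    verified = overwrite(path)
    anonymous = path.with_name(secrets.token_hex(8))
    path.rename(anonymous)
    anonymous.unlink()
    return verified


def demo() -> dict:
    """Shred a constructed sample in a temporary directory and report what happened."""
    original = b"constructed sample bytes " * 400
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / "xxx.dll.xxx.exe"  # name taken from the thread, content constructed
        p.write_bytes(original)
        verified = shred(p)
        return {
            "verified": verified,
            "file_gone": not p.exists(),
            "dir_empty": not any(Path(tmp).iterdir()),
        }


if __name__ == "__main__":
    print(demo())
```

The `fsync` between passes matters: without it the filesystem may coalesce the three writes in the page cache and put only the last pattern on disk, which turns a "three-pass" wipe into a single pass.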

zappa
August 16th, 2002, 03:48 AM
LOL. The net paranoia is alive and well. Me included. I know the answer but I'm going to chime in too before the Swing Low Sweet Chariot song plays at your place?

Can you send them to Paul W. so he can send them to Eset? LOL. Please?

SKA
August 16th, 2002, 04:20 AM
Technodrome,

1. What OS were you using F-Prot on please ?

2. Would you say heuristics of F-Prot 3.12a Win version proves more aggressive than Nod32/DrWeb/KAV4 or would you say this is just one test case that's lucky for F-Prot and unlucky for others ?

SKA

Technodrome
August 16th, 2002, 07:50 AM
Quoting SKA:
    Technodrome,

    1. What OS were you using F-Prot on please ?

    2. Would you say heuristics of F-Prot 3.12a Win version proves more aggressive than Nod32/DrWeb/KAV4 or would you say this is just one test case that's lucky for F-Prot and unlucky for others ?

    SKA

Hi SKA

1. Windows XP & 98

2. F-Prot has pretty aggressive neural heuristics, but this doesn't prove anything! More testing must be done to clearly answer your 2nd question!


Technodrome

Mr.Blaze
August 16th, 2002, 09:29 AM
Yeah, that way we know which program is up to date.

I mean, if you got hold of these, how long till it comes for us in the wild? Have you notified someone?

It's like saying there's this horrible thing out there and it's coming for you, cheers, have fun, lol.

Panic, panic =)

MyNethingyman
August 16th, 2002, 09:39 AM
Something just is not making sense here...but it was an interesting post. I will just leave it at that. :-\ :-\ :-\

controler
August 16th, 2002, 10:35 AM
Try NAV 2003 please ?

Technodrome
August 16th, 2002, 10:49 AM
Quoting MyNethingyman:
    Something just is not making sense here...but it was an interesting post. I will just leave it at that. :-\ :-\ :-\

Life doesn't make sense sometimes....But we live!


Technodrome

kdcdq
August 16th, 2002, 11:02 AM
Hey Technodrome,

If you ever run any more "Virus Scanners vs infected files" tests and need/want to test them against the AV products in my previous posting, I would be more than willing to assist in any way possible. ;D

Good luck in the future,
KDCDQ, Security Freak

Technodrome
August 16th, 2002, 11:13 AM
KDCDQ,you are a real Security Freak!!! ;D

I'll let you know!


Technodrome

wizard
August 16th, 2002, 12:14 PM
Quoting SKA:
    2. Would you say heuristics of F-Prot 3.12a Win version proves more aggressive than Nod32/DrWeb/KAV4 or would you say this is just one test case that's lucky for F-Prot and unlucky for others ?

IMHO the heuristic of F-Prot is better than KAV but not as good as NOD32/DrWeb.

wizard

Technodrome
August 16th, 2002, 12:33 PM
Earlier versions of DrWeb32, say 4.25 and below, had a more aggressive heuristic analyzer. But more false positives were produced.


Technodrome

SKA
August 17th, 2002, 04:41 AM
Thanks Technodrome & Wizard for your thoughts. I've bought a 20-PC license (1 yr) for just 40 USD!!! This must be the lowest-priced AV (not counting the free AVG, Avast etc.). What really impressed me in F-Prot Win is its integrity scanner,
which is a costlier option in KAV Pro / AdInf (part of the DrWeb suite) but is included "free" at USD 2/PC in F-Prot Win!!!

Apart from having a 2nd Windows AV scanner (non-resident) as backup, I think having F-Prot DOS is a further asset for
Win 98 & XP. I found it's better than NOD32 DOS (slow)
& haven't yet tried KAVDos32.

In case anyone is interested in DOS AVs, go here for DOS updaters for KAV, F-Prot and McAfee by Art Kopp:

http://home.epix.net/~artnpeg/

SKA

FanJ
August 17th, 2002, 05:01 AM
Quoting SKA:
    What really impressed me in F-Prot Win is its integrity scanner,
    which is a costlier option in KAV Pro / AdInf (part of the DrWeb suite) but is included "free" at USD 2/PC in F-Prot Win!!!

    SKA

Hi SKA,

Thanks for telling me about that Integrity scanner for F-Prot. :)

Smokey
August 17th, 2002, 06:25 AM
Quoting controler:
    Try NAV 2003 please ?

Hi Controler!

I have tested NAV 2003, but the detection rate was not so very good >:(
Last trojan not detected by NAV 2003: NETBUIE

Therefore I stay with DrWeb ;D

Ciao,

Smokey

Smokey
August 17th, 2002, 06:35 AM
Quoting minacross:
    Could you please check them with NAV2002 and PC-cillin 2002 and tell us the result?? ??? ::) ???

Hi Minacross!

I can only give you a general answer on NAV and PCC: PCC has a better trojan detection rate, but I cannot recommend either NAV or PCC because their heuristic scanning technique is not as good as it should be.

There are much better anti-virus/trojan products.

Ciao,

Smokey

minacross
August 17th, 2002, 09:44 AM
Thanks Smokey,

but what are these "much better anti-virus/trojan products"? ???

Smokey
August 17th, 2002, 11:40 AM
Quoting minacross:
    Thanks Smokey,

    but what are these "much better anti-virus/trojan products"? ???

I can only write my PERSONAL opinion here, but I have tested almost every virus/trojan scanner on the market and at this moment I stay with one: DrWeb. It has very strong heuristic scanning and also detects a lot of trojans that other programs don't, or not as well as DrWeb does.

It is not free, but if you want a really satisfying virus scanner you have to pay for it.

A good choice too is NOD32. I think DrWeb is more for the user with some experience, but that's how life is: read the manuals (which most people don't do) and there are not many problems with installing and using the software.

You can also take a look at the Wilders virus and trojan forums to form your own opinion about the available virus/trojan programs on the market and how they function.

Link to DrWeb:

http://www.drweb.ru

Good luck!

Ciao,

Smokey

minacross
August 17th, 2002, 11:48 AM
Thanks again. :)