Interesting Observation.


SDS909
July 1st, 2005, 03:26 PM
I found a new Trojan around the 16th of June (estimate). I submitted it to several multi-engine scan sites, and only 3 AVs detected it. I carefully monitored daily to see who added it. NOD32, KAV and VBA32 had it immediately on outbreak (around the 10th?). The trojan's name is:

Troj/Bahnhof-A
Aliases Trojan-Downloader.Win32.Small.ayl

What concerns me is the number of AVs that STILL haven't dealt with this outbreak. I personally sent this file to all of them, including Dr.Web, and it still hasn't been added. Also alarming was the fact that for the majority of the time only 3 AVs detected this; the rest only added it very recently.

http://www.boredmofo.com/downloads/tj.JPG

tiagozt
July 1st, 2005, 04:57 PM
very good!
It's very important!

Firefighter
July 1st, 2005, 05:08 PM
{QUOTE-> I personally sent this file to all of them, including Dr.Web, and it still hasn't been added. <-QUOTE}Because it seems to be a Dialer, have you checked DrWeb with the Beta update defs too? If DrWeb still doesn't detect that, I believe that they are not so interested in Dialers anymore!

Best regards,
Firefighter!

pvsurfer
July 1st, 2005, 05:29 PM
This actually broaches the issue of whether you should depend on any AV product to fully protect against spyware and trojans! :-\

SDS909
July 1st, 2005, 06:30 PM
{QUOTE-> Because it seems to be a Dialer, have you checked DrWeb with the Beta update defs too? If DrWeb still doesn't detect that, I believe that they are not so interested in Dialers anymore!

Best regards,
Firefighter! <-QUOTE}

Yes it was checked with Dr.Web BETA Risky/Spyware databases, still not detected.

Also, the term "Dialer" is pretty loose, since most AVs tend to label this as a TrojanDownloader rather than a dialer. Given what this program does, and how it works, I'd also label it a trojan, and the annoyance and damage it causes should immediately have it in the database of every major AV.

I should add, Norman's Sandbox actually detected it before definitions.

I will also point out that I would have been infected with this if I had not been using Safe'n'Sec, which shut it down and allowed me to examine it more closely and stop the infection. So that means this made it past 2 layers of my 3-layer security and was caught. Which is pretty much how I set it up, given the highly unlikely nature of anything ever passing Safe'n'Sec.

richrf
July 1st, 2005, 06:56 PM
Hi SDS909,

Which aspect of SafeNSecure stopped the malware? Was it the new process detection or was it the registry protection, or something else? Thanks.

Rich

SDS909
July 1st, 2005, 08:39 PM
{QUOTE-> Hi SDS909,

Which aspect of SafeNSecure stopped the malware? Was it the new process detection or was it the registry protection, or something else? Thanks.

Rich <-QUOTE}

I believe it was when it tried to copy a new file to the Windows directory, but so many alarms were going off that I just blocked everything and sent the file to the AV scanners. Needless to say, I'm extremely happy with Safe'n'Sec at this point.

richrf
July 1st, 2005, 09:05 PM
Thanks for the info.

Rich

solarpowered candle
July 1st, 2005, 10:27 PM
Safe'n'Sec is really looking good.

RejZoR
July 2nd, 2005, 03:28 AM
Well, this is certainly not an outbreak. And dialers are losing their purpose since more and more people are moving to Cable/DSL, which are immune to dialers.

SDS909
July 2nd, 2005, 03:47 AM
{QUOTE-> Well, this is certainly not an outbreak. And dialers are losing their purpose since more and more people are moving to Cable/DSL, which are immune to dialers. <-QUOTE}

It isn't a dialer; I already said that once. Categorizing it as such is incorrect. It is a trojan downloader, and can work fine off of the TCP/IP stack. Curiously, several AVs still don't have definitions for it. Pretty disappointed with Dr.Web. I used the correct submission form as well.

I don't really care WHAT it does, though; it is a trojan, and should be detected considering it is several weeks after it was discovered. Also of concern is the very long delay of the ones that now detect it.

I think everyone checking response times checks only major outbreaks, and not these other things (which are extremely common). Smaller or less responsive AV companies seem to respond rapidly to huge, high-publicity threats, and sometimes don't respond at all to lesser threats.

Pollmaster
July 2nd, 2005, 04:59 AM
{QUOTE-> I believe it was when it tried to copy a new file to the Windows directory, but so many alarms were going off that I just blocked everything and sent the file to the AV scanners. Needless to say, I'm extremely happy with Safe'n'Sec at this point. <-QUOTE}

That's why solutions like RegDefend + ProcessGuard + AV aren't always enough. There should be something monitoring sensitive file areas as well.

That's why many people use PrevX as well. Or you could run as a non-admin.

AndreyKa
July 2nd, 2005, 05:40 AM
SDS909!
There is some mistake. Doctor Web has detected Trojan-Downloader.Win32.Small.ayl as Trojan.DownLoader.3073 since two weeks ago.
http://www.viruslist.com/en/viruses/encyclopedia?virusid=84712
Maybe the file was damaged. Resend the file to DrWeb as described in http://support.drweb.com/sendnew
In my experience the answer will arrive in 1-2 hours (in 7-19 GMT).

SDS909
July 2nd, 2005, 12:00 PM
{QUOTE-> SDS909!
There is some mistake. Doctor Web has detected Trojan-Downloader.Win32.Small.ayl as Trojan.DownLoader.3073 since two weeks ago.
http://www.viruslist.com/en/viruses/encyclopedia?virusid=84712
Maybe the file was damaged. Resend the file to DrWeb as described in http://support.drweb.com/sendnew
In my experience the answer will arrive in 1-2 hours (in 7-19 GMT). <-QUOTE}

I've already sent it to them twice. Perhaps Dr.Web is missing it because this one is packed with YODA or something?

Either way, the good Dr. definitely doesn't detect this for me, nor on the scan sites!
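The packing question raised above is the usual explanation for "the vendor already detects this family, but not my file": a repacked specimen is a different byte stream, so a signature for the unpacked variant no longer matches it. The script below is an added example (not from this thread, and not any vendor's tool) of the quick triage a practitioner runs before resubmitting a sample: it parses the PE section table by hand and reports the classic packer indicators, a section name associated with a known packer, an executable section whose raw data has near-maximal entropy, and a section that is both writable and executable. The section-name list (UPX*, .yC/.yP for yoda's packers, etc.) and the entropy threshold of 7.0 bits per byte are heuristics assumed here, not facts from the page. The sample image is constructed in the script itself so it runs offline; it is a synthetic header-plus-sections fixture, not a real executable.

```python
import hashlib
import math
import struct

# Heuristic packer section names (assumption for this example; extend as needed).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".yC", ".yP", ".aspack", ".adata",
                        ".nsp0", ".nsp1", ".petite", ".MPRESS1", ".MPRESS2"}
SCN_CODE, SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the maximum (random, compressed or encrypted data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes):
    """Walk the PE section table; yield (name, raw_offset, raw_size, characteristics)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)   # COFF.NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, coff + 16)      # COFF.SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        _vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        chars, = struct.unpack_from("<I", pe, off + 36)
        yield name, rptr, rsize, chars


def packer_indicators(pe: bytes):
    """Return a list of (section_name, reason) findings; an empty list means 'looks unpacked'."""
    findings = []
    for name, rptr, rsize, chars in pe_sections(pe):
        ent = shannon_entropy(pe[rptr:rptr + rsize])
        if name in PACKER_SECTION_NAMES:
            findings.append((name, "known packer section name"))
        if chars & SCN_EXECUTE and ent > HIGH_ENTROPY:
            findings.append((name, f"executable section with entropy {ent:.2f}"))
        if chars & SCN_EXECUTE and chars & SCN_WRITE:
            findings.append((name, "writable+executable section (in-place unpacking stub?)"))
    return findings


def build_pe(sections):
    """Constructed test fixture: a minimal PE32 image from [(name, raw_data, characteristics)]."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew -> right after DOS header
    opt_size = 224                                          # PE32 optional header, left zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    headers_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF                # first raw section at 512-byte alignment
    table, blobs, vaddr = b"", b"", 0x1000
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), vaddr, len(data), raw_ptr, 0, 0, 0, 0, chars)
        blobs += data
        raw_ptr += len(data)
        vaddr += (len(data) + 0xFFF) & ~0xFFF
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table
    return header + bytes(raw_ptr - len(blobs) - len(header)) + blobs


# Constructed samples: low-entropy "code" vs. a UPX-style layout with compressed-looking data.
LOW_ENTROPY_CODE = bytes(range(16)) * 256                               # exactly 4.0 bits/byte
COMPRESSED_LOOKING = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

CLEAN_SAMPLE = build_pe([(".text", LOW_ENTROPY_CODE, SCN_CODE | SCN_EXECUTE | SCN_READ)])
PACKED_SAMPLE = build_pe([("UPX0", b"", SCN_EXECUTE | SCN_READ | SCN_WRITE),
                          ("UPX1", COMPRESSED_LOOKING, SCN_EXECUTE | SCN_READ | SCN_WRITE)])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, packer_indicators(img) or "no packer indicators")
```

When the packed sample triggers and the family is already detected, the useful thing to put in the resubmission is exactly this: that the file is a repacked variant, so the vendor knows to look at the unpacked payload or add an unpacker rather than assume the sample was damaged in transit.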

tiagozt
July 2nd, 2005, 10:53 PM
{QUOTE-> I've already sent it to them twice. Perhaps Dr.Web is missing it because this one is packed with YODA or something?

Either way, the good Dr. definitely doesn't detect this for me, nor on the scan sites! <-QUOTE}

Try to send by mail vms@drweb.com

SDS909
July 4th, 2005, 12:36 PM
Dr.Web JUST added detection for this, and it took someone who has a contact there to send it.

I'm not impressed with what it took to get them to add this threat, and most worrying, it took them weeks and weeks to add it.

Dave-54321
July 5th, 2005, 12:31 PM
...or you could just use Linux!

The Hammer
July 5th, 2005, 04:49 PM
{QUOTE-> ...or you could just use Linux! <-QUOTE}
Or switch to NOD.

Firefighter
July 5th, 2005, 05:17 PM
{QUOTE-> Dr.Web JUST added detection for this, and it took someone who has a contact there to send it.

I'm not impressed with what it took to get them to add this threat, and most worrying, it took them weeks and weeks to add it. <-QUOTE}I'm not so worried about DrWeb after that single sample, because there are so many new samples each day. What do you think about my "P2P-Worm.Win32.Furby" sample? I picked up that sample when I used Panda Platinum v7.0 about a year ago, and it took almost HALF A YEAR before KASPERSKY detected it. I'm not saying that Kaspersky is a bad scanner after this, because it still has the best detection rate overall. S...t happens. ???

Best regards,
Firefighter!

SDS909
July 5th, 2005, 06:36 PM
{QUOTE-> Or switch to NOD. <-QUOTE}

Been there, done that. No thanks, won't happen again. And that's with free licenses to it. LOL