#1
This morning a co-worker received an email from DHL with an attachment. The attachment was titled "UPS_Print_Label_912.zip" and inside was an executable with an icon of a MS Word document. At the time neither Prevx 3.0, MBAM, nor Panda Cloud was detecting anything malicious. I uploaded it to Virus Total and someone else had already uploaded it a few hours earlier. At the time only 15/40 were able to detect it. I decided to submit the sample to several companies, one of them being McAfee, as a password-protected zip renamed to .zi_p in order to pass through Gmail. I even tested the file before submitting to make sure you would be prompted for a password upon opening the file.
McAfee Labs - Beaverton replied:
Quote:
I can only assume the "bot" was unable to process the file since the extension was renamed. Even then it should be passed on to a real analyst for further inspection. Has anyone else had issues submitting samples to McAfee?
#2
I usually submit samples via the website, WebImmunize.
Far easier that way: https://www.webimmune.net/
#3
Can send sample via e-mail:
Virus_Research @ avertlabs.com. Zip the file, and use "infected" as pass.
#4
Hi Elite,
MBAM won't unpack zipped folders to sniff the file inside. If you custom scanned the extracted file and we did not detect the malicious code, can you please upload it at the MBAM research center and I will make sure it's attended to quickly. http://forums.malwarebytes.org/index.php?showforum=51 Thanks in advance
__________________
Ade Gill Malwarebytes Researcher
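
Added example (not part of any post in this thread): because an on-demand scanner may not look inside an archive, a mail gateway or analyst can check a ZIP's members by header bytes and extension without extracting them to disk. The function names and the sample archive are constructed for illustration; the sample holds harmless bytes, not the real attachment.

```python
import io
import os
import zipfile

# Extensions Windows will execute directly (short, non-exhaustive list).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def triage_zip(data: bytes) -> list[dict]:
    """Inspect each member of a ZIP held in memory; nothing is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose flag bit 0
            head = b""
            if not encrypted:
                with zf.open(info) as member:
                    head = member.read(2)  # read two bytes only; never run the file
            ext = os.path.splitext(info.filename.lower())[1]
            reasons = []
            if head == b"MZ":
                reasons.append("PE/DOS header (MZ)")
            if ext in EXEC_EXTS:
                reasons.append(f"executable extension {ext}")
            if encrypted:
                reasons.append("encrypted, contents not inspected")
            findings.append({
                "name": info.filename,
                "encrypted": encrypted,
                "suspicious": head == b"MZ" or ext in EXEC_EXTS,
                "reasons": reasons,
            })
    return findings

def build_sample() -> bytes:
    """Constructed stand-in for the attachment: a fake header, not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UPS_Print_Label_912.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"constructed benign text file")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```

A Word-document icon does not change either signal: the member still starts with `MZ` and still carries an executable extension.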
#5
Quote:
Sorry for not clarifying in my original post, but that is the address I sent it to.
Quote:
I unzipped and scanned the actual .exe Tuesday morning with MBAM, which came up clean. I uploaded the .zip to http://uploads.malwarebytes.org/ (which is now offline) and scanned it a few minutes ago.

Malwarebytes' Anti-Malware 1.44
Database version: 3721
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/11/2010 12:40:26 PM
mbam-log-2010-02-11 (12-40-26).txt

Files Infected:
c:\documents and settings\texascom\desktop\ups_print_label_912\UPS_Print_Label_912.exe (Trojan.Sasfis) -> Quarantined and deleted successfully.