#1
A couple of nights ago I received (voluntarily) 3 files from some IRC channel! They were xxx.dll.xxx.exe (I won't name them) for security reasons. The length of these files was the same (9.21 KB). I knew they could be potentially malicious code (in fact they were)... The files were written in pure assembly language with use of a Slavic language. I decided to play with these files just for the fun of it.
During download, my primary virus scanner didn't pick them up as infected. No surprise here; these files were fairly strange. I decided to use another virus scanner to check these files for possible infection. Better yet, to test the heuristic analyzers! Here are the results:
- Kaspersky AV without heuristics: nothing
- Kaspersky AV with heuristics: nothing
- DrWeb32 AV without heuristics: nothing
- DrWeb32 AV with heuristics: nothing
- Command AV with heuristics (automatically): nothing
- F-Secure with heuristics (automatically): nothing
- RAV 8.6 (engine 8.7) without heuristics: nothing
- RAV 8.6 (engine 8.7) with heuristics: nothing
- NOD32 1.298 without heuristics: nothing
- NOD32 1.298 with heuristics (deep): nothing
- Sophos 3.60 without heuristics: nothing (Sophos AV uses no heuristics)
- F-Prot 3.12a without heuristics: nothing
- F-Prot 3.12a with heuristics: nothing
- F-Prot 3.12a with neural heuristics enabled: 3 suspicious files found
In this particular case 6 heuristic engines failed to identify the infected files. F-Prot was the only one able (by using extra-strength heuristics) to identify the files as suspicious. Technodrome
__________________
Classic Trance Hit: PPK - Resurrection
#2
What was the malicious activity of that file? Virus? Trojan?
wizard
__________________
wizardRESEARCH - Malware Research & Analysis since 1989
#3
It was a virus. After executing, it deleted files from local drives. Similar to W97M/Melissa activities. I'd say a very classic one. I believe it also damaged my system BIOS (not sure, still investigating)...
Pretty powerful virus. My old computer suffered a great deal of pain. Is there a twist between CIH and W97M? I heard a rumor that VXers are working on a new version of CIH. Technodrome
#4
Could you please check them with NAV2002 and PC-cillin 2002 and tell us the result?
#5
I am sorry but I don't have those two products!
Technodrome
#6
Could you guide us to where we can get these virus files?
I have both NAV2001 and PCC2002 to check them with.
#7
Quote:
Sorry Minacross, we don't give links to those places.
#8
Quote:
Not me! Maybe someone else. Technodrome
#9
Hello Technodrome and all,
I am willing to run/test the same virus-infected files that Technodrome used with the following products (all legally licensed to me) to see if any of them can detect the "stealth" virus that Technodrome found:
- Computer Associates eTrust EZ Antivirus
- McAfee VirusScan v6
- NAV 2001 and/or NAV2002
- Panda AntiVirus Platinum
- PCC2000
- PCC2002
- VirusBuster
That's why they call me: KDCDQ, Security Freak
__________________
'Peace on Earth - Purity of Essence.' - Dr. Strangelove
#10
Hi,
I was wondering if you could check those files with the DrWeb and Kaspersky online tests? I had a suspicious file a couple of days ago and my KAV4 missed it. When I checked with DrWeb online, it identified it. Regards
__________________
Gerry
#11
I am sorry, kdcdq, but I won't provide these files to anyone! I did this test for myself and decided to share only the text version with you! There is no need to get curious over this. I just wanted to point out that sometimes the use of strong heuristics can be useful (if you know what you're doing).
These test results are not suitable for measuring anti-virus products because, on the one hand, I am not a professional and, on the other hand, only 3 samples were used. Technodrome
#12
Quote:
Missed by both products. Technodrome
#13
What the mojo? All that does is scare me. Aren't you supposed to supply us with a sense of security? What do you plan to do with those nasties? I can get nasties too, lol. I used to go to places you ain't even seen till I made Wilders my home.
I think you should give them to the major tech guys here at Wilders to test them out, so us newbies can get the right software to fight these guys, or know if our current software will protect us. I think that's fair. Not saying hand it to a newbie; bad cyber candy =)
__________________
I am Blaze's raging fur ball of fury. Don't let the small paws fool you; my claws retract like Wolverine's, err, when I'm not babysitting Jooske's mouse
#14
Quote:
These files will be shredded using the DoD 5220.22-M, NISPOM 8-306 standard! Ever heard about Guillotin, Mr. Blaze? This is even worse! Technodrome
#15
LOL. The net paranoia is alive and well. Me included. I know the answer, but I'm going to chime in too before the Swing Low Sweet Chariot song plays at your place.
Can you send them to Paul W. so he can send them to Eset? LOL. Please?
#16
Technodrome,
1. What OS were you using F-Prot on, please?
2. Would you say the heuristics of the F-Prot 3.12a Win version prove more aggressive than NOD32/DrWeb/KAV4, or would you say this is just one test case that's lucky for F-Prot and unlucky for the others?
SKA
#17
Quote:
Hi SKA,
1. Windows XP & 98.
2. F-Prot has pretty aggressive neural heuristics, but this doesn't prove anything! More testing must be done to clearly answer your 2nd question! Technodrome
#18
Yeah, that way we know what program is up to date.
I mean, if you got ahold of these, how long till it comes for us in the wild? Have you notified someone? It's like saying there's this horrible thing out there and it's coming for you. Cheers, have fun, lol. Panic, panic =)
#19
Something just is not making sense here...but it was an interesting post. I will just leave it at that.
#20
Try NAV 2003 please ?
#21
Quote:
Life doesn't make sense sometimes... But we live! Technodrome
#22
Hey Technodrome,
If you ever run any more "Virus Scanners vs. infected files" tests and need/want to test them against the AV products in my previous posting, I would be more than willing to assist in any way possible. Good luck in the future, KDCDQ, Security Freak
#23
KDCDQ, you are a real Security Freak!!!
I'll let you know! Technodrome
#24
Quote:
IMHO the heuristics of F-Prot are better than KAV's but not as good as NOD32's/DrWeb's. wizard
#25
Earlier versions of DrWeb32, say 4.25 and below, had a more aggressive heuristic analyzer. But more false positives were produced.
Technodrome
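Editor's added example, not code from this thread or from any of the scanners named in it: a toy Python model of the two points the thread makes, that a signature engine cannot see a re-assembled sample it has no hash for (post #1, where only the most aggressive heuristic level flagged the files) and that raising heuristic aggressiveness buys detection at the price of false positives (post #25). The byte strings, indicator names, weights and thresholds are all constructed for the illustration; a real engine inspects PE structure and import tables rather than searching for API name strings.

```python
"""Toy signature-vs-heuristic scanner on constructed samples (added example).

Nothing here is a real engine or a real sample: the byte strings below are
invented stand-ins for a tiny PE file that enumerates and deletes files, and
the indicator weights and thresholds are made up to show the trade-off.
"""
import hashlib

# Constructed samples. "MZ" is the DOS/PE magic; the API name strings stand
# in for an import table. All four are well under 16 KiB.
KNOWN_SAMPLE = (b"MZ" + b"\x90" * 64
                + b"kernel32.dll\x00FindFirstFileA\x00DeleteFileA\x00"
                + b"\xcc" * 200)
# Same behaviour re-assembled: strings reordered, padding changed, and a decoy
# error dialog added so the file looks a bit more like an ordinary program.
# Its hash is different, so a signature database built from KNOWN_SAMPLE
# cannot match it.
VARIANT = (b"MZ" + b"\x90" * 72
           + b"kernel32.dll\x00DeleteFileA\x00FindFirstFileA\x00"
           + b"user32.dll\x00MessageBoxA\x00" + b"\xcc" * 180)
# A harmless "hello" program and a legitimate uninstaller that, like the
# malware, enumerates and deletes files (after asking the user first).
BENIGN_HELLO = b"MZ" + b"\x00" * 300 + b"user32.dll\x00MessageBoxA\x00"
BENIGN_UNINSTALLER = (b"MZ" + b"\x00" * 300
                      + b"FindFirstFileA\x00DeleteFileA\x00RemoveDirectoryA\x00"
                      + b"MessageBoxA\x00")

SAMPLES = {
    "known": KNOWN_SAMPLE,
    "variant": VARIANT,
    "hello": BENIGN_HELLO,
    "uninstaller": BENIGN_UNINSTALLER,
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database: the exact hash of the one sample the vendor has seen.
SIGNATURES = {sha256(KNOWN_SAMPLE): "Toy.Deleter.A"}

# Heuristic indicators as (name, predicate, weight). Weights are invented.
INDICATORS = [
    ("deletes files", lambda d: b"DeleteFileA" in d, 3),
    ("enumerates files", lambda d: b"FindFirstFileA" in d, 2),
    ("tiny executable", lambda d: d.startswith(b"MZ") and len(d) < 16 * 1024, 1),
    ("no user interaction", lambda d: b"MessageBoxA" not in d, 1),
]

# Heuristic levels: "normal" needs every indicator (7 points); "aggressive"
# tolerates a missing one, which is what lets it catch the decoy variant and
# also what makes it flag the uninstaller.
THRESHOLDS = {"off": None, "normal": 7, "aggressive": 5}


def signature_scan(data: bytes):
    """Return the signature name for an exactly known file, else None."""
    return SIGNATURES.get(sha256(data))


def heuristic_score(data: bytes):
    """Return (score, list of indicator names that fired)."""
    hits = [name for name, pred, _ in INDICATORS if pred(data)]
    score = sum(weight for name, pred, weight in INDICATORS if pred(data))
    return score, hits


def scan(data: bytes, level: str = "normal") -> dict:
    """Combine the signature check with the heuristic at the given level."""
    sig = signature_scan(data)
    score, hits = heuristic_score(data)
    threshold = THRESHOLDS[level]
    heuristic_hit = threshold is not None and score >= threshold
    return {"signature": sig, "score": score, "hits": hits,
            "heuristic": heuristic_hit, "detected": sig is not None or heuristic_hit}


def detection_table(samples=SAMPLES) -> dict:
    """Detected/not-detected per sample and per heuristic level."""
    return {name: {level: scan(data, level)["detected"] for level in THRESHOLDS}
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, row in detection_table().items():
        print(f"{name:12s}", " ".join(f"{lvl}={'HIT' if hit else '-'}"
                                      for lvl, hit in row.items()))
```

Run as-is, the table shows the known sample detected at every level (by hash alone), the variant only at the aggressive level, the hello program never, and the uninstaller flagged as a false positive at the same aggressive level that found the variant. Lowering the threshold further would not change the picture, only add more false positives, which is the trade-off behind post #25's remark about older DrWeb versions.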