how good is a2?

Discussion in 'other anti-trojan software' started by bunnyhorse, Jan 21, 2004.

Thread Status:
Not open for further replies.
  1. hayc59

    hayc59 Guest

    :DIts Back ;)
     
  2. Andreas Haak

    Andreas Haak Guest

    It was down for a few minutes while installing several kernel updates :).
     
  3. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    a2 is failing to detect ITW worm Mimail.Q. I just can't believe that a program that can only detect 7 worms is not even able to detect those 7 correctly.

    wizard
     
  4. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    yes and what about version S..


    http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.s@mm.html

    LOL this board software sure does not like those @@@@
     
  5. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    a2 doesn't claim to detect Mimail.S but for Mimail.Q a2 does.

    wizard
     
  6. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Maybe it is a different Q; they sure make those letters confusing depending on what side of the world you live on these days ;)


    Name: W32/Mimail.Q
    Type: Worm of Internet, polymorphic
    Alias: W32/Mimail.q@MM, I-Worm.Mimail.q, W32/Sysout.A.worm, W32.Mimail.Q@mm, W32/Mimail.Q.worm, W32/Mimail.gen@MM
    Size: 32.768 bytes
    Platform: Windows 32-bit
    Port: TCP/3000
    Date: 26/ene/04

    http://www.vsantivirus.com/mimail-q.htm

    Worm first detected on 26 January 2004. It is a variant of the Mimail family, able to steal personal information and credit card data, posing as a fake Microsoft form.





    Name: W32/Mimail.S
    Type: Worm of Internet
    Alias: W32/Mimail-S, W32.Mimail.R@mm, W32/Mimail.gen@MM
    Size: 11.520 bytes
    Platform: Windows 32-bit
    Date: 29/ene/04


    http://www.vsantivirus.com/mimail-s.htm

    Worm first detected on 29 January 2004. It is a variant of Mimail.Q, able to steal personal information and credit card data, showing a fake Microsoft form.


    Which Q do YOU have that it will not detect ??
     
  7. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    The version KAV detects as "Q". a2 uses KAV malware naming as well. See also this list http://www.emsisoft.com/a2/malware/a2.txt

    wizard
     
  8. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    That of course is NOT what i am asking...since you have stated that a2 will not detect Q that must mean you have a copy of it...so we are talking about YOUR copy and nothing else..since the actual attachment is the same for both the Q and the S..i am assuming that you executed your copy or took it apart and found the first to be true...is that correct o_O



    :)

    W32.Mimail.Q@mm
    Creates the files:
    %Windir%\Sys32.exe: This file is a polymorphic encrypted version of the worm, which the Outlook.exe component sends.
    %Windir%\Outlook.exe:

    The first part of the attachment name consists of one of the following words:

    my
    priv
    private
    prv
    the
    best
    super
    great
    cool
    wild
    sex

    followed by one or two underscores or a dash, and then one of the following words:

    pic
    img
    phot
    photos
    pctrs
    images
    imgs
    scene
    plp
    act
    action

    and one of the following extensions:

    .pif
    .scr
    .exe
    .jpg.scr
    .jpg.pif
    .jpg.exe
    .gif.exe
    .gif.pif
    .gif.scr


    The worm contains text threatening to perform a Denial of Service (DoS) on a particular ISP, and on any ISP that attempts to prevent stolen information from reaching the author.

    ****************************************

    W32.Mimail.S@mm

    is executed, it performs the following actions:


    Copies itself as %Windir%\rabbit.exe and then executes the file.



    Registers itself as a service.


    Adds the value:

    "RabbitWannaHome"="%Windir%\rabbit.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when Windows starts.



    The first part of the attachment name consists of one of the following words:

    my
    priv
    private
    prv
    the
    best
    super
    great
    cool
    wild
    sex

    followed by one or two underscores or a dash, then one of the following words:

    pic
    img
    phot
    photos
    pctrs
    images
    imgs
    scene
    plp
    act
    action

    and then one of the following extensions:

    .pif
    .scr
    .exe
    .jpg.scr
    .jpg.pif
    .jpg.exe
    .gif.exe
    .gif.pif
    .gif.scr


    The worm queries www.google.com periodically to check the network status.


    ************************

    And i am assuming since you are posting all that info in this thread that no matter which one you do have that you have no intentions of sending it off to them..;-)

    Is that correct ?

    One of those he can find it himself o_O :mad:
     
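Added example, not code from any poster or from the a2 project: a small Python checker that encodes the attachment-naming scheme quoted above for Mimail.Q/S (first word, one or two underscores or a dash, second word, extension) and flags filenames that follow it, marking double extensions such as `.jpg.scr`. The sample filenames are constructed.

```python
import re

# Word lists and extensions exactly as quoted from the Symantec write-up above.
FIRST_WORDS = ["my", "priv", "private", "prv", "the", "best", "super",
               "great", "cool", "wild", "sex"]
SECOND_WORDS = ["pic", "img", "phot", "photos", "pctrs", "images", "imgs",
                "scene", "plp", "act", "action"]
EXTENSIONS = [".pif", ".scr", ".exe", ".jpg.scr", ".jpg.pif", ".jpg.exe",
              ".gif.exe", ".gif.pif", ".gif.scr"]


def _alternation(words):
    # Longest first so "private" is tried before "priv", "photos" before "phot".
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))


# first word, then "_" / "__" / "-", then second word, then one listed extension.
MIMAIL_ATTACHMENT_RE = re.compile(
    r"^(?P<first>" + _alternation(FIRST_WORDS) + r")"
    r"(?P<sep>__|_|-)"
    r"(?P<second>" + _alternation(SECOND_WORDS) + r")"
    r"(?P<ext>" + _alternation(EXTENSIONS) + r")$",
    re.IGNORECASE,
)


def match_mimail_attachment(filename):
    """Return the parsed parts if filename follows the Mimail.Q/S scheme, else None."""
    m = MIMAIL_ATTACHMENT_RE.match(filename.strip())
    if not m:
        return None
    parts = m.groupdict()
    # A double extension (".jpg.scr") disguises an executable as an image.
    parts["double_extension"] = parts["ext"].count(".") == 2
    return parts


def scan_attachments(names):
    """Filter a list of attachment names down to those matching the scheme."""
    return [n for n in names if match_mimail_attachment(n)]


SAMPLE_ATTACHMENTS = [  # constructed sample input
    "my_pic.jpg.scr", "private-photos.pif", "super__images.gif.exe",
    "holiday_pic.jpg", "my_pic.jpg", "prv_plp.exe", "report.pdf",
]

if __name__ == "__main__":
    for name in scan_attachments(SAMPLE_ATTACHMENTS):
        print(name, match_mimail_attachment(name))
```

A mail gateway would apply the same check to the attachment name before the executable ever reaches a user, where signature detection of the polymorphic dropper may lag.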
  9. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Andreas has the worm. As I mentioned earlier: Take a look at the list of detected malware of a2 (see link in my posting above). Mimail.Q is listed but there is no working detection yet which is the key point here. In the meantime Andreas has promised Rokop-Security to fix the problem.

    wizard
     
  10. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    But we can all agree that a2 is coming along well.
     
  11. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743

    Yes wizard..I read that thread at Rokop even before you came flying over here to the Wilders forum with your first post up there..

    http://www.rokop-security.de/board/index.php?showtopic=1834&hl=

    :mad:

    and I know who found the Mimail.Q and I know what Roman told you over there with your rant.. and i know what someone else posted about TH and all i can say to you one more time.. ~~snipped (LowWaterMark)~~ ..and we both know why you could not answer the questions frankly as I posed them to you above..it is because you really had nothing to do with it all.. and you, wizard, just picked up a little gossip in a great German security forum and tried to smear it in this a2 thread at wilders..even though the Admin of the forum knew exactly what to do.

    You are not here to help the Security Community..you are just looking for a little action.


    - Snipped personalized comment out. LWM
     
  12. Andreas Haak

    Andreas Haak Guest

    @wizard:
    I don't have to explain to you the difference between the dropper and the worm itself. The dropped file (the real worm) is already detected. So if you say the Mimail.Q worm is undetected you are definitely wrong. If you say the polymorphic dropper is undetected, you are right.

    But well ... especially for you and the guys at Rokop I have added detection for the polymorphic dropper, too.
     
  13. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    I am getting a little bit tired of your personal attacks. If you take all negative postings regarding a² personally then that's your problem not mine. EOD.

    wizard
     
  14. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    I am not talking about the dropper. I have the two dropped files which means the files which are present in the system after an infection. Both were not detected.

    With the latest update this problem seems to be resolved.

    wizard
     
  15. Andreas Haak

    Andreas Haak Guest

    Tried several dropped files now - all are detected with the update of 27. But well ... it's ok. As you said they all are detected now.
     
  16. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    I've moved the last reply to this thread for admin review as to whether it will return. In the meanwhile, please try to keep this discussion on the right track.

    Andrew
     
  17. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    It won't be back and the poster knows why. Personal attacks have no place here - period!
     
  18. srfox

    srfox Registered Member

    Joined:
    Jul 25, 2003
    Posts:
    86
    Location:
    Los Angeles
    You have to realize that A2 is still in Beta phase, so it doesn't have all the signatures necessary to detect everything. More is being added daily, so until it comes out of beta, I wouldn't be too quick to judge.
     
  19. someguest

    someguest Guest

    i think you missed something... officially it's out of the beta phase, at least the free version.
     
  20. notfooled

    notfooled Guest

    The personal version is offered for sale on the website and still doesn't have all the features and I doubt if it ever will. Do you see anywhere on the website the word beta?

    notfooled
     