8 Virus Scanners vs 3 infected files!

Discussion in 'other anti-virus software' started by Technodrome, Aug 15, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    A couple of nights ago I received (voluntarily) 3 files from some IRC channel! They were xxx.dll.xxx.exe (I won't name them, for security reasons). All three files were the same size (9.21 KB). I knew they could be potentially malicious code (in fact they were)... The files were written in pure assembly language, with use of a Slavic language. I decided to play with these files just for the fun of it.

    During download, my primary virus scanner didn't pick them up as infected. No surprise here, these files were fairly strange. I decided to use another virus scanner to check these files for possible infection. Better yet, to test heuristic analyzers!

    Here are results:
    Kaspersky AV without heuristics- Nothing
    Kaspersky AV with heuristics – Nothing

    DrWeb32 AV without heuristics- Nothing
    DrWeb32 AV with heuristics – Nothing

    Command AV with heuristics (automatically) – Nothing

    F-Secure with heuristics (automatically) – Nothing

    RAV 8.6 (engine 8.7) without heuristics- Nothing
    RAV 8.6 (engine 8.7) with heuristics – Nothing

    NOD32 1.298 without heuristics- Nothing
    NOD32 1.298 with heuristics (deep) – Nothing

    Sophos 3.60 without heuristics - Nothing (Sophos AV uses no heuristics)

    F-Prot 3.12a without heuristics- Nothing
    F-Prot 3.12a with heuristics – Nothing
    F-Prot 3.12a with enabled neural heuristics – 3 suspicious files found

    In this particular case 6 heuristic engines failed to identify the infected files. F-Prot was the only one able (by using extra-strength heuristics) to identify the files as suspicious.


    Technodrome
     

    Attached Files:

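The first post's triage was done by eye: three files with the same odd double-extension naming (xxx.dll.xxx.exe), all exactly the same size, and none flagged by signatures. The block below is an added example, not code from the post or from any of the scanners it names; it turns those observations into repeatable checks over a batch of samples (flag a double extension hiding an executable suffix, verify whether a file actually carries a DOS/PE header, hash each file, and group files that share a size so identical-size-but-different-hash sets stand out). The sample names and bytes are constructed for the example; the minimal PE stub is hand-built, not a real program.

```python
import hashlib
from collections import defaultdict

# Suffixes that Windows will execute directly (assumed list for this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}

def pe_stub(payload):
    """Constructed minimal DOS/PE header: 'MZ' magic, e_lfanew at offset 0x3C
    pointing to 0x40, and a 'PE\\0\\0' signature there. Not a runnable binary."""
    return b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + payload

# Constructed sample set (hypothetical names and bytes, not the thread's files):
# two same-size PE stubs differing in one byte, one fake .exe, one text file.
SAMPLES = {
    "readme.dll.setup.exe": pe_stub(b"\x00" * 30),
    "photo.jpg.exe":        pe_stub(b"\x00" * 29 + b"\x01"),
    "plain.exe":            b"not actually a program\n",
    "notes.txt":            b"just a text file\n",
}

def has_double_extension(name):
    """True for names like foo.dll.bar.exe: an executable suffix behind another suffix."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS

def looks_like_pe(data):
    """Check for an MZ stub whose e_lfanew offset points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(samples):
    """Per-sample record: size in bytes, SHA-256, and which triage flags fired."""
    records = {}
    for name, data in samples.items():
        flags = []
        if has_double_extension(name):
            flags.append("double-extension")
        if looks_like_pe(data):
            flags.append("pe-header")
        elif name.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS:
            # Named like a program but carries no PE header: worth a second look.
            flags.append("exe-name-but-no-pe-header")
        records[name] = {
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "flags": flags,
        }
    return records

def same_size_groups(records):
    """Names grouped by identical size, keeping only groups of two or more.
    Same size with different hashes means the files are not plain copies."""
    by_size = defaultdict(list)
    for name, rec in records.items():
        by_size[rec["size"]].append(name)
    return {size: sorted(names) for size, names in by_size.items() if len(names) > 1}

if __name__ == "__main__":
    recs = triage(SAMPLES)
    for name, rec in recs.items():
        print(f"{name:24} {rec['size']:5d} {rec['sha256'][:16]}  {', '.join(rec['flags']) or '-'}")
    print("same-size groups:", same_size_groups(recs))
```

Run it on a directory of quarantined samples by replacing SAMPLES with a dict built from the files' bytes; nothing here executes the samples, so it is safe to run on a live box, unlike the test described in the post.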
  2. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    What was the malicious activity of that file? Virus? Trojan?

    wizard
     
  3. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    It was a virus. After executing, it deleted files from local drives. Similar to W97M/Melissa activities. I'd say a very classic one. I believe it also damaged my system BIOS (not sure, still investigating)...
    Pretty powerful virus. My old computer suffered a great deal of pain.

    Is there a twist between CIH and W97M? I heard a rumor that VXers are working on a new version of CIH.
    o_O


    Technodrome
     
  4. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    Could you please check them with NAV2002 and PC-cillin 2002 and tell us the result?? o_O :rolleyes: o_O
     
  5. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I am sorry but I don't have those two products!


    Technodrome
     
  6. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    Could you guide us to where we can get these virus files??
    I have both NAV2001 and PCC2002 to check them with.
     
  7. FanJ

    FanJ Guest

    Sorry Minacross,

    We don't give links to those places.
     
  8. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Not me! Maybe someone else. ;)


    Technodrome
     
  9. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    657
    Location:
    Southwestern Massachusetts
    Hello Technodrome and all,

    I am willing to run/test the same virus-infected files that Technodrome used with the following products (all legally licensed to me) to see if any of them can detect the "stealth" virus that Technodrome found:

    . Computer Associates eTrust EZ Antivirus
    . McAfee VirusScan v6
    . NAV 2001 and/or NAV2002
    . Panda AntiVirus Platinum
    . PCC2000
    . PCC2002
    . VirusBuster

    That's why they call me:
    KDCDQ, Security Freak
     
  10. grey_ghost

    grey_ghost Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    60
    Hi,

    I was wondering if you could check those files with the DrWeb and Kaspersky online tests?

    I had a suspicious file a couple of days ago and my Kav4 missed it.
    When I checked with DrWeb online it identified it.

    Regards
     
  11. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I am sorry kdcdq, but I won't provide these files to anyone! I did this test for myself and decided to share only the text version with you! There is no need to get curious over this. I just wanted to point out that sometimes the use of strong heuristics can be useful (if you know what you're doing).

    This test result is not suitable for measuring anti-virus products because, on the one hand, I am not a professional and, on the other hand, only 3 samples were used.


    Technodrome
     
  12. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Missed by both products.


    Technodrome
     
  13. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    What the mojo, all that does is scare me. Aren't you supposed to supply us with a sense of security? What do you plan to do with those nasties? I can get nasties too, lol. I used to go to places you ain't even seen till I made Wilders my home.

    I think you should give them to the major tech guys here at Wilders to test out, so us newbies can get the right software to fight these guys, or know if our current software will protect us.

    I think that's fair. Not saying hand it to a newbie, bad cyber candy =)
     
  14. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    These files will be shredded using the DoD 5220.22-M, NISPOM 8-306 standard!

    Ever heard about Guillotine, Mr. Blaze? This is even worse!


    Technodrome
     
  15. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    LOL. The net paranoia is alive and well. Me included. I know the answer, but I'm going to chime in too before the Swing Low Sweet Chariot song plays at your place.

    Can you send them to Paul W. so he can send them to Eset? LOL. Please?
     
  16. SKA

    SKA Registered Member

    Joined:
    Aug 2, 2002
    Posts:
    154
    Technodrome,

    1. What OS were you using F-Prot on please ?

    2. Would you say the heuristics of the F-Prot 3.12a Win version prove more aggressive than NOD32/DrWeb/KAV4, or would you say this is just one test case that's lucky for F-Prot and unlucky for the others?

    SKA
     
  17. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Hi SKA

    1. Windows XP & 98

    2. F-Prot has pretty aggressive neural heuristics, but this doesn't prove anything! More testing must be done to clearly answer your 2nd question!


    Technodrome
     
  18. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Yeah, that way we know which program is up to date.

    I mean, if you got a hold of these, how long till it comes for us in the wild? Have you notified someone?

    It's like saying there's this horrible thing out there and it's coming for you, cheers, have fun lol.

    panic panic=)
     
  19. Something just is not making sense here...but it was an interesting post. I will just leave it at that. :doubt: :doubt: :doubt:
     
  20. controler

    controler Guest

    Try NAV 2003 please ?
     
  21. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Life doesn't make sense sometimes....But we live!


    Technodrome
     
  22. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    657
    Location:
    Southwestern Massachusetts
    Hey Technodrome,

    If you ever run any more "Virus Scanners vs infected files" tests and need/want to test them against the AV products in my previous posting, I would be more than willing to assist in any way possible. :D

    Good luck in the future,
    KDCDQ, Security Freak
     
  23. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    KDCDQ,you are a real Security Freak!!! :D

    I'll let you know!


    Technodrome
     
  24. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    IMHO the heuristic of F-Prot is better than KAV but not as good as NOD32/DrWeb.

    wizard
     
  25. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Earlier versions of DrWeb32, say 4.25 and down, had a more aggressive heuristic analyzer. But more false positives were produced.


    Technodrome
     