how do I report undetected malware?

Discussion in 'malware problems & news' started by skekr, May 9, 2005.

Thread Status:
Not open for further replies.
  1. skekr

    skekr Registered Member

    Joined:
    May 9, 2005
    Posts:
    5
    Hi everyone. I'm new to this forum, but over the past few days I've been lurking here, and I must say it's a great site!

    Anyway, the reason I started looking at security websites is that I was recently infected with a virus that my brother downloaded and that my anti-virus program (Avast) was unable to detect. Using Jotti's online malware scan, no one but Kaspersky identified the executable as malware. I emailed the file to Avast, and they have since updated their definitions, as have VBA32.

    Viruses tick me off, and I would like to report this virus to other anti-virus companies to help prevent further infections. However, I've had trouble finding a way to report unknown infected files. Could anyone tell me how to report the file to the following companies:

    AntiVir, AVG, BitDefender, ClamAV, Dr. Web, F-Prot, Fortinet, mks_vir, NOD32, Norman Virus Control.

    I'm unsure as to whether Norton or Mcafee or any other companies can detect this file, as they are not listed on Jotti's website.

    Thank you for your help, and thank you for creating such a helpful forum.
     
  2. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Hi,

    Send the file to http://www.virustotal.com/flash/index_en.html which is another multi AV scanner where Norton is used (Symantec)

    You can submit the file to McAfee by zipping the file and passwording it 'infected' and sending it to vsample@nai.com

    It is automatically unzipped (as long as it is passworded 'infected') and you will get a reply e-mail either saying

    1) Our current Dats detect this as XXXXXX

    or

    2) Our strongest set of Heuristics has identified this as a possible virus, being forwarded to virus researcher

    or

    3) Our current dats do not detect any virus. This file is being referred to a researcher to check the file.

    You will be contacted on the findings.

    Hope this helps

    Jlo
     
  3. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Should have said as well, for other antivirus software vendors:

    also zip the file and password it (tell them the password in your e-mail)

    and send to

    Bitdefender virus_submission@bitdefender.com

    Trend Antivirus virus_doctor@trendmicro.co.uk

    Sophos samples@sophos.com

    Panda virussamples@pandasoftware.com

    Norman analysis@norman.no

    Nod32 samples@nod32.com

    KAV newvirus@kaspersky.com

    VBA Antivirus newvirus@anti-virus.by

    MKS/Arcabit/Arcavir virus@arcabit.com

    F-secure vsamples@f-secure.com

    Fortinet submitvirus@fortinet.com

    Dr Web vms@drweb.com (Password protect 'virus'. Don't know why but that's what they say!)

    Computer Associates (Vet Inoculate etc) virus@ca.com

    AVG virus@grisoft.com

    Avast virus@asw.cz

    Antivir virus@free-av.de

    Authentium Antivirus virus@authentium.com

    ahnlan AV v3sos@ahnlab.com

    Sure there are many others but hope these are useful.

    Cheers

    Jlo
     
    Last edited: May 9, 2005
  4. Happy Bytes

    Happy Bytes Guest

  5. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Cheers Happy Bytes :)
     
  6. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Virus submissions can be made for Clam here http://cgi.clamav.net/sendvirus.cgi

    Bear in mind though that some of the AV vendors have access to all of Jotti's submissions so many will add defs just from getting it scanned by Jotti.

    Cheers

    Jlo
     
  7. skekr

    skekr Registered Member

    Joined:
    May 9, 2005
    Posts:
    5
    jlo-

    Thanks for the help - I sent the infected file to all the addresses listed. Here are the results of the multi-AV scanner you recommended (VirusTotal):

    Scan results
    File: [removed]
    Date: 05/09/2005 23:54:09 (CET)
    ----
    AntiVir 6.30.0.12/20050509 found nothing
    AVG 718/20050509 found nothing
    BitDefender 7.0/20050509 found nothing
    ClamAV devel-20050501/20050509 found nothing
    DrWeb 4.32b/20050509 found nothing
    eTrust-Iris 7.1.194.0/20050509 found nothing
    eTrust-Vet 11.9.1.0/20050509 found nothing
    Fortinet 2.51/20050509 found nothing
    Ikarus 2.32/20050509 found [suspicious program sequence found]
    Kaspersky 4.0.2.24/20050509 found [removed]
    McAfee 4487/20050509 found nothing
    NOD32v2 1.1091/20050509 found nothing
    Norman 5.70.10/20050503 found nothing
    Panda 8.02.00/20050509 found nothing
    Sybari 7.5.1314/20050509 found nothing
    Symantec 8.0/20050509 found nothing
    VBA32 3.10.3/20050509 found [removed]


    I'll keep you updated on how long it takes for the various companies to update their definitions. Personally, I'm interested to see how long it takes.

    (P.S. I removed the malware name - I don't want to encourage anyone to spread it)
     
  8. skekr

    skekr Registered Member

    Joined:
    May 9, 2005
    Posts:
    5
    It's now been a little over 48 hours since I submitted the malware to the emails listed above. FYI, the file is a trojan that attempts to dial pay-XXX phone numbers. Good thing I use broadband and not a modem!

    As of last night, eTrust-Iris, eTrust-Vet, Fortinet, and Sybari could detect the trojan. As of tonight, AntiVir can also detect it. When I submitted it to Avast last week, it took them under 48 hours to add definitions.

    Symantec, McAfee, AVG, BitDefender, ClamAV, Dr. Web, F-Prot, mks_vir, NOD32, Norman Virus Control, and Panda can still not detect the trojan. I must say I'm disappointed at how long it's taking some of these companies to recognize new malware.

    However, this little incident has been enough to convince me to purchase Kaspersky. I was previously considering their software, but this did it. They're the only ones who would have prevented the infection for me.
     
  9. skekr

    skekr Registered Member

    Joined:
    May 9, 2005
    Posts:
    5
    If anyone's interested, this is what the scanners detect today.

    Jotti's malware scan:

    AntiVir Found DIAL/302066 dialer
    Avast Found Win32:Lisa
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found Dial/Lisd.A
    Kaspersky Anti-Virus Found not-a-virus:RiskWare.Dialer.gen
    mks_vir Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    VBA32 Found RiskWare.Dialer.gen

    VirusTotal.com:

    AntiVir 6.30.0.12 05.13.2005 DIAL/302066
    AVG 718 05.13.2005 no virus found
    Avira 6.30.0.12 05.13.2005 DIAL/302066
    BitDefender 7.0 05.13.2005 no virus found
    ClamAV devel-20050501 05.13.2005 no virus found
    DrWeb 4.32b 05.13.2005 no virus found
    eTrust-Iris 7.1.194.0 05.13.2005 Win32/Dluca.AH!Trojan
    eTrust-Vet 11.9.1.0 05.13.2005 Win32.Dluca.AE
    Fortinet 2.51 05.13.2005 Dial/Lisd.A
    Ikarus 2.32 05.13.2005 suspicious program sequence found
    Kaspersky 4.0.2.24 05.13.2005 not-a-virus:RiskWare.Dialer.gen
    McAfee 4491 05.13.2005 no virus found
    NOD32v2 1.1095 05.13.2005 no virus found
    Norman 5.70.10 05.13.2005 no virus found
    Panda 8.02.00 05.15.2005 no virus found
    Sybari 7.5.1314 05.13.2005 Win32/Dluca.AH!Trojan
    Symantec 8.0 05.13.2005 no virus found
    VBA32 3.10.3 05.13.2005 RiskWare.Dialer.gen

    This will be the last time I submit the file for scanning - the time has come for me to delete it permanently. I must say I'm disappointed that it takes over 4 days for so many companies to update their definitions.
     
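    A small script, added here as an illustration and not something from the thread or from VirusTotal, that parses the two VirusTotal text listings skekr posted (the 09 May "found ..." style and the 13 May "no virus found" style) and reports which engines picked up the sample between the two scans. The engine lines are copied from the thread, trimmed to a handful of engines; the "[removed]" verdicts are treated as detections because a name was redacted, not absent.

```python
from typing import Dict, Tuple

# Constructed sample input: lines quoted from the thread, abbreviated.
# Day-1 format: "<engine> <version>/<date> found <result>"
# Day-4 format: "<engine> <version> <date> <result>"
DAY1 = """\
AntiVir 6.30.0.12/20050509 found nothing
Fortinet 2.51/20050509 found nothing
Ikarus 2.32/20050509 found [suspicious program sequence found]
Kaspersky 4.0.2.24/20050509 found [removed]
McAfee 4487/20050509 found nothing
VBA32 3.10.3/20050509 found [removed]
"""

DAY4 = """\
AntiVir 6.30.0.12 05.13.2005 DIAL/302066
Fortinet 2.51 05.13.2005 Dial/Lisd.A
Ikarus 2.32 05.13.2005 suspicious program sequence found
Kaspersky 4.0.2.24 05.13.2005 not-a-virus:RiskWare.Dialer.gen
McAfee 4491 05.13.2005 no virus found
VBA32 3.10.3 05.13.2005 RiskWare.Dialer.gen
"""

# Verdict strings that mean "no detection" in the two listing styles.
NEGATIVE = {"nothing", "no virus found"}


def parse_listing(text: str) -> Dict[str, Tuple[bool, str]]:
    """Map engine name -> (detected?, verdict) for either line format."""
    results: Dict[str, Tuple[bool, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " found " in line:                      # day-1 style line
            head, verdict = line.split(" found ", 1)
            engine = head.split(" ", 1)[0]
            verdict = verdict.strip("[]")          # "[removed]" -> "removed"
        else:                                      # day-4 style line
            parts = line.split(" ", 3)
            engine = parts[0]
            verdict = parts[3] if len(parts) > 3 else ""
        results[engine] = (verdict not in NEGATIVE, verdict)
    return results


def detection_rate(listing: Dict[str, Tuple[bool, str]]) -> Tuple[int, int]:
    """(engines detecting, engines total) for one scan."""
    return sum(1 for hit, _ in listing.values() if hit), len(listing)


def newly_detecting(before, after):
    """Engines that missed the sample in the first scan but flag it in the second."""
    return sorted(e for e in after
                  if after[e][0] and not before.get(e, (False, ""))[0])
```

    Run against the full listings in the thread, this gives the same picture skekr summarised by hand: the heuristic and Kaspersky/VBA32 hits on day one, then AntiVir and Fortinet (and the eTrust/Sybari engines) added over the following four days.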
  10. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Add BOClean - support@nsclean.com (please ZIP or RAR). We typically include any malware submission within 24 hours. We understand sentiments like those expressed by Skekr.
     