Interesting scan results

Discussion in 'NOD32 version 2 Forum' started by lynchknot, Nov 1, 2004.

Thread Status:
Not open for further replies.
  1. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    As per post number 15, no AV picks up the .exe file by itself.

    Cheers :D
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    See post 24, where the .exe files were uploaded and NOD & others detect IDeath as an exe, not a zip.
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    One answer could be that Jotti uses the Linux versions of the antiviruses, whereas VirusTotal & we use the WINDOWS versions, and it's a strong possibility that the Linux version doesn't see the exe as a threat, as it cannot affect Linux.
    I've noticed this before with some malware and online scanners.
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Sorry about that, missed it. Tis truly weird, will be interesting to see what Eset have to say...

    Cheers :D
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    It is weird

    look out for the black helicopters :D
     
  6. Schouw

    Schouw AV Expert

    Joined:
    Jan 4, 2004
    Posts:
    29
    Location:
    Netherlands
    Interesting. :)

    Only in very special cases do vendors issue detection for zip files; this isn't one of them.
    The extension of the file also doesn't matter.

    You needn't bother Eset with this; this seems to be an error at Jotti's site.
    Contact him. :)
     
  7. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    haha - dvk - :)


    Where is "virustotl"? I would like the URL. Nice to have many alternatives. Thanks!
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    http://www.virustotal.com/flash/index_en.html

    which has an advantage over Jotti of having slightly faster servers, and if you cannot use a browser to upload for any reason, you can send by email direct to the scanner as well & get the reply back by email.
     
  9. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Appreciate it dvk01 - :cool: I googled your typo "virustotl", which is why I asked.
     
  10. Jotti

    Jotti Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    11
    Location:
    The Netherlands
    Fortunately, that is not the case. All files are scanned, regardless of permission attributes or extensions.

    A piece of malware that goes undetected in plain form is detected when archived. Combine this with the fact that most on-access scanners do not scan archives...
    There was a bug in my service that did not warn visitors when their upload was compromised. If a virus or firewall prevented you from uploading certain files, the service would receive files of 0 bytes (which are obviously harmless, so the service itself is basically correct in stating the file is OK). I corrected this problem, and whenever a 0-byte file is received, you will get a warning.

    I think this is the problem, but I cannot be sure. If someone could please try again... if the problem is still there, I would like a sample. I really never ask for samples, but I have been unable to reproduce this problem, and uploading this very file myself seems the best way to start... Please send it to jotti at jotti dot dhs dot org in a password protected zip file using the password "malware" without quotes. Be sure not to mention the password in the email, or my email system will reject the message immediately.

    By the way: about the service being slow: I agree. I'm just waiting for my new hardware parts to be delivered.
     
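    The failure mode Jotti describes above, modelled as an added example (not Jotti's own code): a local AV or firewall blocks the upload, the service receives 0 bytes, and a naive pipeline reports "OK". The hypothetical `ScanService` below reports an empty body as a failed upload rather than a clean verdict, never caches it, and keys results by content hash rather than filename; the engines and sample bytes are constructed.

```python
# Added example, not Jotti's code: an upload blocked by local AV/firewall arrives
# as 0 bytes. Report that as EMPTY_UPLOAD, never as "OK", and never cache it.
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical engine interface: takes file bytes, returns detection name or None.
Engine = Callable[[bytes], Optional[str]]

@dataclass
class Verdict:
    status: str                  # "EMPTY_UPLOAD", "OK" or "INFECTED"
    sha256: str
    detections: Dict[str, str]   # engine name -> detection label

class ScanService:
    def __init__(self, engines: Dict[str, Engine]) -> None:
        self.engines = engines
        self.cache: Dict[str, Verdict] = {}   # keyed by content hash, not filename

    def submit(self, filename: str, data: bytes) -> Verdict:
        digest = hashlib.sha256(data).hexdigest()
        if len(data) == 0:
            # The bug in the post: an empty body means the upload was blocked,
            # not that the file is clean. Warn the submitter and do not cache.
            return Verdict("EMPTY_UPLOAD", digest, {})
        if digest in self.cache:
            return self.cache[digest]        # same bytes: a true duplicate
        hits: Dict[str, str] = {}
        for name, engine in self.engines.items():
            label = engine(data)
            if label:
                hits[name] = label
        verdict = Verdict("INFECTED" if hits else "OK", digest, hits)
        self.cache[digest] = verdict
        return verdict

# Constructed toy engine standing in for a real AV product: matches a marker string.
def marker_engine(data: bytes) -> Optional[str]:
    return "Test.Marker" if b"CONSTRUCTED-BAD-MARKER" in data else None

def demo() -> List[str]:
    svc = ScanService({"engineA": marker_engine})
    sample = b"MZ..CONSTRUCTED-BAD-MARKER.."      # constructed, not real malware
    r1 = svc.submit("IDeath.exe", b"")            # upload blocked locally
    r2 = svc.submit("IDeath.exe", sample)         # the real bytes arrive later
    r3 = svc.submit("copy.exe", sample)           # duplicate content, from cache
    return [r1.status, r2.status, r3.status]
```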
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have sent you a PM with the direct download link.

    Cheers :D
     
  12. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    BTW Jotti, excellent work at your site. A much needed resource. Are you using the latest NOD? I wonder why it misses as much as it does? I know you stopped posting percentages, but it always seemed quite a bit below KAV; any opinion on that?
     
    Last edited: Nov 2, 2004
  13. Jotti

    Jotti Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    11
    Location:
    The Netherlands
    Thanks for the sample Blackspear :)

    I uploaded both malware pieces in the zip file, as well as the zip file itself, and my service responded with "INFECTED/MALWARE" all three times. Which makes me believe this is indeed an instance of malware/firewalls blocking uploads.
    This is backed up by the fact that my service log does not mention Ideath.exe being uploaded at all (double files are ignored, and a 0-byte file had already been uploaded).

    Thanks :) Sure. KAV detects more "bleeding edge malware" than NOD32 does. They add a lot though, they're on my automatic malware mailing list, which is good.

    Thanks for the help. My service does not seem to be in error here.
     
  14. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I turned off AMON/IMON - Is gunB0t.exe a false positive? NOD scans it clean on my desktop as well.

     
  15. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
    NOD32 detected an infiltration inside the archive without any doubt. Here is a scan log (full directory path has been cut):

    ...\VIRUS\IDeath.exe - Win32/Spy.SCKeyLog.O trojan
    ...\VIRUS\Read Me.txt - is OK
    ...\VIRUS\gunB0t.exe - is OK
    ...\VIRUS\gunbot10.30.04.zip +ZIP +IDeath.exe - Win32/Spy.SCKeyLog.O trojan
    ...\VIRUS\gunbot10.30.04.zip +ZIP +Read Me.txt - is OK
    ...\VIRUS\gunbot10.30.04.zip +ZIP +gunB0t.exe - is OK

    The "gunB0t.exe" contains Win32/Singu.v trojan which is not detected by NOD32 because it is not malware. It's basically just a game cheat type file... nothing actually malicious. So it appears that KAV and the others have got it wrong. The only file which is malware is Win32/Spy.SCKeyLog.O trojan which NOD32 detected.

    Bandicoot.
     
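    An added example, not ESET's or Jotti's code: a parser for scan-log lines in the format Bandicoot shows above ("<path> - <verdict>", with archive members written as "<archive> +ZIP +<member>"). It also lists the on-disk files whose only detection sits inside an archive, which is what an on-access scanner that skips archives (as Jotti notes most do) would report as clean. The sample log is constructed from the post's lines.

```python
# Added example, not ESET's code: parse NOD32-style scan log lines and find
# files that only show a detection inside an archive member.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the post's format (paths truncated as in the post).
SAMPLE_LOG = """\
...\\VIRUS\\IDeath.exe - Win32/Spy.SCKeyLog.O trojan
...\\VIRUS\\Read Me.txt - is OK
...\\VIRUS\\gunB0t.exe - is OK
...\\VIRUS\\gunbot10.30.04.zip +ZIP +IDeath.exe - Win32/Spy.SCKeyLog.O trojan
...\\VIRUS\\gunbot10.30.04.zip +ZIP +Read Me.txt - is OK
...\\VIRUS\\gunbot10.30.04.zip +ZIP +gunB0t.exe - is OK
"""

@dataclass
class Record:
    path: str                          # the file on disk (outermost container)
    members: List[Tuple[str, str]]     # (archive type, member name) chain
    detection: Optional[str]           # None when the verdict is "is OK"

def parse_line(line: str) -> Record:
    # The verdict is everything after the last " - "; paths may contain spaces.
    location, _, verdict = line.rstrip().rpartition(" - ")
    if not location:
        raise ValueError(f"unrecognised scan log line: {line!r}")
    parts = location.split(" +")        # e.g. [archive, "ZIP", "IDeath.exe"]
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced archive chain: {line!r}")
    members = list(zip(parts[1::2], parts[2::2]))   # supports nested archives
    verdict = verdict.strip()
    return Record(parts[0], members, None if verdict == "is OK" else verdict)

def parse_log(text: str) -> List[Record]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def archive_only(records: List[Record]) -> List[str]:
    # On-disk files whose every detection sits inside an archive member: an
    # on-access scanner that does not open archives would call these clean.
    plain_hits = {r.path for r in records if r.detection and not r.members}
    nested_hits = {r.path for r in records if r.detection and r.members}
    return sorted(nested_hits - plain_hits)
```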
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thank you Mr Coot for clearing that up, it was a bit mystifying to see the various results...

    A pleasure as always ;) :D

    Cheers :D
     