Discussion in 'NOD32 version 2 Forum' started by lynchknot, Nov 1, 2004.
As per post number 15, no AV picks up the .exe file by itself.
See post 24, where the .exe files were uploaded and NOD & others detect IDeath as an .exe, not a zip.
One answer could be that Jotti uses the Linux versions of antiviruses, whereas VirusTotal & we use the Windows versions, and it's a strong possibility that the Linux version doesn't see the .exe as a threat as it cannot affect Linux.
I've noticed this before with some malware and online scanners.
Sorry about that, missed it. Tis truly weird, will be interesting to see what Eset have to say...
It is weird
look out for the black helicopters
Only in very special cases do vendors issue detection for zip files; this isn't one of them.
The extension of the file also doesn't matter.
You needn't bother Eset with this, this seems to be an error at Jotti's site.
haha - dvk -
Where is "virustotl"? I would like the URL. Nice to have many alternatives. Thanks!
...which has an advantage over Jotti of having slightly faster servers, and if you cannot use a browser to upload for any reason, you can send by email direct to the scanner as well & get the reply back by email.
Appreciate it dvj01 - I googled your typo "virustotl", which is why I asked.
Fortunately, that is not the case. All files are scanned, regardless of permission attributes or extensions.
A piece of malware that goes undetected in plain form is detected when archived. Combine this with the fact that most on-access scanners do not scan archives...
There was a bug in my service that did not warn visitors when their upload was compromised. If a virus or firewall prevented you from uploading certain files, the service would receive files of 0 bytes (which are obviously harmless, so the service itself is basically correct in stating the file is OK). I corrected this problem, and whenever a 0-byte file is received, you will get a warning.
I think this is the problem, but I cannot be sure. If someone could please try again.... if the problem is still there, I would like a sample. I really never ask for samples, but I have been unable to reproduce this problem and uploading this very file myself seems the best way to start... Please send it to jotti at jotti dot dhs dot org in a password protected zip file using the password "malware" without quotes. Be sure not to mention the password in the email, or my email system will reject the message immediately.
By the way: about the service being slow: I agree. I'm just waiting for my new hardware parts to be delivered.
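The failure mode Jotti describes above, as an added example that is not Jotti's own code: an upload handler that refuses to pass an empty or truncated upload to the engines (reporting it as such instead of "OK"), and that scans a zip's members as well as the archive itself, the way the scan log later in the thread does. The byte-pattern "engine" and the sample archive are constructed stand-ins for real AV engines and real samples.

```python
import io
import zipfile
from typing import Optional

# Constructed toy signature; a real service hands the bytes to AV engines instead.
TOY_SIGNATURE = b"SCKEYLOG-MARKER"


def toy_scan(data: bytes) -> str:
    """Stand-in for an AV engine: flag on a byte pattern, otherwise OK."""
    return "INFECTED" if TOY_SIGNATURE in data else "OK"


def scan_upload(data: bytes, declared_length: Optional[int] = None) -> dict:
    """Validate the received bytes before trusting any engine verdict.

    status is EMPTY_UPLOAD, TRUNCATED_UPLOAD or SCANNED. An empty or
    truncated upload (e.g. blocked by a local AV or firewall on the client)
    is reported as such rather than as a clean file, which is the fix
    described in the thread.
    """
    if len(data) == 0:
        return {"status": "EMPTY_UPLOAD", "verdicts": {}}
    if declared_length is not None and len(data) < declared_length:
        return {"status": "TRUNCATED_UPLOAD", "verdicts": {}}
    verdicts = {"<upload>": toy_scan(data)}
    # For a zip, also scan each member, so the archive and its contents each
    # get their own verdict (as in the "+ZIP +IDeath.exe" lines of a NOD32 log).
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    verdicts[info.filename] = toy_scan(zf.read(info))
    return {"status": "SCANNED", "verdicts": verdicts}


def build_sample_zip() -> bytes:
    """Constructed sample archive: one flagged member, one clean member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IDeath.exe", b"MZ" + TOY_SIGNATURE)  # constructed, not real malware
        zf.writestr("Read Me.txt", b"just a readme")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_upload(b""))                      # EMPTY_UPLOAD, not OK
    print(scan_upload(build_sample_zip()))       # per-member verdicts
```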
I have sent you a PM with the direct download link.
BTW Jotti, excellent work at your site. A much needed resource. Are you using the latest NOD? I wonder why it misses as much as it does? I know you stopped posting percentages, but it always seemed quite a bit below KAV; any opinion on that?
Thanks for the sample Blackspear
I uploaded both malware pieces in the zip file, as well as the zip file itself, and my service responded with "INFECTED/MALWARE" all three times. Which makes me believe this is indeed an instance of malware/firewalls blocking uploads.
This is backed up by the fact that my service log does not mention Ideath.exe being uploaded at all (double files are ignored and a 0 bytes file had already been uploaded).
Thanks Sure. KAV detects more "bleeding edge malware" than NOD32 does. They add a lot though, they're on my automatic malware mailing list, which is good.
Thanks for the help. My service does not seem to be in error here.
I turned off AMON/IMON - Is gunB0t.exe a false positive? NOD scans it clean on my desktop as well.
NOD32 detected an infiltration inside the archive without any doubt. Here is a scan log (full directory path has been cut):
...\VIRUS\IDeath.exe - Win32/Spy.SCKeyLog.O trojan
...\VIRUS\Read Me.txt - is OK
...\VIRUS\gunB0t.exe - is OK
...\VIRUS\gunbot10.30.04.zip +ZIP +IDeath.exe - Win32/Spy.SCKeyLog.O trojan
...\VIRUS\gunbot10.30.04.zip +ZIP +Read Me.txt - is OK
...\VIRUS\gunbot10.30.04.zip +ZIP +gunB0t.exe - is OK
The "gunB0t.exe" contains the Win32/Singu.v trojan, which is not detected by NOD32 because it is not malware. It's basically just a game cheat type file... nothing actually malicious. So it appears that KAV and the others have got it wrong. The only file which is malware is Win32/Spy.SCKeyLog.O trojan, which NOD32 detected.
Thank you Mr Coot for clearing that up, it was a bit mystifying to see the various results...
A pleasure as always