KAV cant find this virus and its say its Corrupted file but its not !!!!

Discussion in 'other anti-virus software' started by big problem, Jun 28, 2005.

Thread Status:
Not open for further replies.
  1. big problem

    big problem Guest

    hi

    there is new virus I don load it from this link https://www.wilderssecurity.com/showthread.php?t=86708 to test by my self
    so I scan this file and it miss it
    so I send it to Kaspersky Online Virus Scanner and i have this resualt
    http://www.upfiles.com/upfiles/upload/82-1119983246.png
    the file is Corrupted !!!

    but in http://www.virustotal.com the rusult is differnt
    http://www.upfiles.com/upfiles/upload/82-1119983248.png
    you can see panda and dr web

    also you can see nod32 do nothing and the hueristics useless
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    From your screenshot of Kaspersky Online Scanner, I can see that the file is corrupted. In this case, it is perfectly normal if some AVs do not detect the malware in that file (tell me, if the file is corrupt, how will the malware in that file execute?) :)
     
  3. big problem

    big problem Guest

    so the norton and dr.web and sybria and antvir and avir WRONG but the kav is TRUE !!!!
    hard to belive this :)
     
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Its just that some vendors may choose not to detect malware in corrupt files (maybe because of performance reasons), because if the file is corrupt it wouldnt execute anyway. :)

    Did you try any other online scanner? Y'know, like Trend Micro's housecall, or something? :)
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    To be more correct....the file that was removed by the Wilders staff was virus.rar.txt....which contained 3 files....one of which was TFTP1448.exe

    Granted....TFTP1448.exe at the moment is not picked up by a number of AV's....but given adequate time....it will be in their respective databases. Of course....if the timely updating of AV signatures has become a race to some folks....it is indeed a sad commentary of where priorities are.
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    If Trend, Panda and other online scanners also say the file is corrupted, then it IS corrupted.......
     
  7. big problem

    big problem Guest

    I have scan it in panda online and found the same virus
    http://www.upfiles.com/upfiles/upload/82-1119985918.png

    the BIG problem is the virus dicovered in Sept. 1, 2004 !!!!!
    http://www.pandasoftware.com/virus_info/encyclopedia/ficha.aspx?iddeteccion=97433
     
  8. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Well, I am not an expert at this, but upon disassembly of TFTP1448.exe, the header states the wrong file size and the disassembler I used stated that the file is not a windows executable. Both of these imply that the file is indeed corrupt and should not be able to execute. However I did not try that :D , so I would warn you not to try it either ;) ...
     
  9. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    To verify whether the file actually was corrupt or not, I set up a sandbox and tried to execute it from there. The file would not execute. Kaspersky was right that the file is corrupt. It can not run on windows. So basically it is a junk file, that no AV needs to find as it is not a "live" executable file or a threat.
     
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Actually....as puff-m-d said....the file you're so hung up on is basically garbage and am thank-ful to those AV's that correctly diagnosed that fact. The BIG problem you should be concentrating on and hoping your AV correctly catches is the MHTMLRedir.Exploit html file....which contains a bee hive load of goodies.
     
  11. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma


    Norton detected and cleans that exploit since way back (MHTMLRedir.Exploit)
     
    Last edited: Jun 29, 2005
  12. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    If you can send the sample to heuristik [at] antivir.de, I can have a look at the file and check how exactly it is corrupted. I think it is just cut off at the end, as some malware fails to transfer itself completely sometimes. Depending on how the scanner detects malware (signature/crc, without/after unpacking), the detection will fail.

    Detection doesn't mean the same is still working. When you have a look at the collection of various testers, you will find tons of corrupted/garbage files.
    BTW, KAV is top in detecting those garbage files - they add detection for everything, even if it doesn't make sense at all. Just to pump up the detection rate for those badly performed tests.
     
  13. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Done ;) ...
     
  14. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    As I suspected, the file simply got cut off. The original file size was 138.752 bytes (the sample has 60.416 bytes). The entry point, import table and IAT are outside the physical file limits, the file cannot launch at all and is completely destroyed.

    From the remaining structures I would guess it was compressed with Molebox.
     
  15. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    So I was right after all...Wow :)
     
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Don't hurt your lips tooting that horn :eek:
     
  17. big problem

    big problem Guest

    thank you :) its clear now :)
     
  18. big problem

    big problem Guest


    why you talk to me like this ?
    do you mean im horn ?
     
  19. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    It's an expression, and you can see from his quote that he's saying this to Firecat, not to you.
     
  20. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    :D :D :D ;)
     
Loading...
Thread Status:
Not open for further replies.