Seems to be a trojan downloader which wasn't detected by NOD32.
Path: c:\windows\msantis.exe
polls on ports 135 and 5900
hidden process, not seen by most task managers
Sophos said it's Troj/Dloadr-AKP (detected since 25.06.06)
CA said Wussoe A (since 19.10.06)
Kaspersky calls it Trojan-Downloader.Win32.Delf.arx (det. since 27.07.06)
Why has NOD32 not detected it yet, and is this the same trojan!?
Regards, Meg
Do you have it on your own computer? Please submit a copy of this file by email to samples [at] eset [dot] com. Include more details and a link to this thread.
No, it was on one of our observed PCs... RAC said that it was submitted... Hopefully someone from ESET can say something when they have analysed it.
If you see in RAC that it was submitted, then it must have been detected. NOD32 doesn't submit files that are not detected at all unless you submit them manually.
Really? Are we talking about the same sample? msantis.exe
Antivirus          Version    Update      Result
AntiVir            7.4.0.32   06.08.2007  Worm/Sdbot.448270
Avast              4.7.997.0  06.08.2007  Win32:SdBot-3700
BitDefender        7.2        06.08.2007  DeepScan:Generic.Sdbot.42D3DA65
CAT-QuickHeal      9.00       06.08.2007  W32.Brontok.Q
DrWeb              4.33       06.08.2007  BackDoor.IRC.Sdbot.1424
eSafe              7.0.15.0   06.06.2007  suspicious Trojan/Worm
Ikarus             T3.1.1.8   06.08.2007  Generic.Sdbot
NOD32v2            2319       06.08.2007  IRC/SdBot
Panda              9.0.0.4    06.08.2007  W32/Sdbot.KPU.worm
Prevx1             V2         06.08.2007  Covert.Sys.Exec
Sophos             4.18.0     06.01.2007  Mal/Packer
Sunbelt            2.2.907.0  06.07.2007  VIPRE.Suspicious
Webwasher-Gateway  6.0.1      06.08.2007  Worm.Sdbot.448270
Additional Information
File size: 448270 bytes
MD5: 47a07653b1b777f3fcadf4857a0aa892
SHA1: 1c6e576a384a0e340342b001b51d05ad568da3bf
Possibly msantis.exe isn't the same as msantis.exe, meaning more than one virus could use this filename. @marcos: no detection by Symantec, Kaspersky etc. Regards
Megachip, this msantis.exe must be the one you have submitted according to the time of receipt and it's already detected. As for detection by other AVs, we should refrain from bashing them if they didn't pick it up, as NOD32 initially didn't either. I wouldn't have posted results from VT here if it wasn't necessary; I merely wanted to give you a chance to make sure that we were talking about the same file.
I hope we are talking about the same file; at 2007-06-08 12:19:03 local time it was detected neither by the scanner nor by heuristics. If it was added because of the submission, fine, that was a fast reaction. Is it since pattern 2319 that it has been detected?