msantis.exe

Discussion in 'NOD32 version 2 Forum' started by Megachip, Jun 8, 2007.

Thread Status:
Not open for further replies.
  1. Megachip

    Megachip Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    243
Seems to be a trojan downloader, which isn't detected by NOD32.

    Path: c:\windows\msantis.exe
    polls on port 135 and 5900
hidden process, not seen by most task managers

Sophos said it's Troj/Dloadr-AKP (detected since 25.06.06)

CA said Wussoe A (since 19.10.06)

    Kaspersky calls it Trojan-Downloader.Win32.Delf.arx (det. since 27.07.06)


Why doesn't NOD32 detect it yet, and is this the same trojan!?


    Regards Meg
     
    Last edited: Jun 8, 2007
  2. ASpace

    ASpace Guest

Do you have it on your own computer?

    Please submit a copy of this file to email samples [at] eset [dot] com
    Include more details and a link to this thread
     
  3. Megachip

    Megachip Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    243
No, it was on one of our observed PCs...

RAC said that it was submitted...

Hopefully someone from ESET can say something when they have analysed it.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you see in RAC that it was submitted, then it must have been detected. NOD32 doesn't submit files that are not detected at all unless you submit them manually.
     
  5. Megachip

    Megachip Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    243
We submitted it manually, but then it was immediately deleted by security task manager

     
    Last edited: Jun 8, 2007
  6. tsilo

    tsilo Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    376
To my surprise, CA can detect it and NOD32 doesn't :eek:
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Really? Are we talking about the same sample?

msantis.exe
Antivirus          Version       Update      Result
AntiVir            7.4.0.32      06.08.2007  Worm/Sdbot.448270
Avast              4.7.997.0     06.08.2007  Win32:SdBot-3700
BitDefender        7.2           06.08.2007  DeepScan:Generic.Sdbot.42D3DA65
CAT-QuickHeal      9.00          06.08.2007  W32.Brontok.Q
DrWeb              4.33          06.08.2007  BackDoor.IRC.Sdbot.1424
eSafe              7.0.15.0      06.06.2007  suspicious Trojan/Worm
Ikarus             T3.1.1.8      06.08.2007  Generic.Sdbot
NOD32v2            2319          06.08.2007  IRC/SdBot
Panda              9.0.0.4       06.08.2007  W32/Sdbot.KPU.worm
Prevx1             V2            06.08.2007  Covert.Sys.Exec
Sophos             4.18.0        06.01.2007  Mal/Packer
Sunbelt            2.2.907.0     06.07.2007  VIPRE.Suspicious
Webwasher-Gateway  6.0.1         06.08.2007  Worm.Sdbot.448270

Additional Information
File size: 448270 bytes
MD5: 47a07653b1b777f3fcadf4857a0aa892
SHA1: 1c6e576a384a0e340342b001b51d05ad568da3bf
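The whole back-and-forth in this thread turns on whether everyone has the same file, and a file name like msantis.exe settles nothing. As an added example (not code from the thread, from ESET or from VirusTotal), the script below fingerprints a local copy by size, MD5 and SHA-1 and compares it with the three values in the report above, which are taken from the page. The two byte strings it hashes are constructed for the demo and are not the real sample; `fingerprint_file` is the hypothetical helper you would point at a quarantined copy.

```python
import hashlib
from typing import Dict, List, Union

# Identity of the sample as posted in the VirusTotal report above
# (size in bytes, MD5, SHA-1). These three values are from the page.
THREAD_SAMPLE: Dict[str, Union[int, str]] = {
    "size": 448270,
    "md5": "47a07653b1b777f3fcadf4857a0aa892",
    "sha1": "1c6e576a384a0e340342b001b51d05ad568da3bf",
}

Fingerprint = Dict[str, Union[int, str]]


def fingerprint_bytes(data: bytes) -> Fingerprint:
    """Size, MD5 and SHA-1 of an in-memory file image: the same three
    fields the report lists, so two copies can be compared by content."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def fingerprint_file(path: str, chunk_size: int = 1 << 20) -> Fingerprint:
    """Same as fingerprint_bytes, but streamed from disk so a large
    quarantined file is never loaded into memory at once."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def mismatched_fields(a: Fingerprint, b: Fingerprint) -> List[str]:
    """Names of the fields that differ; hash strings compare case-insensitively."""
    out = []
    for field in ("size", "md5", "sha1"):
        va, vb = a[field], b[field]
        if isinstance(va, str):
            va, vb = va.lower(), str(vb).lower()
        if va != vb:
            out.append(field)
    return out


def same_sample(a: Fingerprint, b: Fingerprint) -> bool:
    """True only when size, MD5 and SHA-1 all agree."""
    return not mismatched_fields(a, b)


# Constructed demo input: two different byte strings that could both sit
# on disk as c:\windows\msantis.exe. Neither is the real sample, and they
# are deliberately the same length so that size alone cannot tell them apart.
DEMO_A = b"MZ" + b"\x90" * 60 + b"constructed sample A"
DEMO_B = b"MZ" + b"\x90" * 60 + b"constructed sample B"


def demo() -> dict:
    """Compare the two constructed copies with each other and with the
    sample from the report; returns the verdicts rather than printing them."""
    fa = fingerprint_bytes(DEMO_A)
    fb = fingerprint_bytes(DEMO_B)
    return {
        "a_matches_thread_sample": same_sample(fa, THREAD_SAMPLE),
        "a_matches_b": same_sample(fa, fb),
        "a_b_differ_in": mismatched_fields(fa, fb),
    }


if __name__ == "__main__":
    print(demo())
```

Run it on a real copy with `same_sample(fingerprint_file(path), THREAD_SAMPLE)`; a `False` with `mismatched_fields` listing only the hashes is exactly the "same name, different file" situation post 9 raises.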
     
  8. tsilo

    tsilo Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    376
No, I am talking about the sample not detected by NOD32 on 8 June at 06:14 AM
     
  9. Megachip

    Megachip Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    243
Possibly this msantis.exe isn't the same as that msantis.exe, which would mean more than one virus could use this filename


    @marcos
no detection by Symantec, Kaspersky etc. o_O

    regards
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Megachip, this msantis.exe must be the one you have submitted according to the time of receipt and it's already detected. As for detection by other AVs, we should refrain from bashing them if they didn't pick it up as neither NOD32 initially did. I wouldn't have posted results from VT here if it wasn't necessary; I merely wanted to give you a chance to make sure that we were talking about the same file.
     
  11. Megachip

    Megachip Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    243
Hope we are talking about the same file; at
2007-06-08 12:19:03 local time it was not detected by the scanner nor by heuristics.
If it was added because of the submission, fine, thanks for the fast reaction.
Is it detected since pattern 2319?
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    We didn't receive another file with the same name on that day so it must be the file you submitted.
     