Never too many AV:s and AT:s installed in one PC?

Discussion in 'other anti-virus software' started by Firefighter, Aug 31, 2003.

Thread Status:
Not open for further replies.
  1. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Hi everyone! Between 21.-24. August I have got 7 infections to my PC. All that time I had DrWeb 4.30 as my resident AV and TrojanHunter 3.6 trial version as my AT (updated manually every possible day) installed in my PC.

    According to RAV and KAV, those infections were trojans, one exploit and one dialer!


    Count.class-42fad49f-2e7173e8.class | Infected: Trojan:Java/ClassLoader.A

    BlackBox.class | Infected: Trojan:Java/ClassLoader.C

    Dummy.class | Infected: Trojan.Java.ClassLoader.d

    VerifierBug.class | Infected: Java/Bytverify

    Beyond.class | Infected: Trojan:Java/Needy

    Dummy.class-1012b178-7d88f275.class | Infected: Trojan.Java.Nocheat   

    _10910-p-1-0-.exe->(UPXW) | Infected: Tool:pornDialer.gen!

    I found almost all those infections by KAV 4.5 full scan, except Tool:pornDialer.gen, which was found by RAV. I am using the extended database in my KAV, by adding "_ext" to the end of every Update Server URL:s and it works fine!

    After those findings, I posted those infections on 27. August to RAV, DrWeb and TrojanHunter, but it is still only KAV, that is able to detect all of them, except that dialer, because I send that to KAV today.

    After those infections, I scanned my PC with NOD32 and best possible settings of course. Result, found nothing! It was some two days after that I have send those files to DrWeb and RAV.

    So, if those should be viruses, according to VB rules, when some virus was detected twice with different av-company, it will be "in the Wild" virus. What a shame that they were mostly only "trojans"!

    The only conclusion I can make from this is, "Without Kaspersky engined AV in your PC, You are in big trouble"!

    That's why I am using KAV 4.5 as my resident now without control center!


    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  2. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Hi FF

    NOD32 missed them, because they are Trojans. That field is where NOD32 is currently improving (doing a great job).

    They are not ITW Trojans cause they are not spreading.

    Please send me copies of these files to avspyder@inbox.lv (if you still posses them) so I can send them out to AV vendors.


    Thanks

    tECHNODROME
     
  3. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Hi Firefighter!

    Let's forget the brand of the used AV and/or AT:

    of course a stupid question from my side, but how is it possible to get 7 infections on your PC in just 4 days?

    Ciao,

    Smokey
     
  4. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    First of all, I was not at all using my puter, when those infections had become to my PC. It was my 16 year old son, who was doing what so ever with this machine!

    Obviously, that was very interesting session during that time, but for me it was quite plenty of work.

    Secondly, I will wait some couple of weeks, after that I am sending these files, because I want to see if there is any cooperation between different AV or AT companies anymore!

    When we are talking about viruses, after that when I sent those files to RAV and DrWeb, they had to be "in the Wild". I wonder, if anything happens now when they were trojans and other stuff!

    By the way, Panda online scanner found this,

    Exploit/ByteVerify [BlackBox.class]
    Exploit/ByteVerify [VerifierBug.class]
    Exploit/ByteVerify [Dummy.class]
    Exploit/ByteVerify [Beyond.class]
    BitDefender online scan found nothing!

    After what had happened, I have KAV, RAV and DrWeb installed on my PC plus TrojanHunter as my AT! Still I trust mostly on KAV 4.5, why, I have not had any viruses in my PC when I used many other AV:s too, but here we can see that several trojans and other stuff, were KAV is unbeatenable! Even NOD32 has never found a single virus from my puter, but had missed plenty of other stuff!

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  5. Rickster

    Rickster Guest

    Per Network Associates, an example of your Panda results describes Exploit/ByteVerify as:

    "Trojan Characteristics: This detection covers Java applets that attempt to exploit the Microsoft Security Bulletin MS03-011 vulnerability. This severity of this vulnerability is considered to be critical. It allows an attacker to execute malicious code, simply by visiting an infectious website. Detections of this exploit do not necessarily mean that any malicious code was executed. It simply means that a Java applet was found to contain the exploit code. Conversely malicious code may have been run, which could result in any number of modifications to the system. All vulnerable systems should apply the patch from Microsoft. Patched systems are immune from the effects of the exploit code. However, detection will still occur files attempting to make use of this exploit."

    I'd suppose your system is fully patched, but might be wise for your son to surf with scripting of Java applets (and other scripting functions, including Active X and file downloads) disabled. If he can't find something fun to interact with in that mode, he probably doesn't need to be there in the first place. Just a thought.

    Rickster
     
  6. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    It is very strange for me about that, when I posted that infected archive (happy99.zip) to BitDefender, DrWeb, KAV , RAV and TrojanHunter tech support some 2-4 days ago, so it was just today, when only DrWeb (3 days later) could detect that dangerous "Trojan.FlashKiller".

    http://www.datafellows.fi/v-descs/flkiller.shtml

    As I said earlier, everything started when TrojanHunter 3.6 detected that file as "suspicous" with heuristics settings and all limitations off.

    I have scanned that file today with, BitDefender Free 7.1, DrWeb 4.30, Kaspersky Personal 4.5, McAfee FreeScan Online, Panda ActiveScan, RAV 8.6, Trend Micro HouseCall, and TrojanHunter 3.6, but only one right identification with DrWeb 4.30. I have only some 16 different trojans, worms, exploits, testfiles and so on, but McAfee Free Scan online detected 5 compared to DrWeb 13, KAV 12, RAV 11, BitDefender 10 and TrojanHunter 6 of them!

    It seems to me that McAfee is mostly against "our family surfing habits", but it still won that latest Rokop av-test!

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  7. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    It wasn't that simple, read this:

    http://www.wilderssecurity.com/showthread.php?t=13282


    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
Loading...
Similar Threads
  1. chabbo
    Replies:
    10
    Views:
    1,070
  2. waters
    Replies:
    4
    Views:
    668
Thread Status:
Not open for further replies.