Possible virus?

Discussion in 'malware problems & news' started by ellison64, Nov 22, 2007.

Thread Status:
Not open for further replies.
  1. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Hello everyone...
    I just received a bogus email with an access.exe attachment in it. Avast warned of the possible danger but did not detect anything. I uploaded it to Jotti's and VirusTotal, and only Antivir/Webroot detects anything. Antivir calls it Worm.Stration.XW. Now I'm usually very surprised when only one AV detects something and usually suspect that it's a false positive. However, the nature of the email and the fact that an .exe file is attached, unzipped, makes me think that perhaps it is a worm. There's also a separate .pdf file that shows money owed to some fictitious bank. So should I send this to all that don't detect it, or just Antivir that does? (maybe false positive).
    tia
    ellison
     
  2. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
  3. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    If you are comfortable keeping such a suspicious file on your harddrive, I would suggest hanging on to it for a day or two (to give AV vendors a chance to update their signatures) and then re-submit to Jotti's.
    If, as you say, it is a bogus email, chances are it has been sent to many, many people. In which case, any malware within will be discovered.
     
  4. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
  5. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    Send it to kaspersky. In a few hours they will give you an answer if that file is infected or not.
     
  6. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Just done it.
    ellison
     
  7. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
  8. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Well I must say Kaspersky are quick. I just received an email back .....
    ....................
    Hello.
    No malicious software was found in the attached file.

    Please quote all when answering. Do not forget to include your registration data.
    ....................

    Back to square one I guess o_O
    ellison
     
  9. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Ok Interesting.

    You would do Antivir a favour then by visiting http://analysis.avira.com/samples/index.php and submitting the file (Tagging the false positive tab) and see what Antivir say about it.

    Best wishes

    Jlo

    PS I still would not feel happy running that file
     
  10. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    They said it, then it's true :)
     
  11. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Just posted
     
  12. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Well, although I don't use Kaspersky as a resident AV I do tend to use their online scan as the last word... then again I removed a pest (a dialler) from my brother's computer that only Prevx detected, so I guess it's swings and roundabouts.
    ellison
     
  13. Terror_Eyez

    Terror_Eyez Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    23
    Location:
    Your moms bed...
    Well I just ran it sandboxed for you guys, then used a suite of tools unsandboxed to monitor the file, and it doesn't seem to be doing anything suspicious, so I just deleted my sandbox to make sure I'm safe and now I'm here to say it seems clean! Though I'd still be cautious with any file since you never know and it could be infected; just hope that your A/V catches it in time before you get infected with it. ;)
     
  14. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Well this is even more interesting. Avira Antivir have just sent an email stating that the file access.exe which I submitted to them (also submitted to Avast and Kaspersky) IS malware....
    ..................................
    File ID   Filename     Size (Byte)   Result
    2246689   access.exe   44 KB         MALWARE

    Please find a detailed report concerning each individual sample below:

    Filename     Result
    access.exe   MALWARE
    The file 'access.exe' has been determined to be 'MALWARE'. Our analysts named the threat Worm/Stration.XW. The term "WORM/" denotes a worm that is able to spread itself, for instance over the Internet (using eMail, peer-to-peer networks, IRC networks etc.). Detection is added to our virus definition file (VDF) starting with version 6.39.00.76.
    ...................................

    So what's going on here? Kaspersky (and others) says no, Avira says yes.
    ellison
     
  15. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    There is a gamut of possibilities as to why the detection(s) are all over the board.
    You can go here:
    http://analysis.seclab.tuwien.ac.at/index.php

    here:
    http://research.sunbelt-software.com/submit.aspx

    Or here:
    http://www.threatexpert.com/submit.aspx

    And see what these virtual machines say. They will inform you of system changes, created files and the like. But only if there is not some sort of anti-vm in the code. As there may well be....

    *****Please do not substitute these above sites for an expert opinion they are only for informational purposes*****
     
    Last edited: Nov 23, 2007
  16. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Since you received this in an e-mail I'd say probably bad.
    A little info from BillP on this.
     
  17. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    To the best of my knowledge (and please correct me if I'm wrong), in VirusTotal, if some AV detects malware and others not, the file is automatically submitted to AV companies, so you could try again in a couple of days and see if others added it to the signatures.
     
  18. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    I'm not surprised by Avira's results, just take a look at my posts here.
    I would always put my hands in the fire for Kaspersky..
     
  19. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    It could also be a broken executable, although Kaspersky I think says so in the reply. That is one of the reasons I posted the other sites in my previous post on this topic.
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Probably it's a broken file and Avira used automated tools o_O
     
  21. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    They are handy links to know about... thanks...
    Here's the report from the first one..
    http://analysis.seclab.tuwien.ac.at...9c5c66254990850cf197f084c&refresh=1#id2018251

    I dunno, I get the feeling maybe KAV is wrong on this one? Though I don't pretend to understand everything that report says.
    ellison
     
  22. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    hmm... I think this is infected, but send it to AVG also virus@grisoft.cz . They also reply. :)
     
  23. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    I've been advised that the file is probably damaged, so maybe that's why others don't detect it. I resubmitted today at VirusTotal and others still don't detect it, only those with the Avira engine. I guess if the file wasn't damaged more would detect it. Perhaps it's as someone said, that Avira's response is automated and it's detecting as if the file wasn't damaged?
    ellison
     
  24. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    More than likely that is the case, from looking at the Anubis report.
    But then again, it too is a VM (Qemu in Linux), so the only real way to know is to get a full blown "yes it is corrupt/garbage" from a vendor or try it yourself (NOT recommended) ;)
     
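    The "broken executable" theory raised in the last few posts can be checked structurally without running anything: a truncated or damaged PE typically has a section table whose raw-data ranges point past the end of the file, which is exactly the kind of thing an emulating engine would choke on while a header-based signature still fires. The following is an added example, not code from the thread; it parses the PE/COFF section table and builds a constructed minimal PE in memory (the real access.exe is not used or embedded).

    ```python
    import struct

    def check_pe_integrity(data: bytes) -> dict:
        """Sanity-check a PE image held in memory: every section's raw data must lie inside the file."""
        findings = []
        if len(data) < 64 or data[:2] != b"MZ":
            return {"valid": False, "findings": ["no MZ header"]}
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of "PE\0\0"
        if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return {"valid": False, "findings": ["PE signature missing or beyond EOF"]}
        coff = e_lfanew + 4                                       # COFF file header (20 bytes)
        n_sections = struct.unpack_from("<H", data, coff + 2)[0]
        opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
        sec_table = coff + 20 + opt_size                          # section headers, 40 bytes each
        for i in range(n_sections):
            off = sec_table + 40 * i
            if off + 40 > len(data):
                findings.append(f"section table entry {i} beyond EOF")
                break
            name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
            raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
            if raw_ptr + raw_size > len(data):
                findings.append(f"section {name}: raw data ends at {raw_ptr + raw_size}, file is {len(data)} bytes")
        return {"valid": not findings, "findings": findings}

    def build_sample_pe() -> bytes:
        """Construct a minimal 32-bit PE (a constructed sample for the demo, not the thread's attachment)."""
        dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew -> PE header at offset 64
        coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)  # i386, 1 section, no optional header
        section = (b".text".ljust(8, b"\0")
                   + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200)  # VirtualSize, VA, SizeOfRawData, PointerToRawData
                   + b"\0" * 16)
        header = dos + b"PE\0\0" + coff + section
        return header.ljust(0x200, b"\0") + b"\xC3" * 0x200       # 512 bytes of section data -> 1024-byte file

    if __name__ == "__main__":
        intact = build_sample_pe()
        damaged = intact[:0x300]                                  # simulate a truncated download/attachment
        print("intact:", check_pe_integrity(intact))
        print("damaged:", check_pe_integrity(damaged))
    ```

    Run it against a real sample with `check_pe_integrity(open(path, "rb").read())`; a non-empty `findings` list is strong evidence the file is truncated rather than a complete, runnable worm.
    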
  25. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Well, the email it came in is the green grin one shown here...
    http://www.viruslist.com/en/weblog?page=3
    So I guess it is/was malware before it became damaged?
    If it is damaged though, I guess that explains why KAV says it's ok.
    ellison
     