Possible virus?

Hello everyone...
I just recieved a bogus email with an access.exe attachment in it.Avast warned of the possible danger but did not detect anything.I uploaded to jottis and virus total ,and only antivir/webroot detects anything.Antivir calls it worm.stration.xw.Now im usually very suprised when only one av detects something and usually suspect that its a false positive.However the nature of the email and the fact that .exe file is attached, unzipped ,makes me think that perhaps it is a worm.Theres also a seperate .pdf file that shows money owed to some fictious bank.So should i send this to all that d0nt detect it or just antivir that does? (maybe false positive).
tia
ellison

 

Likely harmful. See similar http://www.viruslist.com/en/weblog?page=3

 

If you are comfortable keeping such a suspicious file on your harddrive, I would suggest hanging on to it for a day or two (to give AV vendors a chance to update their signatures) and then re-submit to Jotti's.
If, as you say, it is a bogus email, chances are it has been sent to many many people. In which case, any malware within will be discovered.

 

thanks...thats the exact same email.Guess ill hold onto the file for a while
ellison

 

Send it to kaspersky. In a few hours they will give you an answer if that file is infected or not.

 

Just done it.
ellison

 

Another place to submit new malware and are always promt in replying (although not as quick as KAV!) is https://www.microsoft.com/security/portal/submit.aspx (Microsoft onecare offering)

Good luck.

Jlo

 

Well i must say kaspersky are quick.I just recieved email back .....
....................
Hello.
No malicious software was found in the attached file.

Please quote all when answering. Do not forget to include you registration data.
....................

Back to square one i guess
ellison

 

Ok Interesting.

You would do Antivir a favour then by visiting http://analysis.avira.com/samples/index.php and submitting the file (Tagging the false positive tab) and see what Antivir say about it.

Best wishes

Jlo

PS I still would not feel happy running that file

 

They said it, then it's true

 

Just posted

 

Well although i dont use kaspersky as a resident av i do tend to use their online scan as the last word....then again i removed a pest (a dialler) from my brothers computer that only prevx detected so i guess its swings and roundabouts.
ellison

 

Well I just ran it sandboxed for you guys, then used a suite of tools unsandboxed to monitor the file and it doesn't seem to be doing anything suspicious, so I just deleted my sandbox to make sure im safe and now im here to say it seems clean! Though i'd still be cautious with any file since you never know and it could be infected, just hope that your A/V catches it in time before you get infected with it.

 

Well this is even more interesting.Avira antivir have just sent an email stating that the file access.exe which i submitted to them (also submitted to avast and kaspersky) IS malware....
..................................
File ID Filename Size (Byte) Result
2246689 access.exe 44 KB MALWARE

Please find a detailed report concerning each individual sample below:

Filename Result
access.exe MALWARE
The file 'access.exe' has been determined to be 'MALWARE'.Our analysts named the threat Worm/Stration.XW.The term "WORM/" denotes a worm that is able to spread itself for instance over the Internet (using eMail, peer-to-peer networks, IRC networks etc.).Detection is added to our virus definition file (VDF) starting with version 6.39.00.76.
...................................

So whats going on here ,kaspersky (and others) says no avira says yes.
ellison

 

There is a gamut of possibilities as to why the detection(s) are all over the board.
You can go here:
http://analysis.seclab.tuwien.ac.at/index.php

here:
http://research.sunbelt-software.com/submit.aspx

Or here and:
http://www.threatexpert.com/submit.aspx

And see what these virtual machines say. They will inform you of system changes, created files and the like. But only if there is not some sort of anti-vm in the code. As there may well be....

*****Please do not substitute these above sites for an expert opinion they are only for informational purposes*****

 

Since you recieved this in an e-mail i'd say probaly bad.
A little info from BillP on this.

 

to the best of my knowledge (and please correct me if i'm wrong), in virustotal, if some AV detects malware and others not, the file is autmatically submitted to AV companies, so you could try again in a couple of days and see if others added it to the signatures.

 

I'm not surprised from the avira's results, just take a look at my posts here.
I would always put my hands in the fire for Kaspersky..

 

It could also be a broken executable, although Kaspersky I think says so in the reply. That is one of the reasons I posted the other sites in my previous post on this topic.

 

Probably is a broken file and Avira used automated tools

 

They are handy links to know about...thanks...
heres report from the first one..
http://analysis.seclab.tuwien.ac.at...9c5c66254990850cf197f084c&refresh=1#id2018251

I dunno i get the feeling maybe kav is wrong on this one? though i dont pretend to understand everything that report says
ellison

 

hmm... I think this is infected, but send it to AVG also virus@grisoft.cz . They also reply.

 

Ive been advised that the file is probably damaged so maybe thats why others dont detect it.I resubmitted today at virus total and otheres still dont detect it only those with avira engine.I guess if the file wasnt damaged more would detect it.Perhaps its as someone said that aviras response is automated and its detecting as if the file wasnt damaged?
ellison

 

More than likely that is the case, from looking at the Anubis report.
But then again, it too is a VM(Qemu in Linux) so the only real way to know is to get a full blown "yes it is corrupt/garbage" from a vendor or try it yourself(NOT recommended)

 

well the email it came in is the green grin one shown here...
http://www.viruslist.com/en/weblog?page=3
so i guess it is/was malware before it became damaged?
If it is damaged though i guess that explains why kav says its ok.
ellison