Scanning with VirusTotal

Uploaded a dll file @ VirusTotal.

why so many names for a particular trojan?
And some popular scanners didnt even flag out anything..

so is this dll file ok? False Positive

~~ removed VT summary per policy~~ (It's enough to say that about half the scanners picked the file up under many different general names while many big names showed it as clean.)

 

difficult to tell, think to yourself, how did you get it, was it downloaded/was it from a trusted source, if it wasnt and you havent seen before then where is it located, if you dont know any of those then look up the file on google and see if it might be a legitimate file

 

Industry lacks any unified naming convention. Each vendor has their own logic, some clearer than others

And some scanners pick up files solely based on packers used, it's easier for them to just classify everything packed (with packer known to be in use with malware authors) than to unpack it etc.

Not saying this is the case here since I didn't see the results. Also, some vendors are more prone to heuristic false positives than others (case in point, Ikarus taking a2 with them). Also, not saying this is the case here


Probably safer for you to send that file for further analysis to the vendor whose product you use.

 

i think if the big names ( kaspersky , avira , avast , norton, gdata,....) tell the file is clean then you can keep it.

 

You should not use Virustotal if you think that the file could be malware.

You should use such a service like those instead:
http://camas.comodo.com/cgi-bin/submit
http://www.threatexpert.com/

It will reveal whether a file is malicious or not even though it is a 0-day sample which antiviruses dosn't detect yet.

 

Err?

Of course you should use them, to see if those files are known malware.

And what comes to for example ThreatExpert and others of its kind, you need knowledge of Windows processes and files and deeper understanding of what goes on in your computer before you can really understand the results.

 

it's not so much a lack of a unified naming convention (because there is the CARO naming convention that a lot of them follow) but rather a lack of coordinated naming. a naming convention specifies what the general format of the name should be but it can't specify what the actual name of something new should be - that still has to be decided on by the vendor. and since their priority is rushing signatures out to the customer as fast as possible there isn't time to ask all the other vendors "have you seen this yet? what are you calling it?" for each and every new piece of malware they get each day so they just come up with their own label and slap it on.

agreed - if you're suspicious of the file, get an actual expert to look at it, rather than just an automated service.

 

I was aware of the similar naming scheme some vendors use, but unaware of the entire CARO thing, good to know.

 

But take any results from such services with a pinch of salt as many pieces of malware may not reveal any incriminating results on behaviour analysis services.....

Virustotal results should also not be taken to face value because factors such as versions used, scan settings, database version etc etc etc which can all influence whether a file is flagged or not, however it can serve as a general indicator of whether a file is known malware or not.

 

Regarding naming - there are up to 20,000 new viruses, trojans and worms per day. There is no way to coordinate naming among vendors.