And 45 days after I sent the worm to AVAST

Shadow
Since: Aug 19, 2009 | Posts: 9
Posted: Wed Aug 19, 2009 12:10 pm    Post subject: And 45 days after I sent the worm to AVAST
Archived from groups: alt.comp.anti-virus

now recognizes it. Wow.
[]'s
But not on virustotal.

How strange

1PW
Since: Aug 19, 2009 | Posts: 5
Posted: Wed Aug 19, 2009 12:10 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

Shadow wrote:
> now recognizes it. Wow.
> []'s
> But not on virustotal.
>
> How strange

If you had sent a suspected malware file to VT and it was positive, or
positive with any other antimalware application, you can also upload
it to:

<http://www.uploadmalware.com/>

It will then get a bit of help from those who can move it along.

--
1PW

Shadow
Since: Aug 19, 2009 | Posts: 9
Posted: Thu Aug 20, 2009 4:10 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

On Wed, 19 Aug 2009 10:43:26 -0700, 1PW <1PW DeleteThis @INVALID.com> wrote:

>Shadow wrote:
>> now recognizes it. Wow.
>> []'s
>> But not on virustotal.
>>
>> How strange
>
>If you had sent a suspected malware file to VT and it was positive, or
>positive with any other antimalware application, you can also upload
>it to:
>
> <http://www.uploadmalware.com/>
OK, I will.
>
>It will then get a bit of help from those who can move it along.
You didn't understand. Avast now plays all the sirens when I
tell it to scan the file,
"AutoIt:Balero-A [Wrm]" has been found in
"C:\Recycled\Dc1.exe\AutoIt.script" file

but when I upload same file to virustotal, the virus is not
recognized by avast.. They should give the same results.


http://www.virustotal.com/analisis/af13e8a6b2aacea266e1c6899ada6fdd318...59b63be

Shadow
Since: Aug 19, 2009 | Posts: 9
Posted: Thu Aug 20, 2009 4:10 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

On Thu, 20 Aug 2009 16:51:30 -0300, Shadow <Sh@dow> wrote:

>On Wed, 19 Aug 2009 10:43:26 -0700, 1PW <1PW DeleteThis @INVALID.com> wrote:

>>If you had sent a suspected malware file to VT and it was positive, or
>>positive with any other antimalware application, you can also upload
>>it to:
>>
>> <http://www.uploadmalware.com/>
> OK, I will.
Sorry, I lied, I won't. It requires an email address and
identification.
[]'s

David H. Lipman
Since: Jul 04, 2003 | Posts: 2116
Posted: Thu Aug 20, 2009 4:43 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

From: "Shadow" <Sh@dow>

| On Thu, 20 Aug 2009 16:51:30 -0300, Shadow <Sh@dow> wrote:

>>On Wed, 19 Aug 2009 10:43:26 -0700, 1PW <1PW DeleteThis @INVALID.com> wrote:

>>>If you had sent a suspected malware file to VT and it was positive, or
>>>positive with any other antimalware application, you can also upload
>>>it to:

>>> <http://www.uploadmalware.com/>
>> OK, I will.
| Sorry, I lied, I won't. It requires an email address and
| identification.
| []'s

No it doesn't. You do NOT have to enter an email address nor ID as they are not required.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

FromTheRafters
Since: Feb 16, 2009 | Posts: 26
Posted: Thu Aug 20, 2009 7:19 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

"Shadow" <Sh@dow> wrote in message
news:678r859iu9gghom497rrqd67se4hf31q82@4ax.com...
[...]

> "AutoIt:Balero-A [Wrm]" has been found in
> "C:\Recycled\Dc1.exe\AutoIt.script" file
>
> but when I upload same file to virustotal, the virus is not
> recognized by avast.. They should give the same results.

Why?

The one on your computer and the one on theirs may not be configured the
same - even if the engine versions are the same.

Buffalo
Since: Jul 19, 2007 | Posts: 12
Posted: Thu Aug 20, 2009 7:19 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

FromTheRafters wrote:
> "Shadow" <Sh@dow> wrote in message
> news:678r859iu9gghom497rrqd67se4hf31q82@4ax.com...
> [...]
>
>> "AutoIt:Balero-A [Wrm]" has been found in
>> "C:\Recycled\Dc1.exe\AutoIt.script" file
>>
>> but when I upload same file to virustotal, the virus is not
>> recognized by avast.. They should give the same results.
>
> Why?
>
> The one on your computer and the one on theirs may not be configured the
> same - even if the engine versions are the same.
WTF?

David H. Lipman
Since: Jul 04, 2003 | Posts: 2116
Posted: Thu Aug 20, 2009 9:29 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

From: "Buffalo" <Eric DeleteThis @nada.com.invalid>



| FromTheRafters wrote:
>> "Shadow" <Sh@dow> wrote in message
>> news:678r859iu9gghom497rrqd67se4hf31q82@4ax.com...
>> [...]

>>> "AutoIt:Balero-A [Wrm]" has been found in
>>> "C:\Recycled\Dc1.exe\AutoIt.script" file

>>> but when I upload same file to virustotal, the virus is not
>>> recognized by avast.. They should give the same results.

>> Why?

>> The one on your computer and the one on theirs may not be configured the
>> same - even if the engine versions are the same.
| WTF?


Different signature revisions albeit VT should get multiple updates.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

FromTheRafters
Since: Feb 16, 2009 | Posts: 26
Posted: Fri Aug 21, 2009 6:55 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

"Buffalo" <Eric.DeleteThis@nada.com.invalid> wrote in message
news:h6krgd$avd$1@news.eternal-september.org...
>
>
> FromTheRafters wrote:
>> "Shadow" <Sh@dow> wrote in message
>> news:678r859iu9gghom497rrqd67se4hf31q82@4ax.com...
>> [...]
>>
>>> "AutoIt:Balero-A [Wrm]" has been found in
>>> "C:\Recycled\Dc1.exe\AutoIt.script" file
>>>
>>> but when I upload same file to virustotal, the virus is not
>>> recognized by avast.. They should give the same results.
>>
>> Why?
>>
>> The one on your computer and the one on theirs may not be configured the
>> same - even if the engine versions are the same.
> WTF?

What heuristic level does VT use with the Avast! scanning engine as
opposed to what a desktop machine might use?

Besides, VT doesn't have the luxury of possible (ancillary) context
scanning.

Max Wachtel
Since: Aug 22, 2009 | Posts: 1
Posted: Sat Aug 22, 2009 1:21 am    Post subject: Re: And 45 days after I sent the worm to AVAST

On Wed, 19 Aug 2009 11:42:17 -0400, Shadow <Sh@dow> wrote:

> now recognizes it. Wow. But not on virustotal. How strange

The malware submission at Avast is being upgraded and will be finished
soon.
--
This post was created using Opera's revolutionary e-mail client:
http://www.opera.com/mail/

FromTheRafters
Since: Feb 16, 2009 | Posts: 26
Posted: Sat Aug 22, 2009 5:07 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

"Buffalo" <Eric.DeleteThis@nada.com.invalid> wrote in message
news:h6krgd$avd$1@news.eternal-september.org...
>
>
> FromTheRafters wrote:
>> "Shadow" <Sh@dow> wrote in message
>> news:678r859iu9gghom497rrqd67se4hf31q82@4ax.com...
>> [...]
>>
>>> "AutoIt:Balero-A [Wrm]" has been found in
>>> "C:\Recycled\Dc1.exe\AutoIt.script" file
>>>
>>> but when I upload same file to virustotal, the virus is not
>>> recognized by avast.. They should give the same results.
>>
>> Why?
>>
>> The one on your computer and the one on theirs may not be configured the
>> same - even if the engine versions are the same.
> WTF?

Differences in definitions, the "engine" doesn't exist in a vacuum - it
is more like an "engine/definitions" set that may contain disparity
despite the engines being the same.

A submitted file scanner wouldn't have the luxury of context. I wouldn't
expect identical results from an installation of Avast! against an
Avast! file submission scanner.

Okay, so I don't know how Avast! works, but it would be possible that
the "program" does some preparatory work (such as unpacking archives)
prior to giving the "engine" a go at the results. If this is the case,
even more reason to expect variance.

Sometimes, a file's contents changes subtly during transmission - maybe
not that often anymore...

Shadow
Since: Aug 19, 2009 | Posts: 9
Posted: Mon Aug 24, 2009 6:07 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

On Thu, 20 Aug 2009 16:43:39 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Shadow" <Sh@dow>
>
>| On Thu, 20 Aug 2009 16:51:30 -0300, Shadow <Sh@dow> wrote:
>
>>>On Wed, 19 Aug 2009 10:43:26 -0700, 1PW <1PW RemoveThis @INVALID.com> wrote:
>
>>>>If you had sent a suspected malware file to VT and it was positive, or
>>>>positive with any other antimalware application, you can also upload
>>>>it to:
>
>>>> <http://www.uploadmalware.com/>
>>> OK, I will.
>| Sorry, I lied, I won't. It requires an email address and
>| identification.
>| []'s
>
>No it doesn't. You do NOT have to enter an email address nor ID as they are not required.

OK, so I lied the second time, not the first.

qpqdcj.virus.exe.zip

The name I uploaded it up as. Play around with it, but it is
certainly nasty.

Loved the site. Amazingly, did not need javascript. How did it
access a file deep down on my PC ?
[]'s

David H. Lipman
Since: Jul 04, 2003 | Posts: 2116
Posted: Mon Aug 24, 2009 6:07 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

From: "Shadow" <Sh@dow>


>>>>> <http://www.uploadmalware.com/>
>>>> OK, I will.
>>| Sorry, I lied, I won't. It requires an email address and
>>| identification.
>>| []'s

>>No it doesn't. You do NOT have to enter an email address nor ID as they are not
>>required.

| OK, so I lied the second time, not the first.

| qpqdcj.virus.exe.zip

| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.

| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s

Got it -- Thanx !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Shadow
Since: Aug 19, 2009 | Posts: 9
Posted: Tue Aug 25, 2009 5:10 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:
>
>| The name I uploaded it up as. Play around with it, but it is
>| certainly nasty.
>
>| Loved the site. Amazingly, did not need javascript. How did it
>| access a file deep down on my PC ?
>| []'s
>
>Got it -- Thanx !
YW
Did you figure out why virustotal's avast does not detect it
while my desktop free version does ?
[]'s

1PW
Since: Aug 19, 2009 | Posts: 5
Posted: Tue Aug 25, 2009 5:10 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

Shadow wrote:
> On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
> <DLipman~nospam~@Verizon.Net> wrote:
>> | The name I uploaded it up as. Play around with it, but it is
>> | certainly nasty.
>>
>> | Loved the site. Amazingly, did not need javascript. How did it
>> | access a file deep down on my PC ?
>> | []'s
>>
>> Got it -- Thanx !
> YW
> Did you figure out why virustotal's avast does not detect it
> while my desktop free version does ?
> []'s

It's probably a question of context. VT's Avast looks at the file's
contents all alone. Avast in your system looks at the whole dynamics
of your OS.

--
1PW

David H. Lipman
Since: Jul 04, 2003 | Posts: 2116
Posted: Tue Aug 25, 2009 5:17 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

From: "Shadow" <Sh@dow>

| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:

>>| The name I uploaded it up as. Play around with it, but it is
>>| certainly nasty.

>>| Loved the site. Amazingly, did not need javascript. How did it
>>| access a file deep down on my PC ?
>>| []'s

>>Got it -- Thanx !
| YW
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s

No but I will discuss with someone at Virus Total.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman
Since: Jul 04, 2003 | Posts: 2116
Posted: Tue Aug 25, 2009 5:26 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

From: "Shadow" <Sh@dow>

| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:

>>| The name I uploaded it up as. Play around with it, but it is
>>| certainly nasty.

>>| Loved the site. Amazingly, did not need javascript. How did it
>>| access a file deep down on my PC ?
>>| []'s

>>Got it -- Thanx !
| YW
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s

I should ask...
Are you SURE the file C:\Recycled\Dc1.exe is what you posted to UploadMalware as;
csrcs.exe ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Shadow
Since: Aug 19, 2009 | Posts: 9
Posted: Tue Aug 25, 2009 9:10 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

On Tue, 25 Aug 2009 17:26:50 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Shadow" <Sh@dow>
>
>| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
>| <DLipman~nospam~@Verizon.Net> wrote:
>
>>>| The name I uploaded it up as. Play around with it, but it is
>>>| certainly nasty.
>
>>>| Loved the site. Amazingly, did not need javascript. How did it
>>>| access a file deep down on my PC ?
>>>| []'s
>
>>>Got it -- Thanx !
>| YW
>| Did you figure out why virustotal's avast does not detect it
>| while my desktop free version does ?
>| []'s
>
>I should ask...
>Are you SURE the file C:\Recycled\Dc1.exe is what you posted to UploadMalware as;
>csrcs.exe ?
I disabled my antivirus and I uploaded C:\Documents and
Settings\nemesis\Meus documentos\qpqdcj.virus.exe.zip. I used pathcopy
and pasted in the whole path. I don't follow your logic. It's exactly
the same file I posted to virustotal. Try and see.
The csrcs.exe file is what the virus becomes when it is
loaded in memory. It is written with that name to system32 folder. On
the pendrive it adopts at least 4 different names. The csrcs is a type
of memory-resident thingy that writes to any pendrive introduced into
the machine. It also tries to connect to the internet, messes around
with some share (registry) permissions, alters the explorer's shell
command so you cannot see it in a browser, and dunno what else. The
virus csrcs.exe (inside the zip) has an md5 of:

3DE68324891964BDD2227141474797BB

and exactly 725.796 bytes.

Ooops, was that dangerous ? I had to turn my AV off to give
you that ....
If your virus is NOT what I uploaded, I will upload again. Or
I'll post it to you, zip-password protected and with the extension
renamed to txt to allow my mail servers to pass it through.

PS you can see it on the pendrive with the old dos command dir
/a from a command prompt.

PPS I just picked the virus up again at the local library. It
is now called kejmii.exe. Funny thing is they are running Avira
there (the one with the red icon). According to virustotal, avira sees
it, avast does not. Real life is exactly the opposite. Go figure.

David H. Lipman
Since: Jul 04, 2003 | Posts: 2116
Posted: Tue Aug 25, 2009 9:10 pm    Post subject: Re: And 45 days after I sent the worm to AVAST

From: "Shadow" <Sh@dow>

| I disabled my antivirus and I uploaded C:\Documents and
| Settings\nemesis\Meus documentos\qpqdcj.virus.exe.zip. I used pathcopy
| and pasted in the whole path. I don't follow your logic. It's exactly
| the same file I posted to virustotal. Try and see.
| The csrcs.exe file is what the virus becomes when it is
| loaded in memory. It is written with that name to system32 folder. On
| the pendrive it adopts at least 4 different names. The csrcs is a type
| of memory-resident thingy that writes to any pendrive introduced into
| the machine. It also tries to connect to the internet, messes around
| with some share (registry) permissions, alters the explorer's shell
| command so you cannot see it in a browser, and dunno what else. The
| virus csrcs.exe (inside the zip) has an md5 of:

| 3DE68324891964BDD2227141474797BB

| and exactly 725.796 bytes.

| Ooops, was that dangerous ? I had to turn my AV off to give
| you that ....
| If your virus is NOT what I uploaded, I will upload again. Or
| I'll post it to you, zip-password protected and with the extension
| renamed to txt to allow my mail servers to pass it through.

| PS you can see it on the pendrive with the old dos command dir
| /a from a command prompt.

| PPS I just picked the virus up again at the local library. It
| is now called kejmii.exe. Funny thing is they are running Avira
| there (the one with the red icon). According to virustotal, avira sees
| it, avast does not. Real life is exactly the opposite. Go figure.

Yes, I have;
MD5: 0x3DE68324891964BDD2227141474797BB
SHA-1: 0x5DAE0941F1818E6127729FC15897F12539ED6D5E
Filesize: 725,796 bytes

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
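Two points raised in the thread come down to the same check: FromTheRafters' remark that a scanner may unpack an archive before the engine sees it (and that a file can change in transit), and the MD5/size exchange above, where the hash being compared is that of csrcs.exe inside the zip, not of the zip that was actually uploaded. The following is an added example, not code from any poster or from VirusTotal or Avast; it hashes both the container and each member so the two can be told apart, and it matches published values in the loose formats seen here (a `0x` prefix on the MD5, `725,796` or `725.796` for the size). The zip it inspects is constructed inline from a harmless text payload; the member name `csrcs.exe` is taken from the thread, and the expected values it is checked against are the ones posted above, which it is not expected to match.

```python
import hashlib
import io
import zipfile


def digests(data: bytes) -> dict:
    """MD5, SHA-1 (upper-case hex, as listed in the thread) and size of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "size": len(data),
    }


def inventory(container: bytes) -> dict:
    """Digest the container itself and, when it is a zip, every file inside it.

    A scanner that unpacks archives compares against the member digests; one that
    hashes only what was uploaded sees the container digest. Keeping both makes it
    obvious which object a published hash refers to.
    """
    result = {"container": digests(container), "members": {}}
    buf = io.BytesIO(container)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    result["members"][info.filename] = digests(zf.read(info))
    return result


def normalize_md5(value: str) -> str:
    """Accept '0x3DE6...' (as written in the confirming reply) or bare hex, any case."""
    v = value.strip()
    if v[:2].lower() == "0x":
        v = v[2:]
    return v.upper()


def normalize_size(value) -> int:
    """Accept 725796, '725,796' or '725.796' (the thread uses both separators)."""
    if isinstance(value, int):
        return value
    return int("".join(ch for ch in str(value) if ch.isdigit()))


def find_matches(inv: dict, expected: dict) -> list:
    """Names of every object (container or member) whose MD5 and size both match."""
    want_md5 = normalize_md5(expected["md5"])
    want_size = normalize_size(expected["size"])
    candidates = [("<container>", inv["container"])] + list(inv["members"].items())
    return [name for name, d in candidates if d["md5"] == want_md5 and d["size"] == want_size]


# Constructed sample: a harmless text payload stored under the member name from the thread.
SAMPLE_PAYLOAD = b"constructed placeholder, not the real sample\n" * 32


def build_sample_archive(payload: bytes = SAMPLE_PAYLOAD) -> bytes:
    """Build the zip in memory with a fixed timestamp so the container hash is stable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        info = zipfile.ZipInfo("csrcs.exe", date_time=(2009, 8, 25, 0, 0, 0))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, payload)
    return buf.getvalue()


SAMPLE_ARCHIVE = build_sample_archive()

# Values posted in the thread for the real csrcs.exe; the constructed sample must not match them.
THREAD_EXPECTED = {"md5": "0x3DE68324891964BDD2227141474797BB", "size": "725,796"}

if __name__ == "__main__":
    inv = inventory(SAMPLE_ARCHIVE)
    rows = [("<container>", inv["container"])] + list(inv["members"].items())
    for name, d in rows:
        print(f"{name:12} MD5 {d['md5']}  SHA-1 {d['sha1']}  size {d['size']:,}")
    print("objects matching the thread's published values:", find_matches(inv, THREAD_EXPECTED))
```

Run it against a real submission by replacing `SAMPLE_ARCHIVE` with the bytes of the file you uploaded; if the published MD5 matches a member but not the container, the two scanners were handed different objects, which is one explanation for divergent verdicts that has nothing to do with signature revisions or heuristic levels.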
David H. Lipman
Since: Jul 04, 2003 | Posts: 2116
Posted: Wed Aug 26, 2009 6:08 am    Post subject: Re: And 45 days after I sent the worm to AVAST

From: "Shadow" <Sh@dow>

| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:

>>| The name I uploaded it up as. Play around with it, but it is
>>| certainly nasty.

>>| Loved the site. Amazingly, did not need javascript. How did it
>>| access a file deep down on my PC ?
>>| []'s

>>Got it -- Thanx !
| YW
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s

The answer from VT...

"Well, it seems that there's something weird, as besides Avast, GData also doesn't detect
it here (using the Avast engine) so it could be a limitation of the command line scanner,
or maybe they detect it with an AV feature I don't have here"

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp