S
Shadow
now recognizes it. Wow.
[]'s
But not on virustotal.
How strange
[]'s
But not on virustotal.
How strange
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
1
1PW
Shadow said:now recognizes it. Wow.
[]'s
But not on virustotal.
How strange
If you had sent a suspected malware file to VT and it was positive, or
positive with any other antimalware application, you can also upload
it to:
<http://www.uploadmalware.com/>
It will then get a bit of help from those who can move it along.
S
Shadow
You didn't understand. Avast now plays all the sirens when IShadow said:now recognizes it. Wow.
[]'s
But not on virustotal.
How strange
If you had sent a suspected malware file to VT and it was positive, or
positive with any other antimalware application, you can also upload
it to:
<http://www.uploadmalware.com/> OK, I will.
It will then get a bit of help from those who can move it along.
tell it to scan the file,
"AutoIt:Balero-A [Wrm]" has been found in
"C:\Recycled\Dc1.exe\AutoIt.script" file
but when I upload same file to virustotal, the virus is not
recognized by avast.. They should give the same results.
http://www.virustotal.com/analisis/...dd318e0259b63be4e9d4287200797f6f7e-1250796304
S
Shadow
Sorry, I lied, I won't. It requires an email address andOK, I will.
identification.
[]'s
D
David H. Lipman
From: "Shadow" <Sh@dow>
| Sorry, I lied, I won't. It requires an email address and
| identification.
| []'s
No it doesn't. You do NOT have to enter an email address nor ID as the are not required.
| Sorry, I lied, I won't. It requires an email address and
| identification.
| []'s
No it doesn't. You do NOT have to enter an email address nor ID as the are not required.
B
Buffalo
WTF?FromTheRafters said:[...]
"AutoIt:Balero-A [Wrm]" has been found in
"C:\Recycled\Dc1.exe\AutoIt.script" file
but when I upload same file to virustotal, the virus is not
recognized by avast.. They should give the same results.
Why?
The one on your computer and one on their's may not be configured the
same - even if the engine versions are the same.
D
David H. Lipman
From: "Buffalo" <[email protected]>
Different signature revisions albeit VT should get multiple updates.
| WTF?| FromTheRafters said:[...]Why?"AutoIt:Balero-A [Wrm]" has been found in
"C:\Recycled\Dc1.exe\AutoIt.script" file
but when I upload same file to virustotal, the virus is not
recognized by avast.. They should give the same results.
The one on your computer and one on their's may not be configured the
same - even if the engine versions are the same.
Different signature revisions albeit VT should get multiple updates.
F
FromTheRafters
Buffalo said:WTF?[...]
"AutoIt:Balero-A [Wrm]" has been found in
"C:\Recycled\Dc1.exe\AutoIt.script" file
but when I upload same file to virustotal, the virus is not
recognized by avast.. They should give the same results.
Why?
The one on your computer and one on their's may not be configured the
same - even if the engine versions are the same.
What heuristic level does VT use with the Avast! scanning engine as
opposed to what a desktop machine might use?
Besides, VT doesn't have the luxury of possible (ancillary) context
scanning.
M
Max Wachtel
now recognizes it. Wow.But not on virustotal.How strange
The malware submission at Avast is being upgraded and will be finished
soon.
F
FromTheRafters
Buffalo said:WTF?[...]
"AutoIt:Balero-A [Wrm]" has been found in
"C:\Recycled\Dc1.exe\AutoIt.script" file
but when I upload same file to virustotal, the virus is not
recognized by avast.. They should give the same results.
Why?
The one on your computer and one on their's may not be configured the
same - even if the engine versions are the same.
Differences in definitions, the "engine" doesn't exist in a vacuum - it
is more like a "engine/definitions" set that may contain disparity
despite the engines being the same.
A submitted file scanner wouldn't have the luxury of context. I wouldn't
expect identical results from an installation of Avast! against an
Avast! file submission scanner.
Okay, so I don't know how Avast! works, but it would be possible that
the "program" does some preparatory work (such as unpacking archives )
prior to giving the "engine" a go at the results. If this is the case,
even more reason to expect variance.
Sometimes, a file's contents changes subtly during transmission - maybe
not that often anymore...
S
Shadow
From: "Shadow" <Sh@dow>
| Sorry, I lied, I won't. It requires an email address and
| identification.
| []'s
No it doesn't. You do NOT have to enter an email address nor ID as the are not required.
OK , so I lied the second time, not the first.
qpqdcj.virus.exe.zip
The name I uploaded it up as. Play around with it, but it is
certainly nasty.
Loved the site. Amazingly, did not need javascript. How did it
access a file deep down on my PC ?
[]'s
D
David H. Lipman
| Sorry, I lied, I won't. It requires an email address and<http://www.uploadmalware.com/>
OK, I will.
| identification.
| []'s
No it doesn't. You do NOT have to enter an email address nor ID as the are not
required.
| OK , so I lied the second time, not the first.
| qpqdcj.virus.exe.zip
| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.
| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s
Got it -- Thanx !
S
Shadow
YW| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.
| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s
Got it -- Thanx !
Did you figure out why virustotal's avast does not detect it
while my desktop free version does ?
[]'s
1
1PW
Shadow said:YW| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.
| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s
Got it -- Thanx !
Did you figure out why virustotal's avast does not detect it
while my desktop free version does ?
[]'s
It's probably a question of context. VT's Avast looks at the file's
contents all alone. Avast in your system looks at the whole dynamics
of your OS.
D
David H. Lipman
From: "Shadow" <Sh@dow>
| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s
No but I will discuss with someone at Virus Total.
| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
| YW| said:| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.
| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s
Got it -- Thanx !
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s
No but I will discuss with someone at Virus Total.
D
David H. Lipman
From: "Shadow" <Sh@dow>
| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s
I should ask...
Are you SURE the file C:\Recycled\Dc1.exe is what you posted to UploadMalware as;
csrcs.exe ?
| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
| YW| said:| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.
| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s
Got it -- Thanx !
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s
I should ask...
Are you SURE the file C:\Recycled\Dc1.exe is what you posted to UploadMalware as;
csrcs.exe ?
S
Shadow
I disabled my antivirus and I uploaded C:\Documents andFrom: "Shadow" <Sh@dow>
| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
| YW| said:| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.
| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s
Got it -- Thanx !
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s
I should ask...
Are you SURE the file C:\Recycled\Dc1.exe is what you posted to UploadMalware as;
csrcs.exe ?
Settings\nemesis\Meus documentos\qpqdcj.virus.exe.zip. I used pathcopy
and pasted in the whole path. I don't follow your logic. It's exactly
the same file I posted to virustotal. Try and see.
The csrcs.exe file is what the virus becomes when it is
loaded in memory. It is written with that name to system32 folder. On
the pendrive it adopts at least 4 different names. The csrcs is a type
of memory-resident thingy that writes to any pendrive introduced into
the machine. It also tries to connect to the internet, messes around
with some share (registry) permissions, alters the explorers shell
command so you cannot see it in a browser, and dunno what else. The
virus csrcs.exe (inside the zip) has an md5 of:
3DE68324891964BDD2227141474797BB
and exactly 725.796 bytes.
Ooops, was that dangerous ? I had to turn my AV off to give
you that ....
If your virus is NOT what I uploaded, I will upload again. Or
I'll post it to you, zip-password protected and with the extension
renamed to txt to allow my mail servers to pass it through.
PS you can see it on the pendrive with the old dos command dir
/a from a command prompt.
PPS I just picked the virus up again at the local library. It
is now called kejmii.exe. Funny thing is they are running Avira
there,(the one with the red icon). According to virustotal, avira sees
it, avast does not. Real life is exactly the opposite. Go figure.
D
David H. Lipman
From: "Shadow" <Sh@dow>
| I disabled my antivirus and I uploaded C:\Documents and
| Settings\nemesis\Meus documentos\qpqdcj.virus.exe.zip. I used pathcopy
| and pasted in the whole path. I don't follow your logic. It's exactly
| the same file I posted to virustotal. Try and see.
| The csrcs.exe file is what the virus becomes when it is
| loaded in memory. It is written with that name to system32 folder. On
| the pendrive it adopts at least 4 different names. The csrcs is a type
| of memory-resident thingy that writes to any pendrive introduced into
| the machine. It also tries to connect to the internet, messes around
| with some share (registry) permissions, alters the explorers shell
| command so you cannot see it in a browser, and dunno what else. The
| virus csrcs.exe (inside the zip) has an md5 of:
| 3DE68324891964BDD2227141474797BB
| and exactly 725.796 bytes.
| Ooops, was that dangerous ? I had to turn my AV off to give
| you that ....
| If your virus is NOT what I uploaded, I will upload again. Or
| I'll post it to you, zip-password protected and with the extension
| renamed to txt to allow my mail servers to pass it through.
| PS you can see it on the pendrive with the old dos command dir
| /a from a command prompt.
| PPS I just picked the virus up again at the local library. It
| is now called kejmii.exe. Funny thing is they are running Avira
| there,(the one with the red icon). According to virustotal, avira sees
| it, avast does not. Real life is exactly the opposite. Go figure.
Yes, I have;
MD5: 0x3DE68324891964BDD2227141474797BB
SHA-1: 0x5DAE0941F1818E6127729FC15897F12539ED6D5E
Filesize: 725,796 bytes
| I disabled my antivirus and I uploaded C:\Documents and
| Settings\nemesis\Meus documentos\qpqdcj.virus.exe.zip. I used pathcopy
| and pasted in the whole path. I don't follow your logic. It's exactly
| the same file I posted to virustotal. Try and see.
| The csrcs.exe file is what the virus becomes when it is
| loaded in memory. It is written with that name to system32 folder. On
| the pendrive it adopts at least 4 different names. The csrcs is a type
| of memory-resident thingy that writes to any pendrive introduced into
| the machine. It also tries to connect to the internet, messes around
| with some share (registry) permissions, alters the explorers shell
| command so you cannot see it in a browser, and dunno what else. The
| virus csrcs.exe (inside the zip) has an md5 of:
| 3DE68324891964BDD2227141474797BB
| and exactly 725.796 bytes.
| Ooops, was that dangerous ? I had to turn my AV off to give
| you that ....
| If your virus is NOT what I uploaded, I will upload again. Or
| I'll post it to you, zip-password protected and with the extension
| renamed to txt to allow my mail servers to pass it through.
| PS you can see it on the pendrive with the old dos command dir
| /a from a command prompt.
| PPS I just picked the virus up again at the local library. It
| is now called kejmii.exe. Funny thing is they are running Avira
| there,(the one with the red icon). According to virustotal, avira sees
| it, avast does not. Real life is exactly the opposite. Go figure.
Yes, I have;
MD5: 0x3DE68324891964BDD2227141474797BB
SHA-1: 0x5DAE0941F1818E6127729FC15897F12539ED6D5E
Filesize: 725,796 bytes
D
David H. Lipman
From: "Shadow" <Sh@dow>
| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s
The answer from VT...
"Well, it seems that there's something weird, as besides Avast, GData also doesn't detect
it here (using the Avast engine) so it could be a limitation of the command line scanner,
or maybe they detect it with an AV feature I don't have here :?"
| On Mon, 24 Aug 2009 17:54:00 -0400, "David H. Lipman"
| YW| said:| The name I uploaded it up as. Play around with it, but it is
| certainly nasty.
| Loved the site. Amazingly, did not need javascript. How did it
| access a file deep down on my PC ?
| []'s
Got it -- Thanx !
| Did you figure out why virustotal's avast does not detect it
| while my desktop free version does ?
| []'s
The answer from VT...
"Well, it seems that there's something weird, as besides Avast, GData also doesn't detect
it here (using the Avast engine) so it could be a limitation of the command line scanner,
or maybe they detect it with an AV feature I don't have here :?"
F
FromTheRafters
I disabled my antivirus and I uploaded C:\Documents and
Settings\nemesis\Meus documentos\qpqdcj.virus.exe.zip. I used pathcopy
and pasted in the whole path. I don't follow your logic. It's exactly
the same file I posted to virustotal. Try and see.
The csrcs.exe file is what the virus becomes when it is
loaded in memory. It is written with that name to system32 folder. On
the pendrive it adopts at least 4 different names. The csrcs is a type
of memory-resident thingy that writes to any pendrive introduced into
the machine. It also tries to connect to the internet, messes around
with some share (registry) permissions, alters the explorers shell
command so you cannot see it in a browser, and dunno what else. The
virus csrcs.exe (inside the zip) has an md5 of:
3DE68324891964BDD2227141474797BB
and exactly 725.796 bytes.
Ooops, was that dangerous ? I had to turn my AV off to give
you that ....
Some on-access scanners will even alert when the file is accessed for
icon information for displaying in a filesystem browser. It is not
dangerous to open a file for other than execution, but if the AV scans
on "open" it will alert even though your action posed no real risk.