David H. Lipman
Recently I came across a post where someone was boasting that they had a virus they would
provide to anyone who wanted it. I indicated I would take a copy and I provided an email
address to which it could be sent. A few days later, on Monday Oct. 10, I received the
infector with the following text...
"Hello,
You said on that chat thingy that you wanted a copy of this. It's four files on obviously is
the virus which is LOADER.EXE. Unless you are prepared to format your computer don't click
on it. It does work, I have tried it on a couple of computers just to make sure and they don't
work any more. Anyway all yours."
So I uploaded it to Virus Total. Not one vendor recognized the infector. However, I tried
McAfee VirusScan v7.1E, ENGINE v5000 Beta and DAT v4597 (?) and under Heuristic detection it
was flagged by McAfee as "New Malware.h". I then proceeded to submit a sample to all AV
companies. DrWeb, Panda and Kaspersky were the first to respond.
DrWeb -- Trojan Mygot
Panda -- Trj/ForSpok.A
Kaspersky -- "File is clean"
I replied to Kaspersky under the ticket number that I was assigned and I queried how
the analyst came to that "File is clean" conclusion when McAfee flagged it using heuristic
scanning and DrWeb and Panda found it to be a malicious Trojan.
The reply from the same Kaspersky analyst was "We already analyzed this." I found this
strange and I thought this was a faux conclusion, so I sent a copy to Ian Kenefick. He
examined it and he also concluded it was malicious and thought that the Kaspersky conclusion
was ludicrous. He then submitted a copy to Kaspersky and he got a different virus
researcher. This time it was concluded that it was indeed malicious and the infector was
called Trojan.Win32.Agent.JZ.
I later received an email message back from the virus researcher I had communicated with
earlier with the following text...
"Hello!
Ok, we analyzed this badly.
Malicious software was found in the attached file.
Its detection was included in the next update. Thank you for your help."