Reporting a new malware sample

  • Thread starter Thread starter Gotde T Shirt
  • Start date Start date
G

Gotde T Shirt

How can I report a new malware-infected file without having to trawl
through the various individual vendors' sites? Are there central reporting
sites, or maybe a distribution list?

(I've tried various searches but only found out-of-date or vendor-specific
info)
 
From: "Gotde T Shirt" <[email protected]>

| How can I report a new malware-infected file without having to trawl
| through the various individual vendors' sites? Are there central reporting
| sites, or maybe a distribution list?

| (I've tried various searches but only found out-of-date or vendor-specific
| info)


Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition Virus
Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
Click to expand...

David,

How's about answering my question?

NB: Identifying that it's infected isn't the problem. Fixing it isn't the
problem. I've done both, two days ago.

I confirmed that it was infected via upload to the virustotal.com,
virscan.org and virus.org sites. I've since re-uploaded/scanned it on those
sites: it is clear that the various vendors either aren't hooked into them
at all or are very slow in updating their definitions because there are
still only a minority recognising it.

Here's today's virustotal report FYI:
File beep.sys received on 10.08.2008 10:46:07 (CET)Antivirus Version Last
Update Result
AhnLab-V3 2008.10.3.2 2008.10.08 Win-Trojan/Agent.16896.LN
AntiVir 7.8.1.34 2008.10.08 TR/Rootkit.Agent.NFK.1
Authentium 5.1.0.4 2008.10.08 -
Avast 4.8.1248.0 2008.10.08 -
AVG 8.0.0.161 2008.10.07 Agent.AETS
BitDefender 7.2 2008.10.08 Trojan.Rootkit.Agent.NFK
CAT-QuickHeal 9.50 2008.10.08 -
ClamAV 0.93.1 2008.10.08 -
DrWeb 4.44.0.09170 2008.10.08 -
eSafe 7.0.17.0 2008.10.07 -
eTrust-Vet 31.6.6135 2008.10.08 -
Ewido 4.0 2008.10.07 -
F-Prot 4.4.4.56 2008.10.07 -
F-Secure 8.0.14332.0 2008.10.08 Rootkit.Win32.Agent.efs
Fortinet 3.113.0.0 2008.10.08 -
GData 19 2008.10.08 Trojan.Rootkit.Agent.NFK
Ikarus T3.1.1.34.0 2008.10.08 Trojan.Rootkit.Agent.NFK
K7AntiVirus 7.10.487 2008.10.07 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2008.10.08 Rootkit.Win32.Agent.efs
McAfee 5400 2008.10.07 -
Microsoft 1.4005 2008.10.08 -
NOD32 3502 2008.10.07 -
Norman 5.80.02 2008.10.07 -
Panda 9.0.0.4 2008.10.07 Generic Trojan
PCTools 4.4.2.0 2008.10.07 -
Prevx1 V2 2008.10.08 Malicious Software
Rising 20.65.21.00 2008.10.08 -
SecureWeb-Gateway 6.7.6 2008.10.08 Trojan.Rootkit.Agent.NFK.1
Sophos 4.34.0 2008.10.08 Troj/Agent-HVP
Sunbelt 3.1.1708.1 2008.10.08 -
Symantec 10 2008.10.08 Trojan Horse
TheHacker 6.3.1.0.103 2008.10.07 -
TrendMicro 8.700.0.1004 2008.10.08 -
VBA32 3.12.8.6 2008.10.07 -
ViRobot 2008.10.8.1411 2008.10.08 -
VirusBuster 4.5.11.0 2008.10.07 -
 
From: "Gotde T Shirt" <[email protected]>



| David,

| How's about answering my question?

My reply clearly stated "In addition Virus Total will provide the sample to all
participating vendors."
Click to expand...

You did indeed, sorry I missed that bit.

I've just checked again and the report still shows only 14 of 36 hits. It
was first uploaded (by someone else) on 30-Sep-2008. So after 8 days, 22
vendors' definitions still do not appear to have been updated with its
signature. Are the participating vendors *that* snowed under with samples
to process?
You weren't specific as to what vendors. I have a laundry list of submission addresses.
Click to expand...
The virustotal report I posted shows the vendors.
 
From: "Gotde T Shirt" <[email protected]>



| The virustotal report I posted shows the vendors.

I meant, you weren't specific as to what vendors you should contact to send the sample
submission.

I'll tell you what. Send me a sample and I will get it distributd ASAP. I have direct
contact with numerous anti malware vendors.

Send it to me in a password proected ZIP file with the password being; infected
{ password = infected }

Just remove ~nospam~ from my posting email address.
Click to expand...

On its way to you. Thanks for your help.
 
NB: Identifying that it's infected isn't the problem. Fixing it isn't
the problem. I've done both, two days ago.

I confirmed that it was infected via upload to the virustotal.com,
virscan.org and virus.org sites. I've since re-uploaded/scanned it on
those sites: it is clear that the various vendors either aren't hooked
into them at all or are very slow in updating their definitions
because there are still only a minority recognising it.
Click to expand...

If you will send this file to us at http://uploads.malwarebytes.org I will
get a look at it that day and get it's detection and removal added to
MalwareBytes if we don't already know it.
 
David said:
I'll tell you what. Send me a sample and I will get it distributd ASAP. I have direct
contact with numerous anti malware vendors.
Click to expand...

I thought soliciting virii was a no-no in this venue, unless of course
you happen to be the very guy that harangues others accordingly.
 
You mean you don't know? That file has been in mine for a few months now.
Click to expand...

Nope, as I have no way of knowing what the file really is by name alone.
Our software isn't batch or script based.
 
Back
Top