SCR file being posted to usenet (detected by some AV's, but not all)

Virus Guy

For the hell of it, I submitted a copy of an SCR file to VirusTotal.
This file (which is probably an EXE) is being posted to some
newsgroups within the past few hours.

It's being ID'd as various versions of Hackarmy, SdBot,
Spybot.gen.worm, etc.

The following AV software is not detecting it:

Avast
CAT-Quickheal (says "suspicious")
ClamAV
eTrust-Vet
Fprot (says it "could be infected")
Nod32v2 (says "probably unknown NewHeur_PE")
Norman (says "W32/Malware" - what kind of ID is that?)
Sophos
Symantec
TheHacker

BTW, regarding the Total Commander crack that I submitted to VT last
week, it's still the same 3 vendors (Avast, Norman, and Symantec) that
are detecting it as mal-ware.
 
Art

> For the hell of it, I submitted a copy of an SCR file to VirusTotal.
> This file (which is probably an EXE) is being posted to some
> newsgroups within the past few hours.
>
> It's being ID'd as various versions of Hackarmy, SdBot,
> Spybot.gen.worm, etc.
>
> The following AV software is not detecting it:
>
> Avast
> CAT-Quickheal (says "suspicious")
> ClamAV
> eTrust-Vet
> Fprot (says it "could be infected")
> Nod32v2 (says "probably unknown NewHeur_PE")
> Norman (says "W32/Malware" - what kind of ID is that?)
> Sophos
> Symantec
> TheHacker

Four of those products _are_ detecting it (heuristically). They just
don't have sigs (yet). It's unfair to say they aren't detecting it
since users of those products will be warned.

Art

http://home.epix.net/~artnpeg
 
Adam Piggott

Virus Guy wrote:
> BTW, regarding the Total Commander crack that I submitted to VT last
> week, it's still the same 3 vendors (Avast, Norman, and Symantec) that
> are detecting it as mal-ware.

Explain to me why people who use cracks/key gens should be protected by
anti-virus software? It might just be that the other vendors have better
things to do with their time.

I certainly hope that an AV company /wouldn't/ add such a detection unless
it was being used elsewhere. Quality of a virus detection database means
efficient running, and an AV product protecting the crack/key gen using
leechers doesn't interest me.

My 2 flaming cents :)
 
BoB

> For the hell of it, I submitted a copy of an SCR file to VirusTotal.
> This file (which is probably an EXE) is being posted to some
> newsgroups within the past few hours.
>
> It's being ID'd as various versions of Hackarmy, SdBot,
> Spybot.gen.worm, etc.
>
> The following AV software is not detecting it:
>
> Avast
> CAT-Quickheal (says "suspicious")
> ClamAV
> eTrust-Vet
> Fprot (says it "could be infected")
> Nod32v2 (says "probably unknown NewHeur_PE")
> Norman (says "W32/Malware" - what kind of ID is that?)
> Sophos
> Symantec
> TheHacker
>
> BTW, regarding the Total Commander crack that I submitted to VT last
> week, it's still the same 3 vendors (Avast, Norman, and Symantec) that
> are detecting it as mal-ware.

EZTrust, which I'll remove as soon as the subscriptions expire, did NOT
detect anything on the two .scr I saw in the NGs today. F-Prot said they
were both suspicious.

Both MWAV and BitDefender8 ID'd them.

infected by "Backdoor.Win32.Hackarmy.gen" Virus. Action Taken: File
Deleted.

BoB
 
Virus Guy

Adam said:
> Explain to me why people who use cracks/key gens should be
> protected by anti-virus software? It might just be that the
> other vendors have better things to do with their time.

If it's the policy of any given AV company/software to be selective
when it comes to malware detection (ie to specifically NOT protect
against malware that is associated with hack/crack files) then they
should advertise that policy - and let that be a factor in how
consumers choose AV software.

Or do you think that AV vendors should NOT publicize their decision to
not protect against rogue cracks and key-gens, thereby keeping
consumers in the dark about the true competency or capability of
their AV software?

The way I see it, any AV vendor can certainly choose whether to
include or exclude malware detection within known hack/crack/key-gen
files, but there is no coherent argument that can be raised (other
than pure pettiness or malice) for not making end-users aware of such
a corporate-level decision.

I will continue to post the results of malware detection (or lack
thereof) within hack/crack files to establish if any particular AV
vendor does indeed show a policy of detection-avoidance for such
files.

This raises another point: The use of rogue hacks and cracks would
drop if they were detected as trojan/viral/what-ever. You could argue
that anyone who seeks out and installs a keygen or crack (which does
what it's advertised to do) deserves the (possible) infection they
get. I could argue that the internet-at-large has become more
"polluted" because of the infected user, and the vendor against which
the hack/crack was used has experienced some (perhaps small)
tangible loss because of the crack - so an AV policy of
detection-avoidance has accomplished nothing in this case, and
arguably it has led to the worse of two possible outcomes.

Besides, the incorporation of a given piece of mal-ware into a
hack/crack file doesn't mean that same mal-ware won't migrate to other
types of delivery mechanisms or payloads. For this reason, good AV
software should be blind to the source (or intention) of a piece of
mal-ware and just focus on (and protect against) the threat.
 
Jake Dodd

Virus Guy said:
> For the hell of it, I submitted a copy of an SCR file to VirusTotal.
> This file (which is probably an EXE)...

No, it's an SCR file (probably a screensaver or script with that extension).

An SCR (screensaver) file is executable just as an EXE (executable) file is.
A script file is executable through the scripting engine.
 
David H. Lipman

From: "Virus Guy" <[email protected]>

| Adam Piggott wrote:
||
| If it's the policy of any given AV company/software to be selective
| when it comes to malware detection (ie to specifically NOT protect
| against malware that is associated with hack/crack files) then they
| should advertise that policy - and let that be a factor in how
| consumers choose AV software.

< snip >

Sophos is selective. If I submit to them an "adware" class of malware sample I'll get back
an email indicating that signatures will NOT be added per their policy.
 
Virus Guy

Jake said:
> No, it's an SCR file (probably a screensaver or script with
> that extension)

SCR scripts are typically no larger than 2k in size (and are fully
readable text, and do not have the DOS stub at the start of the file
where the first 2 characters of the file are "MZ" followed nearby with
"This program can't be run in DOS mode").

The file in question is 17 kb in size and does start with "MZ" and
(unlike a script) contains mostly binary code.

> An SCR (screensaver) file is executable just as an EXE
> (executable) file is.

You can take any non-script SCR file, rename it to EXE, and run it
with no apparent difference in functionality. The properties of an
SCR file will show "Type: Application" when renamed to an EXE file.
It's not clear that there is anything inside a (legit) executable SCR
file that actually differentiates it as an SCR file vs an EXE file.

In other words, if I took a legit executable SCR file and renamed it
to EXE and handed it to you, could you determine (by file or header
analysis) that it was originally an SCR file?

Speculation is that executable screen savers were given .SCR file
names to allow Windows to distinguish which files are screen savers
for the display properties (screen-saver) drop-down list.
 
Virus Guy

David H. Lipman said:
> Sophos is selective. If I submit to them an "adware" class of
> malware sample I'll get back an email indicating that signatures
> will NOT be added per their policy.

Does "adware" qualify as a true infective threat? That is, a piece of
code that attempts self-propagation to other systems or opens a
back-door to the system or modifies system settings to allow the
intrusion of other mal-ware?

If what you're saying is that Sophos does not perform the same
scanning and detection that "AdAware" does, well, that's fine because
I don't consider most of the stuff that AdAware finds as active
malware in a true infective sense.

AdAware is funny, because it seems to claim to also be AV software (it
claims to detect trojans). When I had it scan my Virus directory, it
found this:

Name:NetCat
Category:Vulnerability
Object Type:File
Size:59392 Bytes
Description:Remote control tool

VirusTotal results for that file:

AntiVir SPR/RemoteAdmin.Net
Avast no virus found
AVG no virus found
Avira SPR/RemoteAdmin.Net
BitDefender Application.NTSniff.110
CAT-QuickHeal RiskWare.RemoteAd (Not a Virus)
ClamAV devel-2 no virus found
DrWeb 4.33 no virus found
eTrust-InoculateIT no virus found
eTrust-Vet no virus found
Ewido 3.5 Backdoor.Ncx.a
Fortinet RAT/NT110.A-tr
F-Prot 3.16c no virus found
Ikarus Trojan-Dropper.Win32.Small.DW
Kaspersky no virus found
McAfee no virus found
NOD32v2 no virus found
Norman no virus found
Panda HackTool/NetCat.A
Sophos no virus found
Symantec no virus found
TheHacker Aplicacion/RemAdm.Netcat
UNA 1.83 no virus found
VBA32 no virus found

The file in question (nc.exe) was part of an archive package that I
believe was designed to be a hidden FTP server (TFC-FXP PubStro). I
submitted the entire archive to Kaspersky in Feb/2005 and at that time
it identified "nc.exe" as being infected with
"not-a-virus:RiskWare.RemoteAdmin.NetCat". As the recent scan (above)
indicates, Kaspersky is no longer ID'ing the file as a threat (?).

AdAware also found this in a different file:

Name:Win32.Torvil
Category:Malware
Object Type:File
Size:62464 Bytes
Description:Worm

All AV software on VirusTotal ID's that file as various versions of
Torvil (A, B or D).
 
David H. Lipman

From: "Virus Guy" <[email protected]>

| "David H. Lipman" wrote:
||
| Does "adware" qualify as a true infective threat? That is, a piece of
| code that attempts self-propagation to other systems or opens a
| back-door to the system or modifies system settings to allow the
| intrusion of other mal-ware?
|
| If what you're saying is that Sophos does not perform the same
| scanning and detection that "AdAware" does, well, that's fine because
| I don't consider most of the stuff that AdAware finds as active
| malware in a true infective sense.

< snip >

Adware can make modifications. To what level and if it should be handled by the vendor is
subjective.

There is much overlap between anti malware applications. As noted, Ad-aware and SpyBot may
pick up notorious viruses. Kaspersky and McAfee may get much adware. However, that overlap is
still insufficient and requires multiple anti malware applications to cover the full range
of malware from viruses to non-viral malware.
 
kurt wismer

Adam said:
> Virus Guy wrote:
>
> Explain to me why people who use cracks/key gens should be protected by
> anti-virus software?

this thing we're on is called the internet... we're *all* connected to
it... ask not for whom the bell tolls...
 
Adam Piggott

Virus said:
> If it's the policy of any given AV company/software to be selective
> when it comes to malware detection (ie to specifically NOT protect
> against malware that is associated with hack/crack files) then they
> should advertise that policy - and let that be a factor in how
> consumers choose AV software.

I wouldn't say they would be selective, but rather prioritising. If there
is a lot of work due to variants of a fast-spreading worm to be detected
then the likes of crack viruses would probably be put down the "to-do list".

> Or do you think that AV vendors should NOT publicize their decision to
> not protect against rogue cracks and key-gens, thereby keeping
> consumers in the dark about the true competency or capability of
> their AV software?

A computer's security measures (not just AV) are only as good as the user
behind them, as the user has the power to bring in all manner of infected
goods despite the fact they know the dangers.

> The way I see it, any AV vendor can certainly choose whether to
> include or exclude malware detection within known hack/crack/key-gen
> files, but there is no coherent argument that can be raised (other
> than pure pettiness or malice) for not making end-users aware of such
> a corporate-level decision.

I suppose one would have to investigate the nature of crack viruses. I
can't say from experience but suppose that the vast majority are unique
"one-off" viruses - what's the point in protecting against them? The
chances are by the time someone who gives a monkey's and sends in a sample,
a considerable number of other users have already been exposed, and in a
year's time the crack will be obsolete due to a new version of the program
coming out, or the crack being repackaged with a new unique virus.

If this /is/ the case then it's a pointless cat-and-mouse game...well,
more so than it currently is in the non-crack virus world :)

> This raises another point: The use of rogue hacks and cracks would
> drop if they were detected as trojan/viral/what-ever.

I think you'll find that the viruses are put into cracks for a good reason,
and just because some AV vendors were really hot on detections for them
wouldn't give the infecters a reason to stop - especially if the above
assumption that most people using cracks aren't likely to submit a nasty
one to an AV vendor, thus increasing the time to detection,

> You could argue that anyone who seeks out and installs a keygen or crack
> (which does what it's advertised to do) deserves the (possible)
> infection they get. I could argue that the internet-at-large has become
> more "polluted" because of the infected user, and the vendor against
> which the hack/crack was used has experienced some (perhaps small)
> tangible loss because of the crack - so an AV policy of
> detection-avoidance has accomplished nothing in this case, and arguably
> it has led to the worse of two possible outcomes.

I think that you/we are going off a tangent here, especially on one of the
points that I was trying to put across - it's not that the AV vendors would
especially /not/ try to protect crack users because they're stealing, but
rather because there are more pressing viruses to attend to that are more
important and widespread. As the AV vendors have a finite staff and length
of time they have to prioritise tightly.

> Besides, the incorporation of a given piece of mal-ware into a
> hack/crack file doesn't mean that same mal-ware won't migrate to other
> types of delivery mechanisms or payloads. For this reason, good AV
> software should be blind to the source (or intention) of a piece of
> mal-ware and just focus on (and protect against) the threat.

That's very true indeed - I did mention that in my reply, but with the
prevalence of virus-writing tools it's not hard for a script kiddie to
generate their own new virus for every crack they release and protecting
against this (via detections rather than heuristics) would be polluting the
databases IMO.

Thanks for an interesting discussion :)

 
Virus Guy

Adam said:
> I wouldn't say they would be selective, but rather prioritising.

A delay in incorporating protection against a certain "class" of
malware (trojan/virus/worm) is one thing.

A complete avoidance (because of corporate policy) to include
protection against a certain class (originating from hacks and cracks)
is another.

Do you advocate for the delay, or the corporate policy of avoidance?

If you advocate for the delay - how long a delay? When does a delay
turn into avoidance?

> A computer's security measures (not just AV) are only as good...

Don't change the subject. We're talking purely about AV software
here.

> I think you'll find that the viruses are put into cracks for a
> good reason, and just because some AV vendors were really hot
> on detections for them wouldn't give the infecters a reason to
> stop

So you're saying that someone who obtains a crack, and scans it with
their AV software, and it is found to be viral, would still use or run
the crack? I don't think so.

> - especially if the above assumption that most people using
> cracks aren't likely to submit a nasty one to an AV vendor,
> thus increasing the time to detection,

I bet individual vendor submission links and others (like virustotal)
experience their single largest load from people who ARE submitting
recently acquired hacks and cracks from people eager to use them, but
suspicious of their origin. If there's one class of malware that AV
vendors could be reasonably expected to be "up-to-date" on, it's
malware within hacks/cracks (assuming they treat submissions with some
degree of care and competency).

> I think that you/we are going off a tangent here, especially on
> one of the points that I was trying to put across - it's not that
> the AV vendors would especially /not/ try to protect crack users
> because they're stealing, but rather because there are more
> pressing viruses to attend to that are more important and
> widespread.

I think it's wrong to downplay the extent to which hacks and cracks
are sought out by internet users at large, especially as exploits in
Windows and other software are getting patched.

> As the AV vendors have a finite staff and length of time they
> have to prioritise tightly.

A hash or MD5 of a suspect file can be incorporated into AV definition
files very easily.
 
Jake Dodd

Virus Guy said:
> SCR scripts are typically no larger than 2k in size (and are fully
> readable text, and do not have the DOS stub at the start of the file
> where the first 2 characters of the file are "MZ" followed nearby with
> "This program can't be run in DOS mode").
>
> The file in question is 17 kb in size and does start with "MZ" and
> (unlike a script) contains mostly binary code.

It's a bad habit to confuse filename extension with filetype. An SCR file
will become an EXE file when the extension is renamed. If renamed to
TXT it will become a TXT file. Filetype is determined by the contents
of the file not by the name.

> You can take any non-script SCR file, rename it to EXE, and run it
> with no apparent difference in functionality.

Both are probably Windows PE files.

> The properties of an
> SCR file will show "Type: Application" when renamed to an EXE file.

The renaming only affects how the OS treats the file by association with
the extension.

> It's not clear that there is anything inside a (legit) executable SCR
> file that actually differentiates it as an SCR file vs an EXE file.

I believe they're identical. DLL's are close too, as are some font files.

> In other words, if I took a legit executable SCR file and renamed it
> to EXE and handed it to you, could you determine (by file or header
> analysis) that it was originally an SCR file?

Yes, highly likely.

> Speculation is that executable screen savers were given .SCR file
> names to allow Windows to distinguish which files are screen savers
> for the display properties (screen-saver) drop-down list.

Look at a legit screensaver file and a legit PE application file with an editor
and search for the string "screensaver". Most likely the legit screensaver
will have many occurrences and none for the 'normal' PE.

The same loader is capable though.
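A content-based check for the point made in the last two exchanges (the file's bytes, not its .scr or .exe name, decide what it is), written here as an added example and not code from anyone in the thread: it reads the "MZ" signature, follows e_lfanew to the "PE\0\0" signature, looks for the DOS stub text, measures how much of the file is readable text (Virus Guy's script-vs-binary distinction), and applies Jake's "screensaver" string hint. The sample inputs are constructed header bytes and text, not a real screensaver or script.

```python
import string
import struct

# Real DOS stubs say "cannot be run in DOS mode"; the thread quotes it as
# "can't be run", so match the tail that both wordings share.
DOS_STUB_TAIL = b"be run in DOS mode"
PRINTABLE = frozenset(string.printable.encode())

# Constructed readable text standing in for a small scripted .scr file.
SAMPLE_TEXT_SCRIPT = b"REM constructed sample text, not a real script\r\nECHO hello\r\n"


def classify_by_content(data: bytes) -> dict:
    """Decide what a purported .scr file is from its bytes alone; the name is ignored."""
    has_mz = data[:2] == b"MZ"
    has_pe_sig = False
    if has_mz and len(data) >= 0x40:
        # e_lfanew at offset 0x3C gives the file offset of the "PE\0\0" signature.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        has_pe_sig = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    # A scripted .scr is readable text; a PE is mostly binary.
    text_ratio = sum(b in PRINTABLE for b in data) / max(len(data), 1)
    if has_mz and has_pe_sig:
        kind = "pe-executable"
    elif text_ratio > 0.95:
        kind = "text-script"
    else:
        kind = "unknown"
    return {
        "kind": kind,
        "has_mz": has_mz,
        "has_pe_sig": has_pe_sig,
        "has_dos_stub": DOS_STUB_TAIL in data,
        # Jake's hint: legitimate screensavers tend to carry this string.
        "screensaver_hint": b"screensaver" in data.lower(),
        "text_ratio": round(text_ratio, 3),
    }


def build_sample_pe(screensaver_hint: bool) -> bytes:
    """Constructed MZ header + DOS stub + PE signature; header bytes only, not a runnable program."""
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40 + len(stub))  # e_lfanew
    tail = b"screensaver" if screensaver_hint else b"\x00" * 11
    return bytes(dos_header) + stub + b"PE\0\0" + b"\x00" * 64 + tail


if __name__ == "__main__":
    samples = {
        "screensaver-like PE": build_sample_pe(True),
        "plain PE": build_sample_pe(False),
        "text script": SAMPLE_TEXT_SCRIPT,
        "truncated MZ": b"MZ" + b"\x00" * 20,
    }
    for label, blob in samples.items():
        # The same bytes classify the same whatever the file is called.
        print(f"{label:20s} -> {classify_by_content(blob)}")
```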
 
