Symantec shines


Jari Lehtonen

I sent a known infected file that was spammed here in usenet yesterday
to jotti.org and virustotal.com online scanners. All AVs other than
Symantec found the infection. Virus names were quite different though.


AntiVir 6.31.0.7 06.29.2005 W32/Xorala
Avira 6.31.0.7 06.29.2005 W32/Xorala
BitDefender 7.0 06.29.2005 Win32.Swen.A@mm
ClamAV devel-20050501 06.29.2005 Worm.Gibe.F
DrWeb 4.32b 06.29.2005 Win32.HLLM.Gibe.2
eTrust-Iris 7.1.194.0 06.28.2005 Win32/Valla.2048
eTrust-Vet 11.9.1.0 06.29.2005 Win32.Valla.2048
Fortinet 2.36.0.0 06.29.2005 W32/Valla.A
Ikarus 2.32 06.28.2005 Email-Worm.Win32.Swen.A
Kaspersky 4.0.2.24 06.29.2005 Virus.Win32.Xorala
McAfee 4523 06.28.2005 W32/Valla.a
NOD32v2 1.1157 06.28.2005 Win32/Xorala.A
Norman 5.70.10 06.28.2005 W32/Valla.2048
Panda 8.02.00 06.28.2005 W32/Valla.2048
Sybari 7.5.1314 06.29.2005 I-Worm.Swen.A1

Symantec 8.0 06.29.2005 no virus found

TheHacker 5.8.2.062 06.29.2005 W32/Valla.A
VBA32 3.10.4 06.28.2005 Win32.Xoralda.2048
ArcaVir Found Worm.Swen
Avast Found Win32:Swen
AVG Antivirus Found Win32/Valla.2048
F-Prot Antivirus Found W32/Harmony.A
 
From: "Jari Lehtonen" <[email protected]>

| I sent a known infected file that was spammed here in usenet yesterday
| to jotti.org and virustotal.com online scanners. All AVs other than
| Symantec found the infection. Virus names were quite different though.
|
| AntiVir 6.31.0.7 06.29.2005 W32/Xorala
| Avira 6.31.0.7 06.29.2005 W32/Xorala
| BitDefender 7.0 06.29.2005 Win32.Swen.A@mm
| ClamAV devel-20050501 06.29.2005 Worm.Gibe.F
| DrWeb 4.32b 06.29.2005 Win32.HLLM.Gibe.2
| eTrust-Iris 7.1.194.0 06.28.2005 Win32/Valla.2048
| eTrust-Vet 11.9.1.0 06.29.2005 Win32.Valla.2048
| Fortinet 2.36.0.0 06.29.2005 W32/Valla.A
| Ikarus 2.32 06.28.2005 Email-Worm.Win32.Swen.A
| Kaspersky 4.0.2.24 06.29.2005 Virus.Win32.Xorala
| McAfee 4523 06.28.2005 W32/Valla.a
| NOD32v2 1.1157 06.28.2005 Win32/Xorala.A
| Norman 5.70.10 06.28.2005 W32/Valla.2048
| Panda 8.02.00 06.28.2005 W32/Valla.2048
| Sybari 7.5.1314 06.29.2005 I-Worm.Swen.A1
|
| Symantec 8.0 06.29.2005 no virus found
|
| TheHacker 5.8.2.062 06.29.2005 W32/Valla.A
| VBA32 3.10.4 06.28.2005 Win32.Xoralda.2048
| ArcaVir Found Worm.Swen
| Avast Found Win32:Swen
| AVG Antivirus Found Win32/Valla.2048
| F-Prot Antivirus Found W32/Harmony.A
|

One of the *biggest* problems in the industry is the naming convention problem. { sigh }
 
Jari said:
I sent a known infected file that was spammed here in usenet yesterday
to jotti.org and virustotal.com online scanners. All AVs other than
Symantec found the infection. Virus names were quite different though.

From looking at this, it appears the file was a standard W32/Swen.A@MM
executable (also known as Gibe) which was then infected with a parasitic
virus known as Valla/Xorala.

Interesting Symantec missed it.
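The vendor names above differ so much that reading the scan by eye hides the two facts that matter: one engine reported the file clean, and the others split between the Swen/Gibe family and the Valla/Xorala family. This is an added example (not code from the thread or from any scanner vendor) that parses a constructed subset of the lines quoted above, folds the vendor names into families using only the aliases the thread itself states, and reports the detection ratio and the engines that missed; the mapping of "Xoralda" to Valla is an assumption.

```python
import re
from collections import Counter

# Constructed sample: a subset of the jotti/virustotal lines quoted in the thread.
# Two layouts occur: "<engine> <version> <mm.dd.yyyy> <verdict>" and "<engine> Found <verdict>".
SCAN_RESULTS = """\
AntiVir 6.31.0.7 06.29.2005 W32/Xorala
BitDefender 7.0 06.29.2005 Win32.Swen.A@mm
ClamAV devel-20050501 06.29.2005 Worm.Gibe.F
eTrust-Vet 11.9.1.0 06.29.2005 Win32.Valla.2048
Kaspersky 4.0.2.24 06.29.2005 Virus.Win32.Xorala
McAfee 4523 06.28.2005 W32/Valla.a
Symantec 8.0 06.29.2005 no virus found
VBA32 3.10.4 06.28.2005 Win32.Xoralda.2048
ArcaVir Found Worm.Swen
AVG Antivirus Found Win32/Valla.2048
F-Prot Antivirus Found W32/Harmony.A
"""

# Alias table built from the thread's own explanation (Swen == Gibe, Valla == Xorala).
# "xoralda" is assumed here to be a spelling variant of Xorala; anything unmapped is "other".
FAMILY_ALIASES = {"swen": "Swen", "gibe": "Swen",
                  "valla": "Valla", "xorala": "Valla", "xoralda": "Valla"}

DATED = re.compile(r"^(\S+) \S+ \d\d\.\d\d\.\d{4} (.+)$")
FOUND = re.compile(r"^(.+?) Found (.+)$")

def parse_line(line):
    """Return (engine, verdict); verdict is None when the engine reported the file clean."""
    m = DATED.match(line) or FOUND.match(line)
    if not m:
        raise ValueError(f"unrecognised scanner line: {line!r}")
    engine, verdict = m.group(1), m.group(2).strip()
    return engine, (None if "no virus found" in verdict.lower() else verdict)

def family_of(verdict):
    """Reduce a vendor-specific name to a family label using the alias table."""
    for token in re.split(r"[./:@\-_ ]+", verdict.lower()):
        if token in FAMILY_ALIASES:
            return FAMILY_ALIASES[token]
    return "other"

def summarise(text):
    """Detection ratio, engines that missed the sample, and per-family vote counts."""
    rows = [parse_line(l) for l in text.splitlines() if l.strip()]
    missed = [engine for engine, verdict in rows if verdict is None]
    families = Counter(family_of(v) for _, v in rows if v is not None)
    return {"engines": len(rows), "detected": len(rows) - len(missed),
            "missed": missed, "families": dict(families)}
```

On the sample this returns 10 of 11 engines detecting, "Symantec" as the only miss, and a family split of six Valla votes, three Swen votes and one unmapped name, which matches the two-layer picture (a Swen host infected by Valla) described above.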
 
Mal said:
From looking at this, it appears the file was a standard W32/Swen.A@MM
executable (also known as Gibe) which was then infected with a parasitic
virus known as Valla/Xorala.

Interesting Symantec missed it.

I was thinking the same thing. I wonder if it (they) were viable. Is the
posted subject "Symantec shines" an indication that Jari agrees with
Symantec's findings?
 
I'm really not impressed with Symantec's speed to update their definitions.
I'm a Sys Admin for a school with approx 300 workstations. A couple of
months ago, a Mytob variant started getting through our SAV protected
gateway.
I sent copies of it to Symantec for their analysis....they said it was
clean. Even free AVAST said from word go that it was Mytob.
A couple of weeks later (yes....a couple of weeks!!), Symantec agreed it was
a Mytob variant and posted appropriate definitions. If you submit a virus
report to Symantec, it goes through their "robot" which appears to ignore
all the symptoms and other information you spend time submitting. SAV really
needs to do better than weekly updates and needs to "sack" its robot and
replace it with people who can read supplied information.

Peter

I'm afraid
 
Peter said:
I'm really not impressed with Symantec's speed to update their definitions.
I'm a Sys Admin for a school with approx 300 workstations. A couple of
months ago, a Mytob variant started getting through our SAV protected
gateway.
I sent copies of it to Symantec for their analysis....they said it was
clean. Even free AVAST said from word go that it was Mytob.
A couple of weeks later (yes....a couple of weeks!!), Symantec agreed it was
a Mytob variant and posted appropriate definitions. If you submit a virus
report to Symantec, it goes through their "robot" which appears to ignore
all the symptoms and other information you spend time submitting. SAV really
needs to do better than weekly updates and needs to "sack" its robot and
replace it with people who can read supplied information.

Peter

I'm afraid
BUT....BUT....motorboat.
They *shine* in buggy programs, in bloated software, and most
especially in their lack of customer support!
Are you trying to say they have yet to meet the Micro$oft standards
of "excellence"???
 
I'm really not impressed with Symantec's speed to update their definitions.
I'm a Sys Admin for a school with approx 300 workstations. A couple of
months ago, a Mytob variant started getting through our SAV protected
gateway.
I sent copies of it to Symantec for their analysis....they said it was
clean. Even free AVAST said from word go that it was Mytob.
A couple of weeks later (yes....a couple of weeks!!), Symantec agreed it was
a Mytob variant and posted appropriate definitions. If you submit a virus
report to Symantec, it goes through their "robot" which appears to ignore
all the symptoms and other information you spend time submitting. SAV really
needs to do better than weekly updates and needs to "sack" its robot and
replace it with people who can read supplied information.

I've had that problem with Symantec as well. Sent it twice to SARC and they
swore blind there was nothing wrong with a file which I knew was viral.
Third time lucky...although it took over a week. What irks me is that
through NAV's Quarantine interface you can only send one submission per
day, so I tend to use their stand-alone submission program.

--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
 
| I'm really not impressed with Symantec's speed to update their definitions.
| I'm a Sys Admin for a school with approx 300 workstations. A couple of
| months ago, a Mytob variant started getting through our SAV protected
| gateway.
| I sent copies of it to Symantec for their analysis....they said it was
| clean. Even free AVAST said from word go that it was Mytob.
| A couple of weeks later (yes....a couple of weeks!!), Symantec agreed it was
| a Mytob variant and posted appropriate definitions. If you submit a virus
| report to Symantec, it goes through their "robot" which appears to ignore
| all the symptoms and other information you spend time submitting. SAV really
| needs to do better than weekly updates and needs to "sack" its robot and
| replace it with people who can read supplied information.
|
| Peter

It seems that the AV companies respond to those threats that are running
amok or threats that are intellectually interesting but not yet (perhaps
never to be) in the wild yet.

Last year I got hit with some malware that overwrote the MS Notepad.exe
file in 2 PCs on my network, a Win98SE box and a Win2k box.

NAV, F-Prot and KAV didn't find the culprit but an old copy of the last
release of Dr. Solomon's heuristic function did. I still kept the copy of
Dr. Solys on one of the PCs - I guess for sentimental value.

A month or two later, NAV and F-prot released definitions for the
critter. I don't remember the exact malware.

Chas.
 
I was thinking the same thing. I wonder if it (they) were viable. Is the
posted subject "Symantec shines" an indication that Jari agrees with
Symantec's findings?
I was trying to be sarcastic. Such a big name as Symantec being the
only one not recognizing this infection is really a major disaster.
SAV is considered in this group a decent av (opposite to Norton av),
but not finding swen is not very convincing.
Jari
 
Jari Lehtonen said:
I was trying to be sarcastic. Such a big name as Symantec being the
only one not recognizing this infection is really a major disaster.
SAV is considered in this group a decent av (opposite to Norton av),
but not finding swen is not very convincing.

It would be nice if a worm executable would still be detected after
being modified by a parasitic infector, but I really wouldn't expect it
from a scanner (they are primarily geared toward the normal instances).
I wonder why the parasitic infector itself was missed though. If the
parasite were "cleaned" I wonder how virustotal et al would do with the
remaining swen executable.

Anyway - an interesting thread.
 