Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: yvs on August 07, 2007, 06:45:28 PM
-
Here - http://www. yvs. makeevka. com/files/viruses.zip
Two viruses. Password: virus.
Virus@avast.com has not heard me for one month.
Why?..
Heeeelp...
-
Please, don't post live links to infected files (even password protected).
After you have sent the samples to virus@avast.com you can try sending the files to Chest and, from there, resend to Alwil for analysis.
The preferred way for submitting samples is e-mail (or sending them from the Chest). Alternatively, you can use the Alwil FTP server as a second way to transfer only big files. Upload them to ftp://ftp.avast.com/incoming (please note that you won't have READ access to the FTP server, just write, so you won't even be able to see what you've just uploaded).
Anyway, this is not an excuse for not having improved the detection yet... Shame on virus analyst team...
-
File AUH5j6Ma.exe received on 08.07.2007 19:00:52 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.8.3.0 2007.08.07 -
AntiVir 7.4.0.57 2007.08.07 TR/Crypt.ULPM.Gen
Authentium 4.93.8 2007.08.07 -
Avast 4.7.1029.0 2007.08.07 -
AVG 7.5.0.476 2007.08.06 -
BitDefender 7.2 2007.08.07 GenPack:Win32.Worm.Luder.F
CAT-QuickHeal 9.00 2007.08.07 -
ClamAV 0.91 2007.08.07 -
DrWeb 4.33 2007.08.07 Trojan.Inject.351
eSafe 7.0.15.0 2007.07.31 suspicious Trojan/Worm
eTrust-Vet 31.1.5040 2007.08.07 -
Ewido 4.0 2007.08.07 -
FileAdvisor 1 2007.08.07 -
Fortinet 2.91.0.0 2007.08.07 -
F-Prot 4.3.2.48 2007.08.07 -
F-Secure 6.70.13030.0 2007.08.07 Trojan.Win32.Agent.avd
Ikarus T3.1.1.8 2007.08.07 Win32.SuspectCrc
Kaspersky 4.0.2.24 2007.08.07 Trojan.Win32.Agent.avd
McAfee 5092 2007.08.07 -
Microsoft 1.2704 2007.08.07 -
NOD32v2 2442 2007.08.07 -
Norman 5.80.02 2007.08.06 -
Panda 9.0.0.4 2007.08.07 W32/ZlFake.A.drp
Prevx1 V2 2007.08.07 Trojan.Lozyt
Rising 19.35.12.00 2007.08.07 -
Sophos 4.19.0 2007.08.01 Mal/HckPk-A
Sunbelt 2.2.907.0 2007.08.04 -
Symantec 10 2007.08.07 -
TheHacker 6.1.7.163 2007.08.07 -
VBA32 3.12.2.2 2007.08.07 Trojan.Win32.Small.oj
Webwasher-Gateway 6.0.1 2007.08.07 Trojan.Crypt.ULPM.Gen
File ZARAZA.DOC received on 08.07.2007 19:01:12 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.8.3.0 2007.08.07 -
AntiVir 7.4.0.57 2007.08.07 HEUR/Macro.Word97
Authentium 4.93.8 2007.08.07 could be infected with an unknown virus
Avast 4.7.1029.0 2007.08.07 -
AVG 7.5.0.476 2007.08.06 -
BitDefender 7.2 2007.08.07 Macro.VBA
CAT-QuickHeal 9.00 2007.08.07 -
ClamAV 0.91 2007.08.07 -
DrWeb 4.33 2007.08.07 W97M.VMPCK
eSafe 7.0.15.0 2007.07.31 O97M.GNcsin
eTrust-Vet 31.1.5040 2007.08.07 Word97Macro/Nid.A (weak rule) fa
Ewido 4.0 2007.08.07 -
FileAdvisor 1 2007.08.07 -
Fortinet 2.91.0.0 2007.08.07 -
F-Prot 4.3.2.48 2007.08.07 -
F-Secure 6.70.13030.0 2007.08.07 Possibly infected with an unknown virus
Ikarus T3.1.1.12 2007.08.07 Virus.MSWord.Zaraza.b
Kaspersky 4.0.2.24 2007.08.07 Virus.MSWord.Zaraza.b
McAfee 5092 2007.08.07 W97M/Generic
Microsoft 1.2704 2007.08.07 -
NOD32v2 2442 2007.08.07 a variant of W97M/Generic
Norman 5.80.02 2007.08.06 -
Panda 9.0.0.4 2007.08.07 W97M/Havix.A
Prevx1 V2 2007.08.07 Generic.Malware
Rising 19.35.12.00 2007.08.07 Unknown
Sophos 4.19.0 2007.08.01 -
Sunbelt 2.2.907.0 2007.08.04 -
Symantec 10 2007.08.07 W97M.VMPCK1.gen
TheHacker 6.1.7.163 2007.08.07 W97M/Generico
VBA32 3.12.2.2 2007.08.07 -
VirusBuster 4.3.26:9 2007.08.07 -
Webwasher-Gateway 6.0.1 2007.08.07 Heuristic.Macro.Word97
-
Well, I have also sent them from the Chest, so let's see what happens.
-
Please, don't post live links to infected files
Why?
Now these viruses are known, and a user can find infected files with the help of any file manager.
For example: find *.doc files containing the string "c:\windows\system\sys_z.drv".
The danger is not the virus; the danger is a slow virus analyst team. :'(
-
Whilst this link is to a zip file (not an executable), it is still clickable, allowing for accidental exposure by those not so well equipped to deal with a possible infection, more so one not detected by avast.
So it is better to break any link; those of us who don't feel it a problem can still get at it without much trouble, but it is a step that keeps the unwary and inquisitive away, e.g. http :// www . yvs.makeevka.com/files/viruses.zip.
So please modify your link so it isn't clickable; it is just good practice to avoid accidental exposure.
-
The danger is not the virus; the danger is a slow virus analyst team. :'(
For the other users, dangerous is the infection due to virus link exposure and a slow virus analyst team.
-
please modify your link so it isn't clickable
Modified.
-
After you have sent the samples to virus@avast.com you can try sending the files to Chest and, from there, resend to Alwil for analysis.
...
use Alwil FTP server as a second way
:o
Why?...
File AUH5j6Ma.exe I sent to Alwil (virus@avast.com) and to DrWeb (http://www.drweb.ru/newvirus/).
Alwil has not heard me.
From DrWeb I immediately received a confirmation e-mail with a special ID for discussing this virus if I want. After some hours I received an e-mail with thanks and with the name of the virus added to the database.
I like Avast. Why does Avast not like me...
Sorry for my French.
-
For me, some kind of response from the Alwil team would be appropriate. This is not the first time they have been accused of being slow. Not really acceptable, as the product doesn't have heuristics to fall back on...
-
Why?...
File AUH5j6Ma.exe I sent to Alwil (virus@avast.com) and to DrWeb (http://www.drweb.ru/newvirus/).
Alwil has not heard me.
It's a problem of the virus analyst team... hope they hurry up with (more) this sample.
-
Not to hijack the thread/topic, but will Avast have heuristics added in future updates?
-
yvs: the executable will be detected by some new vps in near future (added to internal vps already)... and the doc file needs some more time but will follow soon..
Tech: you know.. we don't ignore this sample, but there are many other viruses, which are more dangerous or more spreading and it's legitimate to add Tibs, Zhelatin, Warezov or Virtumonde/Vundo first and this sample with a little delay... simply because of virus priorities.. hopefully the whole process will become faster (i'm working on a new detection module)... ;)
-
Tech: you know.. we don't ignore this sample, but there are many other viruses, which are more dangerous or more spreading and it's legitimate to add Tibs, Zhelatin, Warezov or Virtumonde/Vundo first and this sample with a little delay... simply because of virus priorities.. hopefully the whole process will become faster (i'm working on a new detection module)... ;)
Good to know we'll have a new detection module.
I understand the virus adding priority. The problem is that the user is infected with one virus and not with all the other dangerous ones around... so he/she complains about that: my infection is the worst for me myself...
-
yvs: the executable will be detected by some new vps in near future (added to internal vps already)... and the doc file needs some more time but will follow soon..
Tech: you know.. we don't ignore this sample, but there are many other viruses, which are more dangerous or more spreading and it's legitimate to add Tibs, Zhelatin, Warezov or Virtumonde/Vundo first and this sample with a little delay... simply because of virus priorities.. hopefully the whole process will become faster (i'm working on a new detection module)... ;)
Good to know there are many improvements on the way, keep up the good work. One more thing: by new detection module what do you mean, i.e. heuristics, better scanning techniques etc.? (sorry for probing for answers, I'm just trying to learn new things) :)
-
new module: it's in testing stage now.. it will be able to detect e.g. Allaple virus in some generic way... but it's not a heuristic module... heuristics will come with version 5, because it needs more changes in the current engine...
-
Thanks, mate, for going through the trouble of describing it to me, as I only have a basic knowledge of these things and any knowledge is greatly appreciated.
Keep up the good work, mate, and I will look forward to seeing version 5 when it's released.
-
the executable will be detected by some new vps in near future
Oh, good...
the doc file needs some more time
Simple macros in doc file?...
Ve have a problem...
To wish list: an antivirus program must have a user-defined base of strings (signatures) for some types of files. And if the user defines the signature "c:\windows\system\sys_z.drv" or "Mad Max" for doc files, the antivirus can switch off (kill) macros containing these strings.
-
well.. i know there's a string with the driver name... and we are able to unpack MS OLE of course.. but - we don't want to make chaos with detecting it by the string... it's a macro, so it should be detected by the macro engine...
-
it should be detected by the macro engine...
Of course. And if Avast can treat doc files, then it already has a "macro engine".
And this "macro engine" must not execute macros like MS Word does. Just parse the file (doc, xls, odt, ...), select (extract) the macros and just search for a substring (maybe with wildcards) and so on...
No, I don't understand why Alwil works so slowly. Maybe the virus stream to Alwil is much bigger than to other antivirus centers?...
Imho, an antivirus program can fail to recognize a virus only if nobody sends the virus to the developer. But there must be a strict maximum time from receiving a virus to updating the antivirus database. Then the user feels protected.
Thanks for the good free program.
-
Of course. And if Avast can treat doc files, then it already has a "macro engine".
nope... MS OLE is unpacked in all cases - but not all MS OLE objects could be infected by some macro virus... real macro engine is more clever than to find some string everywhere... we can't produce many false positives ;)
-
Of course. And if Avast can treat doc files, then it already has a "macro engine".
nope...
:o
-
nope means - not realised as you think... i just want to say - macro engine is more complicated system than string matching algo... so we have string finder and macro engine, but don't want to mix them...
-
i mean
we are able to unpack OLE != we have a reliable macro engine
or
we are able to unpack OLE < we have a reliable macro engine
but we HAVE the macro engine and if we want to use it (and we of course want), we must choose the right parts of macro to check them etc... it's not so easy like choosing one detection string..
-
Just parse the file (doc, xls, odt, ...), select (extract) the macros and just search for a substring (maybe with wildcards) and so on...
-
yvs, I understand that people are generally not happy with "We know better than you" type of answers, but you'll have to trust that in this case, we actually do.
If you think otherwise, we'd be more than happy to employ you... :)
Take care,
Vlk
-
not realised as you think...
What do I think?..
I hear your banalities about unpacking OLE and the macro engine and again think "ve have a problem", "ve have a problem"...
We know better than you
Oh, I very much hope that you "know better" at least about viruses!
happy to employ you...
Tnx, I have my own "job" - http://www.yvs.makeevka.com, accounting software for Ukraine.
Both viruses are still not recognized.
-
yvs: wait for the next vps.. we can't release an unchecked detection generally... and the test for false positives takes over 20 hours (the cleanset is really huge).. we're thinking about some speed-up through the parallel tasks, but it absolutely can't be done by some almighty magic wand in one second (one hour.. not even in one day)... many innovations are queued, but i said it before - everything needs some time..
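Added illustration (not Alwil's code, not from this thread) of the two points argued above: why a user-defined string signature for doc files is not the same as a macro-engine detection, and why the false-positive test over a cleanset decides what can be released. The sample documents and the tiny "cleanset" are constructed; each document is modeled as the named streams an OLE unpacker would yield plus the macro source a macro engine would extract.

```python
import re

# Constructed sample documents (invented for illustration, not real samples).
# "streams" is what unpacking the OLE container yields; "macros" is the macro
# source only a real macro engine would extract from the VBA storage.
MACRO_SRC = 'Sub AutoOpen()\n  d = "c:\\windows\\system\\sys_z.drv"\nEnd Sub'
INFECTED_DOC = {
    "name": "sample.doc",
    "streams": {"WordDocument": "Quarterly report. Mad Max was here.",
                "Macros/VBA/ThisDocument": MACRO_SRC},
    "macros": [MACRO_SRC],
}
CLEAN_SET = [  # documents that must NOT be flagged (a stand-in for the real cleanset)
    {"name": "support_article.doc",
     "streams": {"WordDocument": "If you find c:\\windows\\system\\sys_z.drv, delete it."},
     "macros": []},
    {"name": "movie_review.doc",
     "streams": {"WordDocument": "Mad Max (1979), a review."},
     "macros": []},
]

def compile_signature(pattern):
    """Compile a user-defined string with * and ? wildcards into a regex."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(regex, re.IGNORECASE)

def string_finder(doc, sig):
    """Naive string finder: the signature may match anywhere in any unpacked stream."""
    return any(sig.search(text) for text in doc["streams"].values())

def macro_engine(doc, sig):
    """Macro-scoped check: only extracted macro source is eligible to match."""
    return any(sig.search(src) for src in doc["macros"])

def release_check(pattern, infected, clean_docs, matcher):
    """A detection is releasable only if it hits the sample and nothing in the cleanset."""
    sig = compile_signature(pattern)
    false_positives = [d["name"] for d in clean_docs if matcher(d, sig)]
    detects = matcher(infected, sig)
    return {"detects_sample": detects, "false_positives": false_positives,
            "releasable": detects and not false_positives}

if __name__ == "__main__":
    for matcher in (string_finder, macro_engine):
        for pattern in (r"c:\windows\system\sys_z.drv", "Mad Max", "*sys_z.drv*"):
            print(matcher.__name__, repr(pattern),
                  release_check(pattern, INFECTED_DOC, CLEAN_SET, matcher))
```

The driver-name string detects the sample with both matchers, but only the macro-scoped check passes the cleanset; "Mad Max" is body text, not macro code, so the macro engine correctly refuses to detect on it.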
-
yvs: wait for the next vps..
Tnx!
many innovations are queued
Tnx!
everything needs some time..
Yes, yes... But! vps for Zaraza.doc I and my friends have been waiting for more than one month, vps for AUH5j6Ma.exe I have been waiting for since 2 Aug 2007.
-
it's the holidays time now.. we don't have the complete team here, so we need a little more time than ordinarily... but you can be sure, we're working on it ;)
-
Avast now kills AUH5j6Ma.exe! Virus named Win32:Agent-JXT [Trj]
Zaraza.doc is still alive...
-
File ZARAZA.DOC received on 08.07.2007 19:01:12 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.8.3.0 2007.08.07 -
AntiVir 7.4.0.57 2007.08.07 HEUR/Macro.Word97
Authentium 4.93.8 2007.08.07 could be infected with an unknown virus
Avast 4.7.1029.0 2007.08.07 -
AVG 7.5.0.476 2007.08.06 -
AVG now kills zaraza:
AVG 7.5.0.476 - 2007.08.12 - W97M/Zaraza
-
AVG now kills zaraza:
AVG 7.5.0.476 - 2007.08.12 - W97M/Zaraza
I know. I submitted it. ;)
Thank you for your email.
Thank you for the archive that you have sent us for analysis. Both files have been identified as infected. An appropriate detection string will be added to today's release of the AVG virus database.
Thank you for your cooperation. We appreciate it.
Best regards,
Emil Budin
AVG Technical Support
(Submitted 7/7, response 8/7)
-
i don't want to sound too unsympathetic to the needs of the avast team and their families ... but since when did global virus writers comply with the holiday schedule of Prague and its surrounding area?
-
i don't want to sound too unsympathetic to the needs of the avast team and their families ... but since when did global virus writers comply with the holiday schedule of Prague and its surrounding area?
Indeed. They need to have a way around this. To publicly state that holidays is a reason to leave people unprotected and promote Avast as a professional product is not acceptable in this day and age. The competition would take great pleasure in picking up on this. If you haven't got enough staff Alwil, you need to recruit.
-
Indeed. They need to have a way around this. To publicly state that holidays is a reason to leave people unprotected and promote Avast as a professional product is not acceptable in this day and age. The competition would take great pleasure in picking up on this. If you haven't got enough staff Alwil, you need to recruit.
i know.. one way is to employ more ppl and another way is to make things better.. i'm doing some steps to apply the second way (and many other Alwil staff doing the same) and the improvement and speed-up should come soon ;)
-
Indeed. They need to have a way around this. To publicly state that holidays is a reason to leave people unprotected and promote Avast as a professional product is not acceptable in this day and age. The competition would take great pleasure in picking up on this. If you haven't got enough staff Alwil, you need to recruit.
i know.. one way is to employ more ppl and another way is to make things better.. i'm doing some steps to apply the second way (and many other Alwil staff doing the same) and the improvement and speed-up should come soon ;)
Good - and thanks for responding quickly. That in itself is professional and better than most of the competition can manage.
-
concretely the new sorting engine for incoming samples is "on the test road" (it will help us a lot), also a new and stronger polymorph detection engine is written.. we're working systematically to eliminate some of the urgent points of your displeasure ;).. many things are not visible to "normal user", but they are in Avast and helping to protect you better (i mean adding of new unpackers etc.)...
-
i don't want to sound ...
I want to sound:
Thank you for your email, yvs!
... will be added to today's release of the AVAST virus database.
Thank you for your cooperation. We appre...
...
Alwil Technical Support
Dreams, dreams...
-
Avast now treats ZARAZA.DOC! Virus named MW97:Zaraza-A
Now the subject "Two unrecognized viruses" is wrong...
The file http://www.yvs.makeevka.com/files/viruses.zip with the viruses has been removed.
Thanks again and again to Alwil for the high-quality free program.
-
should i say "thx for the samples"? :P
-
should i say "thx for the samples"? :P
Aha, and we all say thanks to the virus writers...
-
;D
-
i know.. one way is to employ more ppl and another way is to make things better.. i'm doing some steps to apply the second way (and many other Alwil staff doing the same) and the improvement and speed-up should come soon ;)
We're quite impatient with this... these promises have been made for quite a long time...