Author Topic: Win32:Mapson [Wrm] detection problem  (Read 2959 times)

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9365
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Win32:Mapson [Wrm] detection problem
« on: May 23, 2005, 11:50:44 AM »
I have a funny problem with this worm. It is not detected On-Access and not in the Chest (if I use the Scan feature). But it is detected if I scan it with ashQuick (right-click).
Can anyone from Alwil contact me, so I'll send you this problematic sample?

I'm using the latest avast! 4.6.665 with VPS 0520-4.
Visit my webpage Angry Sheep Blog

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11798
    • AVAST Software
Re: Win32:Mapson [Wrm] detection problem
« Reply #1 on: May 23, 2005, 12:04:18 PM »
You can send it to me ;)
Thanks.

Offline RejZoR

Re: Win32:Mapson [Wrm] detection problem
« Reply #2 on: May 23, 2005, 12:12:48 PM »
Sample sent :)

Offline igor

Re: Win32:Mapson [Wrm] detection problem
« Reply #3 on: May 23, 2005, 12:39:03 PM »
The sample is heavily corrupted (well, "heavily"... the first 4 bytes of the file were overwritten, so it's not a valid executable file anymore).
So, ashQuick detects it (since it has the "Scan whole files" flag set), but the resident protection does not because it (correctly) decides that it is not an executable file, so it doesn't scan the file parts it would scan if it was an executable.
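
A simplified model of the behaviour described in the reply above, added here as an example; it is not avast! code and not part of the original post. The signature string, the function names and the PE-like buffer are all constructed for illustration, and the type check is reduced to the `MZ` magic plus the `PE\0\0` signature at `e_lfanew`.

```python
import struct

# Constructed marker standing in for a detection signature (not a real one).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

def is_pe_executable(data: bytes) -> bool:
    """Minimal PE check: 'MZ' magic, then 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_whole_file(data: bytes) -> bool:
    """'Scan whole files' mode: search every byte, whatever the file type."""
    return SIGNATURE in data

def scan_type_gated(data: bytes) -> bool:
    """Type-gated mode: examine executable parts only if the file is a PE."""
    if not is_pe_executable(data):
        return False  # not an executable, so those parts are never examined
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return SIGNATURE in data[e_lfanew:]

def build_sample() -> bytes:
    """Constructed PE-like buffer: DOS header, PE signature, then the marker."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points at offset 0x40
    return bytes(dos) + b"PE\0\0" + bytes(20) + SIGNATURE

def corrupt_first_four_bytes(data: bytes) -> bytes:
    """Overwrite the first 4 bytes, like the damaged sample in the thread."""
    return b"\x00\x00\x00\x00" + data[4:]

if __name__ == "__main__":
    intact = build_sample()
    damaged = corrupt_first_four_bytes(intact)
    for name, buf in (("intact", intact), ("damaged", damaged)):
        print(name, "type-gated:", scan_type_gated(buf),
              "whole-file:", scan_whole_file(buf))
```

For triage, the practical check is the one in `is_pe_executable`: when an on-demand whole-file scan flags a file that the resident scanner ignored, confirm whether the file still parses as an executable before treating the difference as a missed detection.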

Offline RejZoR

Re: Win32:Mapson [Wrm] detection problem
« Reply #4 on: May 23, 2005, 12:55:06 PM »
That's odd. At first it was detected On-Access and even in the Chest, but I don't know what happened later. I'll try to dig up the original sample again...

Offline RejZoR

Re: Win32:Mapson [Wrm] detection problem
« Reply #5 on: May 23, 2005, 12:59:41 PM »
Sorry for the confusion. The file was indeed corrupted when I found it again.
You can delete this topic so it won't confuse other users...