Author Topic: Dropper.Gen and others  (Read 11381 times)


Offline josh000

  • Newbie
  • *
  • Posts: 8
Dropper.Gen and others
« on: June 22, 2008, 02:53:21 AM »
Avast does not detect this annoying MSN virus, which is more than 12 months old? I had to download Avira to detect and get rid of it. I recommend Avast to everyone, so it is a bit disappointing that such a well known worm is not detected. Is it a problem with updates or the heuristics engine?

Anyway, here are the avira details:

http://www.avira.com/en/threats/section/details/id_vir/3647/tr_dropper.gen.html
http://www.avira.com/en/threats/section/details/id_vir/3666/html_crypted.gen.html
http://www.avira.com/en/threats/section/details/id_vir/3684/html_infected.webpage.gen.html


Offline josh000

  • Newbie
  • *
  • Posts: 8
Re: Dropper.Gen and others
« Reply #1 on: June 22, 2008, 09:44:02 AM »
So Avast is not detecting viruses, and I can provide information on what it ignores, and not so much as a reason or excuse is provided?

Offline josh000

  • Newbie
  • *
  • Posts: 8
Re: Dropper.Gen and others
« Reply #2 on: June 22, 2008, 02:37:43 PM »
Here is a link to a virus (sent by the virus), detected by Avira but not Avast.

hXXp://cruesquarders.com/2cn5rwfkux7lbv.gif
« Last Edit: June 23, 2008, 04:21:53 PM by kubecj »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85942
  • No support PMs thanks
Re: Dropper.Gen and others
« Reply #3 on: June 22, 2008, 05:09:14 PM »
There is a possibility that this is a false positive detection, as only three scanners detect it out of 33 at VirusTotal and one of those is suspicious (likely heuristic detection). So I would say the jury is still out, as I also believe that the .gen suffix of the other two detections might indicate generic detections.

http://www.virustotal.com/analisis/1f892971c77e845d196fa19c8ffbc9ff
Quote from: VT Results
File foto-226.jpeg_ozecomplover_hotmai received on 06.22.2008 17:03:25 (CET)
Antivirus   Version   Last Update   Result
AhnLab-V3   2008.6.22.0   2008.06.22   -
AntiVir   7.8.0.59   2008.06.21   TR/Dropper.Gen
Authentium   5.1.0.4   2008.06.21   -
Avast   4.8.1195.0   2008.06.21   -
AVG   7.5.0.516   2008.06.22   -
BitDefender   7.2   2008.06.22   -
CAT-QuickHeal   9.50   2008.06.20   (Suspicious) - DNAScan
ClamAV   0.93.1   2008.06.22   -
DrWeb   4.44.0.09170   2008.06.22   -
eSafe   7.0.15.0   2008.06.22   -
eTrust-Vet   31.6.5892   2008.06.21   -
Ewido   4.0   2008.06.22   -
F-Prot   4.4.4.56   2008.06.21   -
F-Secure   7.60.13501.0   2008.06.20   -
Fortinet   3.14.0.0   2008.06.22   -
GData   2.0.7306.1023   2008.06.22   -
Ikarus   T3.1.1.26.0   2008.06.22   -
Kaspersky   7.0.0.125   2008.06.22   -
McAfee   5322   2008.06.20   -
Microsoft   1.3604   2008.06.22   -
NOD32v2   3207   2008.06.22   -
Norman   5.80.02   2008.06.20   -
Panda   9.0.0.4   2008.06.22   -
Prevx1   V2   2008.06.22   -
Rising   20.49.62.00   2008.06.22   -
Sophos   4.30.0   2008.06.22   -
Sunbelt   3.0.1153.1   2008.06.15   -
Symantec   10   2008.06.22   -
TheHacker   6.2.92.358   2008.06.21   -
TrendMicro   8.700.0.1004   2008.06.20   -
VBA32   3.12.6.7   2008.06.21   -
VirusBuster   4.3.26:9   2008.06.12   -
Webwasher-Gateway   6.6.2   2008.06.22   Trojan.Dropper.Gen
Additional information
File size: 238592 bytes
MD5...: 266b2bc03fa450885bf19b29c3e97ab4
SHA1..: 79d2d897f5b8e1a20ce5b7bfc5f0a42ed7e5b088
SHA256: 6a2daaac2bdd5549b7584461113ebaaa19e96f02918e43999544cc80feb87103
SHA512: f5e79f2caebcc767787ff55977a7fc926b692acc0f7ba01427d0eb78d6b5910463a1ad97234580175889d134f7e56335e5417987d753918c4d3e60ac8f4c0258
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4010db
timedatestamp.....: 0x47245f05 (Sun Oct 28 10:05:57 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x508 0x600 5.87 8155f2af9607c0485034f1124f8afe52
.rdata 0x2000 0x2d0 0x400 3.76 92bb15335120da2937fd49edaf921d5b
.data 0x3000 0x2a2d8 0x2a400 8.00 9e7969e31b96e753f57968869095949a
.data0 0x2e000 0xf022 0xf200 7.90 0aebfa8ae8b60e84d0b4eca4e2e86f9b

( 3 imports )
> KERNEL32.dll: GetProcessWorkingSetSize, WriteConsoleInputA, LocalHandle, IsValidCodePage, FindResourceA, GetProcAddress, WriteConsoleOutputAttribute
> USER32.dll: GetMessageTime, DdeGetData, SetWindowPos, UnregisterClassW, GetForegroundWindow, CheckRadioButton, ReleaseCapture, GetWindowRgn, CallWindowProcA, GetMenuCheckMarkDimensions
> GDI32.dll: CancelDC, SetPolyFillMode, CopyMetaFileA, ModifyWorldTransform

( 0 exports )

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
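As an added illustration of the reasoning in the post above (this is not code from the thread, from VirusTotal or from Avast): a small Python script that parses result rows in the quoted format, separates specific detections from generic (.Gen) and heuristic ("Suspicious") ones, and flags PE sections whose reported entropy sits near the 8.0 bits/byte maximum, which is what packed or encrypted data such as an embedded dropper payload looks like. The sample rows are a constructed subset of the report quoted above, and the 7.5 entropy threshold is an assumption.

```python
import re

# Constructed sample: a subset of the VirusTotal rows quoted in the thread
# (vendor, engine version, signature date, result; "-" means no detection).
VT_LINES = """\
AntiVir   7.8.0.59   2008.06.21   TR/Dropper.Gen
Avast   4.8.1195.0   2008.06.21   -
CAT-QuickHeal   9.50   2008.06.20   (Suspicious) - DNAScan
Kaspersky   7.0.0.125   2008.06.22   -
Webwasher-Gateway   6.6.2   2008.06.22   Trojan.Dropper.Gen
"""

# Constructed sample: the PE section rows from the same report
# (name, virtual address, virtual size, raw size, entropy, md5).
SECTION_LINES = """\
.text 0x1000 0x508 0x600 5.87 8155f2af9607c0485034f1124f8afe52
.rdata 0x2000 0x2d0 0x400 3.76 92bb15335120da2937fd49edaf921d5b
.data 0x3000 0x2a2d8 0x2a400 8.00 9e7969e31b96e753f57968869095949a
.data0 0x2e000 0xf022 0xf200 7.90 0aebfa8ae8b60e84d0b4eca4e2e86f9b
"""

def parse_vt(text):
    """Return {vendor: result}; columns are separated by runs of 2+ spaces."""
    rows = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 4:
            rows[parts[0]] = parts[3]
    return rows

def classify_vt(rows):
    """Split detections into specific names, generic (.Gen) and heuristic hits."""
    summary = {"total": len(rows), "specific": [], "generic": [], "heuristic": []}
    for vendor, result in rows.items():
        if result == "-":
            continue  # no detection
        if "suspicious" in result.lower():
            summary["heuristic"].append(vendor)
        elif result.lower().endswith(".gen"):
            summary["generic"].append(vendor)
        else:
            summary["specific"].append(vendor)
    return summary

def high_entropy_sections(text, threshold=7.5):
    """Return names of sections whose entropy suggests packed/encrypted data (assumed threshold)."""
    hits = []
    for line in text.splitlines():
        name, _va, _vsize, _rawsize, entropy, _md5 = line.split()
        if float(entropy) >= threshold:
            hits.append(name)
    return hits
```

With the constructed rows, no engine gives a specific family name: both non-heuristic hits are generic signatures, and the two large data sections are near-maximal entropy, which supports the "dropper carrying a packed payload" reading rather than settling the question of which malware it is.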

Offline josh000

  • Newbie
  • *
  • Posts: 8
Re: Dropper.Gen and others
« Reply #4 on: June 22, 2008, 05:14:14 PM »
No,

No jury is out, it is a virus.

I had a completely clean system, clicked on a link similar to what I posted, and then contracted the virus. There is now a hidden MSN window which sends out similar links to people in my contact list. This is a real threat (albeit minor), and not open for interpretation. I am surprised so few of the virus scanners detect it though; is it perhaps a very new variant?

Offline josh000

  • Newbie
  • *
  • Posts: 8
Re: Dropper.Gen and others
« Reply #5 on: June 22, 2008, 05:16:40 PM »
In fact more than 3 virus scanners detect it, at least 5.

http://www.virustotal.com/analisis/90e2da27dc2cb3f06d6fccb2f90b7cb9

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85942
  • No support PMs thanks
Re: Dropper.Gen and others
« Reply #6 on: June 22, 2008, 05:22:59 PM »
Well, that is the file you uploaded now; that isn't the virus you are talking about but what it sends, and what it sends I have uploaded to VT, and from those results the jury is most certainly out on what it sends.

You need to upload the actual virus to VT or submit it to avast, as I have said in the other topic you started.

Not to mention, if it is truly a virus then the link you provided 'could' infect the unwary, so you should modify the post so the link isn't active, e.g. hXXp://cruesquarders.com/2cn5rwfkux7lbv.gif; the XX replacing the tt will break an active link but allow humans to access it if required.

That is two more, and one of those is also suspicious; as I keep banging on, send the sample to avast.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33369
  • malware fighter
Re: Dropper.Gen and others
« Reply #7 on: June 22, 2008, 05:28:09 PM »
Hi josh000,

The difficulty here is that it is a generic detection routine:
"TR/Dropper.Gen

Description:
A generic detection routine designed to detect common family characteristics shared in several variants.

This special detection routine was developed in order to detect unknown variants and will be enhanced continuously."

    _fsntfs.sys
    014[1].exe
    0712301.exe
    0801011.exe
    1.exe
    33.exe
    76022_164338_load.exe
    76038_788837_newad.exe
    76046_8295707_2.exe
    anjwsoinhj.exe
    bot.exe
    darkskp1007.exe
    explorer.exe
    fk[1].exe
    gift_vip_net_VideoAccessCodecInstall.exe
    herjt384.exe
    iergkj.exe
    img604.jpg_jesusmillan160@hotmail.com
    it.exe
    loader.exe
    postal_gusanito.exe
    rising95.exe
    syskiuf.exe
    tcmsetup.dll
    Tempmbroit.exe
    test.exe
    timplatform.exe
    tmhcsgbbcf.exe
    tmp3595029.exe
    tmp608194.exe
    vv18.exe

In Grid Unlocker it is an FP, so analyse whether the above can be found on your system.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline josh000

  • Newbie
  • *
  • Posts: 8
Re: Dropper.Gen and others
« Reply #8 on: June 23, 2008, 03:15:01 AM »
Quote from: DavidR
Well, that is the file you uploaded now; that isn't the virus you are talking about but what it sends, and what it sends I have uploaded to VT, and from those results the jury is most certainly out on what it sends.

You need to upload the actual virus to VT or submit it to avast, as I have said in the other topic you started.

Not to mention, if it is truly a virus then the link you provided 'could' infect the unwary, so you should modify the post so the link isn't active, e.g. hXXp://cruesquarders.com/2cn5rwfkux7lbv.gif; the XX replacing the tt will break an active link but allow humans to access it if required.

That is two more, and one of those is also suspicious; as I keep banging on, send the sample to avast.

David,

What I uploaded is the virus, the executable code that infects and starts spreading itself. I have uploaded the virus; the jury is not out, so please do not make excuses. It is clear from the context that the link is a virus, but if you don't think it is, there is nothing to worry about.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85942
  • No support PMs thanks
Re: Dropper.Gen and others
« Reply #9 on: June 23, 2008, 04:08:23 PM »
Why would I make excuses? I'm an avast user like yourself, and I make my comments based on what evidence I see, nothing else; you only need to check the forums to see that.

You still haven't modified the active link, so if you are concerned about the fact avast doesn't detect this then you should avoid accidental exposure to other avast users.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re: Dropper.Gen and others
« Reply #10 on: June 23, 2008, 04:13:01 PM »
Quote from: DavidR
You still haven't modified the active link, so if you are concerned about the fact avast doesn't detect this then you should avoid accidental exposure to other avast users.
Josh, please, edit the live link to malware.
Alwil, please, improve detection.
The best things in life are free.

Offline josh000

  • Newbie
  • *
  • Posts: 8
Re: Dropper.Gen and others
« Reply #11 on: June 25, 2008, 04:13:14 AM »
No reply from the avast devs?

I know this is a generic routine, but it is a simple variant of a virus over a year old, so it should still be detected. Avast does not detect Vundo either, iirc.

Offline Jazhawk

  • Jr. Member
  • **
  • Posts: 44
    • Jazhawk's Forums
Re: Dropper.Gen and others
« Reply #12 on: July 12, 2008, 12:40:21 AM »
This is disturbing to say the least. I've used this anti-virus for years and it cannot detect this? Not good, fellas. Not good at all. And nothing from the developers, huh?

Got to drop it then. I need to trust my anti-virus.

« Last Edit: July 12, 2008, 12:43:19 AM by Jazhawk »