Author Topic: Samples missed by avast (VirusTotal links only!) (Read 387282 times)

DavidR · « **Reply #405 on:** August 15, 2011, 03:13:14 AM »

Quote from: Meszarosbence on August 15, 2011, 02:05:08 AM

http://www.virustotal.com/url-scan/report.html?id=94986b54cc7a3a6e3abbd5f0b63a9bea-1313356410

Sorry if I'm wrong about it, I'm new to Virustotal.

This surely has nothing to do with missed samples, e.g. files not detected and your VT results relates to a site check rather than a file ?

Pondus · « **Reply #406 on:** August 15, 2011, 10:03:29 AM »

Quote

This surely has nothing to do with missed samples, e.g. files not detected and your VT results relates to a site check rather than a file ?

yea......but infected website is not detected

VirusTotal - html scan
http://www.virustotal.com/file-scan/report.html?id=009bdd5924e151b71cbaf5d3d37bc9bd7e6c3d0ccb0ccf300fd737be81b601a6-1313364210

DavidR · « **Reply #407 on:** August 15, 2011, 02:18:40 PM »

Which again isn't a sample and not one which you can submit. Surely the whole purpose of this topic was/is to post the link and send the sample to avast for analysis.

Personally I still feel this topic a waste of time as there is zero follow up by the poster when the sample is detected. So you might as well cut out the topic middle man and just send it to avast.

Well going directly to the remote source (superpuperdomain.com/count.php) rather than the suspect origin site it becomes less and less clear cut, and would need to be reported to avast for further analysis. The script tag after the closing html tag is possibly where the suspicion is but Sucuri isn't to detailed on exactly what it finds.

See image of complete follow through from the script tag after the closing html tag (on all pages), to the final javascript file in the chain in adsshownow.com.

http://www.virustotal.com/file-scan/report.html?id=ff99d5233e40b1ba7e897172dacf3eae8fd436e3b65e251976ef5a7997f477d3-1313408365

http://www.virustotal.com/file-scan/report.html?id=e0f41a7a5fca244e5d2f3c98a94a39d665f21cca86c89c90662d4f89deaffbaa-1313409355

http://www.virustotal.com/file-scan/report.html?id=c15dd1360da706e839a14a224d4484b43bce90aaa1a7b01ba1aa9df87f16e39d-1313174208

polonus · « **Reply #408 on:** August 20, 2011, 03:17:24 PM »

Facebook trojan missed

See: http://www.virustotal.com/url-scan/report.html?id=cb239244dc34713ace6ef1b04f61525c-1313837626
and: http://www.virustotal.com/file-scan/report.html?id=f13d7e4d0581c3797a6d3e4a32ee15b4889132b4b854f050d51efb0f075b73b2-1313845400

reported to virus AT avast dot com

polonus

Lisandro · « **Reply #409 on:** August 20, 2011, 08:53:02 PM »

Thanks for helping improving detection Polonus.

polonus · « **Reply #410 on:** August 20, 2011, 10:28:34 PM »

And this one, trojan not detected, see: http://www.virustotal.com/url-scan/report.html?id=0dd880b4802f5fdecd01bb5d82489473-1313863942
and
http://www.virustotal.com/file-scan/report.html?id=90d7cfe213e3b284572ffe97a258fd33524fc212f007f8bdf565d1a6a30ae6f0-1313871146
not found here: http://wepawet.iseclab.org/view.php?hash=0dd880b4802f5fdecd01bb5d82489473&t=1313871598&type=js
suspicious here: http://wepawet.iseclab.org/view.php?hash=19b0fe1cc91d2779f4762c8aec2eb34c&t=1313872016&type=js (avast detects as Win32:Malware-gen)
reported to virus AT avast dot com

polonus

polonus · « **Reply #411 on:** August 22, 2011, 09:49:41 PM »

See: http://www.virustotal.com/url-scan/report.html?id=953cadfb513f918a346d33515e928f5b-1314034094
and http://www.virustotal.com/file-scan/report.html?id=0259afbf7d09dc04b605cb379fa9f1d41801dcaecf722129b4c381aa7ba8b6f9-1314041844
Not detected by avast yet, also see: http://anubis.iseclab.org/?action=result&task_id=1e7ea79dfb6ffbee4b14069f6af09e177&call=first

reported to virus AT avast dot com

polonus

Burkoff · « **Reply #412 on:** September 10, 2011, 10:01:05 AM »

http://www.virustotal.com/file-scan/report.html?id=4a44b4445a4913ccff3df0a13f1fa7aec1e353970af38d2e833d78db121fc3cf-1315640051

Pondus · « **Reply #413 on:** September 10, 2011, 10:20:59 PM »

hmmmmmm........Only the lonley $:-\$ did you upload the sample Burkoff ?......if not i have

or is everyone wrong and avast! correct ?

sigcheck:
publisher....: Hades.net.cn
copyright....: Hades
product......: NBA 2K9 Mini Editor
description..: NBA 2K9 Mini Editor
original name: n/a
internal name: n/a
file version.: 1.0.0.0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Well ThreatExpert say:

Quote

Contains characteristics of an identified security risk. - Severity Level High

http://www.threatexpert.com/report.aspx?md5=d3d5f0c4d959cb24a9b9194213a7a146

polonus · « **Reply #414 on:** September 10, 2011, 10:53:25 PM »

Hi Pondus,

Or possibly it could not be executed: According to the Unix file command your file is of the following type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit.......
See: http://wepawet.iseclab.org/view.php?hash=381aae8fcce7f9f82278615c4d054d36&t=1315687363&type=js
& http://www.prevx.com/filenames/X461520440149902130-X1/NBA2K9.EXE.html
& http://siteinspector.comodo.com/public/reports/329355

Finally got anubis analysis via direct url scan:
http://anubis.iseclab.org/?action=result&task_id=144bac9e65818aaf415500f4821117490&format=html

polonus

Pondus · « **Reply #415 on:** September 10, 2011, 11:06:47 PM »

Malwarebytes detect it as Virus.Alman

so i guess the detection is good......MBAM fp is rare

polonus · « **Reply #416 on:** September 10, 2011, 11:18:51 PM »

Hi Pondus,

Forwarded all info to virus at avast dot com, my friend. There still could be a remote possibility the protective Unix packer is being flagged by the rest of the "av pack", but I tend towards a non-detect more than to a FP.
Good we all helped out again and our initial thanks go out to Burkoff naturally for reporting this. Well, you could see, this non-detect blew his emoticon right out of proportion

polonus

polonus · « **Reply #417 on:** September 14, 2011, 04:50:01 PM »

See: http://www.virustotal.com/url-scan/report.html?id=5a9486f19c2f21434130ef542ff57332-1316003623
See: http://r.virscan.org/4b95ea748e3582f7adf6b3d2bfc8a903

Avast does not detect this Fake AV? Spyware Preventer
http://wepawet.iseclab.org/view.php?hash=5a9486f19c2f21434130ef542ff57332&t=1316011037&type=js
See: https://safeweb.norton.com/report/show?name=junye.us
Here it is not being flagged: http://www.garyshood.com/virus/results.php?r=e74784f6379cbbf107b64fc99c4c7eb6
But found a high risk page here: http://siteinspector.comodo.com/public/reports/345610

reported to virus at avast dot com

polonus

polonus · « **Reply #418 on:** September 15, 2011, 06:05:19 PM »

See: http://www.virustotal.com/url-scan/report.html?id=87589ce08721ebaf557afcc4767018d7-1316094314
Missed variant of a variant of Win32/Kryptik.SVN
see: http://www.virustotal.com/file-scan/report.html?id=63f11e6373b489e0a44abd84d03c98a8307c5a09d2d14fa3ac1a0bede3e19588-1316101979
Also see Wepawet Scan: http://wepawet.iseclab.org/view.php?hash=87589ce08721ebaf557afcc4767018d7&t=1316102196&type=js (verdict suspicious)
and accompaning Anubis report: http://anubis.iseclab.org/?action=result&task_id=1695760ed51c6881445779f1ebb3a872f
Now added to avast detection,
polonus

Burkoff · « **Reply #419 on:** September 15, 2011, 08:37:43 PM »

Hi, polonus

NBA2K9.exe No added !

China url block.