Author Topic: Samples missed by avast (VirusTotal links only!)  (Read 414209 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #420 on: September 15, 2011, 10:52:36 PM »
Hi Burkoff,

Do you have a MD5 hash of this variant, normally it is seen as safe: http://www.prevx.com/filenames/X461520440149902130-X1/NBA2K9.EXE.html
Well if you mean MD5 d3d5f0c4d959cb24a9b9194213a7a146 , well it is classified malware;
avast does not have detection for it yet: http://www.virustotal.com/file-scan/report.html?id=4a44b4445a4913ccff3df0a13f1fa7aec1e353970af38d2e833d78db121fc3cf-1315640051

polonus

P.S. If you have a block there, you could always go via the google cache file to get to the results,

D
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
« Last Edit: September 23, 2011, 07:21:59 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Samples missed by avast (VirusTotal links only!)
« Reply #424 on: September 23, 2011, 08:10:10 PM »
If you haven't already done so send the sample/s to avast as a Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update. Note: manually adding to the chest doesn't remove them from the original location, so they still have to be dealt with in that location.
Or
Send the sample to virus (at) avast (dot) com zipped and password protected with the password in email body, a link to this topic might help and false positive/undetected malware in the subject.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #425 on: September 23, 2011, 08:43:44 PM »
As DavidR says in his reply the malware should be reported to virus AT avast dot com before posting the VT (non)-detection link here, so a sample should be sent for avast analysis first.

If a MD5 hash exits other reports could be helpful, as in this case these scan results came up: reported 3defcb296fef1ac8a2c78ba83ff6bb07 = http://camas.comodo.com/cgi-bin/submit?file=a27944ab233975b0d36c8306dceeebeb1ceda67fd1bf50691ebcf61cc1f9445b&iframe=
Malware reported:
Thu, 22 Sep 2011 18:29:55 +0200   MD5: 3defcb296fef1ac8a2c78ba83ff6bb07
SHA1: fa98a481e32bf1c0d10b30e01ba8d64f78241341      0/43 (0%)
2011-09-22 16:10:54 (UTC) DrWeb detects as Trojan.DownLoader4.61543

Also take care to follow up and check the VT link afterwards for avast added detection. If not it could mean the malware is no longer available, e.g. up and alive (happens a lot, because malcreants are ready to comply with complaints when filed or malware is found up and then they migrate their malcreations out somewhere else, even hopping bulletproof servers on all continents and high seas) or the malware should be reported again or is found not to be genuine malware. This is another reason to get hold of a sample and send that to virus AT avast dot com....

polonus
« Last Edit: September 23, 2011, 08:51:27 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
« Last Edit: September 25, 2011, 12:55:28 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #427 on: September 25, 2011, 02:58:05 PM »
Malware not detected: http://www.virustotal.com/url-scan/report.html?id=67d13f4f1935b57232f9e608ccb1b797-1316946995
Found safe here: http://urlquery.net/report.php?id=3531
Bundle.php; these bundles can open both their own malware code as well as the desired real application whilst conserving the look and feel of the real data....classtype: trojan-activity,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #428 on: September 27, 2011, 02:50:54 PM »
Not detected by avast:
http://www.virustotal.com/url-scan/report.html?id=1824e7b0824027d9c2216e5931e6a15e-1317120057
and
http://www.virustotal.com/file-scan/report.html?id=f3c44f46ce20e60cf5fd5a30333ed748ef831ddcf675758428a9655c2eb1493d-1317127265
See: http://www.threatexpert.com/report.aspx?md5=a388dc7bc083bd22d3dec5520a29fc6d
infected with Trojan.AVKill.2
see: http://anubis.iseclab.org/?action=result&task_id=14d685be4054f05544db5f8a9e7792661
Nice with this Anubis Analysis is to search here for entities,
for instance because of this found in Reg Values read:

HKLM\​SOFTWARE\​CLASSES\​MIME\​DATABASE\​CONTENT TYPE\​IMAGE/X-WMF    Image Filter CLSID    {607fd4e8-0a03-11d1-ab1d-00c04fc9b304}
then we find:
http://www.internetsecurityzone.com/Entities/?_{607fd4e8-0a03-11d1-ab1d-00c04fc9b304}
CLSID leads to "NPROC SERVER:    %SYSTEM%\mshtml.dll",

pol
« Last Edit: September 27, 2011, 03:08:14 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Offline danny96

  • Malware Fighter
  • Advanced Poster
  • **
  • Posts: 668
  • No-malware!
Real-time protection and Firewall: COMODO Internet Security 12.0.0.6810 -- Additional Protection: Web Of Trust, Ublock, NoScript, Malwarebytes Premium, Avast! Online Security, Hitman Pro -- OS: Windows 10

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Samples missed by avast (VirusTotal links only!)
« Reply #433 on: October 03, 2011, 03:59:20 PM »
Quote
1: I think it is false positive
maybe.....but sure looks suspicious

First seen: 2011-10-02 14:26:45
Last seen : 2011-10-03 12:22:53

sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned