Author Topic: Samples missed by avast (VirusTotal links only!) (Read 415784 times)

true indian · « **Reply #960 on:** June 13, 2013, 02:49:52 PM »

Good find Pol,show how fast these things spread

true indian · « **Reply #961 on:** June 15, 2013, 11:56:20 AM »

Again FUD autorun sample

https://www.virustotal.com/en/file/3ff323e2bd69cab9f2a015f1df6402c96477c6591625bcb73c6defa597f0d6e7/analysis/1371289602/
https://www.virustotal.com/en/file/a293e9a0edb0c34de2b348ffa053a2ee4c965a5b678fd545a81ea16414494dc4/analysis/1371289603/

submitted to avast.

EDIT: WTF one of the sample is 4 days old and still FUD,no AV vendor see's it yet

:

First submission 2013-06-11 08:24:31 UTC ( 4 days, 1 hour ago )

polonus · « **Reply #962 on:** June 15, 2013, 01:53:17 PM »

These samples were found here: http://forums.malwarebytes.org/index.php?showtopic=127787
and also sunmitted here: http://support.emsisoft.com/topic/11569-true-indians-submissions/
i04040.js for instance should be detected by avast as HTML:Iframe-MS [Trj]

polonus

true indian · « **Reply #963 on:** June 24, 2013, 05:32:39 PM »

Bad Boys gathered from USB

https://www.virustotal.com/en/file/c379ef4ffe8bd8abd5a3cb31a76c55de6946a1756a62d26398d27c3222f54e5b/analysis/1372086166/
https://www.virustotal.com/en/file/96b11e12f04062130ae4155d7dc6395735f61d829fa3b4eaf371af89e4acf944/analysis/1372086268/
https://www.virustotal.com/en/file/42257f704c68bb9bb4b10e3a670d859551d971c9addc1e126a8543daebcb5595/analysis/1372086319/
https://www.virustotal.com/en/file/c7bd252296272693d8ad658295de6ca89c6c0dd42c054ebb58f571aad1d8cc1f/analysis/1372086748/

Sent to avast and reported to MBAM.

DavidR · « **Reply #964 on:** June 24, 2013, 06:15:42 PM »

There should be no distribution of samples via this forum, it is a support forum and not a quasi malware distribution service.

true indian · « **Reply #965 on:** June 24, 2013, 06:19:10 PM »

Quote from: DavidR on June 24, 2013, 06:15:42 PM

There should be no distribution of samples via this forum, it is a support forum and not a quasi malware distribution service.

Oops! many apologizes david..I have removed that from my reply I was only saying that because if anyone else wants to circulate the samples to some other AV vendors but I will take a note of that.

TheBeateMaker · « **Reply #966 on:** July 08, 2013, 07:12:40 PM »

TheBeateMaker · « **Reply #967 on:** July 08, 2013, 07:17:31 PM »

TheBeateMaker · « **Reply #968 on:** July 08, 2013, 07:29:20 PM »

true indian · « **Reply #969 on:** July 10, 2013, 06:17:02 PM »

TheBeateMaker,Are you sending all samples to avast via virus@avast.com through e-mail,if not then posting links here will be of no use.

polonus · « **Reply #970 on:** July 10, 2013, 07:50:35 PM »

See for various posted there is avast detection now, e.g.
https://www.virustotal.com/de/file/164864255d356996cd8111dd74b5b2733fa578a60081a433eb6ff8ee70315281/analysis/
https://www.virustotal.com/de/file/83eac1bc7aa643e82215911f7fc5bbae1e9c0bf290d02f1ba2783c264891d60a/analysis/

polonus

Michael (alan1998) · « **Reply #971 on:** July 11, 2013, 02:34:15 PM »

https://www.virustotal.com/en/file/1a7f702a9b5a88d2f0e1047f4be6a37a52b8c3a95ab156db389e6a509c409277/analysis/1373544700/

PUP-File. deemed Safe by Essex

polonus · « **Reply #972 on:** July 11, 2013, 02:54:52 PM »

IDS flagged it here: http://urlquery.net/report.php?id=3533128
loaded will be kernel32.dll (where IsDebuggerPresent is located)
The circumvention is for a particular code example !
mov eax,dword ptr fs:[18]
mov eax,dword ptr ds:[EAX+30]
mov byte ptr ds:[eax+2],0

This will patch the IsPresent flag, ensuring IsDebuggerPresent always returns 0
(credits go to kuba on reverse engineering)

Adware - two detect in latest scan: https://www.virustotal.com/en/file/411240f7d25a1a63a68b0874eb8d122c3b2c2e0bddb94eee55818b6a535b6915/analysis/ (installer detection -> Global\Phoenix_Installer (failed) & RasPbFile (failed), this issue is a class of bug called a "Token Leak"....

polonus

Michael (alan1998) · « **Reply #973 on:** July 18, 2013, 12:37:49 PM »

https://www.virustotal.com/en/file/619531aa8bf0000586f23549475d523b36ac70a0f916ba17ddf9586137d532f4/analysis/1374143415/

Adware. It was "Supposed" to be a movie. I noticed the .exe part at the end. I figured it'd be malicous, thought I'd see what I could do to help. This seems like a good place.

true indian · « **Reply #974 on:** July 18, 2013, 12:41:26 PM »

Quote from: alan1998 on July 18, 2013, 12:37:49 PM

https://www.virustotal.com/en/file/619531aa8bf0000586f23549475d523b36ac70a0f916ba17ddf9586137d532f4/analysis/1374143415/

Adware. It was "Supposed" to be a movie. I noticed the .exe part at the end. I figured it'd be malicous, thought I'd see what I could do to help. This seems like a good place.

send the file to virus@avast.com via mail,dont report it here it is not going to help avast in anyway

Author Topic: Samples missed by avast (VirusTotal links only!) (Read 415784 times)

true indian

Re: Samples missed by avast (VirusTotal links only!)

true indian

Re: Samples missed by avast (VirusTotal links only!)

polonus

Re: Samples missed by avast (VirusTotal links only!)

true indian

Re: Samples missed by avast (VirusTotal links only!)

DavidR

Re: Samples missed by avast (VirusTotal links only!)

true indian

Re: Samples missed by avast (VirusTotal links only!)

TheBeateMaker

Re: Samples missed by avast (VirusTotal links only!)

TheBeateMaker

Re: Samples missed by avast (VirusTotal links only!)

TheBeateMaker

Re: Samples missed by avast (VirusTotal links only!)

true indian

Re: Samples missed by avast (VirusTotal links only!)

polonus

Re: Samples missed by avast (VirusTotal links only!)

Michael (alan1998)

Re: Samples missed by avast (VirusTotal links only!)

polonus

Re: Samples missed by avast (VirusTotal links only!)

Michael (alan1998)

Re: Samples missed by avast (VirusTotal links only!)

true indian

Re: Samples missed by avast (VirusTotal links only!)