Author Topic: Virus submisions  (Read 16297 times)


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Virus submisions
« Reply #15 on: November 27, 2004, 01:52:27 PM »
It's not up to Technical, me or anybody. Alwil has its own policy for adding things to the vps and that won't change if I or someone else sends something to a different email than the rest of the users.

On this board are several people who have submitted an example that has not (yet?) been added to the vps. Alwil is very open to its users. Others are not. It may just seem that it takes Alwil quite a lot of time to add something. Another thing is that Alwil is a small company compared to Symantec, McAfee and some others. They just can't assign as many people as the larger companies can just to update the vps.

It may take some time, but if the sent-in samples are truly harmful and if they contain the entire malware code, it will be added to the vps.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re:Virus submisions
« Reply #16 on: November 27, 2004, 01:53:34 PM »
Quote
Sorry I think you may have misunderstood me. I did not mean send samples to you. I meant for people like you and eddy who come across samples to send them to avast via a different address from the normal user eg straight to Pavel etc as they will know the malware they have received is likely to be real malware and can deal with it more quickly.

Oh, I see  :-[
If Pavel give us the honor  ;) 8)

Other issue: some time ago I asked for a @avast.com email address but they say it's only an internal server that could not be reached by the users... So, we won't have an @avast.com email  :'(
The best things in life are free.

Jlo

  • Guest
Re:Virus submisions
« Reply #17 on: November 27, 2004, 02:01:26 PM »
Cheers Eddy and Technical for your feedback.

One thing which does set avast apart from the rest is that it is free for the home user (apart from AVG), great forum and they do get VPS out for fast spreading viruses, even on the weekend and during the night!

Anyway I am getting off topic now!

Best Wishes

Jlo

Jlo

  • Guest
Re:Virus submisions
« Reply #18 on: December 05, 2004, 10:24:53 AM »
Hi,

Just to give you an update on the virus submission sent in on the 22nd Nov. Check this link http://forum.avast.com/index.php?board=4;action=display;threadid=9046

I am sorry to report that even though this file had infected a user on this forum and I had sent the file to avast twice the file still is not detected by avast :'(

Kav and Dr Web detected it on the same day (I sent the file to all the main AV vendors) and bitdefender soon after. When I first scanned the file on Jotti scanner no AV showed malware.

I think that this has been too long since the 22nd Nov to not have been added by Avast. Please sort it out. I love your product otherwise but am losing my confidence if malware is not added!

Cheers

Jlo

See Jotti report below run 5th Dec

AntiVir  BDS/Banito.S.1 (0.15 seconds taken)
Avast  No viruses found (1.53 seconds taken)
BitDefender  Backdoor.Banito.S (0.34 seconds taken)
ClamAV  No viruses found (0.39 seconds taken)
Dr.Web  BackDoor.Bandito (0.50 seconds taken)
F-Prot Antivirus  virus dropper (0.06 seconds taken)
Kaspersky Anti-Virus  Backdoor.Win32.Banito.s (0.59 seconds taken)
mks_vir  Trojan.Banito.S (0.20 seconds taken)
NOD32  Win32/Banito.S (0.37 seconds taken)
Norman Virus Control  No viruses found (10.97 seconds taken)

TAP

  • Guest
Re:Virus submisions
« Reply #19 on: December 05, 2004, 12:16:49 PM »
I think maybe the ALWIL team have higher priority things to do or they consider this malware is not an urgent case so it may be added later.

AVG FE can detect this malware too.

Jlo

  • Guest
Re:Virus submisions
« Reply #20 on: December 05, 2004, 01:56:46 PM »
Thanks Tap,

Yes I sent the file on the 22nd Nov to AVG as well as avast and the other main AV vendors. Good to see they have added it.

I think Avast is very quick at 'in the wild fast spreading viruses' and many of us have witnessed several VPS updates in one day with beagle outbreaks etc and I am sure they make other malware, trojans low priority.

I think Norman AV works on the same lines. They have hardly added any malware submission I have sent and I don't think they will get added unless they receive multiple submissions from different users.

Maybe Avast does the same thing.

Cheers

Jlo

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Virus submisions
« Reply #21 on: December 05, 2004, 02:33:45 PM »
Jlo,

since it was a backdoor you submitted, I doubt it will be on the priority list to add to the vps. Most backdoors are already stopped by a good firewall, and there is more destructive malware than that.

Jlo

  • Guest
Re:Virus submisions
« Reply #22 on: December 05, 2004, 03:11:42 PM »
Hi Eddy,

Thanks for your post. I do agree with you that a good firewall will stop a backdoor but you still have to go to the trouble to get rid of it off your system when you have executed the file on your computer.

Whilst I appreciate that there is more malicious malware about out there I still want to be protected from this type of threat. Some of us are not as experienced as you at manually removing malware.

Cheers

Jlo

lee16

  • Guest
Re:Virus submisions
« Reply #23 on: December 30, 2004, 09:33:37 PM »
Ok, back on the subject of virus submissions again, how much detail should you give in the email about the malware submissions?

I sent some more off today but was not sure if i gave enough info on the files.

Copy of email below:

Quote
Inside the attached encrypted file are three variants of a suspected virus (mostly known as ‘Swizzor ‘).
I found them on a mate’s computer and they all add iexplorer.exe processes to Task manager (even when IE is not open), which pop right back up as the process is killed.
I believe they came from the ‘wares P2P manager he uses.
Nucyezqr.exe and tofdfogg.exe were found in ‘C:\Documents and Settings\Kieron\Local Settings\Temp’ and Flap 2.exe in ‘C:\Documents and Settings\All Users\Application Data\Gris bolt’.
They also added Start-up items to the registry.

To open the encrypted/zipped file the password is virus

OS = Windows XP Home
Avast 4.5 VPS 0453-0 (does not detect the viruses).

--Lee

Is that enough Info?

--lee
« Last Edit: December 30, 2004, 09:35:58 PM by lee16 »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Virus submisions
« Reply #24 on: December 30, 2004, 10:15:49 PM »
I have submitted so many samples that I've established a special tracking method of marking submission emails.
Samples are also always encrypted the same way, mail structure is always the same or very similar, subject field is always formatted the same way, mail carries a signature with date and sequence number...
I believe it's easier for Alwil guys to deal with nicely done mails than some quickly made hard-to-read mails...
Yeah, I took it pretty seriously hehe ;D
Visit my webpage Angry Sheep Blog
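Lee's email and RejZoR's habit of a fixed mail structure, a formatted subject and a running sequence number add up to a checklist: what the vendor needs to know before they can act on a sample. As an added example (not code from lee16, RejZoR or Alwil), the following Python renders a submission in that fixed form, numbers it, and reports which required details are still missing. The subject format, the field names and the sample bytes are assumptions constructed for the example; the password-protected archive itself is created outside this script with whatever zip tool the submitter uses, so the script only records the password and the hashes of the original files.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date


@dataclass
class SampleInfo:
    filename: str
    data: bytes                 # bytes of the original file, used only for hashing
    found_at: str               # where on the machine the file was found
    observed: list[str] = field(default_factory=list)  # behaviour seen by the submitter


@dataclass
class Submission:
    sent_on: date
    sequence: int               # running number kept by the submitter (RejZoR's idea)
    os_name: str
    av_version: str
    vps_version: str
    archive_password: str       # password of the encrypted zip sent alongside
    samples: list[SampleInfo] = field(default_factory=list)


# Details a vendor needs before the sample can be processed at all.
REQUIRED = ("os_name", "av_version", "vps_version", "archive_password")


def subject_line(sub: Submission) -> str:
    """Fixed subject format: constant prefix, ISO date, zero-padded sequence."""
    return f"Malware sample submission {sub.sent_on.isoformat()} #{sub.sequence:03d}"


def digest(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


def missing_fields(sub: Submission) -> list[str]:
    """Names of required fields left empty, plus samples with no location."""
    missing = [name for name in REQUIRED if not getattr(sub, name)]
    if not sub.samples:
        missing.append("samples")
    missing += [f"found_at:{s.filename}" for s in sub.samples if not s.found_at]
    return missing


def render_body(sub: Submission) -> str:
    """Same section order every time, so the reader knows where to look."""
    lines = [
        subject_line(sub),
        f"OS: {sub.os_name}",
        f"AV: {sub.av_version}  VPS: {sub.vps_version}",
        f"Archive password: {sub.archive_password}",
        "",
    ]
    for s in sub.samples:
        lines.append(f"File: {s.filename} ({len(s.data)} bytes)")
        lines.append(f"  SHA-256: {digest(s.data)}")
        lines.append(f"  MD5:     {digest(s.data, 'md5')}")
        lines.append(f"  Found at: {s.found_at}")
        for obs in s.observed:
            lines.append(f"  Observed: {obs}")
        lines.append("")
    lines.append(f"-- submission #{sub.sequence:03d}, {sub.sent_on.isoformat()}")
    return "\n".join(lines)


def example_submission() -> Submission:
    # Constructed placeholder content; the bytes are not a real sample.
    return Submission(
        sent_on=date(2004, 12, 30), sequence=3,
        os_name="Windows XP Home", av_version="Avast 4.5", vps_version="0453-0",
        archive_password="virus",
        samples=[SampleInfo(
            filename="placeholder.exe",
            data=b"constructed placeholder bytes, not a real sample\n",
            found_at=r"C:\Documents and Settings\<user>\Local Settings\Temp",
            observed=["adds iexplorer.exe processes that restart when killed",
                      "adds start-up items to the registry"],
        )],
    )


if __name__ == "__main__":
    sub = example_submission()
    print(render_body(sub))
    print("missing:", missing_fields(sub))
```

The hashes answer Lee's "is that enough info?" in a way the prose alone cannot: they let the vendor confirm the archive extracted intact and match the file against samples they already hold, which is exactly the case Jlo hit when the same file was sent twice.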

lee16

  • Guest
Re:Virus submisions
« Reply #25 on: December 30, 2004, 10:26:40 PM »
LOL, sorry for the stupidity, but are you saying there is too much info or not enough.  ??? ::)

Thanks for the help

--lee
« Last Edit: December 30, 2004, 10:26:58 PM by lee16 »

Max M.Wachtel III

  • Guest
Re:Virus submisions
« Reply #26 on: December 31, 2004, 06:39:11 AM »
I also send in malware that I see posted in USENET.
Newest is xp.exe. I encrypt it in a zip format with a password.
I never thought of including any info, I just send the file.
What should I state in my message?
-max

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Virus submisions
« Reply #27 on: December 31, 2004, 09:44:26 AM »
I usually check files with Kaspersky (also shows used packers along malware name) so the job is easier for Alwil guys to identify specific piece of malware.
Visit my webpage Angry Sheep Blog