Full Version: VirusTotal
SpamCop Discussion > Discussions & Observations > Suggested Tools and Applications
Farelf
swingspacers mentioned this resource back in June 2005. I've seen it crop up in discussion elsewhere from time to time (notably Mike Easter in the NGs). www.virustotal.com/en/indexx.html Submitted virus samples are checked against a raft of AV scanners and (default) your sample is forwarded to those that want it to test and update their definitions.

Despite the best efforts of the botnet recruiters not many viruses get through the layered defences of most users these days. Needless to say, not every AV provider is right up to date on all threats and not every user is up to date with the latest definitions anyway. Thus the window of opportunity for the virus distributor. Here's one that made it to my inbox: http://www.spamcop.net/sc?id=z1179387135z3...;action=display

Copying "postcard.exe" into a file (don't do that unless you are confident the thing is NOT going to run off and execute) and loading it into VirusTotal produced mostly negatives except:
QUOTE(received in VirusTotal at 12.29.2006 @ 05:59:40 (CET).)
Fortinet 2.82.0.0 12.29.2006 suspicious
F-Prot 3.16f 12.29.2006 security risk named W32/Tibs.RA
Kaspersky 4.0.2.24 12.29.2006 Trojan-Downloader.Win32.Tibs.jy
Confirmation, as far as I am concerned, of the incipient foray of the recruiters. And a heap of AVs (would) have missed it.

Never open untrusted mail, never run untrusted executables (remembering all negatives from VirusTotal is NOT complete assurance) - but sometimes it is nice to know/remind yourself what such discipline is all about.
petzl
QUOTE(Farelf @ Dec 29 2006, 05:45 AM)
Never open untrusted mail, never run untrusted executables (remembering all negatives from VirusTotal is NOT complete assurance) - but sometimes it is nice to know/remind yourself what such discipline is all about.

Good advice

Aside from SpamCop email being virus scanned and then scanned again by my own scanner, IP 220.93.252.123 would not have made it through SpamCop filters to my inbox.
I never open email I don't know; I send it to my held folder for viewing in text mode.

So at least click my signature and check your security NOW! It takes you to Symantec for both a trojan check (trojans are not viruses) and a virus check (most virus programs look for trojans as well).
Farelf
A couple of days later and there are now 13 detections.
CODE
Antivirus Version Update Result
AntiVir 7.3.0.21 12.30.2006 TR/Dldr.Tibs.jy
Authentium 4.93.8 12.30.2006 W32/Tibs.RA
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 12.30.2006 no virus found
BitDefender 7.2 12.30.2006 Win32.Worm.Luder.B
CAT-QuickHeal 8.00 12.30.2006 no virus found
ClamAV devel-20060426 12.30.2006 no virus found
DrWeb 4.33 12.30.2006 Win32.Dref
eSafe 7.0.14.0 12.30.2006 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.102 12.30.2006 no virus found
eTrust-Vet 30.3.3289 12.29.2006 no virus found
Ewido 4.0 12.30.2006 no virus found
Fortinet 2.82.0.0 12.30.2006 W32/Dref.JY!tr.dldr
F-Prot 3.16f 12.30.2006 security risk named W32/Tibs.RA
F-Prot4 4.2.1.29 12.30.2006 W32/Tibs.RA
Ikarus T3.1.0.27 12.30.2006 Trojan-Downloader.Win32.Tibs.jy
Kaspersky 4.0.2.24 12.30.2006 Trojan-Downloader.Win32.Tibs.jy
McAfee 4929 12.29.2006 W32/Nuwar[at]MM
Microsoft 1.1904 12.30.2006 Win32/Nuwar.L[at]mm
NOD32v2 1949 12.30.2006 no virus found
Norman 5.80.02 12.29.2006 no virus found
Panda 9.0.0.4 12.30.2006 W32/Nuwar.B.worm
Prevx1 V2 12.30.2006 no virus found
Sophos 4.13.0 12.30.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.139 12.29.2006 no virus found
UNA 1.83 12.29.2006 no virus found
VBA32 3.11.1 12.30.2006 no virus found
VirusBuster 4.3.19:9 12.30.2006 no virus found
NAV still gives it a clean bill of health (though the definitions are 27/12). All those baseline WinDoze/Outlook users seeing just "postcard". click. gotcha ...

NAV with 30/12 definitions still misses it. Nice one Symantec.
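An added example (my own code, not from the thread or from VirusTotal) that parses result rows in the format pasted above and reports what a reader of the two scans would want to know: the detection ratio, engines whose definition date predates the scan (so their "no virus found" means even less), and which engines gained a detection between the Dec 29 and Dec 30 runs. The Dec 30 rows are an excerpt of the table above; the function names are my own.

```python
"""Parse VirusTotal-style result rows as pasted in this thread: detection
ratio, engines whose definitions predate the scan, and which engines gained
a detection between the Dec 29 and Dec 30 scans (Dec 30 rows are an excerpt)."""
from datetime import date

SCAN_DEC29 = """\
Fortinet 2.82.0.0 12.29.2006 suspicious
F-Prot 3.16f 12.29.2006 security risk named W32/Tibs.RA
Kaspersky 4.0.2.24 12.29.2006 Trojan-Downloader.Win32.Tibs.jy"""

SCAN_DEC30 = """\
Antivirus Version Update Result
AntiVir 7.3.0.21 12.30.2006 TR/Dldr.Tibs.jy
Avast 4.7.892.0 12.30.2006 no virus found
BitDefender 7.2 12.30.2006 Win32.Worm.Luder.B
eSafe 7.0.14.0 12.30.2006 suspicious Trojan/Worm
eTrust-Vet 30.3.3289 12.29.2006 no virus found
Fortinet 2.82.0.0 12.30.2006 W32/Dref.JY!tr.dldr
F-Prot 3.16f 12.30.2006 security risk named W32/Tibs.RA
Kaspersky 4.0.2.24 12.30.2006 Trojan-Downloader.Win32.Tibs.jy
McAfee 4929 12.29.2006 W32/Nuwar[at]MM
Sunbelt 2.2.907.0 12.18.2006 no virus found"""

CLEAN = "no virus found"

def parse_rows(text):
    """Map engine -> (version, update date, result). A row is name, version,
    MM.DD.YYYY, then a free-text result that may itself contain spaces."""
    rows = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4 or parts[0] == "Antivirus":  # header or blank line
            continue
        name, version, upd, result = parts
        m, d, y = (int(x) for x in upd.split("."))
        rows[name] = (version, date(y, m, d), result)
    return rows

def detections(rows):
    """Engines that returned anything other than a clean verdict."""
    return sorted(n for n, (_, _, r) in rows.items() if r != CLEAN)

def stale_engines(rows, scan_date):
    """Engines whose signature update predates the scan day: a 'clean' from
    these is even weaker evidence than the others."""
    return sorted(n for n, (_, upd, _) in rows.items() if upd < scan_date)

def newly_detecting(before, after):
    """Engines that missed the sample in the earlier scan but flag it now."""
    return sorted(set(detections(after)) - set(detections(before)))
```

Run it against the full 29-row table above and `detections` returns the 13 engines the post counts; the excerpt here gives 7 of 10.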
StevenUnderwood
QUOTE(Farelf @ Dec 30 2006, 05:43 PM)
A couple of days later and there are now 13 detections

NAV still gives it a clean bill of health (though the definitions are 27/12). All those baseline WinDoze/Outlook users seeing just "postcard". click. gotcha ...

Postini has caught a bunch of these for my domain. My account and the admin/postmaster/abuse address have each gotten several, all with the attachment postcard.exe. I assume my users are seeing this as well, but I am on vacation this week, so officially don't care.

Subject: Welcome 2007!
Virus: AUTH-W32/Tibs.gen4

Subject: Happy New Year!
Virus: W32/Nuwar[at]MM

Subject: Happy New Year!
Virus: Downloader-ARL
Farelf
QUOTE(StevenUnderwood @ Dec 31 2006, 08:57 AM)
... but I am on vacation this week, ...
You and half the western world. Timing is everything to the struggling bot-herder - "Coming soon to an IRC channel near you." Someone should sool the English cricket team onto 'em - "When we find him we're stringing him up by his - erm - ding dang does, and we're chopping 'em off." (Matthew Hoggard)