swingspacers mentioned this resource back in June 2005. I've seen it crop up in discussion elsewhere from time to time (notably Mike Easter in the NGs). www.virustotal.com/en/indexx.html Submitted virus samples are checked against a raft of AV scanners and (default) your sample is forwarded to those that want it to test and update their definitions.

Despite the best efforts of the botnet recruiters not many viruses get through the layered defences of most users these days ;) . Needless to say, not every AV provider is right up to date on all threats and not every user is up to date with the latest definitions anyway. Thus the window of opportunity for the virus distributor. Here's one that made it to my inbox: http://www.spamcop.net/sc?id=z1179387135z3...;action=display

Copying "postcard.exe" into a file (don't do that unless you are confident the thing is NOT going to run off and execute) and loading it into VirusTotal produced mostly negatives except:

Fortinet 2.82.0.0 12.29.2006 suspicious

F-Prot 3.16f 12.29.2006 security risk named W32/Tibs.RA

Kaspersky 4.0.2.24 12.29.2006 Trojan-Downloader.Win32.Tibs.jy

Confirmation, as far as I am concerned, of the incipient foray of the recruiters. And a heap of AVs (would) have missed it.

Never open untrusted mail, never run untrusted executables (remembering all negatives from VirusTotal is NOT complete assurance) - but sometimes it is nice to know/ remind yourself what such discipline is all about.

Never open untrusted mail, never run untrusted executables (remembering all negatives from VirusTotal is NOT complete assurance) - but sometimes it is nice to know/ remind yourself what such discipline is all about.

Good advice

Aside from SpamCop email being virus scanned and then scanned again by my own scanner

IP 220.93.252.123 would not have made it through SpamCop filters to my inbox.

I never open email I don't know and send it to my held folder for viewing in text mode

So at least click my signature and Check your security NOW! Takes one to Symantec for both trojan (which are not viruses) and Virus check (most Virus programs look for trojans as well)


A couple of days later and there are now 13 detections.

Antivirus	Version	Update	Result
AntiVir	7.3.0.21	12.30.2006	TR/Dldr.Tibs.jy
Authentium	4.93.8	12.30.2006	W32/Tibs.RA
Avast	4.7.892.0	12.30.2006	no virus found
AVG	386	12.30.2006	no virus found
BitDefender	7.2	12.30.2006	Win32.Worm.Luder.B
CAT-QuickHeal	8.00	12.30.2006	no virus found
ClamAV	devel-20060426	12.30.2006	no virus found
DrWeb	4.33	12.30.2006	Win32.Dref
eSafe	7.0.14.0	12.30.2006	suspicious Trojan/Worm
eTrust-InoculateIT	23.73.102	12.30.2006	no virus found
eTrust-Vet	30.3.3289	12.29.2006	no virus found
Ewido	4.0	12.30.2006	no virus found
Fortinet	2.82.0.0	12.30.2006	W32/Dref.JY!tr.dldr
F-Prot	3.16f	12.30.2006	security risk named W32/Tibs.RA
F-Prot4	4.2.1.29	12.30.2006	W32/Tibs.RA
Ikarus	T3.1.0.27	12.30.2006	Trojan-Downloader.Win32.Tibs.jy
Kaspersky	4.0.2.24	12.30.2006	Trojan-Downloader.Win32.Tibs.jy
McAfee	4929	12.29.2006	W32/Nuwar[at]MM
Microsoft	1.1904	12.30.2006	Win32/Nuwar.L[at]mm
NOD32v2	1949	12.30.2006	no virus found
Norman	5.80.02	12.29.2006	no virus found
Panda	9.0.0.4	12.30.2006	W32/Nuwar.B.worm
Prevx1	V2	12.30.2006	no virus found
Sophos	4.13.0	12.30.2006	no virus found
Sunbelt	2.2.907.0	12.18.2006	no virus found
TheHacker	6.0.3.139	12.29.2006	no virus found
UNA	1.83	12.29.2006	no virus found
VBA32	3.11.1	12.30.2006	no virus found
VirusBuster	4.3.19:9	12.30.2006	no virus found

NAV still gives it a clean bill of health (though the definitions are 27/12). All those baseline WinDoze/Outlook users seeing just "postcard". click. gotcha ...

NAV with 30/12 definitions still misses it. Nice one Symantec.
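An added example, not code from this thread or from VirusTotal: a small Python parser for the tab-separated report above that computes the detection ratio, flags engines whose definitions were already stale on scan day (so their "no virus found" says little, which is the point being made here), and collects the family names the detecting vendors used for the one sample. The nine-row excerpt of the report is embedded as constructed sample input; the family tokens are simply those that appear in its Result column.

```python
from datetime import datetime

# Excerpt of the VirusTotal report posted above (tab-separated columns
# Antivirus, Version, Update, Result), embedded here as constructed sample input.
VT_REPORT = """\
Antivirus\tVersion\tUpdate\tResult
AntiVir\t7.3.0.21\t12.30.2006\tTR/Dldr.Tibs.jy
Avast\t4.7.892.0\t12.30.2006\tno virus found
BitDefender\t7.2\t12.30.2006\tWin32.Worm.Luder.B
Kaspersky\t4.0.2.24\t12.30.2006\tTrojan-Downloader.Win32.Tibs.jy
McAfee\t4929\t12.29.2006\tW32/Nuwar[at]MM
Microsoft\t1.1904\t12.30.2006\tWin32/Nuwar.L[at]mm
Panda\t9.0.0.4\t12.30.2006\tW32/Nuwar.B.worm
Sophos\t4.13.0\t12.30.2006\tno virus found
Sunbelt\t2.2.907.0\t12.18.2006\tno virus found
"""

# Family tokens the vendors above use for this one sample (taken from the
# Result column); vendor naming differs, the verdict does not.
FAMILY_TOKENS = ("tibs", "nuwar", "luder")

def parse_report(text):
    """One dict per scanner row; Update parsed to a date, verdict to a bool."""
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("\t")))
        rec["Update"] = datetime.strptime(rec["Update"], "%m.%d.%Y").date()
        rec["detected"] = rec["Result"].strip().lower() != "no virus found"
        rows.append(rec)
    return rows

def detection_ratio(rows):
    """(hits, total): the headline number, which says nothing about freshness."""
    return sum(r["detected"] for r in rows), len(rows)

def stale_engines(rows, scan_date, max_age_days=1):
    """Engines whose definitions were older than max_age_days on scan day
    (scan_date in the report's own mm.dd.yyyy form); their clean verdict
    is not evidence that the file is clean."""
    scan = datetime.strptime(scan_date, "%m.%d.%Y").date()
    return [r["Antivirus"] for r in rows if (scan - r["Update"]).days > max_age_days]

def families(rows):
    """Distinct family tokens across the positive results."""
    found = set()
    for r in rows:
        if r["detected"]:
            found.update(t for t in FAMILY_TOKENS if t in r["Result"].lower())
    return found
```

Run against the full 29-row table above, the same functions give the 13-detection figure the post quotes and single out Sunbelt, whose 12.18.2006 definitions predate the sample by almost two weeks.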

A couple of days later and there are now 13 detections

NAV still gives it a clean bill of health (though the definitions are 27/12). All those baseline WinDoze/Outlook users seeing just "postcard". click. gotcha ...

Postini has caught a bunch of these for my domain. My account and the admin/postmaster/abuse address have each gotten several, all with the attachment postcard.exe. I assume my users are seeing this as well, but I am on vacation this week, so officially don't care ;)

Subject: Welcome 2007!

Virus: AUTH-W32/Tibs.gen4

Subject: Happy New Year!

Virus: W32/Nuwar[at]MM

Subject: Happy New Year!

Virus: Downloader-ARL

... but I am on vacation this week, ...
You and half the western world. Timing is everything to the struggling bot-herder - "Coming soon to an IRC channel near you." Someone should sool the English cricket team onto 'em - "When we find him we're stringing him up by his - erm - ding dang does, and we're chopping 'em off." (Matthew Hoggard)
