Farelf Posted December 29, 2006

swingspacers mentioned this resource back in June 2005. I've seen it crop up in discussion elsewhere from time to time (notably Mike Easter in the NGs).

www.virustotal.com/en/indexx.html

Submitted virus samples are checked against a raft of AV scanners and (default) your sample is forwarded to those that want it to test and update their definitions. Despite the best efforts of the botnet recruiters, not many viruses get through the layered defences of most users these days. Needless to say, not every AV provider is right up to date on all threats and not every user is up to date with the latest definitions anyway. Thus the window of opportunity for the virus distributor.

Here's one that made it to my inbox: http://www.spamcop.net/sc?id=z1179387135z3...;action=display

Copying "postcard.exe" into a file (don't do that unless you are confident the thing is NOT going to run off and execute) and loading it into VirusTotal produced mostly negatives except:

Fortinet 2.82.0.0 12.29.2006 suspicious
F-Prot 3.16f 12.29.2006 security risk named W32/Tibs.RA
Kaspersky 4.0.2.24 12.29.2006 Trojan-Downloader.Win32.Tibs.jy

Confirmation, as far as I am concerned, of the incipient foray of the recruiters. And a heap of AVs (would) have missed it. Never open untrusted mail, never run untrusted executables (remembering all negatives from VirusTotal is NOT complete assurance) - but sometimes it is nice to know/remind yourself what such discipline is all about.
petzl Posted December 29, 2006

Farelf said: "Never open untrusted mail, never run untrusted executables (remembering all negatives from VirusTotal is NOT complete assurance) - but sometimes it is nice to know/remind yourself what such discipline is all about."

Good advice. Aside from SpamCop email being virus scanned and then scanned again by my own scanner, IP 220.93.252.123 would not have made it through SpamCop filters to my inbox. I never open email I don't know and send it to my held folder for viewing in text mode.

So at least click my signature and Check your security NOW! Takes one to Symantec for both trojan (which are not viruses) and Virus check (most Virus programs look for trojans as well).
Farelf Posted December 30, 2006 (Author)

A couple of days later and there are now 13 detections.

Antivirus           Version         Update       Result
AntiVir             7.3.0.21        12.30.2006   TR/Dldr.Tibs.jy
Authentium          4.93.8          12.30.2006   W32/Tibs.RA
Avast               4.7.892.0       12.30.2006   no virus found
AVG                 386             12.30.2006   no virus found
BitDefender         7.2             12.30.2006   Win32.Worm.Luder.B
CAT-QuickHeal       8.00            12.30.2006   no virus found
ClamAV              devel-20060426  12.30.2006   no virus found
DrWeb               4.33            12.30.2006   Win32.Dref
eSafe               7.0.14.0        12.30.2006   suspicious Trojan/Worm
eTrust-InoculateIT  23.73.102       12.30.2006   no virus found
eTrust-Vet          30.3.3289       12.29.2006   no virus found
Ewido               4.0             12.30.2006   no virus found
Fortinet            2.82.0.0        12.30.2006   W32/Dref.JY!tr.dldr
F-Prot              3.16f           12.30.2006   security risk named W32/Tibs.RA
F-Prot4             4.2.1.29        12.30.2006   W32/Tibs.RA
Ikarus              T3.1.0.27       12.30.2006   Trojan-Downloader.Win32.Tibs.jy
Kaspersky           4.0.2.24        12.30.2006   Trojan-Downloader.Win32.Tibs.jy
McAfee              4929            12.29.2006   W32/Nuwar[at]MM
Microsoft           1.1904          12.30.2006   Win32/Nuwar.L[at]mm
NOD32v2             1949            12.30.2006   no virus found
Norman              5.80.02         12.29.2006   no virus found
Panda               9.0.0.4         12.30.2006   W32/Nuwar.B.worm
Prevx1              V2              12.30.2006   no virus found
Sophos              4.13.0          12.30.2006   no virus found
Sunbelt             2.2.907.0       12.18.2006   no virus found
TheHacker           6.0.3.139       12.29.2006   no virus found
UNA                 1.83            12.29.2006   no virus found
VBA32               3.11.1          12.30.2006   no virus found
VirusBuster         4.3.19:9        12.30.2006   no virus found

NAV still gives it a clean bill of health (though the definitions are 27/12) [1]. All those baseline WinDoze/Outlook users seeing just "postcard". click. gotcha ...

[1] NAV with 30/12 definitions still misses it. Nice one Symantec.
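The two Farelf posts above show what a multi-engine VirusTotal report looks like and how the detection count moves over a couple of days. As an added example (not part of the thread, and not VirusTotal's own code), here is a small Python script that parses that "Antivirus Version Update Result" layout, counts which engines flagged the file, does the same for the JSON shape returned by the current VirusTotal v3 API, and looks a file up by its SHA-256 hash rather than uploading it. The sample rows are an excerpt of the table posted in the thread; the v3 JSON is constructed here to mirror the "13 of 29" outcome, and `vt_lookup` needs a network connection and an API key, so it is not exercised below.

```python
"""Parse a VirusTotal engine report and summarize which engines detected the sample."""
import hashlib
import json
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Phrasings that mean "no detection" in the 2006-era report shown in the thread.
CLEAN_RESULTS = {"no virus found", "-", "clean"}

# Excerpt of the report posted in the thread (10 engines, 6 detections).
SAMPLE_REPORT = """
Antivirus Version Update Result
AntiVir 7.3.0.21 12.30.2006 TR/Dldr.Tibs.jy
Avast 4.7.892.0 12.30.2006 no virus found
BitDefender 7.2 12.30.2006 Win32.Worm.Luder.B
ClamAV devel-20060426 12.30.2006 no virus found
eSafe 7.0.14.0 12.30.2006 suspicious Trojan/Worm
F-Prot 3.16f 12.30.2006 security risk named W32/Tibs.RA
Kaspersky 4.0.2.24 12.30.2006 Trojan-Downloader.Win32.Tibs.jy
McAfee 4929 12.29.2006 W32/Nuwar[at]MM
NOD32v2 1949 12.30.2006 no virus found
Sophos 4.13.0 12.30.2006 no virus found
"""

# Constructed stand-in for a VT v3 "files" object; only last_analysis_stats matters here.
SAMPLE_V3_RESPONSE = {
    "data": {"attributes": {"last_analysis_stats": {
        "malicious": 13, "suspicious": 0, "undetected": 16,
        "harmless": 0, "timeout": 0, "type-unsupported": 0, "failure": 0,
    }}}
}


@dataclass
class EngineResult:
    engine: str
    version: str
    updated: str
    result: str

    @property
    def detected(self) -> bool:
        return self.result.strip().lower() not in CLEAN_RESULTS


def parse_report(text: str) -> List[EngineResult]:
    """Parse rows of the form 'Engine Version Update Result'.

    The result column may itself contain spaces ("no virus found",
    "security risk named W32/Tibs.RA"), so the line is split only three times.
    """
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.lower().startswith("antivirus "):
            continue  # skip blanks and the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            raise ValueError(f"malformed row: {line!r}")
        rows.append(EngineResult(*parts))
    return rows


def summarize(rows: List[EngineResult]) -> Tuple[int, int, Dict[str, str]]:
    """Return (detections, engines queried, {engine: detection name})."""
    hits = [r for r in rows if r.detected]
    return len(hits), len(rows), {r.engine: r.result for r in hits}


def summarize_v3(response: dict) -> Tuple[int, int]:
    """Same summary for a VirusTotal API v3 file object: (malicious+suspicious, total)."""
    stats = response["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return flagged, sum(stats.values())


def sha256_of(data: bytes) -> str:
    """Hash the attachment bytes; the hash alone is enough to query an existing report."""
    return hashlib.sha256(data).hexdigest()


def vt_lookup(sha256: str, api_key: str) -> dict:
    """Fetch an existing VT v3 report by hash without uploading the file (needs network and key)."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    hits, total, names = summarize(parse_report(SAMPLE_REPORT))
    print(f"{hits}/{total} engines flagged the sample: {names}")
    print("v3 summary:", summarize_v3(SAMPLE_V3_RESPONSE))
```

Looking a file up by hash first is the usual defender's habit: it answers "has anyone seen this exact binary?" without handing a possibly sensitive attachment to third parties, and a report that comes back with zero engines flagging it is, as the thread says, not an all-clear, only the absence of a known signature on that day.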
StevenUnderwood Posted December 30, 2006

Farelf said: "A couple of days later and there are now 13 detections ... NAV still gives it a clean bill of health (though the definitions are 27/12). All those baseline WinDoze/Outlook users seeing just "postcard". click. gotcha ..."

Postini has caught a bunch of these for my domain. My account and the admin/postmaster/abuse address have each gotten several, all with the attachment postcard.exe. I assume my users are seeing this as well, but I am on vacation this week, so officially don't care.

Subject: Welcome 2007! Virus: AUTH-W32/Tibs.gen4
Subject: Happy New Year! Virus: W32/Nuwar[at]MM
Subject: Happy New Year! Virus: Downloader-ARL
Farelf Posted December 31, 2006 (Author)

StevenUnderwood said: "... but I am on vacation this week, ..."

You and half the western world. Timing is everything to the struggling bot-herder - "Coming soon to an IRC channel near you." Someone should sool the English cricket team onto 'em - "When we find him we're stringing him up by his - erm - ding dang does, and we're chopping 'em off." (Matthew Hoggard)
MIG Posted March 16, 2019

For all who use Virus Total, browser extensions are available: https://support.virustotal.com/hc/en-us/articles/115002700745-Browser-Extensions & (im-humble🦗opinion) are very handy😊 Cheers!
MIG Posted March 17, 2019

20 hours ago, MIG said: "For all who use Virus Total, browser extensions are available: https://support.virustotal.com/hc/en-us/articles/115002700745-Browser-Extensions & (im-humble🦗opinion) are very handy😊 Cheers!"

(imo) one of the "noice" features of having the VT browser extension is, from within a spam email, [rightclick] any link, select "check with VT". Cheers!