12-05-2008 07:49 PM
From what I understand, Community Watch collects statistics about malware and submits information about malware to Symantec for analysis...
Now, Artemis is a 1 on 1 connection with the McAfee servers. The client's copy of McAfee sends some info to the servers, and the servers determine if the file is malicious. Or not.
12-07-2008 01:45 PM - edited 12-07-2008 02:20 PM
First of all, my apologies for coming so late to this thread. The file spyprotector_install_4173.exe (21ad8edb7a3437e37600f37d91f1e25c) is now detected as "AntiVirus2008".
This is a relatively new variant of this misleading application and isn't too widespread, hence it managed to fly under our radar. We've invested a lot of work in the past few months into better detecting these misleading AV programs and their associated malware, but this sample managed to evade these detections. The generic and heuristic detections we create tend to have a limited lifespan before the authors determine how to evade our detections. An unfortunate side-effect of VirusTotal and similar tools is that they allow the authors of these applications to verify whether their handiwork is detected before releasing it to the wild. We're looking at our detections now to see what changes can be made to ensure that any new releases of this misleading AV are proactively detected.
If you run LiveUpdate later today you'll get the updated detection. You should have already received an email with this information.
Symantec Security Response
I would suspect that the site realized that there was a detection for the file by Norton, which has over 65 million users, and hence altered the file slightly to escape heuristic detection.
I would appreciate it if you could add the MD5 of the modified/altered file to the AntiVirus2008 detections.
And I believe you should create an Intrusion Prevention detection; it is a rogue, fake, online virus scanner.
The file creates a file called scrmss.exe, which Symantec detects as malicious =\. That raises questions about just how deep Bloodhound scans...
I am planning on executing the file with NAV09 enabled to see what happens ... hopefully it flags it =\
On my Virtual PC .. of course! I learned my lesson last time!
12-12-2008 04:10 PM - edited 12-12-2008 04:14 PM
I used the MD5 of the latest sample, and found it on Offensive Computing; I uploaded it earlier.
Still not detected by Norton ^.-
12-12-2008 07:16 PM
4 out of 38. Nothing to worry about. Hell even top dog Avira doesn't see it. Your point is?
And I don't trust Avira anymore; it missed Infostealer.Gampass; so much for heuristics. 24/37 flagged it, except for Avira and other minor AV programs.