From what I understand, Community Watch collects statistics about malware and submits information about malware to Symantec for analysis...

Now, Artermis is a 1 on 1 connection with the McAfee servers. The client's copy of McAfee sends some info to the servers, and the servers determine if the file is malicious. Or not. 

---

orla_cox wrote:

Hello,

First of all, my apologies for coming so late to this thread. The file spyprotector_install_4173.exe (21ad8edb7a3437e37600f37d91f1e25c) is now detected as "AntiVirus2008".

This is a relatively new variant of this misleading application and isn't too widespread, hence it managed to fly under our radar. We've invested a lot of work in the past few months into better detecting these misleading AV programs and their associated malware, but this sample managed to evade these detections. The generic and heuristic detections we create tend to have a limited lifespan before the authors determine how to evade our detections. An unfortunate side-effect of VirusTotal and similar tools is that they allow the authors of these applications to verify whether their handiwork is detected before releasing it to the wild. We're looking at our detections now to see what changes can be made to ensure that any new releases of this misleading AV are proactively detected.

If you run LiveUpdate later today you'll get the updated detection. You should have already received an email with this information.

 

Regards

 

Orla

Symantec Security Response

---

• I went to the link I posted in the first post. I downloaded the file again. I scanned with NAV09. Nothing.
• The file name is exactly the same;  spyprotector_install_4173.exe
• The MD5, however is different. It is a8ad8adeb5e5153173e9cccbbf3bcdeb

http://www.virustotal.com/analisis/4b39d02c5ee53b017ba3ffe4be566a2f

I would suspect that the site realized that there was a detection for the file by Norton, which has over 65 million users, and hence altered the file slightly to escape heruistic detection.

I would appreicate if you could add the MD5 of the modified/altered file to the AntiVirus2008 detections.

And I believe you should create a Intrusion Prevention detection; it is a rouge, fake, online virus scanner.

http://www.threatexpert.com/report.aspx?md5=a8ad8adeb5e5153173e9cccbbf3bcdeb

The file creates a file called scrmss.exe, which Symantec detects as malicious =\. That raises questions about just how deep Bloodhound scans...

I am planning on executing the file with NAV09 enabled to see what happens ... hopefully it flags it =\

On my Virtual PC .. of course! I learned my lesson last time! 

Anyone?

I used the MD5 of the latest sample, and found it on Offensive Computing; I uploaded it eariler. 

Still not detected by Norton ^.-

---

Dieselman743 wrote:
4 out of 38. Nothing to worry about. Hell even top dog Avira doesn't see it. Your point is?

---

And I don't trust Avira anymore; it missed Infostealer.Gampass; so much for heruistics. 24/37 flagged it, except for Avira and other minor AV programs. 

---

Dieselman743 wrote:
Why don't you just make your own av since you think Symantec and Avira cannot.

---

I rather not start from scratch; I would rather build on what Symantec's got already.