11-05-2010 08:44 AM - edited 11-05-2010 08:45 AM
All malware samples are not detected by the currently updated Norton 2011 with the aggressive switch of the heuristic engine.
Norton, which is on VT, detects the 2010-10-08 MDL trojan SpyEye setup.exe, but the same file from my hard drive is not detected.
Apparently the WS.Reputation.1 detection method is also based on the original location of files (where they came from).
I saw other examples of that.
That's why such files are heuristically detected on VT, but not on users' computers: not enough heuristic/suspicious characteristics to suppose that this file can be malware.
11-14-2010 11:15 PM - edited 11-14-2010 11:33 PM
We have processed your submission (Tracking #18214173) and your submission
is now closed. The following is a report of our findings for the files in
Determination: This file is detected as 'Trojan.FakeAV!gen29, ' with our
existing Rapid Release definition set.
Nice Wares is not so nice...
It !self-appeared! on my desktop (Win XP SP3 with all updates installed + updated Norton with both heuristic and SONAR engines in aggressive modes, 14-Nov-2010).
Your submission has been sent Sun Nov 14 23:16:02 PST 2010.
12-16-2010 10:53 PM - edited 12-16-2010 11:00 PM
In the [stop ignore MalwareDomainList.com] October-2010 pack
12-16-2010 11:13 PM - edited 12-16-2010 11:18 PM
Little November-2010 submission:
All were found alone (I think copied by themselves) on one of our local network servers, in a free-to-upload SMB shared folder. By the way: if they spread by replicating themselves, then by Symantec's classification are they situated in the Worms class?
2010-11-18 MDL rapport.exe
2010-10-18 forum for all tvxoqx.exe
In addition: tvxoqx.exe (the file with an icon) is recognized as heuristic malware, but was not blacklisted for a month after starting it.
But the product's (NIS 18.1) Norton Community Watch Sample Submission always ran during every rescan procedure of my samples. Strange.
12-17-2010 01:07 AM - edited 12-17-2010 01:08 AM
Apologies for the delay, and as always thanks for bringing this to our attention.
The files in the earlier submission (PDF and EXE) have been truncated in the middle of the file, effectively rendering them harmless. For the PDF files, the corrupted part is TrueType Font which can sometimes lead security vendors to suspect the files might exploit a vulnerability and add detection just in case. However when opened they only display error messages.
12-17-2010 01:27 AM - edited 12-17-2010 02:01 AM
This will be an interesting topic:
Norton Trusted Files versus Virus Total Antiviruses: 7 files accidentally observed
12-17-2010 01:58 AM - edited 12-17-2010 02:08 AM
Thanks for the detailed report, JohnM!
All was clear and understood by me.
Unfortunately, the main parent file in this criminal band, named "ZASRAKOMONDOHUI31338.EXE", was not found on the servers at this moment. The now-detectable file was moved to my collection much earlier, a month ago, and was probably deleted by other admins or by another security suite installed on the servers.
Mm.. and tell us what you think about the tvxoqx.exe (file with icon) detection: is it malware?
Thanks for cooperation!
By the way: the file named "ZASRAKOMONDOHUI31338.EXE" can be submitted via the Norton Community Watch (NCW) component of the Norton product lines. Such a rule just needs to be added to NCW and downloaded with the nearest LiveUpdate session. I think with such a method it will be caught fast if the file name is unique (it probably is) and this name is not randomly changed by that malware.
12-17-2010 03:37 PM
The Trojan appears to be downloaded on PCs infected with some of the variants of the Zbot family:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe]
Debugger = "ZASRAKOMONDOHUI31338.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe]
Debugger = "ZASRAKOMONDOHUI31338.EXE"

By doing the above, the infection can block or intercept any request it is meant to. But does the file "ZASRAKOMONDOHUI31338.EXE" actually exist, or is the file name just that in the registry? Meaning the file is actually under another name or just doesn't exist.
Which would be something like Trojan:Win32/Killav.EL
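The registry entries above work because Windows honours an Image File Execution Options (IFEO) "Debugger" value by launching that program instead of the named image, which is how the Trojan keeps the Rapport services from starting. An admin who wants to find such entries on a machine can export the IFEO key (reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg) and scan the export. The following is an added example, not code from the thread or from Symantec; it parses a constructed .reg export that mirrors the listing above, and the allowlist of legitimate debuggers (vsjitdebugger.exe, windbg.exe) is an assumption to extend for your own environment.

```python
"""Flag Image File Execution Options (IFEO) 'Debugger' hijacks in a .reg export."""
import re
from typing import Dict, List

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Assumed allowlist of debuggers that legitimately register under IFEO.
# Matched on the executable's base name, case-insensitively.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe"}

# Constructed sample export: one benign entry plus the two hijacked Rapport
# entries described in the thread. (A real `reg export` is UTF-16LE; decode
# it before passing the text in.)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe]
"Debugger"="ZASRAKOMONDOHUI31338.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe]
"Debugger"="ZASRAKOMONDOHUI31338.EXE"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)


def parse_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Return {image name: debugger command} for each direct IFEO subkey with a Debugger value."""
    found: Dict[str, str] = {}
    current_image = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            current_image = None
            if key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
                rest = key[len(IFEO_PREFIX) + 1:]
                # Only a direct child (IFEO\image.exe) is honoured; ignore deeper keys.
                if "\\" not in rest:
                    current_image = rest
            continue
        dbg_match = _DEBUGGER_RE.match(line)
        if dbg_match and current_image:
            # .reg files escape quotes and backslashes inside string values.
            value = dbg_match.group(1).replace('\\"', '"').replace("\\\\", "\\")
            found[current_image] = value
    return found


def find_hijacks(reg_text: str, allowlist=KNOWN_DEBUGGERS) -> List[Dict[str, object]]:
    """Return the Debugger entries that look like hijacks, with the reasons for each."""
    hits: List[Dict[str, object]] = []
    for image, debugger in parse_ifeo_debuggers(reg_text).items():
        # First token is the executable; the rest are debugger arguments.
        parts = debugger.strip().strip('"').split()
        exe = parts[0] if parts else ""
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons: List[str] = []
        if base not in allowlist:
            reasons.append("debugger is not a known debugger")
        if not re.match(r"^[A-Za-z]:\\", exe):
            # A bare name is resolved through the search path, as in the thread's entries.
            reasons.append("no absolute path")
        if reasons:
            hits.append({"image": image, "debugger": debugger, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_REG):
        print(f"{hit['image']} -> {hit['debugger']}: {', '.join(hit['reasons'])}")
```

Run against a real export, the script answers the question raised in the post only partially: it tells you which images are redirected and to what, and whether the debugger string is an unqualified name, but whether a file by that name actually exists on disk still has to be checked separately, since a dangling Debugger value blocks the image just as effectively as a real one.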