Yes, no one is perfect, but I show this to make clear that the detection of this file is important, and Symantec can also analyse why SONAR does nothing and why this file has a good reputation...
This is again as in the old days: Symantec WebSubmit is nonsense, because nothing is being processed until today. I have no detection on submitted threats after 3 days.
But I tried a retest today with NIS2012 Beta; this SONAR can detect the threats better, as you can see.
We have processed your submission (Tracking #20956784) and your submission is now closed. The following is a report of our findings for the files in your submission:

--------------------------------------------------------------------------
File: The Self Help Guide For Women.exe
Machine:
Machine Determination: Please see the developer notes.
---------------------------------------------------------------------------
Developer Notes
---------------------------------------------------------------------------
The Self Help Guide For Women.exe
Our automation was unable to identify any malicious content in this submission. The file will be stored for further human analysis
---------------------------------------------------------------------------
This message was generated by Symantec Security Response automation.
ThreatExpert has belonged to Symantec since 2008; why does the company not use this to "identify any malicious content"?
Sorry, but the automatic email messages are not helpful where they say "we could not find anything", if the solution is only one mouse click away. Do you not think so?
The question is: is the automatic virus detection system so much worse than ThreatExpert and SONAR?
Found a new dropper "updatedrv.exe" that can bypass both SONAR versions (NIS2011 and NIS2012). SONAR only found partial infections, but not all; there are remnants in memory, see picture. No antivirus on VirusTotal found a virus (0/43), but the ThreatExpert log is pretty convincing!
Found on this Russian site many new undetected "xxx.avi.exe" threats: hxxp://porevopremiumclass.ru; these are Russian extortions. After install SONAR found nothing; this threat reboots the PC immediately, and after the reboot the PC is closed and unusable. The message inside this blocked PC says "pay within 24h or your Windows and BIOS will be destroyed", see picture.
Both SONAR versions (NIS2011/NIS2012) again miss a running threat, "windowsupdate.exe", see pictures... These show the reputation scan with running objects in memory.
Signed malware! werping.exe has a digital VeriSign certificate.
Symantec reputation: Good, 1 green point.
Malwarebytes found it as Adware.Werping, 10 entries.
HKEY_CLASSES_ROOT\CLSID\{AA4E73CB-0853-41F1-98FF-8425F1FAF463} (Adware.WerPing) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{F9EC55CA-A59A-4707-9549-D7888F33EFD2} (Adware.WerPing) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{BA757198-9CBC-49E1-A504-EBBD2BA03978} (Adware.WerPing) -> No action taken.
HKEY_CLASSES_ROOT\WebManager.ExplorerManager.1 (Adware.WerPing) -> No action taken.
HKEY_CLASSES_ROOT\WebManager.ExplorerManager (Adware.WerPing) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA4E73CB-0853-41F1-98FF-8425F1FAF463} (Adware.WerPing) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\werping (Adware.Werping) -> Value: werping -> No action taken.
c:\WINDOWS\system32\werping.exe (Adware.Werping) -> No action taken.
c:\WINDOWS\system32\werping.dll (Adware.WerPing) -> No action taken.
c:\dokumente und einstellungen\Jens\Desktop\werping.exe (Adware.Werping) -> No action taken.
Do you know that Symantec detects trojware by hash per sample? What does this mean? They create hashes from samples you sent and put them into the virus DB. This sort of signature is useless against new variants of the same malware.
I can't even imagine how they will protect users from some types of Trojan-Droppers which write the timestamp at the end of each dropped file. So, in every unique moment of time this timestamp will be unique, and consequently the file hash must be unique too.
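An added example, not code from the thread or from Symantec, modelling the failure mode in the post above: the sample is a constructed PE-shaped byte blob (not real malware) whose only per-drop difference is an 8-byte timestamp appended after the last section. A whole-file digest, the per-sample signature the post describes, differs for every drop; hashing only the bytes the PE section table accounts for (an assumed alternative shown for comparison, not Symantec's method) sees every drop as the same file.

```python
import hashlib
import struct

# Constructed body standing in for the dropped file's sections; identical in every drop.
PAYLOAD = b"CONSTRUCTED sample body, identical in every drop"


def build_pe(section_data: bytes, overlay: bytes) -> bytes:
    """Assemble a minimal PE-shaped image: DOS header, PE signature, COFF file
    header, one section header, the section's raw data, then the overlay."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader (0), Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    raw_ptr = e_lfanew + 4 + 20 + 40  # section data follows the single section header
    section_header = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr,
        0, 0, 0, 0, 0x60000020)
    return dos_header + b"PE\0\0" + file_header + section_header + section_data + overlay


def overlay_offset(pe: bytes) -> int:
    """Offset where the overlay starts: the end of the last section's raw data
    (or the end of the section table if no section carries raw data)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    end = table + 40 * num_sections
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def whole_file_hash(pe: bytes) -> str:
    """Per-sample signature as the post describes it: digest of the whole file."""
    return hashlib.sha256(pe).hexdigest()


def overlay_stripped_hash(pe: bytes) -> str:
    """Digest of only the bytes the PE headers account for; appended data is ignored."""
    return hashlib.sha256(pe[:overlay_offset(pe)]).hexdigest()


def drop(timestamp: int) -> bytes:
    """Simulate one drop: the same body with a different 8-byte timestamp appended."""
    return build_pe(PAYLOAD, struct.pack("<Q", timestamp))


if __name__ == "__main__":
    a, b = drop(1300000000), drop(1300000001)
    print("whole-file hashes equal:", whole_file_hash(a) == whole_file_hash(b))
    print("overlay-stripped equal: ", overlay_stripped_hash(a) == overlay_stripped_hash(b))
```

Anything that varies inside the sections rather than in the overlay would defeat the stripped digest too, which is why behaviour- and reputation-based checks such as SONAR still matter.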
Symantec Security Response is currently investigating this threat and will post more information as it becomes available.
I have more information for your investigation.
Digitask.de: this company is involved in the development of spyware and trojan software for dubious governmental surveillance. Their products are suspected of deliberately violating the directives of the Federal Constitutional Court of Germany. Their products are also suspected of knowingly violating the BSD license of the Speex audio codec.
They developed software that captures audio data and sends it to the attacker through a U.S. server without the user's knowledge. It has been used by the German state police in Bavaria for the last 3 years. In a case in 2009 this state trojan captured 60000 screenshots and sent them to the Bavarian police; this was not allowed by the directives of the Federal Constitutional Court of Germany.