Posted by Dustin Cook on September 7, 2007, 1:11 am
> This is really sad.
>
> I've got a sample of hidr.exe (06/24/2005) and it's only detected by
> 21 of the 32 AV packages on VirusTotal.
The sample you have, is it just a variant of something already known?
And how well has it spread? If it hasn't done so well, that may explain
why many of the virus scanners don't bother to detect it.
And of course, you have the often overlooked scenario: they just don't
have a signature for that variant, and the heuristics, if used, aren't
picking it up either.
Since you submitted it to virustotal, they should eventually all get
samples of the file in question. This is why I advocate sending
suspicious files to the vendors directly if at all possible. If you find
something that is missed and you think it shouldn't be, send it to your
favorite antivirus/antimalware company (and send it to myself too! You'll
be contributing to the growing BugHunter userbase). The faster the
samples arrive, the sooner products will have the required information to
identify and possibly remove them.
> Here's the results if you want to see them:
>
> http://www.virustotal.com/resultado.html?4ffb71ab220a0c3600b76166b2b2b33f
> And for Symantec, this lack of detection is indefensible.
> Why doesn't VT show the packing used, or the Norman sandbox details?
VT may not know the packer used; it could be a known packer but slightly
modified to evade automated detection.
That url expires shortly after being created. :(
--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2d
Email.: bughunter.dustin@gmail.com
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt