ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
GuitarBob


Joined: 09 Jul 2006
Posts: 4385
Location: USA
Reply with quote
You wrote:

"BTW, out of curiosity, why do you bother creating a different subject (let alone a subject) to each of your posts?"

I just try to describe what I'm talking about--sometimes these posts get off subject.

Regards,
View user's profileSend private message
BTW
GuitarBob


Joined: 09 Jul 2006
Posts: 4385
Location: USA
Reply with quote
By the way, did you notice that Dr. Web and VBA have the same name/description for the malware? Get the idea they are sharing signatures? Dr. Web is a Russian product, and Virus Block Ada is in Belorussia.

Regards,
View user's profileSend private message
ermi


Joined: 28 Sep 2006
Posts: 4
Reply with quote
lwc wrote:
A new year has come upon us...

Heh, and I thought that I was waiting for a long time (it's been 10 days now since I submitted the virus...) Smile

Here's how VirusTotal scanned "my" virus:
http://files.myopera.com/ermi/files/VirusTotal.png http://files.myopera.com/ermi/files/VirusTotal.png
10 days later:
http://files.myopera.com/ermi/files/VirusTotal%2B10.png http://files.myopera.com/ermi/files/VirusTotal%2B10.png

You can see that only Panda "got it" in the mean time. It's interesting to note that also AVs with a good reputation like NOD 32 and Kaspersky fail...
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4385
Location: USA
Reply with quote
If you upload to VirusTotal or Jotti, Clam is in the loop to get a copy of their nondetected viruses from them, so they will get a crack at it if they want it. Some AVs still shy away from "nonviruses" like spyware, adware. It might be interesting to see the description of what you found. No one AV can cover everything completely, but Kaspersky does a good job of covering malware, and so does BitDefender. NOD 32 relies a lot upon its high powered engine to fill in the gaps. Clam usually has a quicker reaction time than most of the AVs, and they've really stepped up their signatures--guess they finally realized if you have only 1% heuristic detection (see http://winnow.oitc.com/avmalwarestats.php), you've got to rely heavily upon signatures.

Regards,
View user's profileSend private message
sherpya


Joined: 22 Mar 2006
Posts: 898
Location: Italy
Reply with quote
packer: themida, as b0ne said me themida is a very nasty packer that makes difficult even gathering executable informations
View user's profileSend private message
ermi


Joined: 28 Sep 2006
Posts: 4
Reply with quote
GuitarBob wrote:
It might be interesting to see the description of what you found.

I'm no expert. But the thing disabled my WinXP firewall and also the Task Manager (couldn't open it)... maybe something else, too. I ran Autoruns and this is what I saw:
http://files.myopera.com/ermi/files/virus.png
Notice the yellow icon for scvhost.exe? That's the same icon of the virus .exe file.

If someone's interested here's the virus, packed in a .rar:
Exclamation http://files.myopera.com/ermi/files/probably_a_virus.rar Exclamation (be careful! Wink)

Personally I trust no AV so I always keep a system image file for backup. That way I got my system back in a few minutes.
View user's profileSend private message
sherpya


Joined: 22 Mar 2006
Posts: 898
Location: Italy
Reply with quote
take a better look the process is not svchost but scvhost so it looks like a malware, delete from autorun, kill the process if you cannot do it because of task manager
use process explorer or install unlocker and remove it on the next reboot:
http://ccollomb.free.fr/unlocker/ http://ccollomb.free.fr/unlocker/
take care to not delete svchost (the system process)
View user's profileSend private message
ermi


Joined: 28 Sep 2006
Posts: 4
Reply with quote
Thanks, but as I wrote I got my system back already, with an image backup. Wink
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4385
Location: USA
Reply with quote
Clam has signatures for many ciadoor.13 variants, so it probably doesn't support the packer in which your malware was wrapped. Many of the Ciadoor variants appear to be spyware.

It appears to me that there is a 50% chance that anything packed (not zipped) has malware. Some kinds of packers are used mostly to hide malware, so anything packed with them probably has a 75% chance. If Clam can't unpack something, perhaps it should flag it for the user, who can then decide what to do--check it with VirusTotal, or consider where it came from and whether he/she is expecting the file and delete/ignore it. Right now, if an AV program can't upack something, you will never know about it!

Regards
View user's profileSend private message
A virus you can't detect
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 2 of 2  

  
  
 Reply to topic