ClamWin Free Antivirus
Support and Discussion Forums
A virus you can't detect
lwc


Joined: 17 Apr 2006
Posts: 69
When I saw you can't detect it, I submitted it to ClamAV but it has been a while and they didn't even confirm the submission to my e-mail!

So it's on the way to your e-mail (zipped and password protected).

To prove to myself my version of ClamWin is ok, I tried scanning this virus in your online scanner (http://forums.clamwin.com/viewtopic.php?t=520) but I couldn't do it because it's dead. Nevertheless, http://www.virustotal.com indeed claims ClamAV is among the ones that don't detect it:

Quote:
Complete scanning result of "2.exe", received in VirusTotal at 08.23.2006, 11:26:40 (CET).

Antivirus Version Update Result
AntiVir 6.35.1.3 08.23.2006 HEUR/Trojan.PwdStealer
Authentium 4.93.8 08.22.2006 Possibly a new variant of W32/Trojan-Hupigon-based!Maximus
Avast 4.7.844.0 08.21.2006 Win32:MianCrypt-gen
AVG 386 08.22.2006 no virus found
BitDefender 7.2 08.23.2006 Backdoor.Pigeon.IP
CAT-QuickHeal 8.00 08.22.2006 no virus found
ClamAV devel-20060426 08.23.2006 no virus found
DrWeb 4.33 08.23.2006 BackDoor.Pigeon.36
eTrust-InoculateIT 23.72.104 08.22.2006 no virus found
eTrust-Vet 30.3.3035 08.23.2006 no virus found
Ewido 4.0 08.23.2006 Backdoor.Hupigon.36
Fortinet 2.77.0.0 08.23.2006 W32/Hupigon.BC!tr
F-Prot 3.16f 08.22.2006 Possibly a new variant of W32/Trojan-Hupigon-based!Maximus
F-Prot4 4.2.1.29 08.22.2006 W32/Trojan-Hupigon-based!Maximus
Ikarus 0.2.65.0 08.23.2006 no virus found
Kaspersky 4.0.2.24 08.23.2006 Backdoor.Win32.Hupigon.pv
McAfee 4835 08.22.2006 New Malware.w
Microsoft 1.1560 08.23.2006 no virus found
NOD32v2 1.1720 08.22.2006 no virus found
Norman 5.90.23 08.22.2006 no virus found
Panda 9.0.0.4 08.23.2006 Suspicious file
Sophos 4.08.0 08.23.2006 no virus found
Symantec 8.0 08.23.2006 no virus found
TheHacker 5.9.8.198 08.23.2006 no virus found
UNA 1.83 08.22.2006 no virus found
VBA32 3.11.0 08.22.2006 BackDoor.Pigeon.36
VirusBuster 4.3.7:9 08.22.2006 no virus found

Additional Information
File size: 326656 bytes
MD5: dfb0088364e02414a01527b0ebd49214
SHA1: b89f5a81cafb6b0a59eb616b2e52ce5ae5d87a44
packers: Aspack


Where is NAV in this list?
NAV detects this virus as Bloodhound.NsAnti (http://www.symantec.com/security_response/writeup.jsp?docid=2006-061009-4441-99).


Last edited by lwc on Wed Nov 01, 2006 10:24 am; edited 2 times in total
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
please be patient, it takes some time to add a new virus. The priority is given to wider-spread variants, but your submission will get there.
lwc


Joined: 17 Apr 2006
Posts: 69
What's going on...? I sent that message to clamwim at clamwin.com and got this in return:

Code:
Received: (qmail 12717 invoked from network); 23 Aug 2006 03:48:54 -0500
Received: from 216-55-183-18.dedicated.abac.net (216.55.183.18)
  by tsunami.riptideresearch.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 23 Aug 2006 03:48:52 -0500
Received: (qmail 28623 invoked for bounce); 23 Aug 2006 19:46:50 +1000
Date: 23 Aug 2006 19:46:50 +1000
From: MAILER-DAEMON@216-55-183-18.dedicated.abac.net
Subject: failure notice

Hi. This is the qmail-send program at 216-55-183-18.dedicated.abac.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
:
64.233.163.114 failed after I sent the message.
Remote host said: 552 5.7.0 Illegal Attachment r15si252831nza
--- Below this line is a copy of the message. ---
...
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Reply with quote
I got the message with the virus attached, thanks. I forward all mail to GMail and it doesn't like some of the attachment types.
lwc


Joined: 17 Apr 2006
Posts: 69
Quote:
Complete scanning result of "virus.bak", received in VirusTotal at 11.01.2006, 11:18:20 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.34 10.31.2006 HEUR/Malware
Authentium 4.93.8 10.31.2006 Possibly a new variant of W32/Trojan-Hupigon-based!Maximus
Avast 4.7.892.0 10.31.2006 Win32:Hupigon-OH
AVG 386 11.01.2006 no virus found
BitDefender 7.2 11.01.2006 Backdoor.Pigeon.IP
CAT-QuickHeal 8.00 10.31.2006 no virus found
ClamAV devel-20060426 11.01.2006 no virus found
DrWeb 4.33 11.01.2006 BackDoor.Pigeon.36
eTrust-InoculateIT 23.73.42 11.01.2006 no virus found
eTrust-Vet 30.3.3172 11.01.2006 no virus found
Ewido 4.0 10.31.2006 Backdoor.Hupigon.36
Fortinet 2.82.0.0 11.01.2006 W32/Hupigon.BC!tr
F-Prot 3.16f 10.31.2006 Possibly a new variant of W32/Trojan-Hupigon-based!Maximus
F-Prot4 4.2.1.29 10.31.2006 W32/Trojan-Hupigon-based!Maximus
Ikarus 0.2.65.0 10.31.2006 no virus found
Kaspersky 4.0.2.24 11.01.2006 Backdoor.Win32.Hupigon.pv
McAfee 4885 10.31.2006 BackDoor-AWQ.b
Microsoft 1.1609 11.01.2006 no virus found
NOD32v2 1.1846 10.31.2006 no virus found
Norman 5.80.02 10.31.2006 W32/Hupigon.QOT
Panda 9.0.0.4 11.01.2006 Suspicious file
Sophos 4.10.0 10.26.2006 Troj/GrayBr-Gen
TheHacker 6.0.1.109 10.30.2006 no virus found
UNA 1.83 10.31.2006 Backdoor.Hupigon.A697
VBA32 3.11.1 10.31.2006 BackDoor.Pigeon.36
VirusBuster 4.3.15:9 10.31.2006 no virus found


Additional Information
File size: 326656 bytes
MD5: dfb0088364e02414a01527b0ebd49214
SHA1: b89f5a81cafb6b0a59eb616b2e52ce5ae5d87a44
packers: ASPack
packers: ASPACK
packers: Aspack

It has been months and as you see this virus was added to some of the programs that didn't know about it back then. So what about ClamAV?

And again I ask where is NAV in this list (which does recognize it)?

Thanks!

P.S.
It doesn't matter (both for that online check and for ClamWin itself) that I've renamed it from "2.exe" to "virus.bak" (so I wouldn't click on it by mistake), right?
Virus Submission
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
I believe ClamAV at one time had the capability for knowledgeable users to add to the virus signatures that are on their personal machines. I don't know if you can/could do this with ClamWin. If this capability still exists, and if ClamWin has it, you can add it to yours by using the proper procedures--if you could get the signature from VirusTotal or elsewhere.

Regards,
lwc


Joined: 17 Apr 2006
Posts: 69
As you see in the line that opened this whole topic - I have sent the actual virus to ClamAV and later to alch, which is why I wonder why nothing changed all these months.
Why Virus Sigs Not Updated
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
Since we're not part of either the ClamAV or the ClamWin teams, we can't really tell why it hasn't been added. ClamAV is responsible for the database, and they do a pretty good job. They have been updating like mad recently--with over 74,000 signatures now. They update more frequently than many of the commercial AV programs, but their time is limited, and as Alch said, they have to concentrate upon the most prevalent malware signatures. It might help the entire AV industry if there was a common naming scheme, and if the AV companies shared signature information. Otherwise, there is a lot of duplication of effort/cost as is the case now.

I noticed in the additional information at the end of your VirusTotal report that the malware may have been packed/compressed with something called "Aspack." If that's true, then perhaps ClamAV doesn't yet support it, and that is your reason. Each packer requires separate code, I believe, and there are so many different packing schemes around. They now support quite a few packers, and version 0.90 promises a few more.

I saw that VirusTotal used 27 different AV programs, and 10 of them, including ClamWin, didn't find the virus.

Hope this helps.

Regards,
lwc


Joined: 17 Apr 2006
Posts: 69
Who's "we"? Thanks for the info, but do you know where's NAV in this list?
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
You were asking why the virus you found was included in the ClamAV database. "We" are you and I, so since we aren't on the Clam or ClamWin team, we can only guess as to the answer. I offered my best guess, but it certainly isn't an "official" answer.

You will have to check with the administrator of the site to which you submitted the virus sample to find out why certain antivirus software was omitted from their test. I can give you my best guess, but I don't think you want that--eh?

Regards,
lwc


Joined: 17 Apr 2006
Posts: 69
A new year has come upon us (and I hope in one year I won't say "come and gone") and still ClamAV is among the only antiviruses that don't recognize this virus...

Quote:
Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 BDS/Pigeon.IP
Authentium 4.93.8 01.12.2007 Possibly a new variant of W32/Trojan-Hupigon-based!Maximus
Avast 4.7.936.0 01.13.2007 Win32:Hupigon-OH
AVG 386 01.15.2007 no virus found
BitDefender 7.2 01.15.2007 Backdoor.Pigeon.IP
CAT-QuickHeal 9.00 01.12.2007 no virus found
ClamAV devel-20060426 01.15.2007 no virus found
DrWeb 4.33 01.15.2007 BackDoor.Pigeon.775
eSafe 7.0.14.0 01.15.2007 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.113 01.13.2007 no virus found
eTrust-Vet 30.3.3329 01.15.2007 no virus found
Ewido 4.0 01.14.2007 Backdoor.Hupigon.36
Fortinet 2.82.0.0 01.13.2007 W32/Hupigon.BC!tr
F-Prot 3.16f 01.12.2007 Possibly a new variant of W32/Trojan-Hupigon-based!Maximus
F-Prot4 4.2.1.29 01.12.2007 W32/HupigonX.JUN
Ikarus T3.1.0.27 01.09.2007 Backdoor.Win32.Hupigon.pv
Kaspersky 4.0.2.24 01.15.2007 Backdoor.Win32.Hupigon.pv
McAfee 4938 01.12.2007 BackDoor-AWQ.b
Microsoft 1.1904 01.15.2007 no virus found
NOD32v2 1980 01.15.2007 no virus found
Norman 5.80.02 01.15.2007 W32/Hupigon.QOT
Panda 9.0.0.4 01.14.2007 Suspicious file
Prevx1 V2 01.15.2007 no virus found
Sophos 4.13.0 01.13.2007 Troj/GrayBr-Gen
Sunbelt 2.2.907.0 01.12.2007 no virus found
TheHacker 6.0.3.148 01.14.2007 no virus found
UNA 1.83 01.12.2007 Backdoor.Hupigon.8C6A
VBA32 3.11.2 01.15.2007 BackDoor.Pigeon.36
VirusBuster 4.3.19:9 01.15.2007 no virus found
Undetected Virus
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
I see that Microsoft, NOD 32, and E-Trust still don't detect the virus either. If you want to help Clam get it into its database, I suggest that you send a zipped sample of the virus to ClamAV. Go to Web page http://cgi.clamav.net/sendvirus.cgi.

Regards,
lwc


Joined: 17 Apr 2006
Posts: 69
Quote:
I suggest that you send a zipped sample of the virus to ClamAV.

Hmm...here's the line that opened up this entire topic...
Quote:
When I saw you can't detect it, I submitted it to ClamAV but it has been a while and they didn't even confirm the submission to my e-mail!


Quote:
I see that Microsoft, NOD 32, and E-Trust still don't detect the virus either.

All the more reason to detect it. You want to be one of the best, not one of the worst.
Unrecognized Virus
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
'Peers to me that ClamAV is oriented toward large capacity email service providers. It looks like they get first preference.

If that is true, it might be a good reason for ClamWin to have a separate signature database specific to Windows PC users, but that would be hard to do--where do you draw the line and avoid duplication?

It also 'peers to me that the antivirus industry would be better off using a common signature database. It would certainly eliminate some confusion and make sure they are all on the right page. Why don't they all contribute to a World Wide Signature Effort? But that might put a lot of virus signature maintenance people out of jobs--eh?

If you want to go to the time/trouble, you can learn to update the signatures yourself. According to bOne, Clam can use MD5 hashes, and I believe VIRUSTOTAL provides an MD5 hash.

Regards,
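As an added example (not code from GuitarBob, lwc, or the ClamWin/ClamAV projects), the Python script below does what the post above describes: it builds a ClamAV `.hdb` hash-signature record, whose format is `MD5:FileSize:SignatureName`, from an MD5 and file size such as the ones VirusTotal prints in the reports quoted in this thread, and then checks files against a loaded `.hdb` database the way a hash lookup works. It also settles the earlier question about renaming "2.exe" to "virus.bak": the record is computed from the file content alone, so the filename does not affect a match, while changing even one byte of content does. The sample bytes (`SAMPLE`, harmless filler, not the Hupigon binary) and the signature names are constructed for this example; the MD5 and size in `main` are the ones from the VirusTotal report above.

```python
import hashlib
import os
import tempfile

# ClamAV .hdb hash-signature format, one record per line:
#     <md5 of the whole file>:<file size in bytes>:<signature name>
# A custom database is loaded with:  clamscan -d custom.hdb <file>


def md5_and_size(path):
    """Hash the file content in chunks; the filename plays no part."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def hdb_record(md5_hex, size, name):
    """Build one .hdb line from values copied out of a scan report."""
    md5_hex = md5_hex.strip().lower()
    if len(md5_hex) != 32 or any(c not in "0123456789abcdef" for c in md5_hex):
        raise ValueError("MD5 must be 32 hex digits")
    if size <= 0:
        raise ValueError("size must be the positive file size in bytes")
    if not name or ":" in name or any(c.isspace() for c in name):
        raise ValueError("signature name must be non-empty, with no ':' or whitespace")
    return f"{md5_hex}:{size}:{name}"


def hdb_record_for_file(path, name):
    """Same record, but computed locally from the file itself."""
    md5_hex, size = md5_and_size(path)
    return hdb_record(md5_hex, size, name)


def parse_hdb(text):
    """Load .hdb text into a {(md5, size): name} lookup; blank and '#' lines are skipped."""
    db = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected md5:size:name")
        md5_hex, size, name = parts
        db[(md5_hex.lower(), int(size))] = name
    return db


def scan_file(db, path):
    """Return the matching signature name, or None.

    The size in the record is what lets a real scanner skip hashing files of
    any other length; here the (md5, size) pair is simply looked up."""
    return db.get(md5_and_size(path))


# Constructed stand-in for a sample (harmless filler, NOT the binary from the thread).
SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed test content " * 40


def rename_demo():
    """Same bytes under two names both match; one changed byte does not."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "2.exe")
        renamed = os.path.join(d, "virus.bak")
        patched = os.path.join(d, "patched.bak")
        for p in (original, renamed):
            with open(p, "wb") as f:
                f.write(SAMPLE)
        with open(patched, "wb") as f:
            f.write(SAMPLE[:-1] + b"!")  # same size, last byte differs
        db = parse_hdb(hdb_record_for_file(original, "Test.Hash.Sig") + "\n")
        return scan_file(db, original), scan_file(db, renamed), scan_file(db, patched)


if __name__ == "__main__":
    # MD5 and size as printed in the VirusTotal report quoted in this thread;
    # the signature name is an arbitrary local choice.
    print(hdb_record("dfb0088364e02414a01527b0ebd49214", 326656, "Backdoor.Hupigon.Local"))
    print(rename_demo())
```

Write the printed record to a file ending in `.hdb` and run `clamscan -d custom.hdb virus.bak` to check it locally. Two caveats a practitioner would add: a whole-file MD5 only matches this exact packed binary, so a repacked or slightly altered variant of the same backdoor walks straight past it (which is why it complements, and does not replace, a real signature from the ClamAV team), and an MD5 copied from a third-party report should be checked against the locally computed one with `hdb_record_for_file` before it is trusted.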
lwc


Joined: 17 Apr 2006
Posts: 69
What bothers me is the lack of NAV in this list (at least I can't spot it) as while it may be an annoying program it's still mainstream enough to find info based on its brand names for viruses.

Anyway, you're certainly not the first one to realize that, and there were many articles about it, but so far they can't come to an agreement. Kind of like DVD+, DVD- and DVD-RAM, which is so insane that while they're fighting, even newer formats keep coming out like HD-DVD and Blu-ray Disc. I guess the days of VHS vs. Beta, when the loser disappeared pretty quickly and without a trace, are gone. Then again, maybe it's easier to support multiple types of digital media (especially in a computer drive) than it was to support multiple types of analog media.

BTW, out of curiosity, why do you bother creating a different subject (let alone a subject) to each of your posts? :)