ClamWin Free Antivirus
Support and Discussion Forums
Reported trojan never added to virus database...
Thor__


Joined: 13 Sep 2009
Posts: 0
I have reported a Trojan 3 times now and it has yet to be added to the virus databases. What do I need to do to get this thing added?? I used the report tool and zipped the file with a password of "virus". The zip file name is setup3517.zip and the executable is setup3517.exe. This file is all over Usenet, posted by the tens of thousands.

Here is the VirusTotal link: https://www.virustotal.com/analisis/b34aa298e8d6f7a800b74baabfb91a3b279eb9ffa2dd207998470929e25e5436-1249807408

ClamAV recognizes the Trojan:
ClamAV 0.94.1 2009.08.07 Trojan.Spy-57497

My old 7.5 version of AVG sees the trojan and its databases are from 4-30-09.

I have looked in this file with a hex editor and it is plainly a password stealer for many programs. I am using Windows 98SE, manual scan from Windows Explorer.


Thor
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You said that Clam AV recognizes the trojan. If that is the case, then there is no reason for Clam to add it to the database for Clam AV and ClamWin. Clam (and all AVs) may have their own names for viruses--they don't all use the same names all the time, so they are probably calling it something different than AVG, or Norton, or NOD32, etc.

Regards,
Thor__


Joined: 13 Sep 2009
Posts: 0
GuitarBob wrote:
You said that Clam AV recognizes the trojan. If that is the case, then there is no reason for Clam to add it to the database for Clam AV and ClamWin. Clam (and all AVs) may have their own names for viruses--they don't all use the same names all the time, so they are probably calling it something different than AVG, or Norton, or NOD32, etc.

Regards,



ClamWin does NOT recognize this trojan. ClamWin is what I use and I would like ClamWin to recognize this trojan. According to the VirusTotal report, ClamAV version 0.94.1 with a database dated 2009.08.07 recognizes the trojan as Trojan.Spy-57497. I do not have ClamAV; I understand that ClamWin uses a portion of ClamAV.

Moments ago I updated the virus database,

ClamAV update process started at Mon Sep 14 02:13:35 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
Downloading daily-9802.cdiff [100%]
Downloading daily-9803.cdiff [100%]
daily.cld updated (version: 9803, sigs: 77662, f-level: 43, builder: ccordes)
Database updated (622697 signatures) from database.clamav.net (IP: 194.109.6.97)

I just scanned the single known trojan,

Scan Started Mon Sep 14 02:14:21 2009
-------------------------------------------------------------------------------


----------- SCAN SUMMARY -----------
Known viruses: 622027
Engine version: 0.95.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 3.52 MB
Data read: 1.18 MB (ratio 2.98:1)
Time: 8.790 sec (0 m 8 s)

--------------------------------------
Completed
--------------------------------------


The file is named setup3517.exe and it is in fact a trojan, and ClamWin, as you can plainly see, does not detect the trojan. Therefore, as ClamWin does not detect the trojan, it should be added to the database.



Thor
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I'm sorry--I thought you said that the virus was already detected. I suggest you try one more time to submit it to Clam, and make sure you get the message at the end that says it was accepted. If your previous submissions were accepted, and no signature was prepared, something must have happened to keep them from preparing a signature. Did you ever get an email message about it (you can select on the form to be notified)? So please try one more time, and if you don't get an email in a couple of days, get back here. The email may be rather long, so you will have to look at the submission from our name.

ClamWin uses the scanning engine and signature database from Clam AV, so it is heavily dependent upon Clam AV.

Regards,
Thor__


Joined: 13 Sep 2009
Posts: 0
The virus reporting tool went as it should have, with the exception of a confirmation email. I don't think I would get confirmation if the virus is already in the databases though.

As it turns out, the virus is already in the database. I went back a couple of versions and those detect the virus. Version 0.95.2 has some sort of issue, both the installable and the portable versions, so I am now using version 0.95.1 for the time being. I will just have to be more careful about zips and rars with this version until the 0.95.2 bug gets ironed out.

Hmm, I stand corrected. I just zipped and rarred this file and the older versions do not detect it either; they do detect the raw exe. Version 0.95.2 did not detect the raw exe or an archive of this particular virus. I am using WinZip version 7 and WinRAR 3.51.

I just zipped and rarred three different viruses to three separate archives and they are all detected by all three of the versions of ClamWin I have, going back to 0.94.1. I also tried using PKZIP command line version 2.04g on the original topic trojan and all versions still fail to detect the trojan. I looked at the trojan in my hex editor again and I just don't see what, if any, packer it is using.

What a nasty little trojan eh?


Thor
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Did you send the exe file to Clam or the rar file? I guess it really shouldn't matter, though.

Regards,
Thor__


Joined: 13 Sep 2009
Posts: 0
GuitarBob wrote:
Did you send the exe file to Clam or the rar file? I guess it really shouldn't matter, though.

Regards,


Solved by the developers, alch, I think?

ClamWin configuration. Limits, Do Not Extract More Than, change from 5 to 100, Sub-Archives.

Now almost everything works as it should. I have another thread on my other minor complaint about the scan summary not showing it skipped password protected files.

Thanks for the help,
Thor
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Yes, I see. You don't often have something that is archived that deeply. Perhaps it is an email bomb. I have seen one, and it might be better to get a signature for the raw file in that case.

Regards,
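The effect of the sub-archive limit that resolved this thread, and of skipped items not appearing in a scan summary, shown as an added example that is not part of any post and is not ClamWin or ClamAV code. `MARKER`, `nest`, `scan` and `verdict` are hypothetical names, the sample archive is constructed, and the limit models the idea of the setting rather than ClamAV's exact counting.

```python
import io
import zipfile

# Constructed, harmless stand-in for bytes a signature would match.
MARKER = b"CONSTRUCTED-TEST-MARKER"

def nest(payload: bytes, layers: int) -> bytes:
    """Wrap payload in `layers` nested ZIP containers (constructed sample)."""
    data, name = payload, "setup.bin"
    for level in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{level}.zip"
    return data

def scan(data: bytes, max_recursion: int, depth: int = 0, path: str = "<input>"):
    """Return (hits, skipped): leaf files matching MARKER, and anything unopened."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Toy matcher: only extracted leaf files are checked.
        return ([path] if MARKER in data else []), []
    if depth >= max_recursion:
        # Limit reached: record it instead of silently treating it as clean.
        return [], [f"{path} (recursion limit {max_recursion})"]
    hits, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}"
            if info.flag_bits & 0x1:  # bit 0 set: entry is password-protected
                skipped.append(f"{member} (encrypted)")
                continue
            h, s = scan(zf.read(info), max_recursion, depth + 1, member)
            hits += h
            skipped += s
    return hits, skipped

def verdict(data: bytes, max_recursion: int) -> str:
    """FOUND, CLEAN, or INCOMPLETE when part of the input was never inspected."""
    hits, skipped = scan(data, max_recursion)
    if hits:
        return "FOUND"
    return "INCOMPLETE" if skipped else "CLEAN"

if __name__ == "__main__":
    sample = nest(MARKER, 6)  # six layers: one more than a limit of 5 opens
    for limit in (5, 100):
        print(limit, verdict(sample, limit), scan(sample, limit))
```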