False alert or real trojan? How to check
Adamsky
post 1.11.2005 22:52, Post #1
Advanced Member II, Group: Members, Posts: 225, Joined: 17.10.2005
Today I received a mail with an attachment called Rechnung.pdf.exe .... VERY SUSPICIOUS !!!
My host machine's AV (NOD32 2.5.45, latest sigs) detected no threat at all, whereas KIS beta 1 told me the following:

[Attached file: KIS222b_Trojan_alert.JPG]

One of the AVs must be wrong.
Now my question: How can I tell which one ???

PW for Rechnung.pdf.zip is trojanalert

EDIT: It seems I can't put zip files in the post. Is there any way to upload it to the KL ftp server in order to share it ??
grnic
post 1.11.2005 22:55, Post #2
KAV 6.0/8.0 project manager, Group: Members, Posts: 4528, Joined: 16.04.2005
Please send this file to newvirus@kaspersky.com. But I am sure this is a Trojan program.
Adamsky
post 1.11.2005 23:04, Post #3
Advanced Member II, Group: Members, Posts: 225, Joined: 17.10.2005
QUOTE(grnic @ Nov 1 2005, 08:55 PM)
Please send this file to newvirus@kaspersky.com. But I am sure this is a Trojan program.

Done.
In case this is a real trojan and NOD32 couldn't detect it .... OOOUUUUCH !!!!

BTW: I know there are websites to which one can UL files in order to check them with different scanners, but I forgot all the URLs ... anyone ??
DonKid
post 1.11.2005 23:09, Post #4
Forum Elite, Group: Moderators, Posts: 7163, Joined: 19.10.2005, From: São Paulo, Brazil
QUOTE(Adamsky @ Nov 1 2005, 04:04 PM)
Done.
In case this is a real trojan and NOD32 couldn't detect it .... OOOUUUUCH !!!!

BTW: I know there are websites to which one can UL files in order to check them with different scanners, but I forgot all the URLs ... anyone ??

Hi,

http://www.virustotal.com/flash/index_en.html

http://virusscan.jotti.org/

--------------------
When humanity starts to realize that there is no race, creed, politics, money, our planet will be wonderful. Always be a humble person.

Before opening a new topic | GSI Report | Technical Support in Portugal | Technical Support in Brazil | Threatpost | Kaspersky Blog
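As an added example (not code from the thread or from any of the vendors named in it), a first-pass triage in Python for an attachment like the Rechnung.pdf.exe in the opening post: it flags the deceptive double extension, checks the file's magic bytes against what the name claims, and computes the SHA-256 that serves as the lookup key on multi-scanner services such as the ones linked above. The sample bytes are a constructed minimal PE-style header, not the real attachment.

```python
import hashlib
import struct

# Magic bytes a file should start with for the document types attackers like to imitate.
MAGIC = {".pdf": b"%PDF-", ".zip": b"PK\x03\x04", ".doc": b"\xd0\xcf\x11\xe0"}
# Extensions Windows will execute when the attachment is double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def split_extensions(name):
    """Return (real_ext, inner_ext): 'Rechnung.pdf.exe' -> ('.exe', '.pdf')."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return "", ""
    inner = "." + parts[-2] if len(parts) >= 3 else ""
    return "." + parts[-1], inner


def is_pe(data):
    """True if data has an MZ header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(name, data):
    """Collect the cheap, offline indicators for one attachment."""
    real, inner = split_extensions(name)
    findings = []
    if real in EXECUTABLE_EXTS and inner in MAGIC:
        findings.append("double extension: named like %s but executes as %s" % (inner, real))
    if real in MAGIC and not data.startswith(MAGIC[real]):
        findings.append("content does not start with the %s magic bytes" % real)
    if is_pe(data) and real not in EXECUTABLE_EXTS:
        findings.append("PE executable hiding behind a non-executable extension")
    return {
        "name": name,
        "is_pe": is_pe(data),
        "sha256": hashlib.sha256(data).hexdigest(),  # key for a multi-scanner lookup
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample: a bare DOS/PE header (MZ, e_lfanew=0x40, 'PE\0\0'), not malware.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16

if __name__ == "__main__":
    for finding in triage("Rechnung.pdf.exe", FAKE_PE)["findings"]:
        print(finding)
```

A "suspicious" result is a reason to submit the hash or the file to a multi-scanner or the vendor, not a verdict on its own; a clean result only means none of these cheap checks fired.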
saso
post 1.11.2005 23:39, Post #5
Professional II, Group: Gold beta testers, Posts: 3111, Joined: 10.04.2005, From: Ljubljana, Slovenia
QUOTE(Adamsky @ Nov 1 2005, 09:04 PM)
In case this is a real trojan and NOD32 couldn't detect it .... OOOUUUUCH !!!!

Welcome to the wonderful world of Kaspersky.

DonKid
post 2.11.2005 00:01, Post #6
Forum Elite, Group: Moderators, Posts: 7163, Joined: 19.10.2005, From: São Paulo, Brazil
QUOTE(saso @ Nov 1 2005, 04:39 PM)
Welcome to the wonderful world of Kaspersky.

I agree.

When the final version of KIS is ready, I'm going to compare resources, etc., and probably I'll buy a license.

Adamsky
post 2.11.2005 00:02, Post #7
Advanced Member II, Group: Members, Posts: 225, Joined: 17.10.2005
Thanks DonKid ... online analysis turned out VERY mixed results:

[Attached file: results_jotti.JPG]
[Attached file: results_virustotal.jpg]

Finally, I was able to zip & upload Rechnung.pdf.exe, so you can see for yourself: (PW is trojanalert)
[attachment=2193:attachment]

Any comments welcome !!!!

//EDIT: (Graf) attachment was removed. Read my post http://forum.kaspersky.com/index.php?showt...indpost&p=34720
RejZoR
post 2.11.2005 00:21, Post #8
Advanced Member III, Group: Members, Posts: 511, Joined: 23.05.2005, From: Europe\Slovenia\Ljubljana
Adamsky, what's up with the archive? I can't open it so I could submit this sample to ESET.

Could you please re-upload it here http://www.rapidshare.de and this time use password "infected"

Thanks (I hope KL guys don't mind).
Adamsky
post 2.11.2005 00:27, Post #9
Advanced Member II, Group: Members, Posts: 225, Joined: 17.10.2005
@ RejZoR:

I used WinZip 9 SR-1 & 256-bit AES encryption to build the archive ... no problem to open it over here.

EDIT: OK, edited URL above, PW for archive is now "infected"

//EDIT: (Graf) link was removed. Read my post http://forum.kaspersky.com/index.php?showt...indpost&p=34720
Leo Max
post 2.11.2005 00:29, Post #10
Kaspersky Fan I, Group: Gold beta testers, Posts: 1363, Joined: 26.05.2005, From: California, USA
QUOTE(Adamsky @ Nov 1 2005, 01:27 PM)
I used WinZip 9 SR-1 & 256-bit AES encryption to build the archive ... no problem to open it over here.

That's because old versions sometimes don't work with new ones. Like I once used maximum compression and some guys could not open it with older versions.
RejZoR
post 2.11.2005 00:30, Post #11
Advanced Member III, Group: Members, Posts: 511, Joined: 23.05.2005, From: Europe\Slovenia\Ljubljana
WinZIP 10 is creating weird archives. I'm using 7-zip (4.29 beta), which is constantly having problems just with WinZIP 10 archives...

EDIT:
And some WinZIP 9 archives too...

Just upload it in uncompressed form and I'll deal with it anyway...
Adamsky
post 2.11.2005 00:34, Post #12
Advanced Member II, Group: Members, Posts: 225, Joined: 17.10.2005
RejZoR, here comes the uncompressed AND PROBABLY INFECTED version:

//EDIT: (Graf) link was removed. Read my post http://forum.kaspersky.com/index.php?showt...indpost&p=34720
RejZoR
post 2.11.2005 00:36, Post #13
Advanced Member III, Group: Members, Posts: 511, Joined: 23.05.2005, From: Europe\Slovenia\Ljubljana
It's still not working. Never mind, I'll download the WinZIP 10 trial to deal with this one... thanks for your time.

EDIT:
OK, thanks for the sample. I already submitted it to ESET.
Adamsky
post 2.11.2005 00:59, Post #14
Advanced Member II, Group: Members, Posts: 225, Joined: 17.10.2005
Thank you for your support ...
Now I'm definitely curious if it's malware or not (if so, I'll be losing most of my faith in NOD32, but let's first see what happens).
DonKid
post 2.11.2005 01:29, Post #15
Forum Elite, Group: Moderators, Posts: 7163, Joined: 19.10.2005, From: São Paulo, Brazil
As grnic said, it's a trojan.

I have submitted some files to Eset last week and until now, they didn't add them to the database.
I knew KAV a long time ago, and when I started testing KIS, I found a trojan at my job (the kind that steals your bank account) and another called open connection.
I must say KL support was great and since then, I'm testing this beta.
I don't want to compare both AVs, but I really hope KIS will improve regarding resources, so in May, when my NOD32 license expires, I can buy a new one from KL.

Can anyone tell me if KIS or KAV detects lots of viruses using AH, or is their database the main success?

P.S. I don't mind if KIS or KAV are in the English version, but if it could have a Brazilian version or more marketing here, maybe KL can sell more licenses here.

Best Regards,

DonKid.

saso
post 2.11.2005 01:34, Post #16
Professional II, Group: Gold beta testers, Posts: 3111, Joined: 10.04.2005, From: Ljubljana, Slovenia
QUOTE(Adamsky @ Nov 1 2005, 10:59 PM)
Thank you for your support ...
Now I'm definitely curious if it's malware or not (if so, I'll be losing most of my faith in NOD32, but let's first see what happens).

You should not be too critical, it is actually quite normal for any AV.

DonKid
post 2.11.2005 01:37, Post #17
Forum Elite, Group: Moderators, Posts: 7163, Joined: 19.10.2005, From: São Paulo, Brazil
QUOTE(saso @ Nov 1 2005, 06:34 PM)
You should not be too critical, it is actually quite normal for any AV.

You are right.
I have seen this a lot of times. Sometimes NOD32 by AH is ahead and sometimes KAV is ahead.

Leo Max
post 2.11.2005 01:46, Post #18
Kaspersky Fan I, Group: Gold beta testers, Posts: 1363, Joined: 26.05.2005, From: California, USA
QUOTE(DonKid @ Nov 1 2005, 02:37 PM)
You are right.
I have seen this a lot of times. Sometimes NOD32 by AH is ahead and sometimes KAV is ahead.

Most of the time KAV is at the top.
Adamsky
post 2.11.2005 01:48, Post #19
Advanced Member II, Group: Members, Posts: 225, Joined: 17.10.2005
QUOTE
You should not be too critical, it is actually quite normal for any AV.

I know, I know ... but a single real-life experience sometimes has more impact than reading 1000 test results (especially when your own system is about to go to hell).

Admittedly not a very scientific approach, but I bet you know what I mean.
DonKid
post 2.11.2005 02:12, Post #20
Forum Elite, Group: Moderators, Posts: 7163, Joined: 19.10.2005, From: São Paulo, Brazil
QUOTE(Leo Max @ Nov 1 2005, 06:46 PM)
Most of the time KAV is at the top.

I agree with you too.
That's why I'm waiting to see the resources at the final version.
