adi_bun

A little bit disappointed of KL virus researchers

Some days ago I sent many samples of suspicious, possibly malicious executables to newvirus@kaspersky.com. For one sample (Punisher Trojan Client.exe) I'm sure that it's really a trojan, since other a-v software detects it. I received an answer that it's not:

KL: Hello,

funny.exe, Yahoo_Online_Offline.exe, YMAR.exe, YMSG12ENCRYPT.dll, BoringPMSender.exe, Bots.txt, MSWINSCK.OCX, Read Me.txt, YMSG12ENCRYPT.dll, getpass.exe, Read Me.txt, actskin4.ocx, Sharp IP Getter.exe, Open.wav, Bot List.txt, LVBUTTONS.OCX, mod de folosire.txt, MSWINSCK.OCX, Read Me.txt, YMSG12ENCRYPT.dll, Punisher Trojan Client.exe, MSCOMCTL.OCX, MSWINSCN.OCX, TABCTL3N.OCX, svchosts.exe, update.exe, YaError Gold Edition.exe, SerVer DEMO.exe, Servers.txt, setup.exe, skull2.ani, HackerzBot 1.1.exe, KewlButtonz.oca, KewlButtonz.ocx, mswinsck.ocx, Names.txt, RAMCheat.cnt, RAMCheat.exe, RAMCht-d.cnt, RAMCht-f.cnt

No malicious code was found in these files.

... so I insisted:

ME: Punisher Trojan Client.exe, "no malicious code was found in these files"? Please check again, because other a-v already say that it's a trojan, on virustotal.com.

I didn't get any answer ... so I insisted again :) :

ME: Considering that in the first place you said that this sample (Punisher Trojan Client.exe) doesn't contain any malicious code, although other a-v software detected it (as you can see in my printscreen attached), and in the second e-mail you didn't answer me, I'm forced to send it for analysis again, and I will send it over and over to you until you add signatures for it. I hope this time I will get an answer! Thanks! adi_bun

I know that KL virus researchers are too busy, but this is not the first time that I have got the answer "no malicious software was found" although the samples were viruses, and I had to insist on adding signatures. At least this time I hope to get the correct answer :)

"Correct answer" or the "answer you want": there could be a difference! Just because other AVs detect it as malicious doesn't mean it is; they could be FPs.

Edited by steve195527


There is an old Romanian proverb, "When 3 persons say that you are drunk, go to sleep", so I will say: when 18 of 32 a-v say that it's a trojan, it's a trojan :) It couldn't be an FP because, as you see, in most cases it's detected by their bases, not by proactive detection, so that means that they really analyzed it :)

Edited by adi_bun

Just because one person disagrees with a crowd doesn't always make them wrong (a proverb I just made up!)

KLabs aren't slow (or bad) at analysing samples or adding sigs; if they are genuine threats I have confidence they will be added without you "insisting" on it!

You're right, Steve. Sometimes when I upload a file to virustotal, even if more than 20 scanners say a file is infected and Kaspersky doesn't, I trust Kaspersky.

However, in this case I'd like to differ. Just look at the names. The trojan was flagged with signatures. Also FileAdvisor has detected it. As far as I can remember, it only keeps files that are absolutely known to be safe/malicious in its database. Another thing is that Symantec has also flagged it. As much as people bash it, in almost all tests of av-comparatives it didn't have any FPs at all.

Hi again

They might be genuine threats; all I was trying to point out is that there could be a possibility that they aren't. If they are genuine threats I am confident that KLabs will add them. The thing that has me wondering is that Web-Washer detects it, and that is notorious for FPs along with its very high (best of all) detection rate.

Hello,

It appears that the VirusAnalysts have become quite sleepy. Please ensure that you write a little bit more description detailing the problem and why you think those files are malicious. If you are still getting the "no virus found in this file" verdict, please PM me those samples in a password-protected archive and I will see what I can do.

Thanks Whizard! You're the only one that really helps me and is not trying to say that I'm wrong. I can't write a little bit more description, because I'm not a virus analyst, so I don't know what those samples really do. I got them from a Romanian hacking site, and there is no detailed description there. For example, they say that svchosts.exe is a keylogger and that update.exe is a Yahoo scam. Still waiting for the KL answer...

Edited by adi_bun

Very curious to see where this ends. I too always trust Kaspersky in these cases, but then again they are all human beings.

Just because one person disagrees with a crowd doesn't always make them wrong (a proverb I just made up!)

KLabs aren't slow (or bad) at analysing samples or adding sigs; if they are genuine threats I have confidence they will be added without you "insisting" on it!

Sometimes it's good to insist. Look: I sent an e-mail on 14 JUL 2007, and 'cause I didn't get any answer, I sent a new one on 20 JUL 2007, and for this last one I received an answer on 21 JUL 2007:

ME: This is the second time that I send you this virus, undetected by Kaspersky, because I didn't get any answer from you. The first time I sent it to you was on Jul 14 2007. I have those .exe from a site and they say that it is a "joke" and it will delete your Windows with one click, after restart. I didn't try it, but a friend of mine did and ... it really deletes Windows (and this is not the only effect)! The archive's password is test. Waiting for your answer!

KL: Hello,

folder.exe_,
setup.exe_,
winamp.exe_ - Trojan.Win32.KillWin.da

New malicious software was found in these files. Detection will be included in the next update. Thank you for your help.

Please quote all when answering.

--
Best regards, Dmitry Shvetsov
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com

As Sjoeii said, I understand them because we are all human beings ...

Edited by adi_bun

Thanks Whizard! You're the only one that really helps me and is not trying to say that I'm wrong.

 

I also fully support you here; it has happened to me several times too. Sometimes I continue and send the samples again, sometimes I simply don't care, I don't always have the time to argue about some samples. There was one time where I got in a bit of a fight with one analyst who said that if I sent one more email my address would be banned. On the other hand I sometimes take the time and provide a more detailed analysis report about the sample I send, and sometimes then a senior virus analyst responds back and adds the samples.

There was a time when I was sending quite a lot of samples to different vendors; these days I must confess I mostly upload the samples only to virustotal. Vendors have access to it and they should take care to keep track of it.

Edited by saso

Thanks saso! I will not send them too many e-mails about this, because I don't want to be banned or, worse, to be reported as spam (at Kaspersky or Yahoo). I want to help Kaspersky, but "love with force" is not possible :) This topic is not for blaming Kaspersky a-v researchers (you observed that I didn't write the name of the KL analyst that said it's not malware, to protect them), but I just want to see some signatures added.

Edited by adi_bun

Yes, I am also not blaming anybody here, but there is always room for improvement, even for KL analysts.

Thank you for your feedback everybody, I have passed your comments along to the head VirusAnalyst :)

Thanks Whizard! I still didn't get any answer from KL, so I will send you a link (PM) where I uploaded some samples (including Punisher Trojan). Please let us know what you find...

Edited by adi_bun

Good topic, this happens to me regularly; I send quite a few files for them to analyze. For example, just yesterday I was working on a badly infected PC (I have a computer business) and I sent about 6 files to KL but have not yet received a reply, and today I sent about 15 more without a reply yet. Usually I get a reply within hours and they are malicious and added, but sometimes I have to submit them multiple times to get a reply, and I get the same response as you when I know they are malicious. The analysts ought to know me by name by now; I have a routine for cleaning up malware and regularly find files KAV misses. I'm a reseller for KL, so I want it to be the best.

:D

Sometimes they are swamped with work and unable to reply. As always, the first priority is to address the signatures and then reply. But I will keep tabs on this topic.

Edited by Whizard

Finally, they added signatures for Punisher Trojan Client.exe and, as Whizard said, svchosts is detected by PDM as a keylogger. I would like it to be detected by File Anti-Virus too... Anyway, we are on the right way, let's continue :)

Edited by adi_bun

Thanks Whizard! You're the only one that really helps me and is not trying to say that I'm wrong.

I didn't say you're wrong! In my earlier post, I was disagreeing with Steve.

"Punisher Trojan Client", as its name says, is NOT a trojan. It can't do any harm to the computer of its owner. The file name and analysis tell us that it is the client part of some backdoor named "Punisher Trojan".

However, detecting such software is useful for hosting administrators. They can find out that software harmful to other computers is hosted on their servers.

That is why "Punisher Trojan Client" was detected as HackTool.Win32.VB.nu after adi_bun suggested that.

Even if it's not the server, it's good for it to be detected as malware. Svchosts.exe is a keylogger and I think it's the server, so it would be nice for it to be detected by signatures, and not by PDM when you click on it. PDM is for undetected malware, but they have the .exe from me; they should take advantage and add it, so they can create a disinfect/delete routine.

Edited by adi_bun

I didn't say you're wrong! In my earlier post, I was disagreeing with Steve.

 

Hello Tareq - indeed you were! :rolleyes:

 

Your command of the English language is, I suspect, much better than Adrian's - but he is still a young man and, like a good wine, his English will improve with time! I applaud his persistence in spite of his difficulty with the language! :bravo:

 

Forgive a naive query (to all).

 

Can someone explain how you begin to identify a file carrying malicious code? I don't mean by sending same to VirusTotal.com or virusscan.jotti.org. What is it which makes you suspicious of a particular file in the first place?

 

I'm curious because I put my trust in KAV7 and its Heuristics to alert me to danger. What prompts you to check a specific file? TIA

 

Dave

 

This topic is now closed to further replies.
