
False alert or real trojan ?


Adamsky   

Today I received a mail with an attachment called Rechnung.pdf.exe .... VERY SUSPICIOUS !!!

My host machine's AV (NOD32 2.5.45, latest sig's) detected no threat at all :mellow: , whereas KIS beta 1 told me the following:

 

One of the AVs must be wrong :unsure:

Now my question: How can I tell which one ???

 

PW for Rechnung.pdf.zip is trojanalert

 

EDIT: It seems I can't put zip files in the post. Is there any way to upload it to the KL FTP server in order to share it?
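The first post already contains the two defender-side signals that do not depend on which AV is right: a document-looking name that ends in an executable extension, and content that can be checked against what the name claims. The following is an added example, not code from the thread or from either vendor; the extension lists, the magic-byte table and the sample byte strings are assumptions constructed for illustration, not the bytes of the file discussed above.

```python
# Added example: mail-gateway style triage of an attachment by filename and
# leading bytes, independent of any AV verdict. Lists are assumed, not exhaustive.

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}  # assumed
DECOY_EXTS = {"pdf", "doc", "xls", "jpg", "txt", "zip"}                     # assumed

# Leading-byte signatures ("magic") for the types that matter here
MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"PK\x03\x04": "zip"}

# Constructed sample heads; NOT the bytes of the Rechnung.pdf.exe from the thread
SAMPLE_PE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
SAMPLE_PDF_HEAD = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"


def sniff_type(head: bytes) -> str:
    """Identify the content type from its leading bytes, or 'unknown'."""
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return "unknown"


def triage_attachment(filename: str, head: bytes) -> list[str]:
    """Return the reasons an attachment should be held for review.

    Signature scanners can disagree (as the two AVs in the thread do); these
    structural checks fire on a name like Rechnung.pdf.exe regardless.
    """
    reasons = []
    exts = filename.lower().split(".")[1:]      # every extension after the base name
    last = exts[-1] if exts else ""
    if len(exts) >= 2 and last in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS:
        reasons.append(f"double extension: .{exts[-2]} decoy before .{last}")
    kind = sniff_type(head)
    if kind == "pe":
        reasons.append("content is a Windows executable (MZ header)")
        if last not in EXECUTABLE_EXTS:
            reasons.append(f"PE header behind non-executable extension .{last or '(none)'}")
    elif last == "pdf" and kind != "pdf":
        reasons.append(f"claims .pdf but content type is {kind}")
    return reasons


if __name__ == "__main__":
    for name, head in [("Rechnung.pdf.exe", SAMPLE_PE_HEAD), ("Rechnung.pdf", SAMPLE_PDF_HEAD)]:
        print(name, "->", triage_attachment(name, head) or "no structural findings")
```

A policy that quarantines on any non-empty result catches the attachment in the thread even on the day no scanner has a signature for it.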

Adamsky   
Please, send this file to the newvirus@kaspersky.com. But I am sure - this is a Trojan program.

 

Done.

In case this is a real trojan and NOD32 couldn't detect it .... OOOUUUUCH !!!!

 

BTW: I know there are websites to which one can UL files in order to check them with different scanners, but I forgot all the URLs :P ... anyone ??

DonKid   
Done.

In case this is a real trojan and NOD32 couldn't detect it .... OOOUUUUCH !!!!

 

BTW: I know there are websites to which one can UL files in order to check them with different scanners, but I forgot all the URLs  :P  ... anyone ??

 

Hi,

 

http://www.virustotal.com/flash/index_en.html

 

http://virusscan.jotti.org/

saso   
In case this is a real trojan and NOD32 couldn't detect it .... OOOUUUUCH !!!!

 

Welcome to the wonderful world of Kaspersky ;)

DonKid   
Welcome to the wonderful world of Kaspersky ;)

 

I agree.

 

When the final version of KIS is ready, I'm going to compare resources, etc., and probably I'll buy a license.

Adamsky   
Thanks DonKid ... online analysis turned out VERY mixed results:

 


 

Finally, I was able to zip & upload Rechnung.pdf.exe, so you can see for yourself: (PW is trojanalert)

 

 

Any comments welcome !!!!

 

//EDIT: (Graf) attachment was removed. Read my post http://forum.kaspersky.com/index.php?showt...indpost&p=34720

RejZoR   

Adamsky, what's up with the archive? I can't open it so I could submit this sample to ESET.

 

Could you please re-upload it here http://www.rapidshare.de and this time use password "infected"?

 

Thanks (I hope KL guys don't mind).

Leo Max   
I used WinZip 9 SR-1 & 256-bit AES encryption to build the archive ... no problem to open it over here :huh:

 

That's because old versions sometimes don't work with new ones. Like once I used maximum compression and some guys could not open it with older versions. ;)

RejZoR   

WinZIP 10 is creating weird archives. I'm using 7-Zip (4.29 beta), which is constantly having problems just with WinZIP 10 archives...

 

EDIT:

And some WinZIP 9 archives too...

 

Just upload it in uncompressed form and I'll deal with it anyway...

RejZoR   

It's still not working. Never mind, I'll download the WinZIP 10 trial to deal with this one... thanks for your time :)

 

EDIT:

Ok, thanks for the sample. I already submitted it to ESET :)

Adamsky   

Thank you for your support ...

Now I'm definitely curious if it's malware or not (if so, I'll be losing most of my faith in NOD32, but let's first see what happens <_<)

DonKid   

As Grnic said, it's a trojan.

 

I have submitted some files to ESET last week and until now they didn't add them to the database.

I knew KAV a long time ago, and when I started testing KIS, I found a trojan at my job (one of those that steal your bank account) and another called open connection.

I must say KL support was great and since then I'm testing this beta.

I don't want to compare both AVs, but I really hope KIS will improve regarding resources, so in May, when my NOD32 license expires, I can buy a new one from KL.

 

Can anyone tell me if KIS or KAV detects lots of viruses using AH, or is their database the main success?

 

P.S. I don't mind if KIS or KAV are in the English version, but if there could be a Brazilian version or more marketing here, maybe KL can sell more licenses here :D

 

Best Regards,

 

DonKid.

saso   
Thank you for your support ...

Now I'm definitely curious if it's malware or not (if so, I'll be losing most of my faith in NOD32, but let's first see what happens <_<)

 

You should not be too critical; it is actually quite normal for any AV.

DonKid   
You should not be too critical; it is actually quite normal for any AV.

 

You are right.

I have seen this a lot of times. Sometimes NOD32 by AH is ahead and sometimes KAV is ahead.

Adamsky   
You should not be too critical; it is actually quite normal for any AV.

I know, I know ... but a single real-life experience sometimes has more impact than reading 1000 test results (especially when your own system is about to go to hell).

 

Admittedly not a very scientific approach, but I bet you know what I mean ;)

saso   
You are right.

I have seen this a lot of times. Sometimes NOD32 by AH is ahead and sometimes KAV is ahead.

 

When you use AH, you mean advanced heuristics, right? I should warn you that in the Kaspersky forum this can cause some confusion, because here we normally use AH for Anti-Hacker.

Graf   

@Adamsky:

 

It's not declared in the forum rules, but I think it is obvious:

 

Publishing here links to malware samples is forbidden. :angry:

(passworded or not)

 

Please, don't do this again. In case of high urgency you can use Personal Message service.

But remember, even in this case your action can be considered as "malware distribution" :o

DonKid   
When you use AH, you mean advanced heuristics, right? I should warn you that in the Kaspersky forum this can cause some confusion, because here we normally use AH for Anti-Hacker.

 

You're right...

I was talking about advanced heuristics.


So is it fair to say that the best way to avoid malware is by downloading software only from trusted sources, or downloading only "popular" software? And even then you're of course not completely safe. <_<

 

Don't get me wrong, I'm not paranoid and I haven't had malware on my system in years, but it still bothers me a bit that AV/ATs can still miss malware. Would an IPS be able to prevent malware from installing if an AT/AV missed it?
