
Thread: VirusTotal, Malwarebytes

  1. #1
    Lil' Abner Guest

    VirusTotal, Malwarebytes

    I downloaded
    41.Yr.Virgin.Who.Knocked.Up.Sarah.Marshall;Felt.Superbad.LKRG136943.exe,
    knowing, of course, that it would be infected with *something*. Microsoft
    Security Essentials liked it OK so I sent it to VirusTotal where it scored
    zilch (0/43).
    So I installed it on a throwaway copy of XP and actually had to kill the
    installation file with task manager. And that still left a random exe file
    running and eating up about 85% of the processor. So I killed that one too
    and then ran MalwareBytes on it.
    It found:
    Trojan.Backdoor.Gen (4)
    Trojan.Agent.Gen (5)
    Trojan.Agent (1)
    Bifrose.Trace (1)
    MalwareBytes cleaned it up fine with a reboot.
    IMO that says quite a bit for MBAM and very little for 43 antivirus
    companies.
    At least it wasn't one of those rogue security apps that I usually get when
    I play this game... :-)

    --
    --- Everybody has a right to my opinion. ---

  2. #2
    David H. Lipman Guest

    Re: VirusTotal, Malwarebytes

    From: "Lil' Abner" <blvstk@dogpatch.com>

    | I downloaded
    | 41.Yr.Virgin.Who.Knocked.Up.Sarah.Marshall;Felt.Superbad.LKRG136943.exe,
    | knowing, of course, that it would be infected with *something*. Microsoft
    | Security Essentials liked it OK so I sent it to VirusTotal where it scored
    | zilch (0/43).
    | So I installed it on a throwaway copy of XP and actually had to kill the
    | installation file with task manager. And that still left a random exe file
    | running and eating up about 85% of the processor. So I killed that one too
    | and then ran MalwareBytes on it.
    | It found:
    | Trojan.Backdoor.Gen (4)
    | Trojan.Agent.Gen (5)
    | Trojan.Agent (1)
    | Bifrose.Trace (1)
    | MalwareBytes cleaned it up fine with a reboot.
    | IMO that says quite a bit for MBAM and very little for 43 antivirus
    | companies.
    | At least it wasn't one of those rogue security apps that I usually get when
    | I play this game... :-)

    LOL - If you got it from Usenet binaries, You're Welcome.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  3. #3
    siljaline Guest

    Re: VirusTotal, Malwarebytes

    Lil' Abner wrote:
    <snip>

    Report the Torrent to the tracker if you pulled the Warez off a site.

    Your options >

    <http://www.wilderssecurity.com/showpost.php?p=1533481&postcount=3>

    Good luck & get a decent AV - I don't like MSE, but, that's just me.

    Silj

    --
    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neal Stephenson, _Cryptonomicon_





  4. #4
    David H. Lipman Guest

    Re: VirusTotal, Malwarebytes

    From: "siljaline" <spam@uce.gov>

    | Lil' Abner wrote:
    | <snip>

    | Report the Torrent to the tracker if you pulled the Warez off a site.

    The name of the file is a Social Engineering construct I am familiar with and I doubt it
    came from a Warez site. That naming convention is typical of the type of files I find
    quite often in the Usenet binaries and I'll bet that is where it came from.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  5. #5
    Lil' Abner Guest

    Re: VirusTotal, Malwarebytes

    "siljaline" <spam@uce.gov> wrote in news:huul4a$akp$1@news.eternal-
    september.org:

    > Lil' Abner wrote:
    ><snip>
    >
    > Report the Torrent to the tracker if you pulled the Warez off a site.

    It came from a binary newsgroup

    > Good luck & get a decent AV - I don't like MSE, but, that's just me.

    The main thing I don't like about MSE is that it gets process hungry every
    once in a while. I really don't have a problem with viruses and malware
    since I spend most of my time cleaning up other people's computers. I may
    go back to Avira but I'm surely not going to pay for anything.
    I *do* download an obvious one once in a while. Even though I do scan it I
    still won't run it on my own machine even if it appears to be clean.
    That one I ran on another machine and sure enough, it was nasty.

    --
    --- Everybody has a right to my opinion. ---

  6. #6
    David H. Lipman Guest

    Re: VirusTotal, Malwarebytes

    From: "Lil' Abner" <blvstk@dogpatch.com>

    | It came from a binary newsgroup

    Bingo! :-)

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  7. #7
    siljaline Guest

    Re: VirusTotal, Malwarebytes

    David H. Lipman wrote:
    > From: "siljaline" <spam@uce.gov>
    >
    > | Lil' Abner wrote:
    > | <snip>
    >
    > | Report the Torrent to the tracker if you pulled the Warez off a site.
    >
    > The name of the file is a Social Engineering construct I am familiar with and I doubt it
    > came from a Warez site. That naming convention is typical of the type of files I find
    > quite often in the Usenet binaries and I'll bet that is where it came from.


    Noted.

    Usenet for binaries, oi !

    Silj

    --
    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neal Stephenson, _Cryptonomicon_


  8. #8
    David H. Lipman Guest

    Re: VirusTotal, Malwarebytes

    From: "siljaline" <spam@uce.gov>

    | David H. Lipman wrote:
    >> From: "siljaline" <spam@uce.gov>


    >> | Lil' Abner wrote:
    >> | <snip>


    >> | Report the Torrent to the tracker if you pulled the Warez off a site.


    >> The name of the file is a Social Engineering construct I am familiar with and I doubt it
    >> came from a Warez site. That naming convention is typical of the type of files I find
    >> quite often in the Usenet binaries and I'll bet that is where it came from.


    | Noted.

    | Usenet for binaries, oi !

    oi ^2 = Oy Vey !

    :-)


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  9. #9
    CiderScratter Guest

    Re: VirusTotal, Malwarebytes

    On Fri, 11 Jun 2010 18:22:02 -0500, "Lil' Abner" <blvstk@dogpatch.com>
    wrote:

    >I downloaded
    >41.Yr.Virgin.Who.Knocked.Up.Sarah.Marshall;Felt.Superbad.LKRG136943.exe,
    >knowing, of course, that it would be infected with *something*. Microsoft
    >Security Essentials liked it OK so I sent it to VirusTotal where it scored
    >zilch (0/43).
    >So I installed it on a throwaway copy of XP and actually had to kill the
    >installation file with task manager. And that still left a random exe file
    >running and eating up about 85% of the processor. So I killed that one too
    >and then ran MalwareBytes on it.
    >It found:
    > Trojan.Backdoor.Gen (4)
    > Trojan.Agent.Gen (5)
    > Trojan.Agent (1)
    > Bifrose.Trace (1)
    >MalwareBytes cleaned it up fine with a reboot.
    >IMO that says quite a bit for MBAM and very little for 43 antivirus
    >companies.
    >At least it wasn't one of those rogue security apps that I usually get when
    >I play this game... :-)


    Your details are very sparse to say the least and seem to indicate a big
    flaw in your testing process. Maybe you just did not document it too
    well.

    So why did you only have to kill the installation on the throwaway copy
    of XP?
    What about the PC where you tested it with MSE? Did you try the install
    here or just scan the original exe? What about the unpacked one with
    MSE?

    Have you sent the unpacked exe file to virustotal?
    Did Malwarebytes find it in a scan before you run the exe?

    A test is only fair if the exact same procedures are followed for each
    application being tested and your notes do not indicate this.

  10. #10
    Lil' Abner Guest

    Re: VirusTotal, Malwarebytes

    CiderScratter <cider-scratter@hotmail.invalid> wrote in
    news:rdh6165samves2n6sms0qqvba5qojg4bs7@4ax.com:

    > On Fri, 11 Jun 2010 18:22:02 -0500, "Lil' Abner" <blvstk@dogpatch.com>
    > wrote:
    >
    >>I downloaded
    >>41.Yr.Virgin.Who.Knocked.Up.Sarah.Marshall;Felt.Superbad.LKRG136943.exe
    >>, knowing, of course, that it would be infected with *something*.
    >>Microsoft Security Essentials liked it OK so I sent it to VirusTotal
    >>where it scored zilch (0/43).
    >>So I installed it on a throwaway copy of XP and actually had to kill
    >>the installation file with task manager. And that still left a random
    >>exe file running and eating up about 85% of the processor. So I killed
    >>that one too and then ran MalwareBytes on it.
    >>It found:
    >> Trojan.Backdoor.Gen (4)
    >> Trojan.Agent.Gen (5)
    >> Trojan.Agent (1)
    >> Bifrose.Trace (1)
    >>MalwareBytes cleaned it up fine with a reboot.
    >>IMO that says quite a bit for MBAM and very little for 43 antivirus
    >>companies.
    >>At least it wasn't one of those rogue security apps that I usually get
    >>when I play this game... :-)

    >
    > Your details are very sparse to say the least and seem to indicate a
    > big flaw in your testing process. Maybe you just did not document it
    > too well.
    >
    > So why did you only have to kill the installation on the throwaway
    > copy of XP?


    Because it wasn't doing anything and it wouldn't quit running.

    > What about the PC where you tested it with MSE?


    It was actually a rar file. I un-rared it on the original computer and
    checked the exe with MSE.

    > Did you try the install here or just scan the original exe?


    No and yes.

    > What about the unpacked one with MSE?


    See above.

    > Have you sent the unpacked exe file to virustotal?


    Yes. Found nothing.

    > Did Malwarebytes find it in a scan before you run the exe?


    Didn't try that, but I see your point. I've still got it. I'll try it right
    now. OK. http://mewnlite.com/sample.gif - I had to help it a bit by putting
    it in the windows\system32 folder since the original was in a download
    folder on another drive and MBAM wouldn't have found it there. Anyway,
    thanks for prompting me to run it. It found some other stuff while it was
    there!

    > A test is only fair if the exact same procedures are followed for each
    > application being tested and your notes do not indicate this.


    OK, I have the paid version of MBAM but I haven't been running it in real
    time since a long time ago it was blocking a lot of legitimate IP
    addresses. I've turned it back on (temporarily) and will go back and find
    another one of those Debbie.Does.Dallas.in.the.treehouse23456.rar files and
    see if it'll catch it!



    --
    --- Everybody has a right to my opinion. ---
