Prev: c:\recycler\S-1-5-21-129_ ... Dc775.zip
Next: explorer.exe startet nicht richtig - HILFE bitte!!
From: Art on 2 Jul 2006 08:40
The JPG-SCAN program at my web site has been updated
to detect certain narrower specific characteristics that the
Trojanized JPG samples I have display. Deletion of detected
Trojanized JPGs is left up to the user.
From: Art on 2 Jul 2006 16:13
On Sun, 02 Jul 2006 12:40:22 GMT, Art <null(a)zilch.com> wrote:
>The JPG-SCAN program at my web site has been updated
>to detect certain narrower specific characteristics that the
>Trojanized JPG samples I have display. Deletion of detected
>Trojanized JPGs is left up to the user.
Updated again Sunday afternoon to accomodate additional
Trojanized samples I found. It's quite unlikely that the scanner
will false alarm on non-Trojanized JPGs, so if the picture image
is of little value the file(s) detected should be deleted. If anyone
finds apparent FPs, please send sample(s) of the file(s) to
artsown at epix dot net.
As of this afternoon here in cental Pa., I see Ewido added as the
fourth to to the very short list of av/anti-malware vendors alerting
on the Trojanized files.
From: Art on 4 Jul 2006 15:15
On Thu, 22 Jun 2006 22:51:00 GMT, Art <null(a)zilch.com> wrote:
As of today, most vendors are still not alerting on the JPGs.
Some such as TIBS.JPG and WEB.JPG only have one vendor
alerting ... Symantec. With PROXY.JPG, only Fortinet and
I made a attemt to get a idea of which vendors might alert
on a realtime scanner basis. I isolated the appending malicous
code portions of the files, and for five of the eight samples
I was able to also determine the XOR decryptor used. I found
that McAfee in particular didn't alert on the encrypted files
but it did on some of the decrypted files. So to nursemaid
the av products a bit, I only uploaded decrypted files to
VT. Notably, in my other tests using McAfee SCAN, F-Prot
DOS and KAVDOS32, F-Prot and Kaspersky didn't care if the
files were decrypted or not.
The details are far too lengthy to report here since they involve
many Virus Total results as well as other details. Suffice it to say
that the results are quite mixed and detection is "spotty". While
some of the better av/antimalware products can be expected to
alert realtime on some of the files (when a new and "unknown"
companion runs the appended malicious code), I wouldn't place
any bets on it in general.
So IMO, the situation is just as peculiar, or worse, as when I
started this thread. Three of my samples, NT1, NT2 and NT3
(the ones I failed to decrypt) aren't detected by any vendors
in their isolated non-JPG form. Yet these are the three that
four vendors alert on in their full JPG form. So we have
reason(s) to expect that the appended code is malicious. I'm
not about to use a companion to extract, decrypt and run
the code (on a goat PC) to see which av alert, if any.
Why the vendors don't alert on the JPGs is beyond me. They
are leaving users at much higher risk, when it would be so
easy for them to provide detection.
From: Art on 4 Jul 2006 22:06
My JPG-SCAN program has been speeded up considerably,
and there have been some cosmetic changes done recently.
Detection is now "tight enough" that there should be no
false positives on legit JPG files.
From: Dustin Cook on 4 Jul 2006 22:15
Art <null(a)zilch.com> wrote in news:6e7ma2tf4liihq5lno54scdecet49c5lp6@
> My JPG-SCAN program has been speeded up considerably,
> and there have been some cosmetic changes done recently.
> Detection is now "tight enough" that there should be no
> false positives on legit JPG files.
Jeeze Art... Are you going to make a gif/tga/bmp scanner too? *grin*
Author of BugHunter - MalWare Removal Tool