Recently, I have been facing a malware script named “Rahul’s Virus Protection.vbe”, which, when it enters a system, automatically adds itself to the startup list with “wscript.exe” (which is a safe file).
I sent a sample to CAV labs a month ago, and it was added to the definitions two days later (not cloud detection). It was detected as “unclassified malware”.
After a week, when I found that the same file was again running on my PC undetected, I took the sample and verified it on VirusTotal. It was detected as the same malware by every other company that had previously identified it, except COMODO.
Modified file (just one commented line was deleted):
I checked the hashes of the files, and they were different.
To confirm this behaviour, I disabled CAV, opened the sample with WordPad, changed one “commented line” from above, and saved it under another name. When I scanned the two samples again, the modified file was not identified.
Someone please confirm this. I can send you the samples if you want.
If this is the current CAV detection method, I do not think it is effective against new threats. Just adding the hashes of all known samples is not signature-based detection, in my opinion.
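The behaviour described in the post (deleting one comment line changes the file hash, so a hash list no longer matches, while the script itself is unchanged) can be shown with a short Python script. This is an added example and is not part of the original post, nor is it Comodo's detection code. The VBScript sample is a harmless constructed stand-in, not the real file; the normalization rules and the `WScript.Shell` content pattern are assumptions made for illustration.

```python
import hashlib
import re

# Constructed, harmless stand-in for the .vbe sample in the post.
# Only its shape (comment lines plus a few code lines) matters here.
ORIGINAL = (
    "' Rahul's Virus Protection (constructed demo stand-in)\n"
    "' this comment line is the one deleted in the variant\n"
    "Set sh = CreateObject(\"WScript.Shell\")\n"
    "sh.Popup \"demo\", 1\n"
)

# The variant from the post: identical code, one commented line removed.
VARIANT = ORIGINAL.replace(
    "' this comment line is the one deleted in the variant\n", ""
)

# An unrelated constructed script, to show normalization does not match everything.
UNRELATED = "' a different script\nWScript.Echo \"hello\"\n"


def file_hash(text: str) -> str:
    """Whole-file SHA-256: what a pure hash blacklist keys on."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def normalize_vbs(text: str) -> str:
    """Drop full-line VBScript comments (' and REM) and blank lines, collapse
    whitespace and fold case, so cosmetic edits do not change the result.
    Trailing comments are left alone to avoid mangling string literals."""
    kept = []
    for line in text.splitlines():
        if re.match(r"^\s*('|rem\b)", line, re.IGNORECASE):
            continue
        line = re.sub(r"\s+", " ", line).strip().lower()
        if line:
            kept.append(line)
    return "\n".join(kept)


def normalized_hash(text: str) -> str:
    """Hash over the normalized content rather than the raw bytes."""
    return hashlib.sha256(normalize_vbs(text).encode("utf-8")).hexdigest()


# A content pattern in the sense the post means by "signature": it keys on what
# the script does, not on its bytes. Illustrative only; on its own this pattern
# would also hit many legitimate scripts and would need further conditions.
SIGNATURE = re.compile(r'CreateObject\("WScript\.Shell"\)', re.IGNORECASE)


def match_signature(text: str) -> bool:
    return SIGNATURE.search(text) is not None


def compare(known: str, candidate: str) -> dict:
    """Three ways of deciding whether `candidate` is the `known` sample."""
    return {
        "raw_hash_match": file_hash(known) == file_hash(candidate),
        "normalized_hash_match": normalized_hash(known) == normalized_hash(candidate),
        "signature_match": match_signature(known) and match_signature(candidate),
    }


if __name__ == "__main__":
    for name, candidate in (("variant", VARIANT), ("unrelated", UNRELATED)):
        print(name, compare(ORIGINAL, candidate))
```

Running it shows the point of the post: the raw hash of the variant differs from the original, so a hash-only list misses it, while the normalized hash and the content pattern still match; the unrelated script matches neither.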