I've confirmed a virus but no AV detects it and CAMAS fails to analyse it

Hi Guys

A few days ago I manually detected a threat in my system (I'm a bit of an expert at manual threat detection)…

I was able to disable the threat, in the form of a "system32.exe" file residing in the user/temp folders… it was set to run automatically on startup…

I was able to figure out where I got this: the threat was embedded in a certain software's installer (cracked ← yes, I know… spare me the lessons on cracked stuff please, but let's stay on point :slight_smile: )

Anyway, I ran my virtual machine and monitored how this thing works… to name a few things, it creates lots of registry entries and changes lots too, sets itself to autorun, disables Task Manager as well as Registry Editor, etc. etc.… While I was not able to detect any outgoing connections from it, it was certainly doing something, as it's constantly munching about 10% on each CPU core (I have a quad)…

Here’s the weird part…

I ran this through several AV programs; it was clean!
I ran it through VirusTotal: 0/43 = clean!
http://www.virustotal.com/file-scan/report.html?id=291a31be2b1f6e29167028058ad66a0b95e850de9d58f797597f11c3f5871870-1292314514

I ran it through Comodo's CAMAS; it wasn't able to detect any "suspicious" activities, not even the registry values created, etc. (does CAMAS actually work?). Heck, I was even able to detect that it created a file "cccleaner.exe" in my Documents folder, a copy of itself masquerading as CCleaner.
http://camas.comodo.com/cgi-bin/submit?file=291a31be2b1f6e29167028058ad66a0b95e850de9d58f797597f11c3f5871870

So the question is, what's this? A very new virus? One that not even the most paranoid HIPS settings can detect?

If you guys would like to take a whack at this file, you can get it from here (attached).

Thoughts on this would be much appreciated…

PS
I'm back with a freshly formatted system… this thing changed so much in my system, it's a nightmare to change everything back…

Attachment removed by Moderator. Please do not attach possible malware on the forum.
Sorry for the attachment… umm, is a link OK? For other interested parties to look into this? I can upload it somewhere.

Running some malware in a virtual environment can cause it to change its behaviour. Some malware detects that it's running in a VM and basically twiddles its thumbs. The same malware running on a physical system reacts differently.

Ewen :slight_smile:

Like panic said,
some malware can recognise if it's in a sandbox or a virtual system. If it detects either of them, the malware will not run. Then when you put it on a normal OS, the malware will run and it's too late.

Hm… yes, but I've never seen nor heard of any malware or other software being able to detect if it's in VMware… it's really as if it's in a regular OS environment…

Or are you guys talking about Comodo's online virtual environment?

Comodo CAMAS can't scan .NET applications that use Framework 4.
And yes, malware can detect any sandbox or virtual machine, by detecting processes, some hooks, some APIs, etc.

VT says: Generic CIL Executable (.NET, Mono, etc.) (83.3%)
That's why CAMAS cannot do anything.
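
The "Generic CIL Executable" label VirusTotal attached to the sample comes from the file's PE headers: a .NET assembly is an ordinary PE file whose optional header has a non-empty data directory entry 14 (the CLR runtime header), and a sandbox that only instruments native code sees little beyond the stub that hands control to the .NET runtime. The following is an added example, not code from this thread or from Comodo, showing how to make that check yourself. It parses only the headers, so it works on a file you would never run. The `build_minimal_pe` helper constructs header-only sample images for demonstration; they are not real executables.

```python
"""Check whether a PE file is a managed (.NET / CIL) executable.

A managed assembly is a normal PE file whose optional header's data
directory entry 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) points at the
CLR runtime header.  Only headers are read; the file is never executed.
"""
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def clr_header_directory(data: bytes):
    """Return (rva, size) of the CLR runtime header, or None when the data is
    not a PE image or its CLR directory entry is absent or empty."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: SizeOfOptionalHeader sits 16 bytes into it (20 past the signature).
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if size_of_optional < 2 or opt + size_of_optional > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        rva_count_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        rva_count_off, dirs_off = opt + 108, opt + 112
    else:
        return None
    if rva_count_off + 4 > opt + size_of_optional:
        return None
    number_of_dirs = struct.unpack_from("<I", data, rva_count_off)[0]
    if number_of_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return None
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if entry + 8 > opt + size_of_optional:
        return None
    rva, size = struct.unpack_from("<II", data, entry)
    if rva == 0 or size == 0:
        return None
    return rva, size


def is_dotnet_pe(data: bytes) -> bool:
    return clr_header_directory(data) is not None


def build_minimal_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed sample: a header-only PE image (not runnable) with either an
    empty or a populated CLR directory entry.  Optional header sizes follow the
    PE spec: 224 bytes for PE32, 240 for PE32+, each with 16 data directories."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    rva_count_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, rva_count_off, 16)
    if dotnet:
        # Arbitrary RVA; 0x48 is the usual size of the CLR header (IMAGE_COR20_HEADER).
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "managed (.NET)" if is_dotnet_pe(f.read()) else "native or not a PE")
```

Run it as `python check_clr.py suspicious.exe`; a managed binary prints "managed (.NET)". The check deliberately stops at the directory entry rather than following the RVA into the section table, which is enough to explain the VirusTotal label and to know that a .NET-aware analysis environment is needed.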

There are many tricks that let you identify whether you are running in a VM or not… malware authors use this regularly…
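
The "tricks" the replies above refer to mostly come down to artifacts the hypervisor and its guest tools leave in the guest: a network adapter whose MAC prefix is registered to VMware, VirtualBox, Hyper-V or Parallels, guest-tools processes such as vmtoolsd.exe, and registry keys written by the guest additions. The following is an added example, not code from this thread or from Comodo, that applies those checks to data you pass in, so it can be run against constructed samples (the `VMWARE_GUEST` and `BARE_METAL` dictionaries below are constructed, not captured from a real machine) or against a live host. Real samples also use CPUID, timing and hardware-string checks that are not shown here, so an empty result means "nothing obvious", not "bare metal".

```python
"""Guest artifacts that malware commonly checks to decide it is in a VM.

The functions are pure: they take the MAC address, process list and registry
keys as arguments, so the same logic runs on constructed samples or live data.
"""
import uuid

# OUI (first three MAC bytes) ranges registered to hypervisor vendors.
VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5D": "Hyper-V",
    "00:1C:42": "Parallels",
}

# Guest-tools processes; these give the game away even if the MAC is changed.
VM_PROCESSES = {
    "vmtoolsd.exe": "VMware Tools", "vmwaretray.exe": "VMware Tools", "vmwareuser.exe": "VMware Tools",
    "vboxservice.exe": "VirtualBox Guest Additions", "vboxtray.exe": "VirtualBox Guest Additions",
    "prl_tools.exe": "Parallels Tools",
}

# Registry keys (under HKLM) created by guest additions or exposed from firmware tables.
VM_REGISTRY_KEYS = {
    r"SOFTWARE\VMware, Inc.\VMware Tools": "VMware Tools",
    r"SOFTWARE\Oracle\VirtualBox Guest Additions": "VirtualBox Guest Additions",
    r"HARDWARE\ACPI\DSDT\VBOX__": "VirtualBox firmware tables",
}


def normalise_mac(mac) -> str:
    """Accept an int (as uuid.getnode() returns) or a string with ':' or '-'
    separators and return the form 'AA:BB:CC:DD:EE:FF'."""
    if isinstance(mac, int):
        mac = "%012X" % mac
    digits = mac.replace(":", "").replace("-", "").upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vm_indicators(mac, processes, registry_keys=()):
    """Return human-readable reasons the host looks virtualised (empty if none)."""
    reasons = []
    mac_str = normalise_mac(mac)
    vendor = VM_MAC_PREFIXES.get(mac_str[:8])
    if vendor:
        reasons.append(f"MAC {mac_str} has a {vendor} OUI")
    for proc in processes:
        tool = VM_PROCESSES.get(proc.lower())
        if tool:
            reasons.append(f"process {proc} belongs to {tool}")
    for key in registry_keys:
        tool = VM_REGISTRY_KEYS.get(key)
        if tool:
            reasons.append(f"registry key HKLM\\{key} is written by {tool}")
    return reasons


def looks_like_vm(mac, processes, registry_keys=()) -> bool:
    return bool(vm_indicators(mac, processes, registry_keys))


# Constructed samples (not captured from any real host).
VMWARE_GUEST = dict(
    mac="00:0C:29:3A:7B:11",
    processes=["explorer.exe", "vmtoolsd.exe", "svchost.exe"],
    registry_keys=[r"SOFTWARE\VMware, Inc.\VMware Tools"],
)
BARE_METAL = dict(
    mac="3C:97:0E:12:34:56",
    processes=["explorer.exe", "svchost.exe"],
    registry_keys=[],
)

if __name__ == "__main__":
    for name, host in (("vmware guest", VMWARE_GUEST), ("bare metal", BARE_METAL)):
        print(name, "->", vm_indicators(**host) or ["no obvious VM artifacts"])
    # Live check of this machine's primary MAC only; processes and registry are not collected here.
    print("this host ->", vm_indicators(uuid.getnode(), []) or ["MAC OUI is not a known hypervisor vendor"])
```

For analysis work the useful reading of this list is the other way round: each indicator is something to remove or rename in the analysis VM (set a non-vendor MAC on the virtual NIC, run without guest tools, clean the guest-additions registry keys) before concluding that a sample "does nothing".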

What does CAMAS stand for, and why does it say Comodo Instant Malware Analysis when you go to the CAMAS link provided in the above post under the VirusTotal link?

Did they change the name from CAMAS to CIMAS, and if so, what did CAMAS stand for?

It originally stood for Comodo Automated Malware Analysis System;