Well, I was downloading some malware today, and I found one file a little funny. CAV doesn't seem to be that consistent with the result when you scan this file. The MD5 and SHA1 values are the same… but the results when scanning this file have been a little inconsistent, as can be seen here:
on VT COMODO says: TrojWare.Win32.TrojanDownloader.Swizzor.Gen
on Virscan COMODO says: TrojWare.Win32.Trojan.KillAV.~BYG
Both were using DB 3264 during this scan (according to the pages…)…
However, when I scan this file at home, testing everything from heuristics OFF to heuristics HIGH… I get no detection whatsoever…? (I am using DB 3264 as well)…
I am thinking perhaps virscan just uses some sort of name shortening… And perhaps I am using some sort of corrupted database…? I guess this can have something to do with how VT and virscan set the heuristics… but it's still weird I got no detection… If someone wants to scan this file as well I'd be happy to send it, just PM…
In general, VT sends us samples not detected by us, so we do get samples on a daily basis. But there is a range of paid services from VT for AV vendors to download files on demand. Apart from what we get by default via mail from VT, we can download only 100 files for free on demand.
Thanks to the community, we get plenty of new malware from you via CIS and do not have to get it from VT explicitly.
Btw, this sample in question was uploaded to us via CIMA, so you guys help us a lot.
is the report link for CIMA, where not only did CIMA report it as malware but it also gave it a proper name. Although we already had generic detection for this sample, so it was detected by default by CIS even though we didn't have this sample. So that's the power of the generic signs we released after the CIS 3.13 release, and also CIMA.