TrojWare.Win32.TrojanDownloader.Agent.~JBD@31855190

who_te_fuc · August 18, 2009, 10:05pm

Today Ive been kinda bored and downloaded some samples that I later sent to comodo… (I send samples that are UD when heuristic is off…)

However, I do scan samples with heuristic on as well (just to see how many more are found…) :)… And when I do I get findings like “TrojWare.Win32.TrojanDownloader.Agent.~JBD@31855190”

My question is simple…

Is that a naming for heuristic findings?? :-\ :o It sounds like a signature finding and perhaps something that should be detected even with heuristic off?

OmeletGuy · August 18, 2009, 10:09pm

Wait you mean you get TrojWare.Win32.TrojanDownloader.Agent.~JBD[at]31855190 Only with Heuristics on?

I know that the Heuristics Engine (if on) scans before the Signatures.

who_te_fuc · August 18, 2009, 10:31pm

Yes correct… Scanning the file with no heuristic and there is no warning about a infected file… When I turn on heuristic and rescan the file I get a “infected file” warning with that alert… :-TU

I think Ive seen similar stuff before as well but never really thought about it… I think its a weird naming for heuristic findings… :o

OmeletGuy · August 18, 2009, 10:39pm

Yes that is weird, i have PM’ed Umesh, hopefuly he will repond.

who_te_fuc · August 18, 2009, 11:00pm

Thanks, keeping the file then. =) If you like Ill PM it to you so you can confirm this “behavior”…

OmeletGuy · August 18, 2009, 11:13pm

Sure ;D PM it to me.

OmeletGuy · August 18, 2009, 11:36pm

Same thing here its not detected if heuristics are off.

Virustotal.com (no heuritics)
http://www.virustotal.com/analisis/4e0f602ae43a55dbba03cec03199fcd196884f047d553cc2750f6f22bf6ef210-1250638888
Virscan.org (Heuritics on low)
http://www.virscan.org/report/d3206199abdd3d6dd9029ae01bd0fb47.html

who_te_fuc · August 18, 2009, 11:41pm

VT uses no heuristic… but virscan does… I learn something new everyday… :-TU :-TU
Thanks for the confirmation…

smage · August 19, 2009, 9:02am

Hi,

Can anyone explain why VirusTotal does not use heuristics for Comodo.

Thanks.

umesh · August 19, 2009, 10:36am

Hi,
They do use highest heuristic mode as per information we have.
We will have to investigate this case.

This is basically Heur.Suspicious case, where name has been changed. We are going to make it available as standard detection where it will detect when heuristic is off as well.

Thanks
-umesh

who_te_fuc · August 19, 2009, 4:01pm

Hi Umesh, just wanting to inform you: http://www.virustotal.com/sv/analisis/b931af1b61e92582986106204c9266b18393215ce2ab430463036e6806b85daf-1250693201

eg, That file was sent to comodo where I wrote “probably fake antivirus” or something similar… submitted here: Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year

It was not added as a definition… =/ A lot of files I send don’t get added… at least not in days… (the example sample was sent yesterday guess thats nothing to complain about) 88) 88) But your goal is to be quick?? Some files I sent through CIMA weeks/long back has not been added either. Perhaps some are false Positives… But there is a lot of files other (scanners) say are bad that comodo simply do not add at all… Just wanted to inform you about that…

=]