AVs fail Again

Lately I have seen many web downloads, some at forums and some at rapidshare, and also a few torrents such as “Adobe Acrobat 9”, that include an installation and a crack.
The installation or crack is in a password-protected rar file; in order to get the password, one must run the supplied tool called “XXX Password Generator”.

This installs another variant of the AntiVirus 2008. I can truly say I can’t tell anymore if it comes from the same guys; OK, of course it’s them, but there is just no way they have so much manpower to write so many completely different versions!!!
Here are the websites it pops up to purchase from:

Installs executables at:
%ProgramFiles%\Antivirus 2008\Antivirus-2008.exe
which is today detected by 24 of 36 AV vendors.


This virus adds a scary DANGER! iframe to your desktop.htt; who would remove this for you?
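As an added example (not code from the original post), here is a defender-side check for the desktop.htt change described above: it parses the Active Desktop page and reports any iframe that pulls in a remote page, which a stock desktop.htt never does. The desktop.htt content below is constructed for the demonstration.

```python
"""Flag injected <iframe> elements in a desktop.htt (Active Desktop) file.
Added example; the sample file content is constructed, not a real capture."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a wallpaper page with one remote iframe injected into it.
SAMPLE_DESKTOP_HTT = """<html><body>
<div>my wallpaper</div>
<iframe src="http://example.invalid/danger.html" width="100%" height="300"></iframe>
<iframe src="about:blank"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value may be None
            self.sources.append(dict(attrs).get("src") or "")


def find_injected_iframes(htt_text):
    """Return the src of each iframe that loads remote http/https content."""
    parser = IframeCollector()
    parser.feed(htt_text)
    parser.close()
    remote = []
    for src in parser.sources:
        if urlparse(src).scheme.lower() in ("http", "https"):
            remote.append(src)
    return remote


def check_desktop_htt(htt_text):
    """Return (is_suspicious, remote_iframe_sources) for one desktop.htt body."""
    remote = find_injected_iframes(htt_text)
    return (len(remote) > 0, remote)


if __name__ == "__main__":
    suspicious, sources = check_desktop_htt(SAMPLE_DESKTOP_HTT)
    print("suspicious:", suspicious, "remote iframes:", sources)
```

To run it against a real file, read `%USERPROFILE%\Application Data\Microsoft\Internet Explorer\desktop.htt` (path assumed for XP-era systems) and pass its text to `check_desktop_htt`.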

It installed some dlls and executables which are well known to AVs:

There is another variant I found called “AntiMalwareGuard_Free.exe”, packed with PECompact 2.xx; this one is considered well detected relative to the other variants: 19 of 36 AV vendors detect it.


So where is the problem???
The Trojan downloader itself wasn’t detected by any vendor, and now, 2 months after I found it (which means the vendors got the samples from my VirusTotal file upload 2 months ago), it is detected by only 15 AV vendors!!!


Kaspersky! McAfee! TrendMicro! Panda! F-Secure! Fortinet! Where are you people?!?!?!?!

The malicious guys have no problem replacing the executables at the server side to avoid detection; they even have the manpower to write completely new ones.

  • NoName

    I think this is a good example of why you need to buy software or download open source solutions :)

  • Anonymous

    How about sending those files to:

    and/or to me?
    And let’s get those files detected?

  • MrGutts

    I have seen those same files on a friend’s box; once they are on the machine, NO AV can get rid of them. Might as well scrub the machine and reinstall.

    The AV companies are being a bunch of corporate slacks in my eyes.

  • Funtime

    This is why I use only open source AV applications compared to corporate AV solutions. Open source AV is more likely to be updated quicker than corporate AV because it is written by, and accepts signatures from, developers who have had a chance to study the malware and create signatures to block it.

  • Mr. Gusten


    Open source AVs might be faster than (some) commercial ones. Look at the stats and history – sometimes ClamAV is faster, sometimes McAfee/Symantec/Trend are faster. Does it really matter?

    1. No AV vendor out there can be fastest every time! Open or Closed Source – doesn’t matter.

    2. NO AV vendor will ever be able to provide 100% coverage! There will always be malicious code out there for which no signature exists. Most of the malware out there stays “below the radar”.

    So in my opinion – signature-based protection (such as AV) is no longer an appropriate protection method.


  • Damage

    Anonymous – missing the point with the direct emails. All the vendors have access to samples submitted to VirusTotal and should be acting on them. 2 months they had to eval these.

    Mr. Gusten – also missing the point. The post isn’t at all about the race for first. It is calling out major vendors whose primary revenue stream is derived from the detection of malware who:
    a. couldn’t/didn’t find common downloaders on their own.
    b. didn’t bother to act on samples of said downloaders when they were submitted to them via VirusTotal.

    Though you are on to something with your last statement. Unfortunately, behavioral detection simply doesn’t cut it either and in reality is often far less effective than even bad sigs.

  • Mr. Gusten

    Damage – ACK on your points with regards to the original post. I totally agree.

    However, I was not commenting on the original post, but mainly on the comments (like you) made by FunTime and NoName, which focused on Open Source vs. commercial AV.

    Damage – behavioral detection simply doesn’t cut it either and in reality is often far less effective than even bad sigs.

    1. this is really interesting.
    On what facts/sw/solutions do you base this statement?

    Can you provide any detailed statistics on the coverage and track record on protections from behaviour-based solutions (perhaps from ’06/07 or 08) compared to lead time for AV vendors based on sigs? If yes, I think this would be very interesting factual data.

    2. Where am I missing the point? My statement was that no AV vendor out there can ever be fastest every time or provide 100% coverage.

    I did not state that behaviour based solutions are able to do so?