16 May 2011, 01:56

While browsing the web (cf. previous post), I downloaded a file that looked suspicious to me: Shopper Report (ShprRprt.exe).

Kaspersky Antivirus 2011, fully up to date, did not detect anything. But if I leave the file on my desktop, Windows Defender detects it as "Adware:Win32/ShopperReports"...

[screenshot: shoper-report_WinDefender_150511.jpg]

Anyway, I decided to put the file into KAV's quarantine. I could not find a "submit sample" button, but I hoped it would be submitted automatically.

Well, 48 hours after I put the file into quarantine, KAV told me "there is no danger with this file, Kaspersky suggests you restore it!"...

[screenshot: KAVV2011_Quarant-OK_shoperRprt_150511.jpg]


Ermf... Although KAV is up to date, and despite the fact that I agreed to take part in the Kaspersky Security Network (cloud-based antivirus analysis), KAV does not want to detect the sample...

Apparently the KSN did not help. So how can an ordinary user send a sample to Kaspersky's lab? Using GMail, you may say? Well, no: GMail detects and refuses .exe files and other suspicious attachments, and Hotmail/Yahoo Mail tend to do the same.


Update:

Anyway, I found a way to send the sample from a GMail account.

At the bottom of the Kaspersky lab's web pages there is an email address for sending them a "new virus": newvirus@kaspersky.com

Then you have to rename the file, e.g. from "exe" to "ex0". Then you zip it and set a password (such as "infected", the conventional password for sending samples to AV labs). Now GMail will accept the attachment. The password-protected zip also prevents third-party AV scanners along the way from quarantining the file...
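The packaging steps above (rename .exe to .ex0, zip with the password "infected", keep a hash of the original so the lab's verdict can be matched to the file), as an added example that is not code from the original post. Python's zipfile module can read password-protected ZipCrypto archives but cannot write them, so the PKWARE "traditional" encryption is implemented here from the published algorithm; the round trip is then checked with the standard-library reader, which is what any unzip tool on the receiving side does. SAMPLE is constructed test data, not the real ShprRprt.exe, and the function names are my own. ZipCrypto is cryptographically weak (known-plaintext attacks exist); for this purpose it only has to stop mail-path scanners from inspecting the attachment, and it should never be relied on for confidentiality.

```python
"""Wrap a suspicious binary for submission to an AV lab: rename .exe -> .ex0,
store it in a ZIP protected with the conventional password "infected", and
keep the SHA-256 of the original bytes.

Added example, not code from the original post.  Python's zipfile module can
read ZipCrypto archives but cannot write them, so the PKWARE "traditional"
encryption (APPNOTE.TXT section 6.1) is implemented from the public
algorithm.  SAMPLE is constructed test data, not the real ShprRprt.exe.
"""
import hashlib
import io
import os
import struct
import zipfile
import zlib

SAMPLE = b"MZ" + bytes(range(256)) * 4        # constructed stand-in for a binary
PASSWORD = b"infected"                        # convention for mailing samples


def _crc32_byte(crc: int, byte: int) -> int:
    """One raw CRC-32 table step (no pre/post inversion), as ZipCrypto needs."""
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class ZipCrypto:
    """PKWARE traditional-encryption keystream.  Weak (known-plaintext
    attacks exist); here it only has to stop mail scanners from peeking."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, plain: int) -> None:
        self.k0 = _crc32_byte(self.k0, plain)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def _keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            out.append(b ^ self._keystream_byte())
            self._update(b)               # keys advance on the plaintext byte
        return bytes(out)


def neutralise_name(name: str) -> str:
    """ShprRprt.exe -> ShprRprt.ex0, so mail filters no longer see an executable."""
    return name[:-4] + ".ex0" if name.lower().endswith(".exe") else name


def pack_sample(name: str, data: bytes, password: bytes = PASSWORD) -> bytes:
    """Build a single-entry ZIP (method 'stored', general flag bit 0 = encrypted)."""
    fname = neutralise_name(name).encode("ascii")
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the high byte of the
    # CRC, which readers decrypt first to check the password.
    header = os.urandom(11) + bytes([crc >> 24])
    body = ZipCrypto(password).encrypt(header + data)
    dos_time = (1 << 11) | (56 << 5)                        # 01:56
    dos_date = ((2011 - 1980) << 9) | (5 << 5) | 16         # 2011-05-16
    flags, stored = 0x0001, 0
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, stored,
                        dos_time, dos_date, crc, len(body), len(data),
                        len(fname), 0) + fname
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0,
                          flags, stored, dos_time, dos_date, crc, len(body),
                          len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    end = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                      len(local) + len(body), 0)
    return local + body + central + end


def sample_sha256(data: bytes) -> str:
    """Hash of the ORIGINAL bytes; quote it in the mail so the lab's verdict
    can be matched to the file (renaming and zipping do not change it)."""
    return hashlib.sha256(data).hexdigest()


def unpack_sample(archive: bytes, name: str, password) -> bytes:
    """Round-trip through the standard-library reader, as any unzip tool or
    the lab would.  Raises on a missing or wrong password or a bad CRC."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name, pwd=password)


def opens_with(archive: bytes, name: str, password) -> bool:
    """True only if the entry decrypts and its CRC checks out with `password`."""
    try:
        unpack_sample(archive, name, password)
        return True
    except Exception:
        return False


def entry_names(archive: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    archive = pack_sample("ShprRprt.exe", SAMPLE)
    print("entries:", entry_names(archive))
    print("sha256 of original:", sample_sha256(SAMPLE))
    print("round trip OK:", unpack_sample(archive, "ShprRprt.ex0", PASSWORD) == SAMPLE)
    print("opens without password:", opens_with(archive, "ShprRprt.ex0", None))
```

With a real sample, replace SAMPLE with the file's bytes and write the result of pack_sample() to disk; the archive opens with any unzip tool using the password "infected". Put the SHA-256 of the original file in the body of the mail, not just the archive, so the analyst's reply (which names the file, as the one quoted further down this post does) can be tied back to exactly the bytes you sent.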

There we go!...

PS: for those who may be interested, or who have a bit of VX history in mind, it seems that Shopper Report is related to 180Search Solutions, a fairly well-known piece of malware I studied in the past... It was said to be the visible part of something like a mafia! And there are other stories:

http://www.theinternetpatrol.com/search-marketing-company-180-solutions-sues-affiliates-over-botnet-installation-of-180solutions-software-on-users-computers/?amp;name=search-marketing-company-180-solutions-sues-affiliates-over-botnet-installation-of-180solutions-software-on-users-computers

What about now?

PS #2: did I just expose a way to bypass GMail's filter for binary files? No way!


Update 2:

I got a reply to my email. They provide a link for submitting samples online:

http://support.kaspersky.com/virlab/helpdesk.html?LANG=en

And there is in fact a tool in the "Kaspersky online user profile" that does the same:

https://my.kaspersky.com/fr/support/viruslab

I'm waiting for the lab's response...


Update 3:

48 hours after I sent them the email, still no answer :(


Update 4 (29th of May, ToW):

Still no answer about the sample sent by mail :(

But I also sent a sample through the "My Kaspersky" portal (link: my.kaspersky.com), on the 27th of May at 10PM (Paris time).

I got an answer on the 29th of May at 7PM:

Hello,

shprrprt.ex0 - not-a-virus:AdWare.Win32.HotBar.dh

This file is an Advertising Tool, it is detected by extended databases set. See more info about extended databases here: http://www.kaspersky.com/extraavupdates

Regards, Ilya Simonov
Virus Analyst


Well... the thing is that their FAQ only talks about KAV versions 6 and 7. Mine is 11.0.2! Anyway, I checked, and I had already enabled those "extra detection features".

I tried to force a KAV definition update. Still no detection of my sample. Even 7 hours after I received the mail, and after forcing the update once again, no detection.

My guess: the definition update covering my sample has not yet been pushed to the KAV update servers... but what if I were really infected right now?

This is why it is quite important to check whether the AV update is actually available on the vendor's download servers once you know they have created a new signature. If you rely only on "AV automatic updates", you may run into problems, because the signature you need is not yet known to the AV product you use, despite its update checks...


