Ransom (police virus) new mutation

lordman

Level 6
Thread author
Verified
Well-known
Apr 18, 2013
255
Yesterday, Saturday 4 May at about 01:00, I found a new mutation of the ransom trojan, only detected by four antivirus engines on VirusTotal: Kaspersky, Malwarebytes and two others I don't know. I sent a sample to a lot of the antivirus vendors that appear on VirusTotal, not all but a lot of them.

Now, Sunday 5 May at 01:33, the situation is the following:

https://www.virustotal.com/es/file/4426b1bae18d84fb3a707216cb14e41b783ebd1d45fb96b5ec585cb9fac9c63b/analysis/1367709942/

It is detected by 20/46 virustotal engines.

It is not detected by Avast, Commtouch, DrWeb, eSafe, F-Prot, Panda, SuperAntiSpyware...

Avira, AVG, Comodo, F-Secure, Fortinet, GData, McAfee, Symantec... were the first antivirus engines detecting the sample this morning.

Panda, Avast... Very, very bad. I SENT YOU A SAMPLE.

Kaspersky is the best once again.
 

Fiery

Level 1
Jan 11, 2011
2,007
Actually it may not be a mutation of a trojan but rather the packing of the malware code itself. Different packers or downloaders are developed hourly, aimed at evading detection. The trojan downloader can be packed differently but ultimately downloads the same trojan. That is why AV companies have a hard time keeping up with signatures.
 

lordman

Level 6
Thread author
Verified
Well-known
Apr 18, 2013
255
Sunday 5 at 10:00

Avast detects the ransom.
Agnitum/Panda/F-Prot/Commtouch/ClamAV/eSafe/SuperAntiSpyware... do not detect it.

It is detected by 22/46 virustotal engines.
 

lordman

Level 6
Thread author
Verified
Well-known
Apr 18, 2013
255
Fiery said:
Actually it may not be a mutation of a trojan but rather the packing of the malware code itself. Different packers or downloaders are developed hourly, aimed at evading detection. The trojan downloader can be packed differently but ultimately downloads the same trojan. That is why AV companies have a hard time keeping up with signatures.

Yes, it is possible. I can't see the trojan in action because the virus infected a friend's computer and I told him to send me the file before Malwarebytes deleted it.
 

lordman

Level 6
Thread author
Verified
Well-known
Apr 18, 2013
255
Sunday 5 at 12:00

Agnitum/Panda/F-Prot/Commtouch/ClamAV/eSafe/SuperAntiSpyware... do not detect it.

It is detected by 24/46 VirusTotal engines.

Ransom is a Spanish malware version and Panda (a Spanish antivirus) does not detect it 35 hours later.

"Good point" for Panda.
 

lordman

Level 6
Thread author
Verified
Well-known
Apr 18, 2013
255
Sunday 5 at 23:00

Agnitum/F-Prot/Commtouch/ClamAV/eSafe/SuperAntiSpyware... do not detect it.

It is detected by 25/46 VirusTotal engines.

Panda detects it, but too late for a Spain-localized malware.
 

lordman

Level 6
Thread author
Verified
Well-known
Apr 18, 2013
255
Tuesday 7 at 22:45

F-Prot/Commtouch/ClamAV/eSafe/Symantec/SuperAntiSpyware... do not detect it.

It is detected by 27/46 VirusTotal engines.

Four days later and 19 engines can't detect it.

Suddenly, Symantec can't detect it; two days ago the malware was detected OK.

https://www.virustotal.com/es/file/4426b1bae18d84fb3a707216cb14e41b783ebd1d45fb96b5ec585cb9fac9c63b/analysis/1367959253/

It is a silly test but I don't like the results very much; 19 engines are a lot.
 

Fiery

Level 1
Jan 11, 2011
2,007
Most of the big security vendors detect it; the other 19 companies need to be quicker!
 

lordman

Level 6
Thread author
Verified
Well-known
Apr 18, 2013
255
Fiery said:
Most of the big security vendors detect it; the other 19 companies need to be quicker!

If I sent the virus to many of them, the other companies have a very big problem.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
There are some security companies which literally take a few days or more to detect it, and in the worst case it stays undetected.

One of the difficulties is the polymorphic code, which has to be compared and analyzed before a signature can be created.
 

lordman

Level 6
Thread author
Verified
Well-known
Apr 18, 2013
255
Thursday 9 at 21:40

F-Prot/ClamAV/eSafe/Symantec/SuperAntiSpyware... do not detect it.

It is detected by 29/46 VirusTotal engines.

Six days later and 17 engines can't detect it.

https://www.virustotal.com/es/file/4426b1bae18d84fb3a707216cb14e41b783ebd1d45fb96b5ec585cb9fac9c63b/analysis/
 
