Ransom (police virus) new mutation

lordman

Yesterday, Saturday 4 May at about 01:00, I found a new mutation of the ransom trojan, only detected by four antivirus engines on VirusTotal: Kaspersky, Malwarebytes and two others I don't know. I sent a sample to a lot of the antivirus vendors that appear on VirusTotal, not all but a lot of them.

Now, Sunday 5 May at 01:33, the situation is the following:

https://www.virustotal.com/es/file/4426b1bae18d84fb3a707216cb14e41b783ebd1d45fb96b5ec585cb9fac9c63b/analysis/1367709942/

It is detected by 20/46 VirusTotal engines.

It is not detected by Avast, Commtouch, DrWeb, eSafe, F-Prot, Panda, SuperAntiSpyware...

Avira, AVG, Comodo, F-Secure, Fortinet, G Data, McAfee, Symantec... were the first antivirus engines detecting the sample this morning.

Panda, Avast... Very, very bad. I SENT YOU A SAMPLE.

Kaspersky is the best once again.
 
Actually, it may not be a mutation of the trojan but rather a different packing of the malware code itself. Different packers or downloaders are developed hourly, aimed at evading detection. The trojan downloader can be packed differently but ultimately downloads the same trojan. That is why AV companies have a hard time keeping up with signatures.
 
Sunday 5 at 10:00

Avast detects the ransom.
Agnitum/Panda/F-Prot/Commtouch/ClamAV/eSafe/SuperAntiSpyware... do not detect it.

It is detected by 22/46 VirusTotal engines.
 
Fiery said:
Actually, it may not be a mutation of the trojan but rather a different packing of the malware code itself. Different packers or downloaders are developed hourly, aimed at evading detection. The trojan downloader can be packed differently but ultimately downloads the same trojan. That is why AV companies have a hard time keeping up with signatures.

Yes, it is possible. I can't see the trojan in action because the virus infected a friend's computer, and I told him to send me the file before Malwarebytes deleted it.
 
Sunday 5 at 12:00

Agnitum/Panda/F-Prot/Commtouch/ClamAV/eSafe/SuperAntiSpyware... do not detect it.

It is detected by 24/46 VirusTotal engines.

Ransom is a Spanish malware version, and Panda (a Spanish antivirus) does not detect it 35 hours later.

"Good point" for Panda.
 
Sunday 5 at 23:00

Agnitum/F-Prot/Commtouch/ClamAV/eSafe/SuperAntiSpyware... do not detect it.

It is detected by 25/46 VirusTotal engines.

Panda detects it, but too late for a Spain-localized malware.
 
Tuesday 7 at 22:45

F-Prot/Commtouch/ClamAV/eSafe/Symantec/SuperAntiSpyware... do not detect it.

It is detected by 27/46 VirusTotal engines.

Four days later and 19 engines can't detect it.

Suddenly, Symantec can't detect it; two days ago the malware was detected OK.

https://www.virustotal.com/es/file/4426b1bae18d84fb3a707216cb14e41b783ebd1d45fb96b5ec585cb9fac9c63b/analysis/1367959253/

It is a silly test, but I don't like the results very much; 19 engines are a lot.
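An added example (not from the thread or from any vendor) of how a defender could track rescans like the ones posted above: per-engine verdicts are compared between scans of the same hash, so a late detection (Panda) or a regression (Symantec dropping the sample) is flagged instead of only watching the aggregate count. The engine names and flags below are constructed from the posts, not full VirusTotal reports.

```python
# Added example: follow per-engine verdicts across rescans of one sample hash
# and flag engines that start or stop detecting it. The snapshots are
# constructed from engines named in the thread; they are NOT the 46-engine
# VirusTotal reports themselves.
from typing import Dict, List, Tuple

Snapshot = Dict[str, bool]  # engine name -> detected?

def detection_ratio(snapshot: Snapshot) -> Tuple[int, int]:
    """Return (detecting engines, total engines) for one scan."""
    return sum(snapshot.values()), len(snapshot)

def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Engines whose verdict changed between two scans of the same hash.
    'regressed' is the case worth an alert: an engine that detected the
    sample earlier but no longer does (Symantec in the thread)."""
    engines = set(before) | set(after)
    return {
        "new_detections": sorted(e for e in engines if after.get(e) and not before.get(e)),
        "regressed": sorted(e for e in engines if before.get(e) and not after.get(e)),
    }

def timeline(scans: List[Tuple[str, Snapshot]]) -> List[dict]:
    """Walk scans in order; report the ratio and verdict changes at each step."""
    report = []
    prev: Snapshot = {}
    for label, snap in scans:
        hits, total = detection_ratio(snap)
        changes = diff_snapshots(prev, snap) if prev else {"new_detections": [], "regressed": []}
        report.append({"when": label, "ratio": f"{hits}/{total}", **changes})
        prev = snap
    return report

# Constructed sample data: a handful of engines from the thread; the flags
# follow the posts (Avast starts Sunday 10:00, Panda Sunday 23:00, Symantec
# drops the sample on Tuesday).
SCANS = [
    ("Sun 01:33", {"Kaspersky": True, "Avast": False, "Panda": False, "Symantec": True, "F-Prot": False}),
    ("Sun 10:00", {"Kaspersky": True, "Avast": True, "Panda": False, "Symantec": True, "F-Prot": False}),
    ("Sun 23:00", {"Kaspersky": True, "Avast": True, "Panda": True, "Symantec": True, "F-Prot": False}),
    ("Tue 22:45", {"Kaspersky": True, "Avast": True, "Panda": True, "Symantec": False, "F-Prot": False}),
]

if __name__ == "__main__":
    for row in timeline(SCANS):
        print(row)
```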
 
Most of the big security vendors detect it; the other 19 companies need to be quicker!
 
Fiery said:
Most of the big security vendors detect it; the other 19 companies need to be quicker!

If I sent the virus to many of them, the other companies have a very big problem.
 
There are some security companies which literally take a few days or more to detect it, and in the worst case it stays undetected.

One of the difficulties is the polymorphic code, which must be compared and analyzed in order for a signature to be created.
 
Thursday 9 at 21:40

F-Prot/ClamAV/eSafe/Symantec/SuperAntiSpyware... do not detect it.

It is detected by 29/46 VirusTotal engines.

Six days later and 17 engines can't detect it.

https://www.virustotal.com/es/file/4426b1bae18d84fb3a707216cb14e41b783ebd1d45fb96b5ec585cb9fac9c63b/analysis/