Jrb2
Premium Member
join:2001-08-31

IstBar variant

Hi,

Just a little experience with a file which I found over the weekend on the PC of a friend.

Name:
ultimate_abt-sportsline-audi-allroad_pictures.exe

MD5 checksum:
dc9e6c9f12f10aeec0ab5578e58fde7b

I scanned the file at Jotti and VirusTotal.
Here is the report from VirusTotal (at this moment):
AntiVir 6.34.0.24 04.20.2006 TR/Dldr.IstBar.IT
Avast 4.6.695.0 04.28.2006 Win32:IstBar-AJ
AVG 386 05.01.2006 no virus found
Avira 6.34.1.58 05.01.2006 TR/Dldr.IstBar.IT
BitDefender 7.2 05.01.2006 Application.Bho.Coolwebsearch.Cameup.B
CAT-QuickHeal 8.00 04.29.2006 no virus found
ClamAV devel-20060202 05.01.2006 no virus found
DrWeb 4.33 05.01.2006 Trojan.Isbar.302
eTrust-InoculateIT 23.71.143 04.30.2006 no virus found
eTrust-Vet 12.4.2186 05.01.2006 no virus found
Ewido 3.5 05.01.2006 Downloader.INService.ja
Fortinet 2.71.0.0 05.01.2006 W32/IstBar.JA!tr.dldr
F-Prot 3.16c 05.01.2006 no virus found
Ikarus 0.2.65.0 05.01.2006 no virus found
Kaspersky 4.0.2.24 05.01.2006 Trojan-Downloader.Win32.IstBar.ja
McAfee 4752 05.01.2006 potentially unwanted program Adware-ISTbar
Microsoft 1.1372 05.01.2006 no virus found
NOD32v2 1.1516 05.01.2006 no virus found
Norman 5.90.17 04.28.2006 Istbar.ALY
Panda 9.0.0.4 05.01.2006 Adware/IST.ISTBar
Sophos 4.05.0 05.01.2006 no virus found
Symantec 8.0 05.01.2006 no virus found
TheHacker 5.9.7.137 05.01.2006 Trojan/Downloader.IstBar.ja
UNA 1.83 04.28.2006 no virus found
VBA32 3.11.0 05.01.2006 Trojan-Downloader.Win32.INService.ja

Jrb2
Premium Member

In this screenshot you see what BOClean says about it

My friends do run BOClean, and I did see in the BOClean report that it killed it.

Jrb2
Premium Member

In this screenshot you see what The Cleaner says about it

Jrb2
Premium Member

Several other scanners didn't report it as infected.
NOD32, Ad-Aware, TrojanHunter, Tauscan, and some others, come to mind.

What's going on?
Are companies not checking submissions to VirusTotal and Jotti?
(Oh, btw, I did submit it to a few of those.)

Well, I know very well that I can sometimes be too impatient.
My apologies for that!!!
I hope that other scanners will detect it also soon.

I guess that others have some kind of the same experience.

Florida Dan
Premium Member
join:2001-07-06
Boynton Beach, FL

You Read My Mind

Thanks for jumping in MagMan. I have unfortunately been away from BBR for quite some time and I had to Google "astroturfing" just to find out what it means. I reread Jrb2's posts and they don't fit the definition...IMHO.

Jrb2
Premium Member
join:2001-08-31

Re: IstBar variant

For your info: I did submit the file to all vendors (using the submission list extracted from the submission FAQ here at DSLR).

A few other things:

Nothing new as far as VirusTotal tells about the file (just scanned it again there).

Gavin added it very quickly to the TrojanHunter-definitions.

Kevin (BOClean) told me it is over a year old.

NOD32 doesn't detect it, but ESET told me that NOD32 does detect the file that it will download as "probably a variant of Win32/TrojanDownloader.IstBar trojan".

Symantec told me in an automatically generated reply that Symantec products that support security risks detect it as Adware.Istbar
»www.symantec.com/avcente ··· bar.html

Seeing that Symantec doesn't detect it at VirusTotal and having read the Symantec reply, I guess that I have to conclude that at the moment VirusTotal isn't using a Symantec product that supports security risks and/or that the Symantec scanner at VirusTotal isn't set to the max.

Jrb2
Premium Member

quote:
Seeing that Symantec doesn't detect it at VirusTotal and having read the Symantec reply, I guess that I have to conclude that at the moment VirusTotal isn't using a Symantec product that supports security risks and/or that the Symantec scanner at VirusTotal isn't set to the max.

Mystery solved!
Thanks to a dear old friend who checked it (thanks Randy!!!).
NAV does indeed detect it; see screenshots.
The problem is this (maybe you knew it already):
VirusTotal uses an old version of Symantec Corporate: 8.0.
Home Editions of NAV (I understand version 2004 and higher) are using the expanded threats and security risk signatures in the database.
So, if you're using NAV then make sure that you're using the latest version.

Conclusion:
Scan results from VirusTotal cannot always be trusted.
(meaning: it might tell you that a scanner doesn't detect it, while it does detect it if you have the latest version)

Question:
Which other scanners at VirusTotal are using too old a version?
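As an added illustration (not code from the thread or from VirusTotal): the Python script below parses the VirusTotal report pasted earlier in this thread, counts detections, lists which engines name the family "IstBar", and flags engines whose definition date lags the scan date. That last check is the version-lag problem the conclusion above describes, seen from the signature-date side; an old product line like the Symantec 8.0 case is not visible in the report at all, so the script only catches part of it. The report lines are copied from the earlier post; the seven-day staleness threshold and all function names are my own assumptions.

```python
import re
from datetime import datetime

# Report lines copied from the VirusTotal result quoted earlier in the thread,
# embedded here so the example runs offline.
REPORT = """\
AntiVir 6.34.0.24 04.20.2006 TR/Dldr.IstBar.IT
Avast 4.6.695.0 04.28.2006 Win32:IstBar-AJ
AVG 386 05.01.2006 no virus found
Avira 6.34.1.58 05.01.2006 TR/Dldr.IstBar.IT
BitDefender 7.2 05.01.2006 Application.Bho.Coolwebsearch.Cameup.B
CAT-QuickHeal 8.00 04.29.2006 no virus found
ClamAV devel-20060202 05.01.2006 no virus found
DrWeb 4.33 05.01.2006 Trojan.Isbar.302
eTrust-InoculateIT 23.71.143 04.30.2006 no virus found
eTrust-Vet 12.4.2186 05.01.2006 no virus found
Ewido 3.5 05.01.2006 Downloader.INService.ja
Fortinet 2.71.0.0 05.01.2006 W32/IstBar.JA!tr.dldr
F-Prot 3.16c 05.01.2006 no virus found
Ikarus 0.2.65.0 05.01.2006 no virus found
Kaspersky 4.0.2.24 05.01.2006 Trojan-Downloader.Win32.IstBar.ja
McAfee 4752 05.01.2006 potentially unwanted program Adware-ISTbar
Microsoft 1.1372 05.01.2006 no virus found
NOD32v2 1.1516 05.01.2006 no virus found
Norman 5.90.17 04.28.2006 Istbar.ALY
Panda 9.0.0.4 05.01.2006 Adware/IST.ISTBar
Sophos 4.05.0 05.01.2006 no virus found
Symantec 8.0 05.01.2006 no virus found
TheHacker 5.9.7.137 05.01.2006 Trojan/Downloader.IstBar.ja
UNA 1.83 04.28.2006 no virus found
VBA32 3.11.0 05.01.2006 Trojan-Downloader.Win32.INService.ja
"""

# One report line: engine, engine/definition version, definition date (MM.DD.YYYY), verdict.
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+?)\s*$"
)

CLEAN_VERDICT = "no virus found"


def parse_date(text):
    """Dates in the report are MM.DD.YYYY (05.01.2006 is 1 May 2006)."""
    return datetime.strptime(text, "%m.%d.%Y").date()


def parse_report(text):
    """Turn the pasted report into a list of dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        result = m.group("result")
        rows.append({
            "engine": m.group("engine"),
            "version": m.group("version"),
            "updated": parse_date(m.group("updated")),
            "result": result,
            "detected": result.lower() != CLEAN_VERDICT,
        })
    return rows


def summarize(rows, scan_date, stale_days=7):
    """Detection ratio plus the engines whose definitions lag scan_date by more than stale_days.

    A clean verdict from a stale engine is weak evidence; the seven-day threshold is an
    assumption for this example, not a VirusTotal rule.
    """
    scan = parse_date(scan_date)
    detected = [r for r in rows if r["detected"]]
    stale = [r["engine"] for r in rows if (scan - r["updated"]).days > stale_days]
    clean_but_stale = [r["engine"] for r in rows if not r["detected"] and r["engine"] in stale]
    return {
        "total": len(rows),
        "detected": len(detected),
        "ratio": f"{len(detected)}/{len(rows)}",
        "stale_engines": stale,
        "clean_but_stale": clean_but_stale,
    }


def engines_naming(rows, family_token):
    """Engines whose verdict mentions a family token (case-insensitive), e.g. 'istbar'."""
    tok = family_token.lower()
    return [r["engine"] for r in rows if r["detected"] and tok in r["result"].lower()]


if __name__ == "__main__":
    rows = parse_report(REPORT)
    print(summarize(rows, "05.01.2006"))
    print("engines naming IstBar:", engines_naming(rows, "istbar"))
```

On this report the script gives 13 of 25 engines detecting, 9 of them naming the family IstBar (DrWeb's "Isbar" and the two "INService" names are the same sample under other labels), and only AntiVir with definitions older than a week, which still detects. So a "no virus found" here is not explained by stale signatures; that is exactly why the product-version question in the post above matters.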

amysheehan
MVM
join:1999-12-21
Chula Vista, CA

said by Jrb2:

quote:
Seeing that Symantec doesn't detect it at VirusTotal and having read the Symantec reply, I guess that I have to conclude that at the moment VirusTotal isn't using a Symantec product that supports security risks and/or that the Symantec scanner at VirusTotal isn't set to the max.

Mystery solved!
Thanks to a dear old friend who checked it (thanks Randy!!!).
NAV does indeed detect it; see screenshots.
The problem is this (maybe you knew it already):
VirusTotal uses an old version of Symantec Corporate: 8.0.
Home Editions of NAV (I understand version 2004 and higher) are using the expanded threats and security risk signatures in the database.
So, if you're using NAV then make sure that you're using the latest version.

Conclusion:
Scan results from VirusTotal cannot always be trusted.
(meaning: it might tell you that a scanner doesn't detect it, while it does detect it if you have the latest version)

Question:
Which other scanners at VirusTotal are using too old a version?

More info re Symantec products re the old scanning engine for SAV @ VirusTotal
FROM: Jan 17, 2006 News Release

»www.symantec.com/about/n ··· 60117_02

Customers using Norton Internet Security 2006, Norton AntiVirus 2006, Norton SystemWorks 2006, Symantec AntiVirus Corporate Edition 10.0, and Symantec Client Security 3.0 received an updated antivirus scanning engine automatically through their products' LiveUpdate feature throughout December. Users also received new Auto-Protect Spyware Blocking after being notified of a "critical update" and provided with instructions on how to manually download the package.

The updates also include new Auto-Protect Spyware Blocking, which enhances Symantec's ability to handle non-viral security risks by blocking spyware and adware applications before they are installed on a user's system.

More updated info from late April 2006 --
»www.symantec.com/about/n ··· 60327_02
redwolfe_98
Premium Member
join:2001-06-11

to Jrb2
jrb2, if you still have the file, can you submit it to etrust/ca?

according to virustotal, etrust didn't catch it..
Jrb2
Premium Member
join:2001-08-31

Hi redwolfe_98,

As far as I knew I had submitted it to CA, but didn't get a reply (well, that happens with most of the companies).
Just used their online page:
»www.my-etrust.com/Suppor ··· orm.aspx
This time I got an automatic reply from CA Security Advisor.
quote:
"ultimate_abt-sportsline-audi-allroad_pictures.exe" determined to be Clean Potentially Unwanted.
The file has been identified as ISTbar
While our researchers have analyzed the file and found nothing that could be considered malicious, it is possible that in particular circumstances this file may be unwanted. Adware, spyware and other, related types of application fall into this category.