追追追! 到底是哪家誤報msconfig??

發表時間: 2008-8-16 22:06 作者: vaio3388 來源: AVPClub Security Home

2008.08.14 05:04:43

http://www.virustotal.com/analis ... f3d7b02207131e3db07

當時有10家 AntiVirus 發現可疑威脅
分別是:

Avira             Worm/Brontok.DO
Avast             Win32:Trojan-gen {Other}
F-Secure          Email-Worm.Win32.Brontok.do
Fortinet          W32/Brontok.DO@mm
GData             Email-Worm.Win32.Brontok.do
Ikarus          Email-Worm.Win32.Brontok.do
Kaspersky       Email-Worm.Win32.Brontok.do
Prevx1          Worm
ViRobot          I-Worm.Win32.Brontok.163840
Webwasher-Gateway  Worm.Brontok.DO

2008.08.16 08:49:02

http://www.virustotal.com/zh-tw/ ... 4b3d31d12a5c39fbaee

目前有10家 AntiVirus 發現可疑威脅
分別是:

Avira             Worm/Brontok.DO
Avast             Win32:Trojan-gen {Other}
Fortinet          W32/Brontok.DO@mm
GData             Win32:Trojan-gen
Ikarus          Email-Worm.Win32.Brontok.do
Norman          W32/Rontokbro.GHE
Prevx1          Worm
Sunbelt          Email-Worm.Win32.Brontok.do
VBA32             Email-Worm.Win32.Brontok.do
Webwasher-Gateway  Worm.Brontok.DO

相隔2天發現一個現象

維持警報:
Avira             Worm/Brontok.DO
Avast             Win32:Trojan-gen {Other}
Fortinet          W32/Brontok.DO@mm
Ikarus             Email-Worm.Win32.Brontok.do
Prevx1             Worm
Webwasher-Gateway Worm.Brontok.DO

新增警報:
Norman  W32/Rontokbro.GHE
Sunbelt Email-Worm.Win32.Brontok.do
VBA32 Email-Worm.Win32.Brontok.do

取消警報:
*F-Secure Email-Worm.Win32.Brontok.do
*GData    Email-Worm.Win32.Brontok.do
*Kaspersky  Email-Worm.Win32.Brontok.do
ViRobot    I-Worm.Win32.Brontok.163840

*採用卡巴斯基 AVP引擎的廠商已經不警報了

而  GData  Email-Worm.Win32.Brontok.do (AVP引擎  改為不報)
GData  Win32:Trojan-gen (另一個Avast引擎警報!)

究竟是2天維持警報小紅傘...等  誤報?

還是取消警報  卡巴斯基...等 AVP引擎  誤報?

又或者  新增警報的Norman...等誤報?

期待有高手能釋疑!!

我也來說兩句 查看全部評論相關評論

sun88990 (2008-8-16 22:11:34)

Kaspersky Labs分析師最新回覆
Hello,

msconfig.exe_

No malicious code was found in this file.

Please quote all when answering.

--
Best regards, Vyacheslav Zakorzhevsky
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.
sun88990 (2008-8-16 22:32:36)

卡巴斯基又回覆了~
Hello.
This false alarm is already fixed.

Please quote all when answering.
-----------------
Regards, Vyacheslav Zakorzhevsky
Virus Analyst, Kaspersky Lab.

Ph.: +7(095) 797-8700
E-mail: newvirus@kaspersky.com
http://www.kaspersky.com http://www.viruslist.com
--
的確是誤報~
vaio3388 (2008-8-16 22:51:05)

QUOTE:
原帖由 sun88990 於 2008-8-16 22:32 發表
卡巴斯基又回覆了~
Hello.
This false alarm is already fixed.

Please quote all when answering.
-----------------
Regards, Vyacheslav Zakorzhevsky
Virus Analyst, Kaspersky Lab.

Ph.: +7(095) 7 ...
那麼以下這幾家都誤報囉
-------------------------------------------------
維持警報:
Avira             Worm/Brontok.DO
Avast             Win32:Trojan-gen {Other}
Fortinet          W32/Brontok.DO@mm
Ikarus             Email-Worm.Win32.Brontok.do
Prevx1             Worm
Webwasher-Gateway Worm.Brontok.DO

新增警報:
Norman  W32/Rontokbro.GHE
Sunbelt Email-Worm.Win32.Brontok.do
VBA32 Email-Worm.Win32.Brontok.do
sun88990 (2008-8-16 22:58:36)

是的~~~~~
我明天會上報給那些防毒廠商~
ㄚ一 (2008-8-16 23:16:25)

說不定根本就是之前賽門鐵克誤報的另一個翻版...
vaio3388 (2008-8-16 23:35:35)

QUOTE:
原帖由ㄚ一於 2008-8-16 23:16 發表
說不定根本就是之前賽門鐵克誤報的另一個翻版...
願聞其詳
謝謝!
uegajde (2008-8-17 08:35:20)

我已經回報給Avira了
sun88990 (2008-8-17 09:31:29)

又是交換樣本的下場?
uegajde (2008-8-17 09:46:51)

應該是吧.. 又不是我丟樣本給Avira害它誤報
我要怎麼知道Avira為何誤報這檔呢
而且Avira他們又不會跟我說為啥誤報.樣本又哪來的...
我有附上Kaspersky的回覆應該很快就修正了
(疑~我忘了假日他們有上班嗎?)

[ 本帖最後由 uegajde 於 2008-8-17 09:49 編輯 ]
integear (2008-8-17 10:06:21)

Sunbelt跟VBA32都是與Kaspersky有直接樣本交換的廠商(但是實驗證明VBA32確實會自行修改威脅特徵碼區位) .
sun88990 (2008-8-18 08:47:37)

Huey:

Thanks for reporting this false positive. It will be corrected in Monday's definitions release.

Best,

Eric L. Howes
Sunbelt Software
--
此誤報將於下次更新時修復.