Submitting Samples


Simon Clausen
01-13-2007, 06:15 PM
For those people interested in malware behavior you can submit sample files at http://www.pctools.com/threat-expert/submit/ -- they should be EXEs or DLLs, and Threat Expert will email you back a report of everything the file does on the system, like contacting servers, using exploits, downloading files, writing files and registry keys, installing drivers, services ... or rootkits, mass-mailing SPAM, installing backdoors, killing firewalls or antivirus apps, stealing CD-keys and game codes, keylogging, all sorts of good stuff.

We'd be happy to hear experiences.

Simon

solcroft
02-14-2007, 05:02 PM
First post. :D

It seems to be impossible to send an .exe file to Threat Expert. Any attempt to do so results in the following email being sent to my inbox:



BANNED message from you (multipart/mixed | application/x-msdownload,.exe,.exe-ms,ad1322.exe.bin)
From: "Content-filter at mx2.pctools.com" <postmaster@mx2.pctools.com>
To: <myemail@mydomain.com>
Cc:
Subject: BANNED message from you (multipart/mixed | application/x-msdownload,.exe,.exe-ms,ad1322.exe.bin)
Date: Wed, 14 Feb 2007 10:55:02 -0600 (CST)


BANNED CONTENTS ALERT

Our content checker found
banned name: multipart/mixed |
application/x-msdownload,.exe,.exe-ms,ad1322.exe.bin

in email presumably from you <myemail@mydomain.com>
to the following recipient:
-> tesubmit@mx2.pctools.com

Our internal reference code for your message is 27175-01/AZZ4jcqzExbK

According to a 'Received:' trace, the message originated at: [65.61.182.46],
www.pctools.com (localhost [127.0.0.1])

Return-Path: <myemail@mydomain.com>
Message-ID: <20070214165710.3D7FBDB8319@lb8.pctools.com>
Subject: Web Submission

Delivery of the email was stopped!

The message has been blocked because it contains a component
(as a MIME part or nested within) with declared name
or MIME type or contents type violating our access policy.

To transfer contents that may be considered risky or unwanted
by site policies, or simply too large for mailing, please consider
publishing your content on the web, and only sending an URL of the
document to the recipient.

Depending on the recipient and sender site policies, with a little
effort it might still be possible to send any contents (including
viruses) using one of the following methods:

- encrypted using pgp, gpg or other encryption methods;

- wrapped in a password-protected or scrambled container or archive
(e.g.: zip -e, arj -g, arc g, rar -p, or other methods)

Note that if the contents is not intended to be secret, the
encryption key or password may be included in the same message
for recipient's convenience.

We are sorry for inconvenience if the contents was not malicious.

The purpose of these restrictions is to cut the most common propagation
methods used by viruses and other malware. These often exploit automatic
mechanisms and security holes in more popular mail readers (Microsoft
mail readers and browsers are a common target). By requiring an explicit
and decisive action from the recipient to decode mail, the danger of
automatic malware propagation is largely reduced.


dsn_status

Reporting-MTA: dns; mx2.pctools.com
Received-From-MTA: smtp; mx2.pctools.com ([127.0.0.1])
Arrival-Date: Wed, 14 Feb 2007 10:54:58 -0600 (CST)

Final-Recipient: rfc822;tesubmit@mx2.pctools.com
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550-5.7.1 Rejected, id=27175-01 - BANNED:
    550-5.7.1 multipart/mixed |
    550 5.7.1 application/x-msdownload,.exe,.exe-ms,ad1322.exe.bin
Last-Attempt-Date: Wed, 14 Feb 2007 10:55:02 -0600 (CST)


header

Return-Path: <myemail@mydomain.com>
Received: from dlpostfix.pctools.com (b2.8.5446.static.theplanet.com
    [70.84.8.178])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mx2.pctools.com (Postfix) with ESMTP id B87153F823E
    for <tesubmit@threatexpert.com>; Wed, 14 Feb 2007 10:54:58 -0600 (CST)
Received: from lb8.pctools.com (lb8.pctools.com [65.61.182.46])
    by dlpostfix.pctools.com (Postfix) with ESMTP id 812ED76C3DA
    for <tesubmit@threatexpert.com>; Wed, 14 Feb 2007 10:57:10 -0600 (CST)
Received: from www.pctools.com (localhost [127.0.0.1])
    by lb8.pctools.com (Postfix) with SMTP id 3D7FBDB8319
    for <tesubmit@threatexpert.com>; Wed, 14 Feb 2007 16:57:10 +0000 (GMT)
From: "PC Tools Threat Expert" <myemail@mydomain.com>
To: "Threat Expert Submissions" <tesubmit@threatexpert.com>
Subject: Web Submission
Date: Wed, 14 Feb 2007 16:57:10 +0000
X-Mailer: XPM2 v.0.1 <www.xpertmailer.com>
Content-Type: multipart/mixed;
    boundary="=_bc925be53cecfb095171ae3c577f1241"
MIME-Version: 1.0
Message-Id: <20070214165710.3D7FBDB8319@lb8.
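
The bounce quoted above is the canned BANNED notice of an amavisd-new style content filter: it names the originating IP it worked out from the Received: trace, and the MIME type, extension and filename it matched. As an added example (not code from the thread or from PC Tools), the Python below reconstructs both from the bounce itself. HEADER_BLOCK and DSN_BLOCK are re-folded copies of the "header" and "dsn_status" parts quoted above (continuation lines re-indented so the parser sees them as folded headers; the truncated Message-Id and the From/To/Date lines are left out). The hop regex, the origin heuristic and the field names in the returned dicts are my own choices.

```python
"""Added example: reconstruct what the content filter reported in the bounce
above, from the Received: chain and the RFC 3464 delivery-status part."""
import ipaddress
import re
from email import message_from_string

# Re-folded copy of the bounce's "header" part (continuation lines re-indented).
HEADER_BLOCK = """\
Return-Path: <myemail@mydomain.com>
Received: from dlpostfix.pctools.com (b2.8.5446.static.theplanet.com
 [70.84.8.178])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx2.pctools.com (Postfix) with ESMTP id B87153F823E
 for <tesubmit@threatexpert.com>; Wed, 14 Feb 2007 10:54:58 -0600 (CST)
Received: from lb8.pctools.com (lb8.pctools.com [65.61.182.46])
 by dlpostfix.pctools.com (Postfix) with ESMTP id 812ED76C3DA
 for <tesubmit@threatexpert.com>; Wed, 14 Feb 2007 10:57:10 -0600 (CST)
Received: from www.pctools.com (localhost [127.0.0.1])
 by lb8.pctools.com (Postfix) with SMTP id 3D7FBDB8319
 for <tesubmit@threatexpert.com>; Wed, 14 Feb 2007 16:57:10 +0000 (GMT)
Subject: Web Submission
Content-Type: multipart/mixed;
 boundary="=_bc925be53cecfb095171ae3c577f1241"
MIME-Version: 1.0
"""

# Re-folded copy of the bounce's "dsn_status" part.
DSN_BLOCK = """\
Reporting-MTA: dns; mx2.pctools.com
Received-From-MTA: smtp; mx2.pctools.com ([127.0.0.1])
Arrival-Date: Wed, 14 Feb 2007 10:54:58 -0600 (CST)

Final-Recipient: rfc822;tesubmit@mx2.pctools.com
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550-5.7.1 Rejected, id=27175-01 - BANNED:
 550-5.7.1 multipart/mixed |
 550 5.7.1 application/x-msdownload,.exe,.exe-ms,ad1322.exe.bin
Last-Attempt-Date: Wed, 14 Feb 2007 10:55:02 -0600 (CST)
"""

# "from <helo> (<rdns> [<ip>]) ... by <host> ... id <queue-id>", as Postfix writes it.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^)]*)\).*?\bby\s+(?P<by>\S+).*?\bid\s+(?P<id>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SMTP_STATUS_RE = re.compile(r"\b\d{3}[- ]\d\.\d\.\d\s*")  # "550-5.7.1 " continuation prefixes


def parse_received(header_text):
    """Return the Received: hops, most recent first, as dicts."""
    hops = []
    for raw in message_from_string(header_text).get_all("Received", []):
        text = " ".join(raw.split())  # unfold the header
        m = HOP_RE.search(text)
        if not m:
            continue  # non-Postfix trace line: skip rather than guess
        ip = IP_RE.search(m.group("rdns"))
        hops.append({
            "helo": m.group("helo"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "id": m.group("id"),
            "date": text.rsplit(";", 1)[1].strip() if ";" in text else None,
        })
    return hops


def origin_ip(hops):
    """Walk from the oldest hop upward; return the first client address that is
    neither loopback nor private. Only meaningful when those hops were written
    by relays you trust, since anything below the first trusted hop can be forged."""
    for hop in reversed(hops):
        if hop["ip"] is None:
            continue
        addr = ipaddress.ip_address(hop["ip"])
        if not (addr.is_loopback or addr.is_private):
            return hop["ip"]
    return None


def parse_dsn(dsn_text):
    """Parse the per-recipient fields of an RFC 3464 delivery-status part and split
    the BANNED diagnostic into the MIME types / extensions / names the filter matched."""
    per_recipient = dsn_text.split("\n\n", 1)[1]  # per-message fields come first
    fields = message_from_string(per_recipient)
    diag = " ".join(fields.get("Diagnostic-Code", "").split())
    banned = []
    if "BANNED:" in diag:
        tail = SMTP_STATUS_RE.sub("", diag.split("BANNED:", 1)[1])
        banned = [p.strip() for p in re.split(r"[|,]", tail) if p.strip()]
    status = fields.get("Status") or ""
    return {
        "recipient": fields.get("Final-Recipient", "").split(";", 1)[-1].strip(),
        "action": fields.get("Action"),
        "status": status,
        "permanent": status.startswith("5."),  # 5.x.x: resending the same message is pointless
        "banned": banned,
    }
```

parse_received(HEADER_BLOCK) gives three hops, oldest last: www.pctools.com via localhost into lb8, lb8 (65.61.182.46) into dlpostfix, dlpostfix (70.84.8.178) into mx2. origin_ip skips the loopback hop and returns 65.61.182.46, the address the bounce names. parse_dsn(DSN_BLOCK) reports a permanent 5.7.1 policy rejection matched on multipart/mixed, application/x-msdownload, .exe, .exe-ms and the attachment name, which is why retrying the same .exe cannot succeed and only repackaging or a web upload can.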

Terces
02-17-2007, 03:02 PM
I get the same email message saying it was denied BECAUSE it was infected; I thought that was the point :D

I tried zipping it up with the password infected but then I received an email saying it will only take .exe and .dll's.

If anyone figures out how to correctly send a sample, please share!

AChen
02-20-2007, 03:16 AM
Hi solcroft & Terces,

We are sorry for the problems. This has now been fixed :) Could you please try resending these samples?

milker
05-22-2008, 11:15 AM
Is there any dependency between www.threatexpert.com and PC Tools AntiVirus?
Will samples sent to threatexpert be used to improve PC Tools AntiVirus virus detection?
What method should I use to send samples? Thanks.

AChen
05-23-2008, 05:26 AM
The samples submitted to TE will be added mostly into SD and some samples for the AV. You can send the samples in any format, zipped, .exe etc.

milker
05-23-2008, 10:23 AM
The samples submitted to TE will be added mostly into SD and some samples for the AV. You can send the samples in any format, zipped, .exe etc.
Why 'some'?
Why not 'most'?

And sending via the web form now does not work - after pressing 'submit' it hangs for ~75s and shows res://C:\WINNT\system32\shdoclc.dll/dnserror.htm (server not found or DNS error).

AChen
05-27-2008, 12:58 AM
There could be a connection problem between the client and the server - try using the submission applet: http://www.threatexpert.com/submissionapplet.aspx

'Some', not 'most' is because we receive thousands of new samples a day - we process them on our priority basis.

milker
05-28-2008, 10:43 AM
1. via proxy server
http://www.pctools.com/forum/attachment.php?attachmentid=1024&stc=1&d=1211971234

2. From W2K:
http://www.pctools.com/forum/attachment.php?attachmentid=1025&stc=1&d=1211971254

AChen
05-29-2008, 06:04 AM
Could you try copying the files onto your local drive and submitting them from there (not from the mapped drive)?

neomage
04-03-2009, 02:36 PM
The samples submitted to TE will be added mostly into SD and some samples for the AV. You can send the samples in any format, zipped, .exe etc.

They won't be used for ThreatFire then; it kind of sucks to collect samples from free users and not help them back. Anyway, how do I send multiple samples?

Chippa
04-06-2009, 03:45 AM
For ThreatFire, send it to the team @ http://www.threatfire.com/submitfile/

Chippa

khim
05-23-2009, 06:01 AM
You can also upload your files to mrc webpage. To go to the mrc upload section click here (http://www.pctools.com/mrc/submit/)

Hope it helps