Archive for September, 2008

Command line scanner GUI frontend

September 16th, 2008

One of the readers of this blog was nice enough to create a GUI frontend to Panda Antivirus Command Line (PAVCL). It's a small utility that's really useful for certain tasks. From the main window you can configure the scan, update the signature database, select what you want to scan and launch the scan. The results window shows both the progress output and the detection output, by selecting either Logs->All or Logs->Detections. The "View Message" option opens a resizable and more readable window showing the output.


From the configuration window you can select all the options that are available through command-line switches. You can also define where the report is written.


Finally, a short disclaimer: this freeware utility is neither developed nor supported by Panda Security. Its author can be reached by email at pavclgui[at] for suggestions and kudos.

Click on the following link to download the PAVCL GUI installer. The installer will create a directory on your desktop and copy both the PAVCL and PAVCL-GUI files. Simply run "pavcl gui.exe" from this directory.

The installer does not include a signature file (pav.sig) for size reasons. To download a free signature file from this blog (updated "whenever-I-have-a-chance") click on However within the PAVCL GUI utility you can enter your registered Panda CustomerID to download updated signatures on-demand.


UPDATE 9/23/2008 – Version 1.0.3 released:

Changes in this version:
- URL to pav.sig in config file is encrypted.
- Limited the credential field to 10 characters for security reasons.
- Added password-style text entry for credential passwords.
- Allowed additional action, to "report only" malware.
- Allowed additional arguments to be sent to pavcl.
- Removed redundant switches in "options" window.

You can download version 1.0.3 of the freeware PAVCL GUI installer and a not-so-frequently updated pav.sig from this page. As always kudos go to pavclgui[at] I'd like to thank the author for his continued effort and for providing this truly useful utility free of charge for the community.

Categories: Utils

Malware Prevalence August 2008

September 5th, 2008

During the month of August we've seen 8165 unique samples actively circulating and infecting users. These figures come mostly from people who use our online scanner Panda ActiveScan and have a variety of different AV products installed, as well as from our behavioral sensors. The vast majority of the people who use ActiveScan are Symantec, Nod32, McAfee, Kaspersky and AVG users. Out of the total seen infecting these users, only a portion are new and not seen in previous months, of which 82% are non-self-replicating Trojans while the rest are self-replicating viruses and worms. The following are the runtime packing properties and most active families whose new variants have been making the summer rounds.


August 2008 – Custom & Private

In our last obfuscation study, Packer (r)evolution, we saw an increase in the use of private or customized versions of packers being developed to evade AV signature detections. As a curiosity I've updated the study to see how this trend is evolving. For this purpose our colleague Satur created a tool called "Detector" for advanced packer identification, which specializes in specific, generic and custom packer identification but is also able to identify file infectors, polymorphism, installers and much more. The results are pretty amazing. In April 2008 we already saw an increase to over 30% of the packers being "private". This has exploded now, and in the August 2008 collection a whopping 75% of them are using non-mainstream runtime packing.

August 2008 – New Variants of Self-Replicating Virus/Worm Families

*** W32_Mandaph
*** W32_MSNPhoto
*** W32_Lineage
*** W32_IRCBot
** W32_Sohanat
** W32_Autorun
* W32_Bagle
* W32_Spamta
* W32_Socks
* W32_Sdbot
* W32_Rahack
* W32_Nuwar
* W32_MSNworm
* W32_Lineage
* W32_Kolabc
* W32_Gaobot

August 2008 – New Variants of Non-Self-Replicating Trojan Families

***** Spyware_Virtumonde
*** Trj_Lineage
*** Bck_IrcBot
*** Adware_Zenosearch
** Trj_dmRandom
** Trj_Agysteo
** Trj_Agent
** Adware_Netproject
** Adware_NaviPromo
** Adware_AntivirusXP2008
* VBS_Autorun.ABM
* Trj_Zlob
* Trj_Sinowal
* Trj_QQPass
* Trj_ProxyServer
* Trj_Proxy
* Trj_Passtealer
* Trj_Nabload
* Trj_Multidropper
* Trj_Mailfinder
* Trj_KillAV
* Trj_Gamania
* Trj_Exchanger
* Trj_Downloader
* Trj_DNSChanger
* Trj_Clicker
* Trj_Buzus
* Trj_Banker
* Trj_Banbra
* Trj_Alanchum
* Spyware_Vundo
* Rootkit_Lineage
* Dialer
* Bck_RedGirl
* Bck_Nuclear
* Bck_Hupigon
* Bck_Flooder
* Bck_Bifrose
* Bck_Agent
* Application_AntivirusXP2008
* Application_Antivirus2009
* Application_AntiSpyCheck
* Adware_Xpantivirus2008
* Adware_XPSecurityCenter
* Adware_XPAntivirusPro
* Adware_WinAntispyware2008
* Adware_VapSup
* Adware_RogueAntimalware2009
* Adware_RogueAntimalware2008
* Adware_MediaCodec
* Adware_JavaCore
* Adware_IEAntivirus
* Adware_IEAntiSpyware
* Adware_Antivirus2009
* Adware_Antivirus2008XP
* Adware_Antivirus2008Pro
* Adware_Antivirus2008
* Adware_Antispyware2008
* Adware_AntiSpyCheck
* Adware_Adsmart
* Adware_AVMaster

Categories: behavior analysis, Packers