Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

Submitting Virus Samples

How to Submit a Virus

So, you've found a virus that your current virus scanning program does not detect? Submit it! The steps below describe how to submit the virus to the various vendors out there. Be careful, though. It is recommended that you rename the viral file to a harmless extension (e.g. .txt) to avoid accidentally executing it.

Computer Associates (eTrust/InoculateIT)

Email: virus@ca.com
- Format Required: .zip
- ZIP Password: virus
Online Submission: Yes
Full Instructions: Yes
Other Instructions: Boot sector viruses

Computer Associates (eTrust EZ Antivirus)

Email: n/a
- Format Required: n/a
- ZIP Password: n/a
Online Submission: Yes
Full Instructions: Yes
Other Instructions: Boot sector viruses

Computer Associates (Vet)

Email: support@vet.com.au
- Format Required: .zip
- ZIP Password: virus
Online Submission: Yes
Full Instructions: Yes
Other Instructions: Boot sector viruses

DialogueScience (Dr. Web)

Email: n/a
- Format Required: n/a
- ZIP Password: n/a
Online Submission: Yes
Full Instructions: No
Other Instructions: n/a

Eset (NOD32)

Email: samples@nod32.com
- Format Required: n/a
- ZIP Password: n/a
Online Submission: No
Full Instructions: No
Other Instructions: n/a

F-Secure

Email: samples@f-secure.com
- Format Required: .zip
- ZIP Password: F-Secure asks for users to password their files, but does not specify which password to use. Include the used password in the submission email.
Online Submission: No
Full Instructions: Yes
Other Instructions: n/a

Network Associates (McAfee)

Email: virus_research@avertlabs.com
- Format Required: .zip
- ZIP Password: infected
Online Submission: Yes
Full Instructions: Yes
Other Instructions: n/a

Norman

Email: analysis@norman.no
- Format Required: .zip
- ZIP Password: Norman asks for users to password their files, but does not specify which password to use. Include the used password in the submission email.
Online Submission: No
Full Instructions: Yes
Other Instructions: n/a

Sophos

Email: support@sophos.com
- Format Required: n/a
- ZIP Password: n/a
Online Submission: No
Full Instructions: Yes
Other Instructions: n/a

Symantec (Norton)

Email: n/a
- Format Required: n/a
- ZIP Password: n/a
Online Submission: No
Full Instructions: No
Other Instructions: n/a
Note: Symantec recommends users submit viruses by entering them using "Scan and Deliver," built in to NAV.

Trend Micro

Email: n/a
- Format Required: n/a
- ZIP Password: n/a
Online Submission: Yes
Full Instructions: No
Other Instructions: n/a
Note: Trend Micro has been known to ignore submissions from users not running their products. However, in informal tests, selecting HouseCall (their online, free scanner) got a detection added, although in most cases no notification of the detection was received, and in some cases the submission was simply ignored.


Glossary

Email
This field indicates the email address that you should use to submit files. Please note that not all of these addresses have been verified as working; they are whatever address is indicated on the vendor's site for submissions.

Format Required
Many antivirus companies will only accept certain types of files during the submission process. The most common policy is to only allow .ZIP files through. .ZIP files are compressed, and also do not trigger gateway mail servers which disallow potentially dangerous files such as .EXE files, which viruses often come as. Although recent versions of Windows have a built-in .zip reader with many abilities, it is recommended that the common program WinZip is used. You can download a 30-day trial of the program here.

ZIP Password
In order to avoid corruption during the send, most antivirus companies that require .zip files also require that they be passworded. The following instructions require WinZip:
  1. Open WinZip
  2. If there is a splash screen, click "use evaluation version"
  3. Click NEW
  4. Under "save in," go to DESKTOP
  5. In "file name," type INFECTED.ZIP
  6. The ADD dialog should come up; navigate to the folder containing the infected file(s) and add them
  7. Go to the ACTIONS menu
  8. Go to ENCRYPT
  9. A message box may be displayed telling you of the disadvantages of encryption; click OK
  10. Enter whatever password the company you are submitting to requires
  11. Re-enter it for verification
  12. Ensure MASK PASSWORD and ZIP 2.0 COMPATIBLE ENCRYPTION are selected if the options are there
  13. Click OK
  14. An asterisk (*) should appear at the end of the name of the viral file(s) you are submitting; if it does not, redo steps 7-13
  15. Close WinZip and submit your file
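
The asterisk check in step 14 can also be done programmatically before the archive is attached to an email. The following is an added example, not part of the original article: it reads only the ZIP directory with Python's standard zipfile module and reports any entry that lacks the encryption flag or that uses AES (method 99) instead of ZIP 2.0 compatible encryption. The function names are illustrative, and the sample archive is constructed in memory with its encryption flag set by hand purely to exercise the check.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # bit 0 of the general-purpose flags: entry is encrypted
AES_METHOD = 99       # method value WinZip uses for AES entries (not ZIP 2.0)


def check_submission_archive(source):
    """Map each entry name to its protection status.

    `source` is a path such as INFECTED.ZIP or a binary file object.
    Only the ZIP directory is read; nothing is extracted or executed.
    """
    report = {}
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            if not info.flag_bits & ENCRYPTED_FLAG:
                report[info.filename] = "NOT ENCRYPTED"
            elif info.compress_type == AES_METHOD:
                report[info.filename] = "AES (not ZIP 2.0 compatible)"
            else:
                report[info.filename] = "ZIP 2.0 encrypted"
    return report


def ready_to_send(source):
    """True only if the archive has entries and all are ZIP 2.0 encrypted."""
    report = check_submission_archive(source)
    return bool(report) and all(s == "ZIP 2.0 encrypted" for s in report.values())


def build_sample(encrypted_flag=False):
    """Constructed test archive holding one harmless text entry.

    With encrypted_flag=True, bit 0 is set by hand in the local and central
    headers so the check can be exercised; the data is not really encrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("sample.txt", b"harmless placeholder, not malware")
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(signature) + flag_offset] |= ENCRYPTED_FLAG
    return io.BytesIO(bytes(data))


if __name__ == "__main__":
    for label, sample in (("plain", build_sample()), ("flagged", build_sample(True))):
        print(label, check_submission_archive(sample), ready_to_send(sample))
```

Run against the real archive with `ready_to_send("INFECTED.ZIP")`; a False result means at least one entry would travel unencrypted or in a format the instructions above do not call for.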


Online Submission
Some companies allow you to submit files via an online interface, while others use it as the only method of submission. This is probably the most convenient way of submitting files, although not all users may feel comfortable using these methods. Additionally, this method of submission allows for the user to remain virtually anonymous. However, response times may be somewhat slower (although typically it will be faster) and the user may have to visit a web site to get the outcome of the process if they do not enter an email address. Whether or not this is the best method depends on the situation and the user's wishes.

Full Instructions
Many antivirus vendors will post detailed instructions on how to use their individual submission venues, while others hardly provide any information whatsoever. This link indicates whether the vendor in question has such a detailed write-up available online, and allows access to it.

Other Instructions
Occasionally, antivirus vendors have some type of virus that they want to have submitted in an alternative manner. This is especially common with boot sector viruses from the MS-DOS days, which do not manifest themselves using a file.

Note
This section indicates any other miscellaneous things of note about the indicated vendor's submission process.


This document (c) 2004 Benjamin "Trafton" Johnstone-Anderson, and is sole property of Security Manifest. The text of this document is not to be edited or abridged, although portions may be quoted, unedited, from the original, as long as a link is given back to this content or the home page of Security Manifest. Modification of this document is a violation of U.S. copyright law. Reproductions of this document are to be distributed for educational purposes only, and under no circumstances will this document be sold. All copies of this document must contain this copyright in its entirety.

Comments

trafton said:

Did not see McAfee's 2nd point of contact for submission.
www.webimmune.net

Until I checked more carefully. (the "yes" behind online is a link)
# April 12, 2004 8:38 AM

trafton said:

The first link on this page should probably be that web site that I think you posted that submits the sample automatically to multiple AV vendors, and sends back scan results in a few seconds. I'm always forgetting that URL to that site, but it's been extremely helpful.
# December 10, 2004 8:16 AM

trafton said:

http://www.virustotal.com/flash/index_en.html

Above is a site which tests against multiple engines. Not sure whether it auto-submits. As I recall, I think it will.
# December 10, 2004 2:12 PM
