PANDA active scan detected virus NOD32 Missed!


USERANON
October 27th, 2005, 05:48 AM
I posted this originally in wrong section today, ooops!

Incident Status Location

Virus:W32/Sdbot.FKS.worm Disinfected C:\WINNT\system32\svch32.pif

This is the virus Panda AS found (ok so it's low threat) and NOD Missed. Why did it miss this? I am curious to hear the possible excuses "is your anti-virus set up correctly", "have you updated", "is AMON EMON DMON IMON set up", yada yada yada etc. My answer is Yes to ALL of these. I would be interested to find out why it missed it. I have already checked prices of Titanium with a view to purchasing it as I need an anti-virus that works!

flyrfan111
October 27th, 2005, 06:18 AM
Upload the file to Jotti's or Virustotal's online scanner, or Kaspersky's.

Marcos
October 27th, 2005, 06:59 AM
I'm not sure, but do you mean this one?

flyrfan111
October 27th, 2005, 07:09 AM
It would appear that his configuration was not set up correctly then.

GuruGuy
October 27th, 2005, 07:16 AM
What part of the configuration would have made NOD totally miss a known virus?

flyrfan111
October 27th, 2005, 07:20 AM
In this case not scanning .pif files, most likely; it would take messing with the defaults though, as it is an extension that is scanned even with defaults. Or possibly the license expired unbeknownst to the user. Until the OP returns we can't figure out what happened, though.

Marcos
October 27th, 2005, 07:54 AM
I assume his virus signature database was not up to date. What is ridiculous is the sentence " I am curious to hear the possible excuses "is your anti-virus set up correctly" "have you updated"... Though NOD32 has a perfect detection of new threats thanks to ThreatSense (generic detection, AH), it's still necessary to keep the signatures up to date for NOD32 to provide the best detection capabilities.

flyrfan111
October 27th, 2005, 08:00 AM
-{ Quote: "I assume his virus signature database was not up to date. What is ridiculous is the sentence " I am curious to hear the possible excuses "is your anti-virus set up correctly" "have you updated"... Though NOD32 has a perfect detection of new threats thanks to ThreatSense (generic detection, AH), it's still necessary to keep the signatures up to date for NOD32 to provide the best detection capabilities." }-

Waiting along with you Marcos, curious to hear the excuse myself. His initial response was to fly off in anger (which I have done a few times in the past myself btw).

USERANON
October 27th, 2005, 09:18 AM
-{ Quote: "I assume his virus signature database was not up to date. What is ridiculous is the sentence " I am curious to hear the possible excuses "is your anti-virus set up correctly" "have you updated"... Though NOD32 has a perfect detection of new threats thanks to ThreatSense (generic detection, AH), it's still necessary to keep the signatures up to date for NOD32 to provide the best detection capabilities." }-

Like all companies ESET is indeed in business to make profit and, like sooo many companies, we are gently informed that we have not configured our software correctly, or we are at fault somewhere else, all very patronising, so rather than get the old "have you set up correctly, yada yada yada" I thought I would save you the trouble. And, my licence is for 3 years and runs out in 2007. Next??????? Hmmmmm! And please all NOTE that I am not a BLOKE but a woman and before you criticise, I BUILT my PC from scratch (not from a barebones). I also troubleshoot others' (inc. 2 businesses') PCs as a hobby, so please do not patronise me for being another sex, I know what I am doing!!

GuruGuy
October 27th, 2005, 09:26 AM
Marcos,

When was the signature for that particular threat (virus) added to the definitions?

flyrfan111
October 27th, 2005, 10:05 AM
-{ Quote: "Like all companies ESET is indeed in business to make profit and, like sooo many companies, we are gently informed that we have not configured our software correctly, or we are at fault somewhere else, all very patronising, so rather than get the old "have you set up correctly, yada yada yada" I thought I would save you the trouble. And, my licence is for 3 years and runs out in 2007. Next??????? Hmmmmm! And please all NOTE that I am not a BLOKE but a woman and before you criticise, I BUILT my PC from scratch (not from a barebones). I also troubleshoot others' (inc. 2 businesses') PCs as a hobby, so please do not patronise me for being another sex, I know what I am doing!!" }-

No one is criticizing you. Marcos was responding to a perceived insult to his company, which appears to be without reason, as the file was detected by NOD on Virustotal's scanner (as well as by almost every other AV), so that seems to show that your NOD settings are not correct or there is some other problem causing it not to be detected. When you begin a post with an aggressive/sarcastic tone you should be prepared to receive an answer in a similar tone. Are you sure your settings are correct? Is NOD fully updated? Is it running? There are many unanswered questions that could explain this; there is obviously a problem that needs to be fixed.

fredra
October 27th, 2005, 10:40 AM
Hi Useranon
I didn't interpret that anyone is patronizing you.... all three, so far (Marcos, flyrfan111 & GuruGuy) are trying to help and pinpoint the cause.
Let's see if we can be less caustic :) and would you be able to provide us with more relevant information so we can all (collectively) find a solution for this situation.
Thanks
Cheers :)

rumpstah
October 27th, 2005, 11:02 AM
Hi USERANON:

Has the file been sent to Eset for analysis (sample(s) at eset.com)? It may be broken and not pose a threat.

flyrfan111
October 27th, 2005, 11:04 AM
It was detected by NOD at Virustotal but not on the user's system.

Firecat
October 27th, 2005, 11:16 AM
Perhaps the file is a damaged one, due to which NOD did not detect it?

Joliet Jake
October 27th, 2005, 11:22 AM
Sits back with a large coke and bag of popcorn ;)

USERANON
October 27th, 2005, 11:37 AM
-{ Quote: "Hi USERANON:

Has the file been sent to Eset for analysis (sample(s) at eset.com)? It may be broken and not pose a threat." }-

Hello, sorry to sound acidic but I am so peed off with this not being detected. No, I did not send it, as it did not show up in my NOD logs/quarantine/detected/sent for analysis. I saved the Panda ActiveScan log but it only saves as a .TXT or .DOC. And it did show as a threat when I ActiveScanned (!?). I only use the Panda AS as a backup to check all is ok once a month.

Below are my nod definitions, showing clearly it is up to date.

Apologies to all but it's a bu**er of a shock to find you have a damn worm aboard!

NOD32 antivirus system information
Virus signature database version: 1.1266 (20051026)
Dated: 26 October 2005
Virus signature database build: 6267

Information on other scanner support parts
Advanced heuristics module version: 1.021 (20050930)
Advanced heuristics module build: 1092
Internet filter version: 1.001 (20031104)
Internet filter build: 1012
Archive support module version: 1.034 (20050902)
Archive support module build version: 1132

Information about installed components
NOD32 For Windows NT/2000/XP/2003 - Base
Version: 2.50.25
NOD32 For Windows NT/2000/XP/2003 - Internet support
Version: 2.50.25
NOD32 for Windows NT/2000/XP/2003 - Standard component
Version: 2.50.25

Operating system information
Platform: Windows 2000
Version: 5.0.2195 Service Pack 4
Version of common control components: 5.81.4916
RAM: 1024 MB
Processor: AMD Athlon(tm) XP 3000+ (2091 MHz)

flyrfan111
October 27th, 2005, 11:49 AM
Ok, we all understand how frustrating it is, and yes it does suck to have to deal with, but hang in there and bear with us. Do you still have the file as originally detected? Or did Panda AS already clean/delete it? If it is still uncleaned please send it to samples@eset.com following these instructions:

To submit a suspicious file to Eset for analysis, please carry on as follows:

* compress the file(s) into a zip or rar archive, protect it with the password "infected"
* attach the archive to an email message
* send the message with the attachment to samples@eset.com


Also include a link to this thread in the email. This will help determine if it is possibly damaged and non-functional, which could account for it not being detected. We will go from there when Eset takes a look at the file.

Marcos
October 27th, 2005, 11:53 AM
If your NOD32 was up to date as your log shows, there's no reason why it wouldn't have been picked up unless it was corrupted and non-functional. The best would be if you could submit it to samples@eset.com for analysis as Flyrfan111 suggested above.

GuruGuy
October 27th, 2005, 12:06 PM
And back to my question:

Marcos,
When did NOD add this to the definitions?


OP,
When did you scan with Panda and find this virus? Perhaps it wasn't in NOD's defs when you scanned...

flyrfan111
October 27th, 2005, 12:10 PM
A Google search on svch32.pif found that the file has no known legitimate purpose; it is not part of Windows 2000, and it is installed by 2 different trojans. First detected in May of '05, it is now detected by most AVs, ATs and some AS apps. Not sure when Eset added the detection. The only explanations I can think of prior to seeing if the file is damaged are: something wrong with settings, NOD being disabled somehow, or a file system problem preventing proper extension ID if you don't have all files being scanned.

FanJ
October 27th, 2005, 12:21 PM
-{ Quote: "
Below are my nod definitions, showing clearly it is up to date.


NOD32 antivirus system information
Virus signature database version: 1.1266 (20051026)
Dated: 26 October 2005
Virus signature database build: 6267

Information on other scanner support parts
Advanced heuristics module version: 1.021 (20050930)
Advanced heuristics module build: 1092
Internet filter version: 1.001 (20031104)
Internet filter build: 1012
Archive support module version: 1.034 (20050902)
Archive support module build version: 1132

Information about installed components
NOD32 For Windows NT/2000/XP/2003 - Base
Version: 2.50.25
NOD32 For Windows NT/2000/XP/2003 - Internet support
Version: 2.50.25
NOD32 for Windows NT/2000/XP/2003 - Standard component
Version: 2.50.25

Operating system information
Platform: Windows 2000
Version: 5.0.2195 Service Pack 4
Version of common control components: 5.81.4916
RAM: 1024 MB
Processor: AMD Athlon(tm) XP 3000+ (2091 MHz)" }-

Hi,

Sorry for interrupting :-[

I was wondering about these versions of your NOD32:
Internet filter version: 1.001 (20031104)
Internet filter build: 1012

I have (on W98SE):
Internet filter version: 1.002 (20040708)
Internet filter build: 1013

flyrfan111
October 27th, 2005, 12:29 PM
Oops, missed that, but it shouldn't be a factor; it possibly could explain it getting onto the system, as IMON might have missed it, but AMON should have picked it up. It also seems from Panda's description that they just added detection of it on the 20th of Oct.

Marcos
October 27th, 2005, 12:37 PM
The Internet filter module is actually a packet worm scanner against Code Red and similar worms exploiting bugs in operating systems; it has nothing to do with HTTP/POP3 scanning.

FanJ
October 27th, 2005, 12:43 PM
-{ Quote: "The Internet filter module is actually a packet worm scanner against Code Red and similar worms exploiting bugs in oper. systems, it has nothing to do with HTTP/POP3 scanning." }-

Thanks for the info Marcos !

Sorry for interrupting in the thread !

flyrfan111
October 27th, 2005, 12:55 PM
Thanks for setting me straight Marcos, I always thought it was for IMON.

Marcos
October 27th, 2005, 01:07 PM
At any rate, nobody's perfect, not even Panda, as you can see below. I scanned a new worm being spread (btw, it doesn't seem to be Mydoom as detected by one of the AVs).

alglove
October 27th, 2005, 02:18 PM
Getting back to the original question...
-{ Quote: "Virus:W32/Sdbot.FKS.worm Disinfected C:\WINNT\system32\svch32.pif

This is the virus Panda AS found (ok so it's low threat) and NOD Missed. Why did it miss this?" }-
My excuse guess is that NOD32 uses a different signature to detect the virus than Panda does. Let us suppose that 5 bytes inside the file were changed from the "original" version of the virus. This difference may be why NOD32 does not catch it, but Panda does.

However... would the file on your computer actually do anything when executed? If changing those 5 bytes "broke" the virus, then the file is not exactly a live virus anymore, though it may resemble one. In this case, one could say that NOD32 is correct in not labeling this a virus. On the other hand, if the file actually would do something when executed, then Panda is correct, and NOD32 needs to update their definitions.

This is why we want you to submit the file. If the file does turn out to be dangerous, then Eset can update/fix their definitions.

USERANON
October 27th, 2005, 02:27 PM
-{ Quote: "Ok , we all understand how frustrating it as, and yes it does suck to have to deal with but hang in there and bear with us. Do you still have the file as originally detected? or did Panda' AS already clean/delete it? If it is still uncleaned please send it to samples@eset.com following these instructions;" }-

Hi there.

Panda AS deleted it immediately so I could not send it to NOD.

Also, I have the settings on default, never played with them, it has always picked everything else up. My setup sends for analysis by default too. I did the panda scan approximately an hour after booting up and NOD should have picked it up! I am gobsmacked that a FREEWARE tool found this and my purchased software did not!

USERANON
October 27th, 2005, 02:35 PM
Please see below regarding sending the file for analysis. Can't be done! The Panda AS deleted it immediately upon detection.

-{ Quote: "My excuse guess is that NOD32 uses a different signature to detect the virus than Panda does. Let us suppose that 5 bytes inside the file were changed from the "original" version of the virus. This difference may be why NOD32 does not catch it, but Panda does.

However... would the file on your computer actually do anything when executed? If changing those 5 bytes "broke" the virus, then the file is not exactly a live virus anymore, though it may resemble one. In this case, one could say that NOD32 is correct in not labeling this a virus. On the other hand, if the file actually would do something when executed, then Panda is correct, and NOD32 needs to update their definitions.

This is why we want you to submit the file. If the file does turn out to be dangerous, then Eset can update/fix their definitions." }-

alglove
October 27th, 2005, 02:49 PM
-{ Quote: "Please see below regarding sending the file for analysis. Can't be done! the Panda AS deleted it immediately upon detection" }-
Ahhh, so I see. Oh, well.

Panda's ActiveScan uses the same signature set (or at least a subset) as their full antivirus programs. ActiveScan does not monitor the computer continuously like their full antivirus packages do. That is one reason Panda gives away ActiveScan for free... to get you interested in their full products. Hmmm, it seems to be working... :lurking:

Panda does have evaluation versions of their software you can download from their website. I believe they are 30 day trials. Look in the "Downloads" section.

YeOldeStonecat
October 27th, 2005, 03:05 PM
Still seems to be missing this point...that it's possibly a harmless broken/corrupted file.

-{ Quote: "Getting back to the original question...

My excuse guess is that NOD32 uses a different signature to detect the virus than Panda does. Let us suppose that 5 bytes inside the file were changed from the "original" version of the virus. This difference may be why NOD32 does not catch it, but Panda does.

However... would the file on your computer actually do anything when executed? If changing those 5 bytes "broke" the virus, then the file is not exactly a live virus anymore, though it may resemble one. In this case, one could say that NOD32 is correct in not labeling this a virus. On the other hand, if the file actually would do something when executed, then Panda is correct, and NOD32 needs to update their definitions.

This is why we want you to submit the file. If the file does turn out to be dangerous, then Eset can update/fix their definitions." }-

fredra
October 27th, 2005, 04:02 PM
To track down or find this file (svch32.pif) I decided to get some information on it before I try to get the infected file.
It would appear that if the machine has been patched, then the W32/Rbot-ASZ worm would not be able to exploit the vulnerabilities. However, that being said, I will try to "get" the file so I can send it off to Eset.
Cheers :)

This blurb is taken from the SOPHOS web site.
------------------------------------------------------------
This section is for technical experts who want to know more.
W32/Rbot-ASZ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-ASZ may spread to remote network shares with weak passwords or by exploiting any of the following system vulnerabilities: RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1 (MS04-007).
W32/Rbot-ASZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Rbot-ASZ copies itself to <System>\svch32.pif.
The following registry entries are created to run svch32.pif on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SVCH Service = svch32.pif
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVCH Service = svch32.pif
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\SVCH Service = svch32.pif
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\SVCH Service = svch32.pif
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa\SVCH Service = svch32.pif
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SVCH Service = svch32.pif
HKCU\Software\Microsoft\OLE\SVCH Service = svch32.pif
HKLM\SOFTWARE\Microsoft\Ole\SVCH Service = svch32.pif
------------------------------------------------------------------
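A read-only check for the artifacts the Sophos write-up above lists, added here as an example; it is not code from the thread, from Sophos or from ESET. It is PowerShell, assumes it runs on the Windows host under review, and only reports the svch32.pif file and the "SVCH Service" registry values without removing anything.

```powershell
# Added example (not from the thread, Sophos or ESET): report the file and registry
# artifacts the W32/Rbot-ASZ write-up lists. Read-only; run on the host under review.

$valueName = 'SVCH Service'
$fileName  = 'svch32.pif'

# Registry keys named in the write-up (PowerShell drive notation: HKCU:\ / HKLM:\)
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKCU:\Software\Microsoft\OLE',
    'HKLM:\SOFTWARE\Microsoft\Ole'
)

# Properties Get-ItemProperty adds that are not registry values
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = @()

# 1. The dropped copy under <System> (C:\WINNT\system32 on the poster's Windows 2000 box)
$sysFile = Join-Path $env:SystemRoot ('System32\' + $fileName)
if (Test-Path -LiteralPath $sysFile) {
    $item = Get-Item -LiteralPath $sysFile -Force
    $findings += New-Object PSObject -Property @{
        Type     = 'File'
        Location = $sysFile
        Detail   = "size=$($item.Length) modified=$($item.LastWriteTime)"
    }
}

# 2. A value named 'SVCH Service' in any listed key, or any value there whose data
#    mentions svch32.pif (catches the same payload registered under another name)
foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $data = "$($p.Value)"
        if ($p.Name -eq $valueName -or $data -like "*$fileName*") {
            $findings += New-Object PSObject -Property @{
                Type     = 'Registry'
                Location = "$key\$($p.Name)"
                Detail   = "data=$data"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No svch32.pif / '$valueName' artifacts found in the checked locations."
} else {
    Write-Output "Possible W32/Rbot-ASZ artifacts (verify before removing anything):"
    $findings | Select-Object Type, Location, Detail | Format-Table -AutoSize
}
```

A hit on the Lsa or OLE keys alone is a weaker signal than a Run/RunServices autostart entry, so cross-check the file's existence and timestamps before concluding the host is infected.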

Marcos
October 27th, 2005, 04:29 PM
If it's already detected by NOD32, there's no need to send it as we already have one.

Blackspear
October 27th, 2005, 05:45 PM
-{ Quote: "Also, I have the settings on default, never played with them..." }-BINGO, we have a winner, by default everything marked in the following screenshot is not scanned.

Have a run through this thread (http://www.wilderssecurity.com/showthread.php?t=37509) in regards to tweaking Nod32.

Cheers ;D

alglove
October 27th, 2005, 06:00 PM
I don't know about the use of the term "winner" here.... :-X Which of those non-default items would account for this particular virus going undetected, assuming that we are not dealing with a damaged or mutated version of the virus?

GuruGuy
October 27th, 2005, 06:26 PM
I asked the same thing in post #5

BenoitG
October 27th, 2005, 08:32 PM
-{ Quote: "And back to my question:

Marcos,
When did NOD add this to the definitions?


OP,
When did you scan with Panda and find this virus? Perhaps it wasn't in NOD's def's when you scanned........." }-


Sorry to jump in, but after looking at the ESET web site, this threat was added in v. 1.10.30 on 2005-03-19.

I have not used NOD32 for long but so far I love it.

Albinoni
October 27th, 2005, 10:08 PM
And my question to ask you here is why did Panda miss a lot of viruses that NOD didn't? Let's say it did miss this virus; does that make NOD a bad product? Ok so you say stuff NOD because it misses one virus; what will happen when you buy (assume you do) Panda and it misses one or more viruses, then will you jump back to NOD, Kaspersky, McAfee, NAV, whatever?

Let me say something here and make it very clear with you. There is NO SUCH THING as 100% foolproof AV software, but let me assure you there are AV software products out there that do a better job than others, and I can assure you that NOD32 does a better job than Panda and also many others for sure.

USERANON
October 30th, 2005, 06:09 AM
-{ Quote: "And my question to ask you here is why did Panda miss a lot of viruses that NOD didn't? Let's say it did miss this virus; does that make NOD a bad product? Ok so you say stuff NOD because it misses one virus; what will happen when you buy (assume you do) Panda and it misses one or more viruses, then will you jump back to NOD, Kaspersky, McAfee, NAV, whatever?

Let me say something here and make it very clear with you. There is NO SUCH THING as 100% foolproof AV software, but let me assure you there are AV software products out there that do a better job than others, and I can assure you that NOD32 does a better job than Panda and also many others for sure." }-

Oh DO calm down dear, no need to get soooo emotional about things! ESET can't be paying you that much surely!?? It is a common virus and I should NOT be suffering from such a common virus, let's face it Nod b***sed up! NO more LAME EXCUSES PLEASE!

I WILL stay with NOD only because I have tried all the other "BIG GUNS" and NOD has proved the best. But ESET I am having to FORMAT my hard drive THANK YOU, NOT!

RejZoR
October 30th, 2005, 06:16 AM
Format the drive just because of one SdBot? That's new to me...

beetlejuice69
October 30th, 2005, 07:23 AM
-{ Quote: "Format the drive just because of one SdBot? That's new to me..." }-

Well, that's new to me too. :)

USERANON
October 30th, 2005, 01:18 PM
-{ Quote: "Format the drive just because of one SdBot? That's new to me..." }-

I am afraid there is something more malevolent on my machine, in the first instance I thought "ok, nothing major, no real harm done" but now I am noticing explorer errors, needs to be restarted all the time, now I am having problems using my web editor. I am also getting a lot of unknown connection errors. I am assuming that there is something more afoot. So, hence the format. Bye

Firecat
October 30th, 2005, 07:20 PM
-{ Quote: "I am afraid there is something more malevolent on my machine, in the first instance I thought "ok, nothing major, no real harm done" but now I am noticing explorer errors, needs to be restarted all the time, now I am having problems using my web editor. I am also getting a lot of unknown connection errors. I am assuming that there is something more afoot. So, hence the format. Bye" }-
Panda's ActiveScan may not have deleted the registry entries that the SdBot may have created/modified, due to which you may be facing this problem.

Joliet Jake
October 30th, 2005, 07:56 PM
Tell her to do another Panda online scan.

Firecat
October 30th, 2005, 08:07 PM
USERANON, Do try F-Secure's online scanner too:

http://support.f-secure.com/enu/home/ols.shtml

Marcos
October 31st, 2005, 01:03 AM
Why resort to formatting the HDD and not send a log from HijackThis to Eset's support for analysis?

vincent_vh
October 31st, 2005, 03:10 AM
To USERANON:
(1) Don't stress so much. It appears NOD32 does recognize your little bug. So be open to look at the fact there may be something wrong with your configuration.
(2) You may think about buying another AV solution... but are you sure it'll do better? Don't expect ANY solution to be 100% bulletproof. I still think NOD32 is one of the best performing AVs detection-wise (and I don't even use it myself... I just evaluated it).
(2bis) You may ask why I don't use it then... well, because I don't run the company I work for. And also there seem to be some/'a lot' of installation/stability problems. That's OK (= manageable) for 1 personal computer but not if I have to manage hundreds of computers.

To all:
And what if it was a false positive from Panda ;D ...

pc-support
October 31st, 2005, 03:16 AM
-{ Quote: "I am afraid there is something more malevolent on my machine, in the first instance I thought "ok, nothing major, no real harm done" but now I am noticing explorer errors, needs to be restarted all the time, now I am having problems using my web editor. I am also getting a lot of unknown connection errors. I am assuming that there is something more afoot. So, hence the format. Bye" }-

~snip~ let's keep the personal comments out of this please ~ Blackspear

Why not set up NOD as per Blackspear's very-easy-to-follow instructions, do a scan and let us know what other rubbish you have on your pc? ::)

Marcos
October 31st, 2005, 04:30 AM
NOD32 should detect all threats with default settings. If you want NOD32 to do a complete scan of all files (including archives), you need to enable the appropriate option in the on-demand scanner setup, or run an in-depth scan as AMON would not pick up threats packed in archives which are actually harmless at this point.