Trojan not detected


beenthereb4
July 20th, 2006, 08:35 AM
This trojan is not detected by Nod32 and sat on my computer for a while:

181497

pykko
July 20th, 2006, 08:38 AM
Send it for analysis to sample [at] nod32.com. ;)

Blackspear
July 20th, 2006, 08:51 AM
From VGrep:

ALWIL [undetected]
CA InoculateIT [undetected]
CA VET [undetected]
Doctor Web Trojan.MulDrop.3765
ESET Win32/TrojanDownloader.Delf.NIN
Fortinet [undetected]
Frisk Software [undetected]
GRISoft Downloader.Generic2.JU
H+BEDV [undetected]
IKARUS [undetected]
Kaspersky Lab Trojan-Downloader.Win32.Delf.aef
McAfee [undetected]
Microsoft [undetected]
Norman W32/Delf.JPY
Panda [undetected]
SOFTWIN [undetected]
Sophos [undetected]
Symantec Downloader.Trojan
Trend Micro PAK_Generic.001
VirusBuster [undetected]

Blackspear.

beenthereb4
July 20th, 2006, 09:13 AM
Regardless of Vgrep, Nod32 did not detect it - even with your settings. A scan by Norton (in BartPE) found it and VirusTotal confirmed it.

Blackspear
July 20th, 2006, 09:24 AM
-{ Quote: "Regardless of Vgrep, Nod32 did not detect it - even with your settings. A scan by Norton (in BartPE) found it and VirusTotal confirmed it." }-

Send the sample to Eset; it may simply be broken, and only analysis will determine the outcome.

Blackspear.

Inspector Clouseau
July 20th, 2006, 09:27 AM
Since you have no contact option via PM, I have to reply here too. Please send this file to me too. Thanks.

beenthereb4
July 20th, 2006, 01:05 PM
-{ Quote: "Since you have no contact option via PM i have to reply here too. Send this file please to me too. Thanks" }-

I sent the sample to you and Eset. It will come from "joesdump", let me know if it does not make it.

Inspector Clouseau
July 20th, 2006, 01:38 PM
Got it. Thanks.

Blackspear
July 20th, 2006, 07:45 PM
-{ Quote: "Got it. Thanks." }-

So Inspector, what's the outcome?

Cheers ;D

Detox
July 20th, 2006, 07:59 PM
-{ Quote: "So Inspector, what's the outcome?

Cheers ;D" }-

The outcome is as follows

-{ Quote: "Inspector Clouseau has much love for Detox." }-

pykko
July 21st, 2006, 04:31 AM
-{ Quote: "From VGrep:

ALWIL [undetected]
CA InoculateIT [undetected]
CA VET [undetected]
Doctor Web Trojan.MulDrop.3765
ESET Win32/TrojanDownloader.Delf.NIN
Fortinet [undetected]
Frisk Software [undetected]
GRISoft Downloader.Generic2.JU
H+BEDV [undetected]
IKARUS [undetected]
Kaspersky Lab Trojan-Downloader.Win32.Delf.aef
McAfee [undetected]
Microsoft [undetected]
Norman W32/Delf.JPY
Panda [undetected]
SOFTWIN [undetected]
Sophos [undetected]
Symantec Downloader.Trojan
Trend Micro PAK_Generic.001
VirusBuster [undetected]

Blackspear." }-

Well, the third result is:
ALWIL [undetected]
H+BEDV TR/Dldr.Delf.aef.1
GRISoft Downloader.Generic2.MV
Kaspersky Lab Trojan-Downloader.Win32.Delf.aef
SOFTWIN Trojan.Downloader.Delf.AEF
Doctor Web [undetected]
Frisk Software security risk named W32/Downloader.WSM
McAfee Downloader-ABT
Fortinet W32/Delf.AEF!tr.dldr
Microsoft [undetected]
Symantec Downloader.Trojan
ESET [undetected]
Norman W32/Delf.IQY
Trend Micro TROJ_Generic
??? Anyway, I've noticed that Kaspersky has a name for a particular piece of malware, and if you search for it on VGrep it finds many results: other vendors name it differently, but KAV names it the same.

NOD32 user
July 21st, 2006, 04:40 AM
-{ Quote: "Well, the third result is:
ALWIL [undetected]
H+BEDV TR/Dldr.Delf.aef.1
GRISoft Downloader.Generic2.MV
Kaspersky Lab Trojan-Downloader.Win32.Delf.aef
SOFTWIN Trojan.Downloader.Delf.AEF
Doctor Web [undetected]
Frisk Software security risk named W32/Downloader.WSM
McAfee Downloader-ABT
Fortinet W32/Delf.AEF!tr.dldr
Microsoft [undetected]
Symantec Downloader.Trojan
ESET [undetected]
Norman W32/Delf.IQY
Trend Micro TROJ_Generic
??? Anyway, I've noticed that Kaspersky has a name for a particular piece of malware, and if you search for it on VGrep it finds many results: other vendors name it differently, but KAV names it the same." }-

Yes, but still, have we heard if it even should be detected? I certainly haven't.

ASpace
July 21st, 2006, 04:49 AM
Pykko, as Marcos has said many times, we should trust only VirusTotal, as it provides the most accurate results.

pykko
July 21st, 2006, 04:53 AM
yes, I know that! ;)

pc-support
July 21st, 2006, 05:02 AM
-{ Quote: "Send this file please to me too. Thanks" }-
Ermm... As this is a NOD support forum and IC is no longer an ESET employee and now works for one of their competitors, should we really be sending him/F-PROT these files? Shouldn't he be asking/looking in an F-PROT forum somewhere?

ASpace
July 21st, 2006, 05:05 AM
-{ Quote: "Ermm... As this is a NOD support forum and IC is no longer an ESET employee and now works for one of their competitors, should we really be sending him/F-PROT these files? Shouldn't he be asking/looking in an F-PROT forum somewhere?" }-

Although it is off-topic, please reread the whole thread carefully and I am sure you'll find the answer ;)

pc-support
July 21st, 2006, 05:11 AM
-{ Quote: "Although it is off-topic, please reread the whole thread carefully and I am sure you'll find the answer ;)" }-

Okay, I have re-read the post and yes, IC couldn't contact the original poster directly, so he asked him to contact him through the forum.

I made my comment as a general observation, not specifically related to this post.

ASpace
July 21st, 2006, 05:15 AM
-{ Quote: "Okay, I have re-read the post and yes, IC couldn't contact the original poster directly, so he asked him to contact him through the forum.

I made my comment as a general observation, not specifically related to this post." }-

No, no, you didn't understand what I meant. Something completely different, but let's stop it because I might get banned ;D ;D ;D It is off-topic :)

NOD32 user
July 21st, 2006, 05:21 AM
As I think has been posted elsewhere and also IMHO, IC is most welcome to participate in these forums. His expertise is indeed appreciated and, although he may now work for a different vendor, there remains a good friendship with ESET. If he wishes a sample he is far more than just qualified to ask for one, once more JMHO.

Cheers :)

RejZoR
July 21st, 2006, 08:17 AM
IC is still a top expert in malware, so I don't see the slightest reason why they shouldn't send him those files if he requests them. Besides, he left ESET for other (personal) reasons. Those in "doubt" should read his blog more often...

Blackspear
July 21st, 2006, 08:36 AM
-{ Quote: "As I think has been posted elsewhere and also IMHO, IC is most welcome to participate in these forums. His expertise is indeed appreciated and, although he may now work for a different vendor, there remains a good friendship with ESET. If he wishes a sample he is far more than just qualified to ask for one, once more JMHO." }-

I will second this :thumb:

Simply because Michael has gone elsewhere for personal reasons does not make him the enemy. If a friend leaves your work and goes to work for the opposition, do you stop having a beer with him at the local pub? What he knows on a pin-head is 1000 times more than what I know.

The Inspector is certainly most welcome here.

Blackspear.

Bubba
July 21st, 2006, 08:44 AM
In addition to what BS said:

The discussion and/or questioning of whether a former employee of Eset should be entitled to post in a Nod32 thread requesting an e-mail sample is also... seriously off topic in this thread and this forum.

If you wish to debate this topic further, feel free to start a dedicated thread in an appropriate forum here, as it may be important enough to some as of general interest. Otherwise, let's stay on the nominal topic, please.

Bubba

beenthereb4
July 21st, 2006, 08:44 AM
-{ Quote: "I will second this :thumb:

Simply because Michael has gone elsewhere for personal reasons does not make him the enemy. If a friend leaves your work and goes to work for the opposition, do you stop having a beer with him at the local pub? What he knows on a pin-head is 1000 times more than what I know.

The Inspector is certainly most welcome here.

Blackspear." }-

And it is Eset's stated policy to share its samples - as all the most ethical companies do.

pykko
July 21st, 2006, 09:02 AM
-{ Quote: "And it is Eset's stated policy to share its samples - as all the most ethical companies do." }-

Have you rescanned your sample now, beenthereb4?
Your scanning result is from v. 1.1668 and now NOD32 has been updated to 1.1672. Maybe they've added something. The latest version contains 2 signatures for Win32/Trojan.Downloader.Delf. See here (http://nod32sse.hotserv.dk/view.php?id=1486&highlight=Win32/TrojanDownloader.Delf) :)

pc-support
July 21st, 2006, 11:00 AM
-{ Quote: "And it is Eset's stated policy to share its samples - as all the most ethical companies do." }-

And that's the bit that I forgot about. Sorry IC and anyone else who was upset/offended etc.

beenthereb4
July 21st, 2006, 11:33 AM
-{ Quote: "Have you rescanned your sample now, beenthereb4?
Your scanning result is from v. 1.1668 and now NOD32 has been updated to 1.1672. Maybe they've added something. The latest version contains 2 signatures for Win32/Trojan.Downloader.Delf. See here (http://nod32sse.hotserv.dk/view.php?id=1486&highlight=Win32/TrojanDownloader.Delf) :)" }-

Still produces the identical scan results.

Firecat
July 21st, 2006, 12:11 PM
-{ Quote: "Send the sample to Eset; it may simply be broken, and only analysis will determine the outcome.

Blackspear." }-

I doubt it is a corrupted file, though it is possible NOD32 will detect the trojans that are downloaded by this file.

pykko
July 23rd, 2006, 03:45 AM
Hope so, Firecat.