Eset mail scanning not up too much?
DonVa
October 17th, 2008, 03:44 PM
Recently I had an email with a doc.exe attachment
I was pretty sure it had a virus and didn't open it.
I was surprised ESET Smart Security didn't pick it up.
I forwarded it to Eset and after a couple of days it was detected by ESET after updates.
Today I have another zip file containing what is constructed to look like a word document.
It has a Word icon associated with it. The file has a .exe extension but it is not obvious as it has a huge amount of white space before it, so it just looks like a .doc extension
Statement_01-1.doc .exe
i.e - the .exe extension is hidden by lots of white space in the name.
I am almost certain this is a virus.
I am beginning to wonder if ESET Smart Security is up to the task??
I have full heuristics on too.
ASpace
October 17th, 2008, 03:46 PM
Make sure ESET Smart Security is updated. Forward such emails to ESET Virus Labs samples@eset.com and don't wonder - it is pretty normal nowadays to come across something missed because there are tons of new malware appearing every day.
Marcos
October 17th, 2008, 05:16 PM
These Autorun/Fakealert/Wigon trojans are seldom undetected and at least the email/web access protection modules recognize them as Statik and block them. Please send the file to us for perusal as suggested above.
DonVa
October 18th, 2008, 05:08 AM
Someone else must have done it as it has now been picked up and quarantined - presumably after signature updates were picked up.
You might be right that they are seldom missed - but I must be unlucky to have had two in a few weeks that were.
Marcos
October 18th, 2008, 05:52 AM
-{ Quote: "Someone else must have done it as it has now been picked up and quarantined - presumably after signature updates were picked up.
You might be right that they are seldom missed - but I must be unlucky to have had two in a few weeks that were." }-
As I said, all spammed malware with Statemend.doc.exe that I know of was caught by the email/web scanner as they use more sensitive heuristics. Could you please send the file in question to samples[at]eset.com in a password protected archive and a link to this thread URL in the subject? I'd be interested in checking it with an older version to make sure it was initially intercepted by the email/web scanners.
DonVa
October 19th, 2008, 10:08 AM
I will send the file attachment if you can tell me how to get the quarantined file back.
The email is in my infected outlook folder but the message now has no attachment as ESET deleted it.
The actual attachment was called Statement_01-10.zip.
This zip file contained a file called Statement_01-10.doc .exe
(There are about 115 spaces between .doc and .exe so it looks like just .doc as you can't see the .exe part - when I post this message you can't see this as the html is reformatted to trim the spaces out).
The sender was:
Etta Lundy [tempestdianequeennn@btopenworld.com]
The subject was:
dave Report 1/1/2008 - 10/1/2008.
The email message was as below:
Dear Valued Customer:
Your account ID: dave
As requested, we are sending you this account report attached this mail between 1/1/2008 and 10/1/2008.
At your service,
Etta Lundy
Eset has now tagged the message thus:
__________ ESET Smart Security warning, version of virus signature database 3533 (20081017) __________
Warning, ESET Smart Security found the following threats in the message:
Statement_01-10.zip - Win32/TrojanDownloader.Wigon.AU trojan - deleted
Statement_01-10.zip > ZIP > Statement_01-10.doc .exe - Win32/TrojanDownloader.Wigon.AU trojan - was a part of the deleted object
http://www.eset.com
Again there are lots of spaces between .doc and .exe in the tagged message - but you won't see them when I post it.
ESET is doing its job now, but only a day or so after getting the messages or after I reported it.
Can I undelete the attachment?
If so I will send it.
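The padded double extension DonVa describes in the two posts above (a .doc name, a long run of spaces, then .exe, delivered inside a zip) can be flagged from the file name alone, before any signature for the payload exists. The script below is an added example written for this page, not ESET's code and not something posted in the thread. The extension lists are an assumption chosen for the example, the zip it builds in memory is a constructed sample, and it also flags the plain name.doc.exe form without padding, which goes slightly beyond the specific case in the thread.

```python
import io
import os
import re
import zipfile

# Extensions Windows runs directly, and extensions that read as harmless documents.
# Both sets are assumptions chosen for this example, not any vendor's lists.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".rtf"}

# A short "inner" extension, one or more whitespace characters (spaces, tabs, NBSP
# all match \s in Unicode mode), then the real extension at the very end of the name.
PADDED_EXT_RE = re.compile(r"(\.[A-Za-z0-9]{1,5})\s+(\.[A-Za-z0-9]{1,5})$")
# Two extensions back to back with no padding, e.g. invoice.doc.exe
DOUBLE_EXT_RE = re.compile(r"(\.[A-Za-z0-9]{1,5})(\.[A-Za-z0-9]{1,5})$")


def analyze_name(name: str) -> list[str]:
    """Return the reasons an attachment file name looks deceptive; an empty list means clean."""
    reasons = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any directory part
    real_ext = os.path.splitext(base)[1].lower()       # the extension Windows will honour
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {real_ext}")
    m = PADDED_EXT_RE.search(base)
    if m:
        reasons.append(f"whitespace padding hides {m.group(2).lower()} behind {m.group(1).lower()}")
    else:
        m = DOUBLE_EXT_RE.search(base)
        if m and m.group(1).lower() in DOCUMENT_EXTS and m.group(2).lower() in EXECUTABLE_EXTS:
            reasons.append(f"double extension {m.group(1).lower()}{m.group(2).lower()}")
    return reasons


def analyze_attachment(filename: str, data: bytes) -> dict[str, list[str]]:
    """Check an attachment name and, for zip archives, every member name inside it.

    Returns {path: reasons}; archive members are keyed as 'outer.zip > member',
    mirroring the nested notation in the scanner warning quoted in the thread.
    """
    findings = {}
    reasons = analyze_name(filename)
    if reasons:
        findings[filename] = reasons
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_reasons = analyze_name(info.filename)
                if member_reasons:
                    findings[f"{filename} > {info.filename}"] = member_reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a zip holding a name padded with 115 spaces, as described in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement_01-10.doc" + " " * 115 + ".exe", b"placeholder bytes, not a real program")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for path, reasons in analyze_attachment("Statement_01-10.zip", build_sample_zip()).items():
        # collapse the padding so the hidden extension is visible in terminal output
        print(re.sub(r"\s{2,}", "<padding>", path), "->", "; ".join(reasons))
```

The check keys on what Windows will actually do with the name (the last extension) rather than on what the user sees, which is the whole point of the padding trick; a mail gateway rule built this way catches the sample the day it arrives, independently of whether a signature exists yet.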
ASpace
October 19th, 2008, 10:25 AM
It should be in the Quarantine of ESS
Restore from there and send to ESET
http://training.eset.com/kb/index.php?option=com_kb&Itemid=29&page=articles&articleid=720
DonVa
October 19th, 2008, 12:24 PM
It wasn't in the quarantine as emails don't go there.
However I had originally saved the file to my desktop and that one did go in quarantine.
I have submitted it as requested with link to this message.
PS:
I am using 3.0.650 version
The virus definitions that picked up the virus were from database 3533 (20081017)
So the ones that missed must have been earlier than that