IRC Bot not flagged by NOD32


BTW
May 17th, 2005, 09:24 AM
Hello,

This one : h***://<removed>/virus/picture-14.exe

Bitdefender, KAV, McAfee and Panda received a sample on 0515, as did NOD32 and other AVers.

KAV added it to its DB 2 hours later, Bitdefender 8 hours later, McAfee and Panda today.

NOD32 does not detect it, even with advanced heuristics, till now.

Regards,

No links on this forum to malware--Ron

Marcos
May 17th, 2005, 09:39 AM
Please refrain from posting URLs pointing to malicious files here. If you find a suspicious file not detected by NOD32, send it to samples@eset.com for further analysis. Also, bear in mind the following:
1. No AV scanner detects 100% of all threats in the world
2. Many other AV scanners also flag corrupted and non-functional files as infected

PS: the url doesn't seem to work now

BTW
May 17th, 2005, 10:05 AM
{QUOTE-> Please refrain from posting URLs pointing to malicious files here. If you find a suspicious file not detected by NOD32, send it to samples@eset.com for further analysis. Also, bear in mind the following:
1. No AV scanner detects 100% of all threats in the world
2. Many other AV scanners also flag corrupted and non-functional files as infected

PS: the url doesn't seem to work now <-QUOTE}

As you may see, I altered the URL before posting; if you replace *** by ttp, it's still working, and of course I sent a sample to samples@eset.com, as to the other AVers, 2 days ago.

1. Of course (see Cohen's theorem ;)). The question is why some other AVers are more reactive than ESET.
2. This one is neither a false positive nor corrupted; it is fully functional, as you can see if you run or decompile the sample I sent you or download from the rebuilt address 8)

BTW
May 18th, 2005, 12:00 PM
Hello,

Now with DB 1.1100 the malware is detected.

KAV detected it 2 hours after sample submission.
NOD32 after 4 days...
No other comment

Marcos
May 18th, 2005, 12:16 PM
It's been said numerous times here that Eset picks up signatures on a per-need basis. Worms and in-the-wild malware have the highest priority.

NOD32 user
May 18th, 2005, 01:42 PM
Thank You Marcos :)

BTW
May 18th, 2005, 02:34 PM
{QUOTE-> It's been said numerous times here that Eset picks up signatures on a per-need basis. Worms and in-the-wild malware have the highest priority. <-QUOTE}

FYI it's a worm 8)

.....
May 18th, 2005, 03:10 PM
FYI... it's a trojan

BTW
May 18th, 2005, 03:53 PM
{QUOTE-> FYI... it's a trojan <-QUOTE}


It is a worm with backdoor Trojan functionality, like a lot of worms nowadays....

When first run, the worm copies itself to the Windows system folder as MSNMSGRS.EXE and is run at Windows start-up, awaiting commands from a remote attacker.

Do you mean that because this worm installs a backdoor it should not be considered important for an AV/AT to detect it and protect its customers as soon as possible if they happened to get a sample? Would it be more important in your opinion to detect a simple worm without a harmful payload but spreading on a larger scale?

dvk01
May 18th, 2005, 04:08 PM
I think what ESET are saying is that it is an IRC bot, so it needs USER intervention to activate and spread, and they prioritize the worms that spread without user intervention and those that will infect the greatest number of people first.

In an ideal world every sample would be analysed and included within minutes of being submitted, just as in the ideal world you ring your doctor for an appointment, see him 5 minutes later and walk away cured after one injection or pill. It just doesn't happen, and you wait to see the doctor according to the priority of the illness.

BTW
May 18th, 2005, 05:19 PM
{QUOTE-> I think what ESET are saying is that it is an IRC bot, so it needs USER intervention to activate and spread, and they prioritize the worms that spread without user intervention and those that will infect the greatest number of people first.

In an ideal world every sample would be analysed and included within minutes of being submitted, just as in the ideal world you ring your doctor for an appointment, see him 5 minutes later and walk away cured after one injection or pill. It just doesn't happen, and you wait to see the doctor according to the priority of the illness. <-QUOTE}

Hello,

As with most viruses, trojans and other malware, you have to click on the PE to activate it, of course ;) All the recent worms and viruses do require user intervention; no recent malware on an up-to-date Windows OS can activate itself without user action. The fact that it's an IRC bot does not mean you have to run IRC to activate it 8)

What is surprising is that NOD32 is renowned for its strong heuristics and it did not catch it with advanced heuristics. Other products caught it heuristically without updating their DB.
Surprising too: it takes 3 updates between submission and adding a simple sig to the DB.
Also strange: no answer, not even an automatic one, after sample submission. It does not look very professional from a simple customer's point of view: I knew it was a backdoor when submitting; it took me 2 minutes to verify it myself ;)

Does not seem to be "high priority" these last days for AVers, very few additions to the DBs.

I know KAV is often first on the ball, but other products were updated the day after, NOD32 4 days after: that's a bad point for ESET whatever they may say about their so-called priorities...

Tinribs
May 18th, 2005, 05:27 PM
I will be interested to read any further discussions on this matter. I was an avid user and promoter of Nod32 once, but several instances turned me away from them and this is another example. On three occasions I forwarded a file that Kav had detected but Nod had not; I had zero feedback, and it took, on one occasion, three emails to get a response that it indeed was an infected file.

I fear they, as a company, may be resting on their laurels and believing their own hype.
It is a shame, as they have the technology to 'take over the world' in an a/v stance, but they seem to be more concerned with polishing their VB100 awards than reacting to new and in-the-wild threats. Please prove me wrong.

Stan999
May 18th, 2005, 05:36 PM
{QUOTE-> Hello,

I know KAV is often first on the ball, but other products were updated the day after, NOD32 4 days after: that's a bad point for ESET whatever they may say about their so-called priorities... <-QUOTE}

I run both NOD32 and KAV on different machines.

Seems to me KAV is starting to get behind more and more in adding detections that other AVs detect.

Last piece of malware found was Trojan.DragonBot in aimbot.exe, detected by:

Scanner Malware name
AntiVir X
Avast Win32:Trojano-1302
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web Trojan.DragonBot
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 X
Norman Virus Control X
VBA32 Trojan.DragonBot


---

Last piece of malware found was !LargeGroup^.Backdoor.AntiLamer^.Backdoor.Delphi^.Trojan.LdPinch^.Worm.Bagle^Backdoor.APRE.1 in undetected.exe, detected by:


Scanner Malware name
AntiVir TR/Madtol.A
Avast X
AVG Antivirus X
BitDefender BehavesLike:Win32.ExplorerHijack
ClamAV Trojan.W32.Madtol.A.1
Dr.Web X
F-Prot Antivirus unknown virus
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/Malware
VBA32 !LargeGroup^.Backdoor.AntiLamer^.Backdoor.Delphi^.
Trojan.LdPinch^.Worm.Bagle^Backdoor.APRE.1


---

Last piece of malware found was Backdoor.Small.DL in dfg.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Backdoor.Small.DL
ClamAV Trojan.Small-39
Dr.Web BackDoor.Teh
F-Prot Antivirus unknown virus
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/Malware
VBA32 X


Last piece of malware found was Backdoor.Win32.Ciadoor.13 in server4.exe, detected by:

Scanner Malware name
AntiVir BDS/Ciadoor.13.B
Avast Win32:Ciadoor-024
AVG Antivirus X
BitDefender GenPack:Backdoor.Ciadoor.13
ClamAV Trojan.Ciadoor.13.C
Dr.Web X
F-Prot Antivirus W32/Ciadoor.AQ@bd
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 Win32/Ciadoor.13
Norman Virus Control X
VBA32 Backdoor.Win32.Ciadoor.13


Last piece of malware found was probably unknown WIN32 in server1.exe, detected by:

Scanner Malware name
AntiVir BDS/VB.adn.1
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown WIN32
Norman Virus Control X
VBA32 X


---

Last piece of malware found was Embedded.Trojan.Win32.Rootkit.h in lx2.exe, detected by:

Scanner Malware name
AntiVir Worm/Rbot.MM.2
Avast X
AVG Antivirus X
BitDefender X
ClamAV Exploit.DCOM.Gen
Dr.Web Win32.HLLW.MyBot.based
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 Embedded.Trojan.Win32.Rootkit.h


---

Last piece of malware found was BackDoor.Generic.947 in goettin.zip, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV Trojan.Mosucker-28
Dr.Web BackDoor.Generic.947
F-Prot Antivirus X
Fortinet W32/Mosuck.X-tr
Kaspersky Anti-Virus X
mks_vir Trojan.Mosucker.Ah
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 BackDoor.Generic.947


---

Last piece of malware found was probably unknown NewHeur_PE in winwy.exe, detected by:

Scanner Malware name
AntiVir TR/Dldr.Delf.CQ
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web Trojan.PWS.Lineage
F-Prot Antivirus unknown virus
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 X


---

Last piece of malware found was Trojan.Spybi in aurora.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web Trojan.Spybi
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 X
Norman Virus Control X
VBA32 Trojan.Spybi


--

Last piece of malware found was Embedded.Trojan-Downloader.Win32.ConHook.d in 1_VIRUS.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Dropped:Trojan.Downloader.ConHook.D
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 X
Norman Virus Control X
VBA32 Embedded.Trojan-Downloader.Win32.ConHook.d


---

Last piece of malware found was probably unknown NewHeur_PE in 00005.SPL, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web Win32.HLLW.Agobot
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 X


---

Last piece of malware found was Heuristic/Trojan.PwdStealer in 092E89E5.exe, detected by:

Scanner Malware name
AntiVir Heuristic/Trojan.PwdStealer
Avast Win32:Haltura-B
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 X
Norman Virus Control Sandbox: W32/Backdoor
VBA32 X


--

Last piece of malware found was Trojan.Bankfraud in Important Information From LaSalle Bank Billing Department.eml, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV HTML.Phishing.Bank-1
Dr.Web Trojan.Bankfraud
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 X
Norman Virus Control X
VBA32 X


----

Last piece of malware found was BehavesLike:Trojan.Downloader in note.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender BehavesLike:Trojan.Downloader
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/Downloader
VBA32 X


----

Last piece of malware found was Trojan.MulDrop.1732 in yod12st275.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web Trojan.MulDrop.1732
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Win32.4
NOD32 X
Norman Virus Control X
VBA32 X


---

Last piece of malware found was probably unknown NewHeur_PE in HomeVideo.txt, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web BackDoor.Generic.806
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 X


---

Last piece of malware found was Backdoor.VisualBasic.12 in BRAT.zip, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Backdoor.Generic.941
ClamAV X
Dr.Web modification of BackDoor.Generic.941
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 Backdoor.VisualBasic.12


---

Last piece of malware found was Dropped:Trojan.PWS.Ldpinch.AK in krtqvyuh.virus exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Dropped:Trojan.PWS.Ldpinch.AK
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Win32
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/Downloader
VBA32 X


---

Last piece of malware found was probably unknown NewHeur_PE in popuper.exe, detected by:

Scanner Malware name
AntiVir TR/Drop.Puper.D.1
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 X


---

Last piece of malware found was Dropped:Backdoor.Prorat.19 in UPXServer.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus Dropper.Small.15.S
BitDefender Dropped:Backdoor.Prorat.19
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 X
Norman Virus Control X
VBA32 X


-----

Last piece of malware found was DIAL/Generic dialer in uk_nm.exe, detected by:

Scanner Malware name
AntiVir DIAL/Generic dialer
Avast X
AVG Antivirus Dialer.26.AC
BitDefender BehavesLike:Trojan.StartPage
ClamAV Dialer-135
Dr.Web X
F-Prot Antivirus X
Fortinet Dial/256
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/Malware
VBA32 X


-----------------

Last piece of malware found was probably unknown NewHeur_PE in MMD_Svr.exe, detected by:

Scanner Malware name
AntiVir TR/Spy.Delf.EQ.1
Avast X
AVG Antivirus X
BitDefender BehavesLike:Win32.ExplorerHijack
ClamAV X
Dr.Web X
F-Prot Antivirus unknown virus
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 X


-----

Last piece of malware found was BehavesLike:Trojan.LowZones in gclib.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender BehavesLike:Trojan.LowZones
ClamAV X
Dr.Web X
F-Prot Antivirus unknown virus
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/Malware
VBA32 X



----

Last piece of malware found was Bifrose.D in server.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Backdoor.Bifrose.D
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Win32.4
NOD32 X
Norman Virus Control Bifrose.D
VBA32 X


----

Last piece of malware found was Heuristic/Trojan.Downloader in ali.pif, detected by:

Scanner Malware name
AntiVir Heuristic/Trojan.Downloader
Avast X
AVG Antivirus X
BitDefender BehavesLike:Win32.ExplorerHijack
ClamAV Trojan.Downloader.Small-213
Dr.Web Trojan.Elirt.101
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Trojan.Trojandownloader.Small.Fk
NOD32 X
Norman Virus Control Sandbox: W32/Downloader
VBA32 X


----

Last piece of malware found was JS/Relink.A in Htm2.zip, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Exploit.Html.MhtRedir.Gen
ClamAV Exploit.HTML.MHTRedir-8
Dr.Web Exploit.MhtRedir
F-Prot Antivirus X
Fortinet HTML/Exploit.Mht
Kaspersky Anti-Virus X
mks_vir X
NOD32 HTML/Mht.AP Exploit
Norman Virus Control JS/Relink.A
VBA32 X


---

Last piece of malware found was Backdoor.Win32.Evilsock in evilsocks.zip, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Trojan.Evilsock
NOD32 X
Norman Virus Control X
VBA32 Backdoor.Win32.Evilsock


----

Last piece of malware found was probably unknown NewHeur_PE in server.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV Trojan.Runup.10-srv-2
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Trojan.Xcv
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 X


------

Last piece of malware found was Trojan-Downloader.Win32.Agent.ex in testinst.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus Downloader.Agent.12.AF
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet W32/Agent.EX-tr
Kaspersky Anti-Virus X
mks_vir X
NOD32 X
Norman Virus Control X
VBA32 Trojan-Downloader.Win32.Agent.ex


----------

Last piece of malware found was Trojan-Downloader.Win32.Agent.ex in ViaSky.zip, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus Downloader.Agent.12.AF
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet W32/Agent.EX-tr
Kaspersky Anti-Virus X
mks_vir X
NOD32 X
Norman Virus Control X
VBA32 Trojan-Downloader.Win32.Agent.ex


-----

Last piece of malware found was Worm/SdBot.57334.A in Edited2.exe, detected by:

Scanner Malware name
AntiVir Worm/SdBot.57334.A
Avast X
AVG Antivirus X
BitDefender BehavesLike:Win32.IRC-Backdoor
ClamAV Trojan.SdBot-279
Dr.Web X
F-Prot Antivirus unknown virus
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/Malware
VBA32 X


----

Last piece of malware found was probably unknown NewHeur_PE in Data_1.bin, detected by:

Scanner Malware name
AntiVir TR/Dldr.Bandos.C
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 X


-----

Last piece of malware found was Trojan.LdPinch.1 in s3.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 Win32/Prorat.16
Norman Virus Control X
VBA32 Trojan.LdPinch.1


-----------

Last piece of malware found was probably unknown NewHeur_PE in burn.exe, detected by:

Scanner Malware name
AntiVir X
Avast Win32:Ciadoor-024
AVG Antivirus X
BitDefender Backdoor.VB.ASB
ClamAV X
Dr.Web BackDoor.Generic.920
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 X


------

Last piece of malware found was Win32.HLLW.NetSky.c in rx7-encrypt.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/Gaobot.gen
VBA32 Unknown.Win32Virus

----

Last piece of malware found was Trojan.Trojandownloader.Small.Eo in mHOn.exe, detected by:

Scanner Malware name
AntiVir TR/Dldr.Small.EO
Avast Win32:Trojano-271
AVG Antivirus X
BitDefender BehavesLike:Win32.ExplorerHijack
ClamAV Trojan.Downloader.TFWB
Dr.Web Trojan.DownLoader.3072
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Trojan.Trojandownloader.Small.Eo
NOD32 X
Norman Virus Control X
VBA32 X



----------

Last piece of malware found was Backdoor.Win32.Bifrose.d in server.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Win95
NOD32 probably unknown WIN32
Norman Virus Control Bifrose.D
VBA32 Backdoor.Win32.Bifrose.d


------

Last piece of malware found was Unknown.Win32Virus in (EFZ) LongBOt.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web Trojan.DragonBot
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 X
Norman Virus Control X
VBA32 Unknown.Win32Virus


-------

Last piece of malware found was probably unknown NewHeur_PE in csmss32.exe, detected by:

Scanner Malware name
AntiVir TR/Proxy.Agent.CK.1
Avast Win32:Trojan-gen.
AVG Antivirus X
BitDefender Trojan.Agent.DO
ClamAV X
Dr.Web BackDoor.Zorro
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 X


-----

Last piece of malware found was Embedded.Trojan.Win32.Rootkit.h in shited.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/Malware
VBA32 Embedded.Trojan.Win32.Rootkit.h


-------

Last piece of malware found was probably unknown NewHeur_PE in bogieman.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/Malware
VBA32 X



-------

Last piece of malware found was probably unknown NewHeur_PE in rBot.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender BehavesLike:Win32.IRC-Backdoor
ClamAV X
Dr.Web Win32.HLLW.ForBot
F-Prot Antivirus unknown virus
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 X


----------------

Last piece of malware found was probably unknown NewHeur_PE in sdbot05b.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Backdoor.SDBot.78116B39
ClamAV X
Dr.Web X
F-Prot Antivirus unknown virus
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 X


-------------

Last piece of malware found was probably unknown NewHeur_PE in p1.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV Trojan.Mosucker-28
Dr.Web BackDoor.Generic.947
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Trojan.Mosucker.Ah
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 X


------


Last piece of malware found was Win32/VB.NAD in smss.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Trojan.Vb.Nad
NOD32 Win32/VB.NAD
Norman Virus Control X
VBA32 X



------

Last piece of malware found was BehavesLike:Win32.FileInfector in Stubbos.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender BehavesLike:Win32.FileInfector
ClamAV X
Dr.Web X
F-Prot Antivirus unknown virus
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/Malware
VBA32 X



-------

Last piece of malware found was probably unknown NewHeur_PE in ForBot-NoSSL.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Backdoor.SDBot.68B55F76
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
VBA32 X


---------

Last piece of malware found was Dropped:Backdoor.Bifrose.D in tester.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Dropped:Backdoor.Bifrose.D
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 Win32/TrojanDropper.Small.FK
Norman Virus Control Sandbox: W32/Malware
VBA32 X


-------

Last piece of malware found was probably unknown CRYPT.WIN32 in build3xing.exe, detected by:

Scanner Malware name
AntiVir TR/Click.Small.DN.3
Avast X
AVG Antivirus X
BitDefender X
ClamAV Trojan.Rbot.GEN-3
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir W32.Generic
NOD32 probably unknown CRYPT.WIN32
Norman Virus Control X
VBA32 X


-----

Last piece of malware found was Heuristic/Backdoor.IRCBot in vegasbot.exe, detected by:

Scanner Malware name
AntiVir Heuristic/Backdoor.IRCBot
Avast X
AVG Antivirus IRC/BackDoor.SdBot
BitDefender Backdoor.SDBot.3667B92B
ClamAV X
Dr.Web X
F-Prot Antivirus unknown virus
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/Backdoor
VBA32 X


-------------

Last piece of malware found was Win32/Beastdoor.207.B in 91826740_server.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Backdoor.Beastdoor.207.B
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Win32.4
NOD32 Win32/Beastdoor.207.B
Norman Virus Control X


--------

Last piece of malware found was HackerTool/Cracksearch in CrackSearcher.rar, detected by:

Scanner Malware name
AntiVir PMS/CrackSearch.A possible malicious software
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web not a virus Tool.CrackSearch
F-Prot Antivirus X
Fortinet HackerTool/Cracksearch
Kaspersky Anti-Virus X
mks_vir X
NOD32 X
Norman Virus Control X



--------

Last piece of malware found was probably unknown NewHeur_PE in virus.eee, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Win32.Mydoom.1.Gen@mm
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Win32.4
NOD32 probably unknown NewHeur_PE
Norman Virus Control X


-----

Last piece of malware found was Win32/TrojanDropper.Small.NBO in rocked.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Win32.4
NOD32 Win32/TrojanDropper.Small.NBO
Norman Virus Control X


-------

Last piece of malware found was W32/StartPage-tr in geoe.dll, detected by:

Scanner Malware name
AntiVir X
Avast Win32:StartPage-080
AVG Antivirus X
BitDefender X
ClamAV Trojan.Startpage-215
Dr.Web Trojan.StartPage.581
F-Prot Antivirus X
Fortinet W32/StartPage-tr
Kaspersky Anti-Virus X
mks_vir X
NOD32 X
Norman Virus Control X


-----

Last piece of malware found was probably unknown NewHeur_PE in document.htm.pi_, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Win32.Mydoom.1.Gen@mm
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Win32.4
NOD32 probably unknown NewHeur_PE
Norman Virus Control X


---------


Last piece of malware found was W32/Bagle.Gen!Rar in Encrypted.rar, detected by:

Scanner Malware name
AntiVir Heuristic/PwdRAR
Avast RarPSW
AVG Antivirus X
BitDefender Win32.Bagle.M (RAR)
ClamAV Worm.Bagle.Gen-rarpwd
Dr.Web Win32.HLLM.Beagle.pswzip
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 Win32/Bagle.gen.rar
Norman Virus Control W32/Bagle.Gen!Rar


-----------

Last piece of malware found was Win32/DSNX.05 in 999.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 Win32/DSNX.05
Norman Virus Control Sandbox: W32/Malware


--------


Last piece of malware found was Trojan.Littlewitch.61.Aa in Pena ;(.exe, detected by:

Scanner Malware name
AntiVir Heuristic/Trojan.PwdStealer
Avast X
AVG Antivirus BackDoor.LittleWitch.DD
BitDefender Backdoor.LittleWitch.6.1.V
ClamAV X
Dr.Web BackDoor.LWitch.61
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Trojan.Littlewitch.61.Aa
NOD32 X
Norman Virus Control X


------------

Last piece of malware found was BackDoor.Seed.11 in pic1.exe, detected by:

Scanner Malware name
AntiVir BDS/Seed.11.A
Avast X
AVG Antivirus X
BitDefender X
ClamAV Trojan.Seed-1
Dr.Web BackDoor.Seed.11
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 X
Norman Virus Control X


------

Last piece of malware found was W32/PWSteal-tr in IFinst25.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Backdoor.IzRam.1.7
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet W32/PWSteal-tr
Kaspersky Anti-Virus X
mks_vir X
NOD32 X
Norman Virus Control X


--------

Last piece of malware found was Trojan.Downloader.Delf.Jy in cartao.scr, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Trojan.Downloader.Delf.JI
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir Trojan.Downloader.Delf.Jy
NOD32 X
Norman Virus Control X


----------------------

Last piece of malware found was BehavesLike:Trojan.Downloader in ifc.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender BehavesLike:Trojan.Downloader
ClamAV X
Dr.Web X
F-Prot Antivirus unknown virus
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/Downloader


---------

Last piece of malware found was Dropped:Win32.Worm.Kiph.A in main.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Dropped:Win32.Worm.Kiph.A
ClamAV X
Dr.Web X
F-Prot Antivirus unknown virus
Fortinet X
Kaspersky Anti-Virus X
mks_vir Win32
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/P2PWorm


-----------

Last piece of malware found was W32/SDBot.CWI in rfc.exe, detected by:

Scanner Malware name Time taken
AntiVir Worm/SdBot-43744 0.39 seconds
Avast Win32:SdBot-1245 1.53 seconds
AVG Antivirus IRC/BackDoor.SdBot.154.AT 0.54 seconds
BitDefender X 0.53 seconds
ClamAV X 0.61 seconds
Dr.Web X 0.91 seconds
F-Prot Antivirus X 0.13 seconds
Fortinet X 0.45 seconds
Kaspersky Anti-Virus X 1.03 seconds
mks_vir Win32 0.23 seconds
NOD32 X 0.49 seconds
Norman Virus Control W32/SDBot.CWI 0.23 seconds


-----------------

Last piece of malware found was Dropped:Trojan.Agent.DN in m2.exe, detected by:

Scanner Malware name Time taken
AntiVir X 0.42 seconds
Avast X 1.53 seconds
AVG Antivirus X 0.56 seconds
BitDefender Dropped:Trojan.Agent.DN 0.60 seconds
ClamAV Trojan.Dropper.Purityscan.F 0.66 seconds
Dr.Web X 0.94 seconds
F-Prot Antivirus X 0.18 seconds
Fortinet X 0.49 seconds
Kaspersky Anti-Virus X 1.07 seconds
mks_vir X 0.47 seconds
NOD32 Win32/TrojanDropper.PurityScan.G.gen 0.60 seconds
Norman Virus Control Sandbox: W32/Malware 22.03

----------------------------------------------------------------------------------

Last piece of malware found was probably unknown NewHeur_PE in hmzz.exe, detected by:

Scanner Malware name Time taken
AntiVir BDS/Optix.Pro.13.28 0.81 seconds
Avast Win32:Optix-J 3.08 seconds
AVG Antivirus X 1.12 seconds
BitDefender Backdoor.OptixPro.1.Gen 1.16 seconds
ClamAV Trojan.PWS.Wexd 1.54 seconds
Dr.Web X 1.71 seconds
F-Prot Antivirus X 0.19 seconds
Fortinet X 0.88 seconds
Kaspersky Anti-Virus X 2.12 seconds
mks_vir Trojan.Optix.Pro.13 0.43 seconds
NOD32 probably unknown NewHeur_PE 1.07 seconds
Norman Virus Control X 0.64 seconds
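
To turn result blocks like the ones above into per-scanner figures (which scanner flagged what, and whether by a named signature or by a generic heuristic verdict), here is a small parser added for this thread; it is not code from the post or from any of the vendors. It reads the block format used above, strips the optional "Time taken" column, and classifies verdicts; the list of heuristic markers is my own reading of the vendor naming, and the two embedded blocks are copied from the post.

```python
import re
from collections import defaultdict

# Scanner names exactly as they appear in the result blocks above.
SCANNERS = [
    "AntiVir", "Avast", "AVG Antivirus", "BitDefender", "ClamAV", "Dr.Web",
    "F-Prot Antivirus", "Fortinet", "Kaspersky Anti-Virus", "mks_vir",
    "NOD32", "Norman Virus Control", "VBA32",
]
# Longest names first so a multi-word name is split off before its verdict.
_SCANNERS_BY_LEN = sorted(SCANNERS, key=len, reverse=True)

# Verdict fragments that mean "generic/heuristic hit" rather than a named
# signature. Assumption: this is my own classification, not a vendor's.
HEURISTIC_MARKERS = (
    "probably unknown", "heuristic/", "behaveslike:", "sandbox:",
    "unknown virus", "unknown.win32virus", "possible malicious",
)

BLOCK_RE = re.compile(r"^Last piece of malware found was (?P<name>.+?) in (?P<file>.+?), detected by:$")
TIME_RE = re.compile(r"\s+\d+\.\d+(?:\s+seconds)?$")   # optional "Time taken" column
SEP_RE = re.compile(r"^-{2,}$")                         # "---" separators between blocks

# Two result blocks copied from the post above (the second one has the time column).
SAMPLE = """
Last piece of malware found was Backdoor.Small.DL in dfg.exe, detected by:

Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender Backdoor.Small.DL
ClamAV Trojan.Small-39
Dr.Web BackDoor.Teh
F-Prot Antivirus unknown virus
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown NewHeur_PE
Norman Virus Control Sandbox: W32/Malware
VBA32 X

---

Last piece of malware found was W32/SDBot.CWI in rfc.exe, detected by:

Scanner Malware name Time taken
AntiVir Worm/SdBot-43744 0.39 seconds
Avast Win32:SdBot-1245 1.53 seconds
AVG Antivirus IRC/BackDoor.SdBot.154.AT 0.54 seconds
BitDefender X 0.53 seconds
ClamAV X 0.61 seconds
Dr.Web X 0.91 seconds
F-Prot Antivirus X 0.13 seconds
Fortinet X 0.45 seconds
Kaspersky Anti-Virus X 1.03 seconds
mks_vir Win32 0.23 seconds
NOD32 X 0.49 seconds
Norman Virus Control W32/SDBot.CWI 0.23 seconds
"""


def parse_blocks(text):
    """Return a list of {'name', 'file', 'verdicts': {scanner: verdict or None}}.

    A verdict of None means the scanner reported "X" (no detection).
    """
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:
            current = {"name": m.group("name"), "file": m.group("file"), "verdicts": {}}
            blocks.append(current)
            continue
        if current is None or not line or SEP_RE.match(line) or line.startswith("Scanner "):
            continue
        for scanner in _SCANNERS_BY_LEN:
            if line.startswith(scanner + " "):
                verdict = TIME_RE.sub("", line[len(scanner):]).strip()
                current["verdicts"][scanner] = None if verdict == "X" else verdict
                break
    return blocks


def classify(verdict):
    """'miss', 'heuristic' or 'signature' for a single scanner verdict."""
    if verdict is None:
        return "miss"
    low = verdict.lower()
    return "heuristic" if any(mk in low for mk in HEURISTIC_MARKERS) else "signature"


def coverage(blocks):
    """Per-scanner counts of signature / heuristic / miss over all blocks."""
    stats = defaultdict(lambda: {"signature": 0, "heuristic": 0, "miss": 0, "samples": 0})
    for block in blocks:
        for scanner, verdict in block["verdicts"].items():
            stats[scanner][classify(verdict)] += 1
            stats[scanner]["samples"] += 1
    return dict(stats)


def missed_but_flagged_elsewhere(blocks, scanner):
    """Files the given scanner missed although at least one other scanner flagged them."""
    return [b["file"] for b in blocks
            if b["verdicts"].get(scanner, "absent") is None
            and any(v is not None for v in b["verdicts"].values())]


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for name, counts in sorted(coverage(parsed).items()):
        print(f"{name:22s} {counts}")
    print("missed by NOD32:", missed_but_flagged_elsewhere(parsed, "NOD32"))
```

Feeding the whole post into `parse_blocks` gives the per-scanner table Stan999's argument rests on; the "heuristic" bucket separates generic hits like "probably unknown NewHeur_PE" from named signatures.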

Marcos
May 18th, 2005, 05:40 PM
Yep, we've got hundreds (if not thousands) of samples detected only by NOD32 that all other AV/AS/AT have missed. But this is not the right thread for comparing NOD32 vs other AV.

Tinribs
May 18th, 2005, 05:45 PM
Do you also keep the examples detected by other a/v firms before Nod32 does? If so, can we have a list?
My only example I can go on does entail the three files I provided via Marco and Jan that were (all of a sudden) detected several days after I admitted them, and still with zero email response until I went through Wilders.

BTW
May 18th, 2005, 06:12 PM
{QUOTE-> Yep, we've got hundreds (if not thousands) of samples detected only by NOD32 that all other AV/AS/AT have missed. But this is not the right thread for comparing NOD32 vs other AV. <-QUOTE}

My purpose is not to compare AVs, I like and run NOD32, but to understand why a simple variant of a well-known worm is not detected by advanced heuristics, why it takes so long to add a sig to the DB, and why there is no feedback after a sample submission?
After all, I don't care about this malware; even without AV it could not infect me, and even if I infected myself purposely I could clean up manually in a breeze :)
I do think the biggest problem with NOD32 is communication with their users and never admitting that, as with any other product, it's not perfect.

NOD32 user
May 18th, 2005, 08:25 PM
{QUOTE-> ... and why no feedback after a sample submission ? <-QUOTE}
I heard on the grapevine that ESET received in the order of 1300 samples yesterday (or the day before). I don't expect them to personally respond to each of them.
{QUOTE-> ...and never admitting that as any other product it's not perfect. <-QUOTE}
"Some antivirus companies claim "100% virus detection" for their programs.

We wouldn't dare to insult your intelligence with such a claim !!!" -->HERE (http://www.nod32.com.au/nod32/awards/snakeoil.htm)<--

BTW
May 18th, 2005, 08:40 PM
{QUOTE-> I heard on the grapevine that ESET received in the order of 1300 samples yesterday (or the day before). I don't expect them to personally respond to each of them. "Some antivirus companies claim "100% virus detection" for their programs. <-QUOTE}

They should be able to send an automatic answer, shouldn't they ?

{QUOTE->
We wouldn't dare to insult your intelligence with such a claim !!!" -->HERE (http://www.nod32.com.au/nod32/awards/snakeoil.htm)<-- <-QUOTE}

Nobody but Viguard from TEGAM claimed such a stupidity, and it is no antivirus but a blocker...
BTW, saying there are other priorities than protecting against a worm installing a trojan backdoor: snake oil too :-D

Read my post: I don't say NOD32 should detect all malware; I wonder why they don't add a sig faster and why advanced heuristics don't detect a simple variant of a well-known worm.

Stan999
May 18th, 2005, 09:35 PM
{QUOTE-> Read my post: I don't say NOD32 should detect all malware; I wonder why they don't add a sig faster and why advanced heuristics don't detect a simple variant of a well-known worm. <-QUOTE}

Just because it didn't detect this specific IRC bot with their AH, I would still have to say that NOD32's advanced heuristics are among the best and provide some significant zero-hour detection over some of the other AVs.

I suppose one could single out any AV and then show they were a bit slow on the uptake for some specific threat at times.

NOD32 user
May 18th, 2005, 09:49 PM
{QUOTE-> They should be able to send an automatic answer, shouldn't they?

Nobody but Viguard from TEGAM claimed such a stupidity, and it is no antivirus but a blocker...
BTW, saying there are other priorities than protecting against a worm installing a trojan backdoor: snake oil too :-D

Read my post: I don't say NOD32 should detect all malware; I wonder why they don't add a sig faster and why advanced heuristics don't detect a simple variant of a well-known worm. <-QUOTE}
I'm sorry, I probably should have elaborated on what I meant a little more. I was really just wanting to mention that, as any other AV vendor ought to admit freely, NOD32 is not trying to suggest it's perfect. This was a specific response to your post 'never admitting that as any other product it's not perfect'. I really wasn't trying to have a dig at you or anything like that, just passing on some information that I thought might be helpful to you in light of your post.
I have to admit that even an automatic response to submissions would be welcomed; at least then people know it has been received. I don't know what else specifically ESET had on their plate at the time, but I'm glad that they have a system for prioritising the adding of signatures, even if it doesn't always work out perfectly. I'm glad they have a specific intent to provide the best possible protection. :)

Marcos
May 19th, 2005, 01:47 AM
There is a system for automatic and manual submission of samples in v. 2.50. After a file has been submitted successfully, a record will appear in the Event log.

Carver
May 19th, 2005, 02:23 AM
It's under Early Warning/Advanced; it gives you an option for NOD32 to ask if you want to submit the sample, or to submit the sample without asking.

BTW
May 19th, 2005, 08:21 AM
{QUOTE-> It's under Early Warning/Advanced; it gives you an option for NOD32 to ask if you want to submit the sample, or to submit the sample without asking. <-QUOTE}

It seems to me (but I didn't check) that that's for submitting suspected files found by NOD32 and/or in quarantine. This file was not suspected by NOD32 => I sent it from Outlook.

Visitor99
May 19th, 2005, 08:53 AM
That still doesn't confirm or acknowledge that ESET got the file.......only that it was sent by the user. How difficult would it be to have the submission email address send back an autoreply? Thousands of folks do it........why can't ESET?

Marcos
May 19th, 2005, 09:16 AM
The message a file has been submitted to Eset for analysis appears in the log after the server has confirmed receipt of the file.

webyourbusiness
May 19th, 2005, 09:18 AM
{QUOTE-> That still doesn't confirm or acknowledge that ESET got the file.......only that it was sent by the user. How difficult would it be to have the submission email address send back an autoreply? Thousands of folks do it........why can't ESET? <-QUOTE}

Post it in the wishlist thread... it's sticky, you should be able to find it near the top of the v2 forum.

regards

Greg

fosius
May 19th, 2005, 10:01 AM
{QUOTE-> The message a file has been submitted to Eset for analysis appears in the log after the server has confirmed receipt of the file. <-QUOTE}

Marcos, I sent a sample through the Control Center 3 days or more ago and my Event Log still does not contain an item about a successful submission... is this bad?

Marcos
May 19th, 2005, 10:22 AM
Are you sure it was a sample that could not already be submitted by someone else?

fosius
May 19th, 2005, 10:29 AM
I think so, or at least it's quite possible, since there was a "probably unknown NewHeur_PE" virus on my girlfriend's computer... she really rarely goes on the internet, and when she does it's mostly Slovak or similar... sites.. I also sent a "probable variant" of WebAnhacer (I don't remember exactly what it's called) and there is likewise no event in the Log about a successful submission.. I think this could be handled better, and when a file isn't sent because it was already sent, that should be clearly written in the log, etc....

Visitor99
May 19th, 2005, 11:36 AM
{QUOTE-> Are you sure it was a sample that could not already be submitted by someone else? <-QUOTE}

What is this supposed to mean? You said if it was sent successfully and the ESET server received it, then it would add an entry back in the log. Now it appears that you're saying that if it was already submitted by someone else, then you won't get a log entry! That's a crock! If you submit something, then you should get something back saying it was received.

Blackspear
May 19th, 2005, 05:03 PM
{QUOTE-> What is this supposed to mean? You said if it was sent successfully and the ESET server received it, then it would add an entry back in the log. Now it appears that you're saying that if it was already submitted by someone else, then you wont get a log entry! That's a crock! If you submit something, then you should get something back saying it was received. <-QUOTE}What Marcos is saying is that if the file has already been submitted by someone else, then your machine will not submit it again, as in they do not need to receive 5000 submissions of the same sample.

The person that does submit the file first will have an entry in their logs.

Hope this helps...

Cheers ;D

dvk01
May 19th, 2005, 05:15 PM
Perhaps it MIGHT be a good idea for NOD to set it so you get a pop-up saying "file sent & received" or "file rejected as already in database", if that is possible, to eliminate these problems.

We do need to remember that many people who are infected will panic, and the reassurance value that the sample will be included, or is already known and so will very soon be included, is good public relations.

The ability to submit from within the AV is very important; many of NOD's competitors cannot do that and send via email, so you know it has gone and assume it is received.

With NOD, where there is no acknowledgement except digging through logs, which are not easy to read at the best of times, you sometimes don't know that it has even been sent.

Visitor99
May 19th, 2005, 05:16 PM
That's exactly what I said and it's stupid. How is the person submitting it supposed to know that someone else has already submitted it?

Each sample submitted should get some sort of reply back that it was received.

Blackspear
May 19th, 2005, 05:31 PM
{QUOTE-> That's exactly what I said and it's stupid. How is the person submitting it supposed to know that someone else has already submitted it?

Each sample submitted should get some sort of reply back that it was received. <-QUOTE}Agreed, and good post Derek.

Cheers ;D

Primrose
May 19th, 2005, 06:15 PM
{QUOTE-> That's exactly what I said and it's stupid. How is the person submitting it supposed to know that someone else has already submitted it?

Each sample submitted should get some sort of reply back that it was received. <-QUOTE}

Because I am creative enough..I could change a few bits of code and packing so that even bad boys already detected, with updates released or heuristics in place faster by one AV compared to another, might still be an issue to you..

http://www.dslreports.com/forum/remark,13436505~mode=flat~days=9999~start=20#13446896

What is more important to me is how many people are infected with it at any given moment.

Currently there are 43 and counting variants of the fast-moving Win32/Mytob FAMILY. Combining malicious packages is the trend nowadays..I think every major AV is doing a good job for their customers in keeping down a threshold number as to when all their customers are protected...especially since we all know many are started locally in various countries, like what we have seen with the Sober worm reappearing, and that is the goal..keeping it contained.

NOD32 user
May 20th, 2005, 03:23 AM
{QUOTE-> That's exactly what I said and it's stupid. How is the person submitting it supposed to know that someone else has already submitted it?

Each sample submitted should get some sort of reply back that it was received. <-QUOTE}
So if, instead of saying nothing, there was a log entry noting that ESET already has a copy of the file, would that in your view be a sufficient reply back for that situation?
{QUOTE-> Seems to me but didn't check that's for submitting suspected files found by NOD32 and/or in quarantine. This file was not suspected by NOD32 => I sent it from Outlook. <-QUOTE}
If you open quarantine, click 'Submit for analysis', browse to the infected file that wasn't detected, and fill in the comment and your email address, you can send any file that needs investigation, detected or not, without needing to use Outlook. I'm sure this would show up in your logs if ESET do not already have a sample.

BTW
May 20th, 2005, 06:56 AM
{QUOTE-> {QUOTE-> Seems to me but didn't check that's for submitting suspected files found by NOD32 and/or in quarantine. This file was not suspected by NOD32 => I sent it from Outlook. <-QUOTE}

If you open quarantine, click 'Submit for analysis', browse to the infected file that wasn't detected, fill in the comment and your email address you can send any file that needs investigation, detected or not without needing to use outlook. I'm sure this would show up in your logs if ESET do not already have a sample. <-QUOTE}

As the file is not detected by NOD32, why should it be in quarantine? I would have to put it in the quarantine myself, as NOD32 has no reason to put an unsuspected file into the quarantine...

zashita
May 20th, 2005, 07:17 AM
The quarantine box gives you the possibility to send a file to Eset without using your email software, any file...
It is easy and fast. The file doesn't need to be in the quarantine folder; you can submit any file by browsing your drive. Click on the 'Submit for analysis' button and choose the file you want to submit.

Regards

Primrose
May 20th, 2005, 09:17 AM
{QUOTE-> {QUOTE-> Seems to me but didn't check that's for submitting suspected files found by NOD32 and/or in quarantine. This file was not suspected by NOD32 => I sent it from Outlook. <-QUOTE}

If you open quarantine, click 'Submit for analysis', browse to the infected file that wasn't detected, fill in the comment and your email address you can send any file that needs investigation, detected or not without needing to use outlook. I'm sure this would show up in your logs if ESET do not already have a sample.

As the file is not detected by NOD32, why should it be in quarantine ? I ought to put it by myself in the quarantine as NOD32 has no reason to put an unsuspected file into the quarantine... <-QUOTE}

Well, it seems to me that if you are really smvs at tweaker.net... But maybe you are not that person..but rather someone who just got a copy and submitted it..which is it??

http://gathering.tweakers.net/forum/list_messages/1036449

then it answers a lot of questions for me..as to how the picture thing got on a PC in the first place.

And also why KAV and BD then finally detect it fast before the others. ;D

But it also tells me more..that particular bot is easy to avoid in the first place:
even if you get it in MSN renamed from someone you do not even know..you just dump it. ;)

But if you are that curious to find out what is inside..you don't infect your own system with the darn thing.

There are more than 1000 IRC bot variants with a very short life span, and only fewer than 100 or so people in a local area, between the people they contact, get infected at a time.

Please tell me if you are really a person who was infected with this picture_14.exe..what other text message did you receive with it..since you have not mentioned this yet ?

Also did you get it with MSN Messenger ?

W32/Rbot-ACQ is a worm with backdoor Trojan functionality.
W32/Rbot-ACQ connects to an IRC channel and listens for backdoor commands from a remote attacker.
When first run the worm copies itself to the Windows system folder as MSNMSGRS.EXE.
The following registry entries are created to run MSNMSGRS.EXE on startup:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    strmsnmsgr = msnmsgrs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    strmsnmsgr = msnmsgrs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    strmsnmsgr = msnmsgrs.exe


And new ones come up each day, renamed

http://www.pcreview.co.uk/startup/MSN-id-3394.php


http://www.bleepingcomputer.com/startups/Cat-M.html

It all usually starts with a version of W32.Netsky repackaged for Messaging

http://www.srnmicro.com/virusinfo/netsky-ad.htm


http://msmvps.com/trafton/archive/2005/03/06/37762.aspx

http://msmvps.com/trafton/archive/2005/03/06/37763.aspx

NOD32 user
May 20th, 2005, 05:18 PM
{QUOTE-> As the file is not detected by NOD32, why should it be in quarantine ? I ought to put it by myself in the quarantine as NOD32 has no reason to put an unsuspected file into the quarantine... <-QUOTE}
C'mon, let's work together on this: the 'Submit for analysis' button on the quarantine tab lets you browse to a non-quarantined file on your system, so even though this particular file was not in quarantine you can still submit it to ESET.

Marcos
May 20th, 2005, 05:30 PM
I've seen dozens of samples submitted manually despite previously being detected and identified by name. Also, there are files from the prefetch folder which people think are infected and not detected because of a bug in NOD32, etc. Some people submit 4 (four) byte files thinking they are infected and wondering why NOD32 did not pick them up...

NOD32 user
May 21st, 2005, 06:56 AM
Even the EICAR test file is only 68 bytes and it's tiny :)

Primrose
May 21st, 2005, 07:06 AM
{QUOTE-> I've seen dozens of samples submitted manually despite previously being detected and identified by name. Also, there are files from the prefetch folder which people think are infected and not detected because of a bug in NOD32, etc. Some people submit 4 (four) byte files thinking they are infected and wondering why NOD32 did not pick them up... <-QUOTE}

That must drive you guys nuts at ESET >:(

The prefetch for XP still confuses many people, so I just give up and have them download a free 28K tool and give them a GUI to play with so they can feel CLEAN.

;D
No You do not have a trojan in your PreFetch, What are those .pf files on my PC ?
http://forum.gladiator-antivirus.com/index.php?act=ST&f=70&t=26326&st=0#entry97074

BTW
May 21st, 2005, 10:48 AM
{QUOTE-> And also why KAV and BD then finally detect it fast before the others. ;D

But it also tells me more..that particular bot is easy to avoid in the first place:
even if you get it in MSN renamed from someone you do not even know..you just dump it. ;)

There are more than 1000 IRC bot variants with a very short life span, and only fewer than 100 or so people in a local area, between the people they contact, get infected at a time.

Please tell me if you are really a person who was infected with this picture_14.exe..what other text message did you receive with it..since you have not mentioned this yet ?

Also did you get it with MSN Messenger ? <-QUOTE}

Hello,

No, I am not that person.

I presume KAV detected it because it can handle more than 600 runtime packers, while the other AVs, like NOD32, handle only a few.

No, I didn't get it through MSN Messenger: I don't accept files even from my own contacts ;) I just purposely visited the site to d/l the worm in order to analyse it, as I had been asked to by one of my customers 8)

I know there is a myriad of variants; I just wonder:
1. Why advanced heuristics don't catch it (probably because of an exotic runtime packer)
2. Why they did not add it to the DB in the next DB update after submission
3. Why there is no answer, even an automatic one, after submission through mail or from the NOD32 GUI; there is a good suggestion from a reseller: any submitted sample should get an answer even if the sample was already submitted by someone else. It's easy to send a reassuring message telling them they received the mail or the sample: that's what I do for my own bizness, out of respect for my customers, especially when they try to help me. As I said before, I don't care about this cheap bot for myself :-D.

Regards,

Primrose
May 21st, 2005, 11:49 AM
@BTW

Good, glad we established that..so did you just then scan that picture_14.exe thingie with your NOD..or did you actually then try to infect a PC with MSNMSGRS.EXE that had NOD running, and want to tell us it failed to do that with the way you have NOD set up? ;D

And if you read the link I posted and understand Dutch..you will know why (in the timeframe you speak of) KAV and BD then finally ID that one..but before that time..neither could stop it..just state it looks suspicious.

BTW
May 21st, 2005, 05:42 PM
{QUOTE-> @BTW

Good, glad we established that..so did you just then scan that picture_14.exe thingie with your NOD..or did you actually then try to infect a PC with MSNMSGRS.EXE that had NOD running, and want to tell us it failed to do that with the way you have NOD set up? ;D

And if you read the link I posted and understand Dutch..you will know why (in the timeframe you speak of) KAV and BD then finally ID that one..but before that time..neither could stop it..just state it looks suspicious. <-QUOTE}

So sorry, I don't understand Dutch and it's hardly understandable with an online translator ;(

No, NOD32 did not prevent it ;) My blocker warned that the prog tried to write a RUN key in the registry
(my customer running NOD32 had these keys in his registry according to HijackThis, and he runs MSN Messenger, but he didn't know if he got it through MSN Messenger):
O4 - HKLM\..\RunServices: [strmsnmsgr] msnmsgrs.exe
O4 - HKCU\..\Run: [strmsnmsgr] msnmsgrs.exe
and it was no netsky variant
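The HijackThis O4 lines above and the three Run/RunServices values in the W32/Rbot-ACQ description earlier in the thread make a small triage exercise. The script below is an added example, not code from any participant or from ESET or Sophos: it parses the `O4 - HKLM\..\Run: [name] command` format, marks entries matching the strmsnmsgr/msnmsgrs.exe pair, and reports which of the three documented locations a log does not show (the "one you missed"). The sample log is constructed; only the two strmsnmsgr lines come from the thread, and the other two entries (an `ExampleUpdater` placeholder and an MSN Messenger-style line) are stand-ins to show that look-alike names such as msnmsgr.exe are kept apart from msnmsgrs.exe.

```python
"""Triage HijackThis O4 lines against the W32/Rbot-ACQ persistence entries.

Added example (not from the thread or any AV vendor). It parses the
'O4 - HKLM\\..\\Run: [name] command' format and checks which of the three
Run/RunServices values listed for W32/Rbot-ACQ are present in a log.
"""
import re

O4_LINE = re.compile(r"^O4 - (HK[A-Z]{2})\\\.\.\\([A-Za-z]+): \[([^\]]*)\] (.*)$")

# Value name, image and locations from the W32/Rbot-ACQ description in the thread.
RBOT_ACQ_VALUE = "strmsnmsgr"
RBOT_ACQ_IMAGE = "msnmsgrs.exe"
RBOT_ACQ_LOCATIONS = {("HKCU", "Run"), ("HKLM", "Run"), ("HKLM", "RunServices")}

# Constructed sample log: two lines from the thread plus two benign-looking stand-ins
# and one non-O4 line that the parser must ignore.
SAMPLE_LOG = """\
O4 - HKLM\\..\\RunServices: [strmsnmsgr] msnmsgrs.exe
O4 - HKCU\\..\\Run: [strmsnmsgr] msnmsgrs.exe
O4 - HKLM\\..\\Run: [ExampleUpdater] "C:\\Program Files\\Example\\updater.exe" /quiet
O4 - HKCU\\..\\Run: [msnmsgr] "C:\\Program Files\\MSN Messenger\\msnmsgr.exe" /background
O3 - Toolbar: (no name) - {placeholder-clsid} - (no file)
"""


def parse_o4(line):
    """Return (hive, key, value_name, command) for an O4 line, or None otherwise."""
    m = O4_LINE.match(line.strip())
    return m.groups() if m else None


def image_name(command):
    """Lower-case basename of the executable in a Run value's command string."""
    command = command.strip()
    if command.startswith('"'):  # quoted path, possibly containing spaces
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Split O4 entries into Rbot-ACQ matches, missing Rbot-ACQ locations and others.

    Matching is on the value name *and* the image basename, so a bare
    'msnmsgrs.exe' and a full path to it are treated alike, while the
    legitimate 'msnmsgr.exe' (one letter shorter) is not a match.
    """
    matches, other, seen = [], [], set()
    for line in lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        hive, key, value_name, command = parsed
        if value_name.lower() == RBOT_ACQ_VALUE and image_name(command) == RBOT_ACQ_IMAGE:
            matches.append(parsed)
            seen.add((hive, key))
        else:
            other.append(parsed)
    missing = sorted(RBOT_ACQ_LOCATIONS - seen)
    return matches, missing, other


if __name__ == "__main__":
    found, absent, rest = triage(SAMPLE_LOG.splitlines())
    for hive, key, name, cmd in found:
        print(f"Rbot-ACQ entry: {hive}\\..\\{key} [{name}] {cmd}")
    for hive, key in absent:
        print(f"not in this log: {hive}\\..\\{key} (check it by hand)")
    for hive, key, name, cmd in rest:
        print(f"review manually: {hive}\\..\\{key} [{name}] {cmd}")
```

On the constructed log the script reports the two thread lines as matches and lists HKLM\..\Run as the location still to check, which is exactly the third entry Primrose points out is missing from the HijackThis excerpt.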

Primrose
May 21st, 2005, 06:08 PM
{QUOTE-> So sorry, I don't understand Dutch and it's hardly understandable with an online translator ;(

No, NOD32 did not prevent it ;) My blocker warned that the prog tried to write a RUN key in the registry
(my customer running NOD32 had these keys in his registry according to HijackThis, and he runs MSN Messenger, but he didn't know if he got it through MSN Messenger):
O4 - HKLM\..\RunServices: [strmsnmsgr] msnmsgrs.exe
O4 - HKCU\..\Run: [strmsnmsgr] msnmsgrs.exe
and it was no netsky variant <-QUOTE}

You missed one since there are three.

W32/Rbot-ACQ is a worm with backdoor Trojan functionality.
W32/Rbot-ACQ connects to an IRC channel and listens for backdoor commands from a remote attacker.
When first run the worm copies itself to the Windows system folder as MSNMSGRS.EXE.
The following registry entries are created to run MSNMSGRS.EXE on startup:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    strmsnmsgr = msnmsgrs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    strmsnmsgr = msnmsgrs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    strmsnmsgr = msnmsgrs.exe


I guess you do not then even have NOD ..but best I guess to give "your customer" the benefit of the doubt his NOD was updated and set up correctly.

NOD32 Setup Tutorial (for Advanced Protection)
Screenshots courtesy of © Blackspear 2004
http://www.nod32-av.com/setup/nod32setup.htm

I just want to make sure no one is cheating on Fred Cohen's Proclamation.

Gödel's Incompleteness Theorem is a two-way street and I like all the facts.

"Catastrophe may be inevitable, but it need not be crippling."

I see neither catastrophe nor any hint of crippling on that bugger, and as you say "as I said before I don't care about this cheap bot for myself :-D."

Thanks again for submitting it..best to you in your own bizness.

It is strange that your customer would not know where he/she got picture_14.exe.

I suspect it was from Messenger..hope you warned them to be careful.

I don't think anyone else will ever be hit with picture_14.exe.

What do you think ?

dvk01
May 21st, 2005, 06:38 PM
{QUOTE-> I've seen dozens of samples submitted manually despite previously being detected and identified by name. Also, there are files from the prefetch folder which people think are infected and not detected because of a bug in NOD32, etc. Some people submit 4 (four) byte files thinking they are infected and wondering why NOD32 did not pick them up... <-QUOTE}


I have sent you a set of 2 byte files that are part of a worm infection

even though the files themselves are not infected and cannot be infected with only 2 bytes, the names of the files

C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tracert.com

use a Windows peculiarity where a .com runs before a .exe of the same name; consequently, having a 2-byte file in the system folder prevents the real file from running unless it is expressly called with the full .exe name, so that bunch disables regedit and the other utilities to stop them being used

None of the AVs can detect them, but they are a major problem and the latest way that malware authors are using to prevent them being easily fixed

Primrose
May 21st, 2005, 07:36 PM
{QUOTE-> I have sent you a set of 2 byte files that are part of a worm infection

even though the files themselves are not infected and cannot be infected with only 2 bytes, the names of the files

C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tracert.com

use a Windows peculiarity where a .com runs before a .exe of the same name; consequently, having a 2-byte file in the system folder prevents the real file from running unless it is expressly called with the full .exe name, so that bunch disables regedit and the other utilities to stop them being used

None of the AVs can detect them, but they are a major problem and the latest way that malware authors are using to prevent them being easily fixed <-QUOTE}

Why do you think they are so hard to detect..and where is the rest of the files, Derek??

W32.Picrate.A@mm

http://securityresponse.symantec.com/avcenter/venc/data/w32.picrate.a@mm.html

dvk01
May 21st, 2005, 07:47 PM
The Picrate one can be detected as there is code there, even though it's corrupt.

The Alcan worm, aka W32.Alcra.A:

http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html

The 2-byte files only contain the 2 letters MZ.

No AV can detect a 2-byte file reliably, as MZ is the start of most executable files, and it's no good going by name as the names can be legit.
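Derek's two posts above explain why a signature scanner has nothing to match on: the stub is just "MZ", and the file name alone is legitimate. What a responder can still check is the combination: a .com file that sits beside a same-named .exe (so the .COM-before-.EXE search order makes it the one that runs) and is either MZ-only or far too small to be a real program. The script below is an added example, not code from the thread or from any AV vendor; it builds a constructed stand-in for System32 in a temporary directory (fake placeholder bytes, not real Windows binaries) and runs that check over it. The 64-byte size threshold and the list of shadowed tool names are assumptions taken from the posts above.

```python
"""Find .com files that shadow same-named .exe tools in a system folder.

Added example (not from the thread's participants). Windows resolves a bare
command name by trying .COM before .EXE, so a two-byte "MZ" file named
regedit.com next to regedit.exe is what "regedit" actually launches. There
is no code for a signature to match, so this check uses names, sizes and
content instead, which is what a responder would do by hand.
"""
import tempfile
from pathlib import Path

# Tools the thread reports being shadowed by 2-byte stubs.
SHADOWED_TOOLS = {"cmd", "netstat", "ping", "regedit", "tasklist", "taskkill", "tracert"}

# Assumed threshold: genuine .com programs are far larger than this.
STUB_MAX_SIZE = 64


def scan_com_shadows(system_dir):
    """Return sorted (com_name, reason, is_known_tool) tuples for suspect .com files.

    A .com file is reported only when a sibling .exe with the same stem exists
    (so the .com would be run in its place) and the .com is either an MZ-only
    stub or no larger than STUB_MAX_SIZE bytes. Name matching is
    case-insensitive because the Windows file system is.
    """
    entries = {p.name.lower(): p for p in Path(system_dir).iterdir() if p.is_file()}
    findings = []
    for name, path in entries.items():
        if not name.endswith(".com"):
            continue
        stem = name[:-4]
        if stem + ".exe" not in entries:
            continue  # nothing to shadow
        data = path.read_bytes()
        if data.rstrip(b"\x00") == b"MZ":
            reason = "MZ-only stub"
        elif len(data) <= STUB_MAX_SIZE:
            reason = f"tiny file ({len(data)} bytes)"
        else:
            continue  # full-sized .com beside an .exe: leave for manual review
        findings.append((name, reason, stem in SHADOWED_TOOLS))
    return sorted(findings)


def build_sample_dir():
    """Create a constructed stand-in for System32 (placeholder bytes, not real binaries)."""
    d = Path(tempfile.mkdtemp(prefix="fake_system32_"))
    fake_exe = b"MZ" + b"\x90" * 510  # constructed placeholder, not a real PE
    for tool in ("cmd", "netstat", "ping", "regedit", "hostname", "more"):
        (d / f"{tool}.exe").write_bytes(fake_exe)
    (d / "CMD.COM").write_bytes(b"MZ")                   # stub shadowing cmd.exe
    (d / "regedit.com").write_bytes(b"MZ")               # stub shadowing regedit.exe
    (d / "ping.com").write_bytes(b"MZ" + b"\x00" * 30)   # null-padded stub
    (d / "netstat.com").write_bytes(b"MZ\x1a")           # 3-byte junk, still tiny
    (d / "more.com").write_bytes(b"\xb8" * 4096)         # full-sized .com beside more.exe: not flagged
    (d / "edit.com").write_bytes(b"\xb8" * 4096)         # no edit.exe sibling: not flagged
    return d


if __name__ == "__main__":
    for com_name, reason, known in scan_com_shadows(build_sample_dir()):
        note = " (tool named in the thread)" if known else ""
        print(f"{com_name}: {reason}{note}")
```

Run against the constructed directory it reports cmd.com, netstat.com, ping.com and regedit.com and stays quiet about more.com and edit.com, which is the distinction a name-only or signature-only check cannot make.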

dvk01
May 21st, 2005, 07:51 PM
full details here
http://www.wilderssecurity.com/showthread.php?t=80066

we had the fix posted ( May 14th, 2005, 10:51 AM ) a few days before Norton "Discovered" it May 17, 2005

Primrose
May 21st, 2005, 07:52 PM
{QUOTE-> The Picrate one can be detected as there is code there, even though it's corrupt.

The Alcan worm, aka W32.Alcra.A:

http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html

The 2-byte files only contain the 2 letters MZ.

No AV can detect a 2-byte file reliably, as MZ is the start of most executable files, and it's no good going by name as the names can be legit. <-QUOTE}

And when that one is cleaned off by Norton..is the PC then crippled..or are they just left..I am trying to figure out the need to detect them if the exploit is stopped.

Primrose
May 21st, 2005, 07:53 PM
{QUOTE-> full details here
http://www.wilderssecurity.com/showthread.php?t=80066

we had the fix posted ( May 14th, 2005, 10:51 AM ) a few days before Norton "Discovered" it May 17, 2005 <-QUOTE}

Yes :) I know

dvk01
May 21st, 2005, 08:01 PM
If they are not removed, then the usual way of running the legitimate process by Start/Run and just typing the name won't work,

so CMD
netstat
ping
regedit
tasklist
taskkill
tracert

won't work

The authors of the worm obviously thought that by disabling the ability to remove it easily, and its reg keys etc., it would continue to do its deeds.

You know that it's almost impossible to delete a running file, and if taskkill is disabled to stop it running and regedit is disabled to stop the startup keys being fixed, then it's harder to kill off.

Primrose
May 21st, 2005, 08:37 PM
Thanks..yup, seen many doing the HijackThis having to deal with that problem left behind, since not many type in cmd.exe etc. etc...but I did not think that if Norton cleaned the PC of the P2P thingie..it would then leave a PC still crippled.

But doing it all manually does create a problem..and have seen people who had parts of it cleaned..find out later they could not do a regedit..ping or cmd...unless they typed in the full regedit.exe.


http://www.wiscnet.net/cl-ping

BTW
May 21st, 2005, 09:53 PM
{QUOTE-> You missed one since there are three.
<-QUOTE}

Maybe, after seeing one, I thought it was a netsky variant and did not pay much more attention

{QUOTE->
I guess you do not then even have NOD ..but best I guess to give "your customer" the benefit of the doubt his NOD was updated and set up correctly.
<-QUOTE}
Yes I do: it has been my resident scanner for years, with KAV on demand. At least it's well set up on my machine. It was not detected by NOD32 on demand with advanced heuristics until it was added to the DB.

{QUOTE->
Thanks again for submitting it..best to you in your own bizness.

It is strange that your customer would not know where he/she got picture_14.exe.

I suspect it was from Messenger..hope you warned them to be careful.

I don't think anyone else will ever be hit with picture_14.exe.

What do you think ? <-QUOTE}

Lots of average users click like Lucky Luke and don't remember five minutes later what they have done and why ;)
When you tell them, they never listen, and if by any chance they listen, they never learn, alas ;(
I think this little bot, like many others, is just a poor SK job unpacking and repacking a stupid trojan written with the feeds. No chance of wide spreading for this one :-D

Cheers,