What's the diff between bugbear.b and bugbear.b.damaged
testg
June 6th, 2003, 12:44 PM
Since if it's damaged then it won't help much. I know it helps for heuristics, but still, is there enough difference between that and the original bugbear.b? :)
Paul Wilders
June 6th, 2003, 02:22 PM
detection for damaged, non-working samples of W32/Bugbear.B. These non-working samples are detected as Bugbear.b.damaged.
regards.
paul
mrtwolman
June 9th, 2003, 04:57 AM
In general, damaged means something like: incomplete virus body, unable to replicate, producing BSODs, etc.
Randy_Bell
June 9th, 2003, 05:52 AM
This seems strange to me:
-{ Quote: "NOD32 - v.1.431 (20030606)
Virus signature database updates:
Win32/Bugbear.B.damaged" }-
Yet I remember when NAV detected W32.Magistr.corrupt (http://securityresponse.symantec.com/avcenter/venc/data/w32.magistr.corrupt.html) and KAV detected I-Worm.Magistr.corrupted (http://www.viruslist.com/eng/viruslist.html?id=4170), ESET was calling that "snake oil" and proudly announcing they only included "live viruses" for detection. I really don't care, but it seems a little inconsistent based on previous behavior, but people change attitudes I guess.
FYI, McAfee included detection for W32/Bugbear.b.dam (http://vil.nai.com/vil/content/v_100358.htm):
-{ Quote: "-- Update June 05, 2003 --
Due to a further increase in prevalence, the risk assessment of this threat has been upgraded to High. AVERT has received a large number of truncated samples. These are damaged and do not infect. The next DAT release will contain detection of these samples as W32/Bugbear.b.dam. Additionally samples have been received that suggest the virus can mail the encrypted keylog file during its propagation routine." }-
and Symantec has added W32.Bugbear.B.Dam (http://securityresponse.symantec.com/avcenter/venc/dyn/33489.html) to its virus list: my wife got one of these in email Saturday. KAV also has detection of I-Worm.Tanatos.dam and CA-eTrust also has "WIN32/BUGBEAR.B.CORRUPTED" in its Newly Detected Viruses (http://support.ca.com/techbases/ilnt/31033b.html) list. Personally I'm unsure why the vendors are choosing to include a dead virus but it's OK by me. ;D :o
Technodrome
June 9th, 2003, 08:49 AM
Well, I guess ESET changed their policy. People don't understand, so you get bad publicity.
There was a lot of dust about NOD32 not detecting a corrupted Magistr sample (as Randy mentioned). It was a dead virus (non-working), but people didn't care. In their eyes, NOD32 failed to detect a sample of Magistr.
Technodrome
Paolo Monti
June 10th, 2003, 07:11 AM
-{ Quote: Technodrome: "
There was a lot of dust about NOD32 not detecting a corrupted Magistr sample (as Randy mentioned). It was a dead virus (non-working), but people didn't care. In their eyes, NOD32 failed to detect a sample of Magistr.
" }-
You're right. As usual :-)
Mainly, Eset included the detection of damaged samples of Bugbear.B because I asked them to do that. According to MessageLabs statistics, Italy was one of the hardest-hit countries. That's absolutely true. We received many - really many - support calls about Bugbear.B infections. Many users received a damaged sample of Bugbear.B that at the beginning NOD32 was not able to recognize. Sure, those samples were corrupted and they could not spread any infection. But the majority of users don't know that: they simply looked at those e-mails, decided that they were quite suspicious... and called the helpdesk. For us it was really unfeasible to bear such an overload of support calls.
ciao,
Paolo.
Paul Hill
June 10th, 2003, 09:00 AM
-{ Quote: Paolo Monti: "
-{ Quote: Technodrome: "
There was a lot of dust about NOD32 not detecting a corrupted Magistr sample (as Randy mentioned). It was a dead virus (non-working), but people didn't care. In their eyes, NOD32 failed to detect a sample of Magistr.
" }-
You're right. As usual :-)
Mainly, Eset included the detection of damaged samples of Bugbear.B because I asked them to do that. According to MessageLabs statistics, Italy was one of the hardest-hit countries. That's absolutely true. We received many - really many - support calls about Bugbear.B infections. Many users received a damaged sample of Bugbear.B that at the beginning NOD32 was not able to recognize. Sure, those samples were corrupted and they could not spread any infection. But the majority of users don't know that: they simply looked at those e-mails, decided that they were quite suspicious... and called the helpdesk. For us it was really unfeasible to bear such an overload of support calls.
ciao,
Paolo.
" }-
It's good that most AV programs detect the damaged Bugbears.
They may not be able to spread infection, but we've seen some of them that caused problems.
The corrupted Magistr mentioned earlier did nothing. It was a false alarm.
Paolo Monti
June 10th, 2003, 11:00 AM
-{ Quote: Paul Hill: "
They may not be able to spread infection, but we've seen some of them that caused problems.
" }-
Yes, that's absolutely true. Just to say: at least in one case we had a "damaged" Bugbear.B able to spread on a PC. The extent of the "damage" may vary a lot. We've seen quite damaged files (even less than 5 KB) and other samples that were almost identical to the original Bugbear.B.
ciao,
Paolo.
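Paolo's remark that "damaged" ranges from files truncated to under 5 KB up to near-complete copies suggests a simple triage check a responder can run before deciding how much analysis a sample deserves: compare the file's actual length with the extent its own PE section table declares. The script below is an added example, not code from this thread or from any vendor named in it; the PE image it builds is constructed filler (no real program), and its truncation criterion (highest PointerToRawData + SizeOfRawData versus the actual file size) is an assumption of this example, not how any vendor decides on a ".damaged" or ".dam" name.

```python
"""Triage check: is a PE sample truncated relative to what its own headers declare?"""
import struct
from dataclasses import dataclass, field


@dataclass
class TruncationReport:
    file_size: int
    declared_end: int      # highest PointerToRawData + SizeOfRawData over all sections
    missing_bytes: int     # 0 when the file is at least as long as it declares
    cut_sections: list = field(default_factory=list)  # sections whose raw data runs past EOF

    @property
    def truncated(self) -> bool:
        return self.missing_bytes > 0


def check_truncation(data: bytes) -> TruncationReport:
    """Walk the PE section table and compare declared raw-data extents with len(data)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file or NT headers truncated")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)       # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)          # SizeOfOptionalHeader
    sect_off = e_lfanew + 24 + opt_size                                   # first IMAGE_SECTION_HEADER
    if len(data) < sect_off + 40 * num_sections:
        raise ValueError("section table truncated")
    declared_end = sect_off + 40 * num_sections
    cut = []
    for i in range(num_sections):
        off = sect_off + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)    # SizeOfRawData, PointerToRawData
        end = raw_ptr + raw_size
        if raw_size and end > len(data):
            cut.append(name)
        declared_end = max(declared_end, end)
    return TruncationReport(len(data), declared_end, max(0, declared_end - len(data)), cut)


def verdict(data: bytes) -> str:
    """One-line triage label; a truncated file is flagged, never cleared (damage varies a lot)."""
    try:
        r = check_truncation(data)
    except ValueError as exc:
        return f"unparseable: {exc}"
    if not r.truncated:
        return "intact: file length covers all declared section data"
    return f"truncated: {r.missing_bytes} bytes missing, sections cut: {', '.join(r.cut_sections)}"


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image used as test input: two sections, 0x600 bytes total.
    The section contents are filler bytes, not code; this is not a real program."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    sections = [(b".text", 0x200, 0x200), (b".data", 0x400, 0x200)]   # (name, raw_ptr, raw_size)
    opt = bytearray(224)                                               # PE32 optional header, zeroed
    struct.pack_into("<H", opt, 0, 0x10B)                              # Magic = PE32
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), sz, 0x1000 * (i + 1), sz, ptr, 0, 0, 0, 0, 0x60000020)
        for i, (n, ptr, sz) in enumerate(sections)
    )
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    img = bytearray(0x600)
    img[:len(header)] = header
    for _, ptr, sz in sections:
        img[ptr:ptr + sz] = b"\x90" * sz                                  # constructed filler
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    print("full   :", verdict(sample))
    print("cut 800:", verdict(sample[:800]))       # both sections lose data
    print("cut 300:", verdict(sample[:300]))       # section table itself is gone
```

Read this the way Paolo describes the samples: a large missing-byte count with every section cut is the "less than 5 KB" case, while a file whose sections all fit is the "almost identical to the original" case and should be treated as live until shown otherwise.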
Tuulilapsi
June 10th, 2003, 11:16 AM
-{ Quote: Paul Hill: "The corrupted Magistr mentioned earlier did nothing. It was a false alarm.
" }-
I wouldn't say so. After all, it was detected as "corrupted", and it was exactly that - a corrupted, broken, non-functional virus. :P Oh well.
Copyright ©2002 - 2012, Wilders Security Forums