Wilders Security Forums  

  #1  
July 14th, 2008, 06:54 PM
malatesta
Infrequent Poster
Join Date: Jul 2008
Posts: 1
Virus not detected by Nod32 - rather concerned!

I have just fixed, after many hours of ploughing through the web, a virus that prevents you from using any web browser (IE7, Firefox) to go to antivirus sites. All other sites were accessible. The virus even blocked sites that offered assistance with removing viruses.

The infected file was mswsock.dll which is part of the Windows Socket API that interfaces software to the internet. I solved the problem by copying the file from a working OS into the \windows\system32 and \windows\SoftwareDistribution folders.

What surprises me is that Nod32 doesn't pick up on this type of virus. Is this something new?

I would have thought Nod32 would flag a change to this kind of file.
  #2  
July 14th, 2008, 07:06 PM
ronjor
Global Moderator
Join Date: Jul 2003
Location: Texas, USA
Posts: 40,696
Re: Virus not detected by Nod32 - rather concerned!

Hello malatesta,

Kindly submit the sample if possible. http://www.eset.com/support/kb.php
Quote:
How to submit virus or potential false positive samples to ESET's labs
We are very interested in receiving virus samples in order to better protect our customers. To submit a suspicious file to ESET for analysis, please follow these steps:

1. Compress the file(s) into a .zip or .rar archive, and password protect it with the password “infected”.

2. Make a note of this password in the email, attach the zipped file, and email it to samples@eset.com.

3. Use a subject line which clearly states if the attached file contains a suspected infection or a false positive. Also, please include the Customer Care case number if applicable.

4. In the body of the email it is very important to include:

* Any background information as to where the sample was found
* Why you think it is malware or a false positive report.
* If you know that another antivirus company already detects it.
* If you are reporting a potential false positive, please provide as much information as possible about the source of the software, including the name of the developer, the name and version application and the address of the site from which the file was downloaded.

Taking the above steps will greatly assist our labs in the process of identifying and processing samples. If the issue is not resolved within two days and the matter is urgent, please send a follow-up email message with the following information:

* subject line of email that was sent to samples@eset.com
* date and time of email
* email address you sent it FROM and email address you sent it TO.

Last edited by ronjor : July 14th, 2008 at 07:49 PM.
  #3  
July 14th, 2008, 07:09 PM
demonio
Infrequent Poster
Join Date: Oct 2007
Posts: 48
Re: Virus not detected by Nod32 - rather concerned!

In fact, ESET has been slow lately with updates. I sent new variants of Bagle and Gromozon and they have never been updated

@Marcos
why?
  #4  
July 15th, 2008, 12:44 AM
Marcos
Eset Moderator
Join Date: Nov 2002
Posts: 9,079
Re: Virus not detected by Nod32 - rather concerned!

Quote:
Originally Posted by demonio
In fact, ESET has been slow lately with updates. I sent new variants of Bagle and Gromozon and they have never been updated

@Marcos
why?

Frankly, I was wondering why we haven't received a Bagle sample from you for quite a long time as you used to submit them quite frequently. Could you resend undetected variants to samples[at]eset.com with "Bagle" in the subject as usual and PM me when done so that I can check if they have actually arrived?
  #5  
July 15th, 2008, 01:22 PM
demonio
Infrequent Poster
Join Date: Oct 2007
Posts: 48
Re: Virus not detected by Nod32 - rather concerned!

ok
  #6  
July 15th, 2008, 07:51 PM
niceTyp
Infrequent Poster
Join Date: Jul 2008
Posts: 11
Re: Virus not detected by Nod32 - rather concerned!

I also sent ~removed virustotal scan link per policy....Bubba~ to samples@eset.com two days ago. After 5 virus def updates nothing happened... It is a pity.
Maybe I should use Microsoft Antivir because it was one of the first to detect the virus.

Last edited by Bubba : July 15th, 2008 at 08:15 PM. Reason: removed virustotal scan link
  #7  
July 16th, 2008, 06:22 AM
Kosak
Frequent Poster
Join Date: Jul 2007
Location: Slovakia
Posts: 711
Re: Virus not detected by Nod32 - rather concerned!

Hello,

ESET can be the first to detect another virus.
  #8  
July 16th, 2008, 06:43 AM
niceTyp
Infrequent Poster
Join Date: Jul 2008
Posts: 11
Re: Virus not detected by Nod32 - rather concerned!

Yeah, maybe, but version 3271 still does not detect the Zlob variant...
a little bit curious...
  #9  
July 16th, 2008, 06:50 AM
Kosak
Frequent Poster
Join Date: Jul 2007
Location: Slovakia
Posts: 711
Re: Virus not detected by Nod32 - rather concerned!

Zlob gets many new variants every day and their source is known: it's the "porn codec". Don't visit these sites and you won't have Zlob.
  #10  
July 16th, 2008, 06:57 AM
niceTyp
Infrequent Poster
Join Date: Jul 2008
Posts: 11
Re: Virus not detected by Nod32 - rather concerned!

OK, my fault, I didn't know that NOD32 doesn't include variants from such sites.
thx for the tip
don't use the internet, won't have a virus.
  #11  
July 16th, 2008, 07:51 AM
alloucho
Regular Poster
Join Date: Dec 2007
Posts: 145
Re: Virus not detected by Nod32 - rather concerned!

don't use the internet, won't have a virus
There are many new variants of Zlob, Vundo and Bagle that NOD32 does not detect.
NOD32 would not admit that and update its detection capabilities, but advises not using dangerous sites
  #12  
July 16th, 2008, 08:27 AM
demonio
Infrequent Poster
Join Date: Oct 2007
Posts: 48
Re: Virus not detected by Nod32 - rather concerned!

Quote:
Originally Posted by alloucho
There are many new variants of Zlob, Vundo and Bagle that NOD32 does not detect.

Not a BAGLE! nod now identifies all variations. trusted

Quote:
don't use the internet, won't have a virus

crafty facts, use Sandboxie and continue to use the Internet
  #13  
July 17th, 2008, 02:11 PM
niceTyp
Infrequent Poster
Join Date: Jul 2008
Posts: 11
Re: Virus not detected by Nod32 - rather concerned!

Yeah, maybe the best way to use Nod32, because after 5 days 55% of the scanners detect this cool file
http://info.prevx.com/aboutprogramte...841400729BBB51
except nod32 because it comes from a porn site...
too bad...
  #14  
July 17th, 2008, 03:33 PM
Marcos
Eset Moderator
Join Date: Nov 2002
Posts: 9,079
Re: Virus not detected by Nod32 - rather concerned!

I could show you an example of a spammed dropper from a fake email from Microsoft where NOD32 was one of 3 AVs to detect it and it remained so even after 2 days. I won't go into details as comparing products or bashing is not allowed in this forum.
  #15  
July 18th, 2008, 02:29 PM
krokodil_bb
Regular Poster
Join Date: Oct 2007
Location: BB
Posts: 86
Re: Virus not detected by Nod32 - rather concerned!

I can show you my recent experiences with "Zlob" and how ESET deals with detection.

After the upgrade from eav650 to eav667 my computer randomly booted to a BSOD, ... ESET support/dumps/logs..., then I found (with a non-ESET tool) that the cause of this was a virus not known to NOD. I removed the flagged file, no more BSOD. I sent that file to ESET and it was added as Win32/TrojanDownloader.Zlob.BXN trojan 2 weeks ago, that's all. But on other machines with the infection nothing changed; NOD updates and detects nothing. On a manual scan of the \system32\ directory, one exe file is interesting, with the note "[4] Object cannot be opened. It may be in use by another application or operating system."

The only way to detect and remove it with NOD is to scan the infected disk on a clean system (I always thought that this operation was needed only for cleaning some nasty rootkits...). It's a shame for ESET because others (I used a well-known free Russian utility) can detect and delete it without wasting my time by removing the drive from the PC and possibly interrupting other people's work.

Yesterday an ESET technician asked me if the problem with the infection was solved and asked for a SysInspector log from the infected PC.

If NOD can't scan and detect a known "Zlob" virus file, what will it do with real rootkits? And why add detection if it can't detect it in the real infected world?
All times are GMT -5.