#1
Hello All,
There's a new email virus going around. It comes in as an e-card. Don't open it. We have multiple computers infected. NOD32 v3 is not even catching it. I forwarded the email with the virus to support at eset.com and labeled it as a virus. It disables the ESET service and then marks it for deletion. We've had to reinstall it on a bunch of computers.
__________________
Brian

#2
Hello, it's necessary to upgrade your NOD32 to version 4, which includes a new Self-Defense module. It protects the whole program against unauthorized disabling. You can then also send a log from the SysInspector module for detailed analysis.
#3
We have over 1800 computers... Not that easy. Also, I thought you couldn't kill the ESET service even in version 3.
__________________
Brian

#4
Quote:
#5
How can you say that AH isn't effective? When you compare AVs according to detection rate in a "zoo" test, you have to know that an important factor is the ratio between detection and false positives. ESET's policy is not to produce many FPs. If they wanted, sensitivity could be higher, but then a lot of users would write "What has happened to ESET?" Would the viruslab work on fixes then?
You can read this e.g.
Last edited by Kosak: March 12th, 2009 at 05:24 PM.
#6
Just tested version 4 on a workstation and it also shuts down the GUI, but the service looks like it's running. If you try to start the GUI it disappears in a second.
__________________
Brian

#7
After more testing... the service does start after a reboot and the GUI does come back. We are now scanning to see if it finds anything.
__________________
Brian

#8
Windows Defender is catching it as Trojan:Win32/Vundo.gen!AJ
Resources: C:\Users\windowsuser\appdata\local\temp\javainst.exe. This is a Windows 7 PC.
__________________
Brian

#9
For future reference, the correct email is located here: http://kb.eset.com/esetkb/index?page=content&id=SOLN141
Unless you're saying you actually need support for cleaning the PCs, then ignore my post.
__________________
OpenDNS with DNSCrypt SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere

#10
Thanks, after I spoke with Support they gave me that address to email.
__________________
Brian

#11
So after a day and 4 updates from ESET, we are still battling these viruses. ESET is not catching it; we've sent multiple samples. We are using Sophos and Symantec to clean it.
This is not good for Eset.
__________________
Brian

#12
Norton sees it as Trojan.Vundo.
I believe I see some signatures for it, but it's still not catching it.
__________________
Brian

#13
Having the same issue over here.
Never had such an issue with ESET before.

#14
I've been a customer since version 1 and never had this problem. Are you dealing with the e-card virus (Trojan.Vundo)?
__________________
Brian

#15
Yes, Trojan.Vundo, or the 25 different names each AV vendor chooses. I am a customer since v2. I also installed v4 and scanned the zip file: nada, no detection. Submitted the file to ESET; I am surprised it has taken more than 24hr to fix this.

#16
Quote:
In 2.7, when it was light on resources, it was my #1 choice, but now with its resource load and nice % of missed samples it has slowly slipped down the ranks. In my own personal (take it as you may) testing from the things I find, so far in heuristic detection Avira seems to take the crown; however, they have a larger # of false positives... but now is the Catch 22. What's worse for you? A FP that you can unquarantine (all my anti-malware is set to quarantine or report, not to act automatically) or a large spreading infection that can fester in your system for weeks without you even knowing about it, only to be detected by now "updated" signatures (or maybe never?)... just look at the Heartland Data Center breach... the infection has been in their systems since Feb of 2008 and it collected data for MONTHS before they found it. So yeah, those are the things you have to ask yourself. Everything lets things through, that is the fact of life, hence the need for layered defenses; however, currently malware writers are winning and anti-malware companies are playing catch-up while consuming a greater amount of computer resources to run their software.
P.S. Also don't hold your breath with ESET adding some malware defs; in the past it sometimes took them a few weeks to add the samples. Sometimes they add it in hours, sometimes in weeks, sometimes NEVER... or at least so long that I just gave up on checking. I don't follow up on submissions to ESET. I submit to about 40 different vendors, and if the e-mail does not bounce back then I don't re-send. If ESET fails to add it, then it's up to them... and yes, all are zipped or rared with "infected" as password. Ok, I am off my soapbox now.
Last edited by GrammatonCleric: March 13th, 2009 at 06:47 PM.

#17
There are a lot of VUNDOs out there.
Your best bet if ESET is not responding is to install the 15 Day Trial of NORTON (since they seem to catch it... according to what you said) and run scans on the systems that way. I know, it's a pain if you have to do it in MULTITUDES! The first thing with VUNDO is to take the system off the net, so the infection does not update itself and elude your detection.

#18
Norton, I don't think so; I use other tools. And yeah, ESET seems to have degraded since v2; v3 was quite a disappointment. We will see how they play catch-up.
I submitted it to one of those sites that scans with multiple engines; a few picked it up. 2 tools I looked into in the past: Fortinet and CA. Any feedback on these? I am tempted to use 2 different AVs to scan emails instead of relying on one.

#19
The typical update is usually within 24 hours. I've been sending files for months and it has never really been any longer than that, with the exception of weekends.
If you want you can PM me a link and I will forward it in my next daily batch.
__________________
OpenDNS with DNSCrypt SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere

#20
I couldn't find such a file sent to samples[at]eset.com. This is the only address where you should send suspicious files or false positives. If you have actually sent the file in question to this address, please PM me the subject of the email or your email address so that I can look it up.

#21
Quote:
The only reason I recommended Norton in this case was the fact that someone reported that Norton detects it. So instead of going on a "what other AV company detects it" hunt, I just went with Occam's Razor.

#22
Quote:
So I gather you'll recommend installing NOD32 back as soon as Norton misses a threat. Missing threats is pretty normal for any AV, even though not desired by users. There's no perfect AV in the world that detects every single threat; that's a matter of fact whether one likes it or not. 100% detection could be achieved only if detection were based on whitelisting legit files, which would, on the other hand, produce tons of false positives. As I have written, any suspicious file should be sent in an archive protected with the password "infected" to samples[at]eset.com. Samples from infected systems that are sent by our users are handled with higher priority. Usually they should be included in one of the upcoming updates released within the day.

#23
Quote:
No, in this case the reason why I recommended it is because the user wants to clean the system ASAP, or so it seems, so why wait for an updated detection when it's already being detected by someone else? Then he/she/it/IT can just remove Norton, keep ESET, and perform a follow-up ESET scan when ESET updates the defs.

#24
Considering how persistent Norton is on a system, I would never consider installing it as a cleanup for anything.
__________________
OpenDNS with DNSCrypt SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere

#25
Quote:
Another thought would be to run the free Symantec Online Scanner and at least ID the files and their locations. I don't know if the Symantec Online Scanner allows you to delete the infection or if it just IDs it.