Wilders Security Forums
#1
May 17th, 2004, 09:17 PM
sir_carew (Frequent Poster, Santiago, Chile)
BMP and NOD32

Hello People,
Due to a leak in Windows 2000, people have discovered a vulnerability that can infect your computer by viewing a BMP picture in IE 5.X.
AVs, to protect their users, have made a generic detection for any files that try to exploit this: NAV, KAV, McAfee and possibly others. Why not NOD? When?
Thanks.
__________________
- ASUS M4A79 Deluxe
- ASUS HD 5770 CuCore
- AMD PHENOM II X4 965 @3.7 NB 2400
- 4GB DDR2 KINGSTON HYPER X 800 MHZ 5-5-5-15 T1
- SAMSUNG SSD 470 SERIES 64 GB
- SEAGATE SATAII 1 TB
#2
May 17th, 2004, 10:02 PM
Kobra (Regular Poster)
NOD32 dealing with these new BMP Virus/Trojans?

http://www.kaspersky.com/news?id=148515536

Beware! BMP files may contain a new virus


Kaspersky Labs, a leading information security software developer has detected a mass mailing of a new Trojan named Agent. Agent infects victim machines when users view graphics in BMP format.

Agent exploits a vulnerability in MS Internet Explorer versions 5.0 and 5.5 which allows malicious code to be launched on victim machines via modified BMP files. This vulnerability is a direct result of the Windows source code leak and was first detected on February 16, 2004.

Agent was mailed using spammer technology in an infected email that only contains a BMP file with a random name. The file is created especially for the Russian version of Windows 2000; the malicious code will not function on other language versions. This implies that Agent was probably created in Russia or the CIS.

Should a user open the BMP file, Agent immediately connects to a remote server located in the Libyan domain zone, downloading and installing a second Trojan named Throd.

Throd is a classic spyware program. The Trojan first copies itself into the Windows system registry autorun keys and then awaits further commands. The 'master' can remotely execute various commands on the victim machine including copying data, collecting addresses from MS Outlook and turning the infected computer into a proxy server functioning as a platform for anonymous cyber crimes.

"Throd is obviously written for spammers," comments Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Labs, "the Trojan harvests email addresses and creates a network of zombie machines for massive spammer attacks. Once again, we see spammers and virus-writers are working hand in hand."

To date, Microsoft has not issued a patch for this vulnerability. In other words, the only protection users have is up-to-date anti-virus software. "Moreover, it is very likely that malware attacking other versions of Windows will soon appear," adds Eugene Kaspersky, "I strongly recommend that users make sure that their antivirus software protects them from malware exploiting this particular Windows vulnerability."

Kaspersky® Anti-Virus does scan the contents of BMP files and automatically detects suspicious objects attempting to penetrate via either the Internet or email. The solution neutralizes Agent automatically and our antivirus databases have been updated to detect Throd.

Detailed descriptions of both Agent and Throd are available in the Kaspersky Virus Encyclopedia.
#3
May 17th, 2004, 10:17 PM
ronjor (Global Moderator, Texas)
Re: BMP and NOD32

Once again, KAV is in the middle of the NOD support forum.
#4
May 17th, 2004, 10:30 PM
sir_carew (Frequent Poster, Santiago, Chile)
Re: BMP and NOD32

Frankly, I don't like KAV and its owner Eugene. It's not a comparison between NOD and KAV; indeed, I mentioned other AVs: McAfee and NAV.


Quote:
Originally Posted by ronjor
Once again, KAV is in the middle of the NOD support forum.
#5
May 17th, 2004, 10:31 PM
ronjor (Global Moderator, Texas)
Re: BMP and NOD32

http://www.nod32.co.nz/compare.htm
#6
May 17th, 2004, 10:52 PM
Kobra (Regular Poster)
Re: BMP and NOD32

Well, glad I use BOClean to back up NOD32... I emailed Kevin at BOClean, and he replied within minutes with:

-------------------
If the embedded executable WITHIN the BMP starts to run, BOClean does have it covered. We call it "MOO" since that was the internal name given to it by its author. MOO downloads the pathetic LOMOD trojan (name again taken from that given by its author) ... but yeah, what they're doing is BINDING an executable to a BMP file and then taking advantage of the new memory buffer overflow holes in the recent XP patch (this one only seems to work on the Russian version owing to the extra characters) ... we DO expect to see copycats soon though, especially now that Kaspersky has "hyped" it ... monkey see, monkey do is the motto of the kiddies today. One does it, and the rest steal it and call it their own.
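The Kaspersky release quoted in post #2 and Kevin's reply quoted above both describe the same artifact: an executable bound into a BMP file that a vulnerable viewer mishandles. As an added example (not code from this thread, from Kaspersky, or from BOClean), the Python below does the kind of structural pre-screen that an AV's "generic detection" for such files would build on. It parses the two BMP headers and flags implausible dimensions, size fields that disagree with the file, and data appended after the declared pixel array, especially when that data carries PE/MZ markers. The sample images, the dimension limit, the marker strings and the message texts are all this example's own constructions; it makes no claim about any specific viewer bug.

```python
"""Structural sanity check for BMP files (added example; assumptions labelled)."""
import struct
from typing import List

# BITMAPFILEHEADER: bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
FILE_HEADER = struct.Struct("<2sIHHI")
# BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount,
# biCompression, biSizeImage, biXPelsPerMeter, biYPelsPerMeter,
# biClrUsed, biClrImportant
INFO_HEADER = struct.Struct("<IiiHHIIiiII")
BI_RGB = 0                  # uncompressed pixel data
MAX_DIM = 1 << 15           # assumed sanity limit for width and |height|
PE_DOS_STUB = b"This program cannot be run in DOS mode"  # marker seen in PE files


def row_stride(width: int, bitcount: int) -> int:
    """Bytes per pixel row, padded to a 4-byte boundary as the format requires."""
    return ((width * bitcount + 31) // 32) * 4


def inspect_bmp(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means the file looks well-formed."""
    findings: List[str] = []
    if len(data) < FILE_HEADER.size + INFO_HEADER.size:
        return ["truncated: shorter than BMP file + info headers"]

    bf_type, bf_size, _r1, _r2, off_bits = FILE_HEADER.unpack_from(data, 0)
    if bf_type != b"BM":
        return ["magic: not a BMP file"]

    (bi_size, width, height, _planes, bitcount, compression,
     _size_image, _xppm, _yppm, _clr_used, _clr_imp) = INFO_HEADER.unpack_from(data, FILE_HEADER.size)

    if bi_size < INFO_HEADER.size:
        findings.append(f"header: biSize {bi_size} smaller than BITMAPINFOHEADER")
    if width <= 0 or height == 0 or width > MAX_DIM or abs(height) > MAX_DIM:
        findings.append(f"header: implausible dimensions {width}x{height}")
    if bitcount not in (1, 4, 8, 16, 24, 32):
        findings.append(f"header: unsupported bit depth {bitcount}")
    if off_bits > len(data):
        findings.append(f"header: bfOffBits {off_bits} points past end of file ({len(data)} bytes)")
    if bf_size != len(data):
        findings.append(f"size: bfSize {bf_size} does not match actual length {len(data)}")
    if findings:
        return findings  # header values are not trustworthy enough to reason about pixels

    if compression == BI_RGB:
        expected = row_stride(width, bitcount) * abs(height)
        end = off_bits + expected
        if end > len(data):
            findings.append(f"pixels: declared pixel array ends at {end}, file is {len(data)} bytes")
        else:
            trailing = data[end:]
            if trailing:
                findings.append(f"trailing: {len(trailing)} bytes after the pixel array")
                if trailing.startswith(b"MZ") or PE_DOS_STUB in trailing:
                    findings.append("trailing: PE/MZ executable markers in the trailing data")
    return findings


def make_bmp(width: int, height: int, trailing: bytes = b"") -> bytes:
    """Construct a minimal 24-bit uncompressed BMP (constructed sample, not a real file)."""
    pixels = b"\x00\x80\xff" * width                          # one BGR triple per pixel
    row = pixels + b"\x00" * (row_stride(width, 24) - len(pixels))
    body = row * height
    off = FILE_HEADER.size + INFO_HEADER.size
    total = off + len(body) + len(trailing)                   # bfSize covers the whole file
    info = INFO_HEADER.pack(INFO_HEADER.size, width, height, 1, 24, BI_RGB,
                            len(body), 2835, 2835, 0, 0)
    return FILE_HEADER.pack(b"BM", total, 0, 0, off) + info + body + trailing


# Constructed samples: a clean 2x2 image, and the same image with a fake MZ stub glued on.
CLEAN = make_bmp(2, 2)
FAKE_EXE_STUB = b"MZ" + b"\x90" * 58 + PE_DOS_STUB + b".\r\n$"
BOUND = make_bmp(2, 2, trailing=FAKE_EXE_STUB)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("bound", BOUND)):
        print(name, inspect_bmp(blob) or "ok")
```

The check is deliberately conservative: it stops at the first inconsistent header field rather than guessing, and it treats any bytes past the declared pixel array as worth a look, because a well-formed uncompressed BMP has nothing there.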
#7
May 17th, 2004, 10:57 PM
sir_carew (Frequent Poster, Santiago, Chile)
Re: BMP and NOD32

Strange, because this vulnerability only affects Windows 2000 and IE 5.X. It was discovered due to the leak of Windows 2000 code months ago.
#8
May 18th, 2004, 12:00 AM
Mele20 (Former Poster, Hilo, Hawaii)
Re: BMP and NOD32

It may only affect W2000 and IE5/5.5 now. Kaspersky believes that there will soon be new versions affecting other OSes and since Kaspersky had made this major news...copycats will be drawn to this. Thus, I am worried because I use NOD32 on my W98SE box and that box has IE5.5 on it so ..... Is Eset going to ignore this or slowly follow Kaspersky, Symantec and McAfee with a signature?
#9
May 18th, 2004, 12:19 AM
Kobra (Regular Poster)
Re: BMP and NOD32

Well, here's the thing.. Checking the AV definitions released today by NOD32, then scanning KAV's encyclopedia, I see *NONE* of those same things coming up. In fact, going back a day or so, none of them are coming up in my Kaspersky Encyclopedia searches.

Either KAV doesn't update their encyclopedia as often as their AV, or they are just grossly behind the curve in terms of NOD32 definitions? Which is it?

I'm checking out KAV 5.0 and I'm more impressed with it than I was with 4.5. Its scanner is still horribly slow, but its resident stuff is much slicker, and the interface is great now. But are its definitions this far behind, or am I missing something?

NOD32 leaves me feeling naked in terms of Trojan/malicious spyware elimination/prevention; that's why I use BOClean to back it up, which catches about anything. So all is good, since I already purchased BOClean, and it comes with free lifetime updates and stuff. But still, if KAV will give me superior protection, I'll let my license on NOD32 run out.
#10
May 18th, 2004, 12:55 AM
ronjor (Global Moderator, Texas)
Re: BMP and NOD32

It's late, I'm tired, but, I do have a comment.
If anybody thinks an antivirus program can patch every hole that ever existed in an operating system, I have a bridge I want to sell you.
The sky is NOT falling.
Forget your license if you are not comfortable with a program you are using. Get a program that gives you comfort.
Practice safe computing and you can forget about ninety percent of the posts on these boards.
#11
May 18th, 2004, 01:10 AM
Paul Wilders (Administrator, The Netherlands)
Re: BMP and NOD32

Quote:
Originally Posted by ronjor
Once again, KAV is in the middle of the NOD support forum.

Not any longer. This thread has been moved to a more appropriate forum.

regards.

paul
#12
May 18th, 2004, 11:23 AM
tazdevl (Frequent Poster, AZ, USA)
Re: BMP and NOD32

Quote:
Originally Posted by ronjor

Might want to look at the dates in the link bubba. Good chance that the performance of applications can change in a 1-2 year time period no?
#13
May 18th, 2004, 11:47 AM
ronjor (Global Moderator, Texas)
Re: BMP and NOD32

Did you read all the results?

"Summary of 7 tests June 2002 - Feb 2004 : OSs include Netware 6, 2000, NT and XP"

The current year is 2004 I believe.

Yes, I agree that performance can change over time.
#14
May 18th, 2004, 04:02 PM
sir_carew (Frequent Poster, Santiago, Chile)
Re: BMP and NOD32

Can somebody from ESET reply to this?
#15
May 18th, 2004, 04:04 PM
tazdevl (Frequent Poster, AZ, USA)
Re: BMP and NOD32

LOL honestly ronjor. I skimmed it. Was in the middle of a conference call. My bad.

However, being a marketer, I'm always suspect of research results. Especially when you look at other sources which contradict the research you referenced like AV Comparatives and Rokop.

A few more questions leap to mind as well:
- Were all the products tested at the same intervals?
- Were any resubmitted if problems arose?
- If so, were the results counted?
- Were updated versions of the software used if available, etc.?
- What was the original hardware configuration and how did it change over time?

It gets back to what Paul keeps saying: you need the details of the test.

Last edited by tazdevl : May 18th, 2004 at 04:15 PM.
#16
May 18th, 2004, 04:56 PM
ronjor (Global Moderator, Texas)
Re: BMP and NOD32

tazdevl

It was an honor to be "bubbatized" on this forum.
#17
May 18th, 2004, 09:54 PM
tazdevl (Frequent Poster, AZ, USA)
Re: BMP and NOD32

Quote:
Originally Posted by ronjor
tazdevl

It was an honor to be "bubbatized" on this forum.

ROFL, it's an affectionate term I use.
 
