New MyDoom.M worm NOD32 detects it via Heuritics.

BUt it only gets the worm payload, not the trojan one.

I sumbitted the attachment.

so don't open anything that says attachment.zip which contains an .htm file and the file icon looks like that nice old MSDOS icon.

CHeers,

oh yeah AH must be enabled and the worm must be unpacked or ranned in order to be detected. (you can safely download the file without NOD giving a peep).

 

Symantec responded with Emergency DEFS update. (full blown detection)

McAFFE responded 5 hours ago. (full blown detection)

KAV detected it with Monday's DEFS.

Etrust responded with a full blown detection.

ClamAV responded with a full blow detection.

F-Prot full blown detection.

NOD32 still Heuritic only.

The worm is now Category 3.

 

Ok Symantec has done a full analysis of the threat.
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html

Time is ticking so far the response of NOd32 is not soo great come on guys/gals.

I've sent the strain at 4 pm it's 12:16 am now so that's 8 hours from my submission.
McAffe has update it at Noon.
Norton at 7:30
So so far we are about 5 hours behind norton and counting.

I know it detected the first one via heuritics but it did not nail the trojan.

Now this has become more of a test of response time then heuritics time. We have a category 3 worm spreading and so far no solid defs are present.

Make it 2:30 am, 10.5 hours. SO I guess Nod32 does not have an Emergency response team after 5 pm? EST

 

The def file may not be updated yet, but I can bet money that NOD wouldnt let it infect your computer if you tried. Thats the wonderful thing about it. Everybody has to frantically update their def files so they can detect it to, NOD catches it and prevents it without having the def updated.

 

Yes but what about a scenario where NOD's heuritics fails to detect it (it happens a lot...not as much now (since the last update of advheuri) but it still happens.). In that case you have to count on Response time of NOD's definitions. If they are slow then your friend with Norton, KAV, Mcaffe, Bitdefender, clam will be protected and you be exposed.

 

Yay 10:20 am, 18 hours and counting. Boy I am really glad that heuritics cought the worm since now I would have been scrwed. Oh yeah BTW, everyone else detects it with solid defs.
http://www.virustotal.com/flash/respuesta_sav/resultado?682bb5c4883b2e3da160894b389c7505:eng
P.S.
It did not catch the trojan that comes with it.

 

Hi,

Well I agree with you. I love Nod and I guess because it detects the file with heuristics there is not such a rush to get defs out.

Although I bet there are people who have AH disabled so still think that defs are very important and should be released quickly. I am sure if AH did not detect Nod would have been one of the first to get Defs out.

I have full AH enabled here though

Cheers

Jlo

 

Indeed this Mydoom isn't a new variant. It's only the Win32/Mydoom.R but packed with MEW and not UPX. But because AH uses a "generic unpacker", NOD was able to detect this repacked variant. Anyway, as from 1.1000, Eset added via signature Win32/Mydoom.AW.

 

Nope 1.1000 did not detect the variant since I had 1.1000 and it was detected via AH. It was detected with today's update (1.1001) as Mydoom.R.

So it took them a day to add it. Quite slow for a level 3 worm.


When ranned in my VM the only detection I got was via AH, with AH OFF my VM got fully infected.

 

Great to see NOD's AH, which is set on by default in IMON, detected this at the zero-hour before other AVs could get their definitions out and the end user got around to updating their definitions for their AV.

 

Yeap but KAV also got it with Monday's defs.

If you got it via e-mail and your e-mail is IMAP and you are useing firbird to read it then IMON would not get it. AT least it did not happen in my occasion. So with IMON gone and AMON set without AH then the user would still get infected.

SO in the end we need a lot quicker response for a high level infections. (at least faster then 1 day, others responded in less then 2 hours)

 

For my end it is still good that NOD's AH detected this before the others AVs.

The Advance Heuristic is one of the main reasons I use NOD for zero-day protection while with other AVs there is a wait time for the definitions
which may be too late for someone no matter how fast they get them out.

They should set AH on in AMON by default like it is in IMON. I find no slow down with AH set on in AMON.

 

AH are great, but they are in no way a reliable substitute for proven signatures. NOD should be working on faster response times for their defs rather than sitting on their AH laurels. Prompt service is still a major part of any vendor/consumer game.

Neil

 

Advanced heuristics is highly reliable in the case of worms. I would say there's less than 0,001% probability of getting an unsolicited email with attachment which AH would evaluate falsely as a probable virus.

 

Advanced heuristics is highly reliable in backdoors too.

 

This is nice to know Marcos, thank you.

Cheers

 

Ok then let's flip the coin.
With NOd32 response time lacking, then what is the probability of AH evaluating an positive viral (non definitions) unsolicited email as a virus?

 

I have NOD on one machine, a KAV AV on two machines and one of the free AVs on a fourth machine.

Even though NOD was a bit slow getting the definition out on this one, that was already detected by AH, I have found they are pretty quick getting the
definitions out for high level infections. Sometimes even faster the KAV

Example:
https://www.wilderssecurity.com/showthread.php?t=42010

NOD's AH has worked well on my end.
https://www.wilderssecurity.com/showthread.php?t=58482

 

By the same token some of the other AVs should stop resting on their laurels
with just definitions and no or poor heuristics and start improving their heuristics for better zero-day protection like NOD.

No matter how fast an AV can react there is still a wait time until
the definitions are released and the end user has updated.

I much rather see a zero-day high level infection stopped at the onset
like NOD has done a number of times on my end.

 

Tell that to the hundreds of Exchange admins who had to explain to the CEO that their "high-end" AV didn't catch the latest Bagle/MyDoom/Netsky worm at the door, and a bunch of clients were infected--"but hey boss, at least we got the signature within 3 hours!"

 

You guys have really missed the point. Many people, such as the NOD users here, tend to rally around posts like this one and other ones that tout how great the AH were in stopping x virus, but forget about the other posts on this board about viruses that HAVE slipped pasted NOD's AH. Therein lays the problem. Thinking like this makes us realize that there is a dark figure - how many viruses go undetected because of complacency in relying on AH to find a virus on your machine. Examples:

1. https://www.wilderssecurity.com/showthread.php?t=55903&highlight=missed
2. https://www.wilderssecurity.com/showthread.php?t=43614&highlight=missed
3. https://www.wilderssecurity.com/showthread.php?t=31324&highlight=missed

Don't get me wrong, NOD's AH are the best in the business, BUT AH are only part of the solution. Proven signatures provided in a quick manor are the other part of the total solution. I realize that 'quick' is a relative thing, but we can all agree on a week later as not being classified as 'quick'. We can reply with anecdotal quips like "but hey boss, at least we got the signature within 3 hours!" and ignore the idea of running a virus for a WEEK before getting an update only to find out then that your system is infected. I assure you no boss would want to hear that either. A backdoor giving access to protected information is not something that anyone wants. But, hey, get complacent and rely on AH.

Obviously there are many users who agree with me to some extent on this point, as many here run a secondary AV as well as AT software. This isn't a knock against NOD, but rather a recognition that it isn't going to get them all, regardless of how great the AH are. That is the nature of the beast. Quick response time can only make the product better; complacency will only make it worse.

Neil

 

I currently run NOD on one machine, F-Secure on two machines and
one of the free AVs on a fourth machine.

Even KAV can be late getting the definitions out on a high level threat.
https://www.wilderssecurity.com/showthread.php?t=42010

It has been my overall experience that NOD does a good job with the
definitions.
http://www.nod32.com/scriptless/support/info.htm

What I am saying is that you need both definitions and good heuristics
for the best overall protection.

From what I have seen is some AV pretty much rest upon their definitions and have not developed a quality heuristics to provide that additional security level for their customers with a zero-day defense.

From using the above posted AVs and others, no matter how fast the
definitions are released it is always going to be too late for some of
their customers. A good heuristics detection like NOD's AH can only
make their product better.

 

I think we can all agree that timely defs are imperative--I'm certainly not arguing that. I think, however, that you will find that as a rule, NOD adds detections for new malware very quickly. I think, also, that most users--rather than being described (innaccurately in my opinion) as complacent while having the protection of AH--appreciate it as a very strong component of an already very formidable virus defense.

Avast! is another up and comer in this area, and kudos to them.

The point I believe you are missing, is that all AV's will sometimes miss a virus because they don't have the definition. NOD32 misses many fewer because of IMON's AH--and catches almost all of the zero-day worms--and a lot of other malware--before most other AV companies can issue a def. Those aren't anecdotal quips--they're being proven time and time again in labs and in the real world.