#1
Over at the DSL Broadband Security forum they have a thread which indicates that 22 out of 23 antivirus programs were unable to detect the JPEG-based virus discovered 6 months ago. NOD32 was among those that missed the virus. In response, a number of contributors to that forum posted images indicating that their antivirus now detected the threat. NOD32 was not among those either.
Does NOD32 detect that threat? If it doesn't, shouldn't it? If it does, shouldn't somebody respond so that NOD32 doesn't get a "bad rap?" Here is a link to the thread on the other forum: http://www.dslreports.com/forum/rema...flat~days=9999

#2
There is some debate over whether AVs should detect this particular piece of code. The author has stated that it isn't malicious code or viral, and does not compromise a system. (I quoted the author on this in the thread you reference, and my post has pretty much been ignored.) It appears to be more of a POC or "test" than anything else. I'm sure it will be detected by all AVs pretty soon--just to quiet the "hysteria", but as of right now the code referenced is about as "harmful" as an eicar test file.
__________________
www.gremiss.com

#3
I just downloaded that test file and right away, even before I could save it, IMON detected the zip file as win32/exploit.roxo.a trojan. I let it download anyway and extracted the jpg, then scanned it, and again it detected the win32/exploit.roxo.a in the jpeg file... so it appears that NOD32 DOES in fact detect this "exploit"/code.
Keep up the good work, Eset.
Marc.

#4
Same here. Would have been nice for the "Delete" button to be enabled, though! What's that all about? "Yeah, there's a trojan... I think I'll just 'leave' it."
__________________
They say the only totally secure PC is one that is turned off. So, I showed my PC a photo of my wife! [ba-dum-bum-tsss]

#5
1. IMON stops it dead in it's tracks before you DL it.
2. NOD will give you the option to Leave, Rename, and Delete if you unzip the file and run a scan. http://img.photobucket.com/albums/v219/NAMOR/NOD.jpg

#6
Not here. IMON presented the dialog you see above. My only option was to "Leave" it.
Since I don't have two hours per day to devote to NOD32 beta testing, I use the default IMON setting, which is to use compatibility mode exclusively--hence, IMON does not stop it "dead in it's tracks before you DL it" [sic]. And my point is that I don't want to have to unzip it and run a scan. (Actually, you can just scan the ZIP directly.) Why should I have to? If I am downloading a trojan, let me delete it, now!
__________________
They say the only totally secure PC is one that is turned off. So, I showed my PC a photo of my wife! [ba-dum-bum-tsss]

#7
Well, with Blackspear's setup, IMON gave me the option to terminate, and when unzipping the file, AMON gave me the options to Rename and Delete.
http://img.photobucket.com/albums/v219/NAMOR/IMON.jpg http://img.photobucket.com/albums/v219/NAMOR/AMON.jpg

#8
When I attempted to dl the *.zip, IMON detected the trojan and terminated the connection. No possibility of infection.

#9
Wow, you found the "HTTP" tab under IMON Setup. Congratulations.
__________________
They say the only totally secure PC is one that is turned off. So, I showed my PC a photo of my wife! [ba-dum-bum-tsss]

#10
Maybe I missed something. What does the HTTP tab have to do with it? I haven't changed any setting under that tab. Only changed settings under the Misc tab.
Last edited by NAMOR : March 10th, 2005 at 02:25 AM.

#11
You can have the download automatically denied on the HTTP tab.
But regarding my original post... Mea culpa. It wasn't IMON at all that caught the trojan; it was the post-download scan that GetRight passed to nod32.exe. You have to use compatibility mode with download managers.
__________________
They say the only totally secure PC is one that is turned off. So, I showed my PC a photo of my wife! [ba-dum-bum-tsss]

#12
Heh. Not as if NOD is difficult to use...

#13
Gotcha, now I see what you mean. Never used a DL manager before, so I can't comment on it.

#14
http://www.nod32.com/scriptless/support/info.htm
NOD32 - v.1.1022 (20050309) one of the defs included was: Win32/Exploit.Roxo.A

#15
I have everything set up in the compatibility for HTTP to higher compatibility; all that's changed is the deep heuristics, etc. Still detected for me...
Marc.

#16
I think the problem is that he is using a download manager? Maybe because the DL manager downloads files in chunks as separate downloads?