Dr.Web adding more virus signatures

Discussion in 'other anti-virus software' started by Miyagi, Apr 7, 2006.

Thread Status:
Not open for further replies.
  1. Severyanin

    Severyanin AV Expert

    Joined:
    Mar 19, 2006
    Posts:
    57
    For everyone's reference:
    http://update.drweb.com might be interesting to find out what was added to the base and when.
     
  2. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Analysts are working hard!!!!
     
  3. Severyanin

    Severyanin AV Expert

    Joined:
    Mar 19, 2006
    Posts:
    57
    Well, to be frank, the hardest work is done when they have to crack polymorphics like Win32.Polipos. Sleepless nights and full days.
    Adding thousands of zoo samples is just a routine... Not really interesting.
     
  4. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    Amazing isn't it, how those guys talk about making signatures :D
     
  5. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Will W32.Polipos be reported/listed on the Wildlist?
    edit: Hm, I do not see anyone from Dr.Web listed as a Wildlist reporter :(
     
  6. Severyanin

    Severyanin AV Expert

    Joined:
    Mar 19, 2006
    Posts:
    57
    Hi!
    Nice to meet you, I am one of them :)
     
  7. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Props to the DrWeb team! :thumb:



    tD
     
  8. Severyanin

    Severyanin AV Expert

    Joined:
    Mar 19, 2006
    Posts:
    57
    Well, I am sure that the WildList already has the Polipos.
    Because the P2P community has been speaking about it for a month.
    The problem is that it seems to be too difficult to detect for most AVs...

    The situation now is really strange and unusual. We don't quite understand it, either - even people from Doctor Web, Ltd. did not think that we have such strong capabilities in polymorphic detection that we can be all alone for one month...
     
  9. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Yeah, especially considering Symantec is one of the best (if not the best) in this field o_O Though it looks like this isn't the case for Polipos...
     
  10. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Symantec hasn't added it so far, so you cannot say anything about how reliable/good the detection of it is.
    So far it seems like only Dr.Web is able to detect it in a reliable way :thumb:. E.g. Fortinet has also added it, but it does not detect all.
    IMO Dr.Web, KAV, Symantec and ESET are the companies able to do very good detection of polymorphic stuff. Others may be good too, it is only my opinion.
     
    Last edited: Apr 20, 2006
  11. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    594
    Location:
    Canada
    What does it do and how does it spread?
     
  12. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
  13. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    594
    Location:
    Canada
    Thanks!

    IBK, can you test when other AV vendors will detect it, the same as you did for Mytob?
     
  14. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    So far only Dr.Web detects it. Fortinet, Avira and eSafe detect some, but not really. Maybe this changes in some days/weeks.
     
  15. Severyanin

    Severyanin AV Expert

    Joined:
    Mar 19, 2006
    Posts:
    57
    Well, it is really surprising - I don't remember the same thing ever happening. I would have understood a zoo sample being neglected for several weeks. But a virus that is widely spoken of remaining undetected for more than 1 month - something is really wrong ...
     
  16. Siarheika

    Siarheika AV Expert

    Joined:
    Apr 9, 2005
    Posts:
    24
    Maybe it was just (mistakenly?) considered a zoo sample by other AV vendors? But now everything is going to change...
     
  17. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, considering I couldn't find it after nearly an hour of searching on the ED2K, G1 and G2 networks, I don't really consider it a highly dangerous thing. Maybe the damage factor, but propagation is pretty low. That's why mass mail worms can spread that fast: because they are pushed to users, not waiting to be downloaded...
     
  18. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Even though (if) it’s a zoo virus, the rest should detect it. It looks like it is a very complex virus and it’s able to cause more damage than some worm or downloader. For this reason alone, it should be detected and recognized by all antivirus companies. No excuses....:cautious:


    tD
     
  19. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Kaspersky added it now, but does not detect all.

    Still no news from other vendors. Maybe some of them wait for a global epidemic and in the meantime they follow the sarcastic rule "if we do not detect it and it is not on the wildlist, it exists only in labs", like some of them always say when they miss stuff.
     
  20. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Thanks for the follow-up IBK. :thumb:


    tD
     
  21. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    594
    Location:
    Canada
    - Do NOD32 and VBA32 detect it?

    - Also, how does it manifest on an infected machine?

    - Can we detect it with HijackThis and similar tools?

    - Can Dr.Web CureIT clean this virus?
     
  22. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Last edited: Apr 21, 2006
  23. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    594
    Location:
    Canada
    I don't know ;)

    If somebody posts an HJT log and complains about problems with his PC, how do we know that he is infected with that virus?
     
  24. Siarheika

    Siarheika AV Expert

    Joined:
    Apr 9, 2005
    Posts:
    24
    VBA32 had an initial detection record for Win32.Polipos available yesterday in the evening, but due to some problem it worked for the Linux scanner only (could be tested on virusscan.jotti.org). Now an updated detection record is available for both Windows and Linux; it should detect a large number of Win32.Polipos variations, but I'm still not sure whether it is 100% perfect. A final detection record is expected to be available tomorrow. We are still working on improving detection of this virus and would be glad to get any missed samples.
     
  25. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    It's very easy to detect - there's nothing to worry about once you've found the real EPO call - cleaning is somewhat more tricky, took me around 2 hours of work. The source code of the cleaner (Win32 ASM, Console) goes online soon as open source.
     