Just came across a cool file that just nuked everything.

Discussion in 'NOD32 version 2 Forum' started by tempnexus, May 8, 2005.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    I just came across a cool file that just nuked everything off my VM. It did not get picked up by NOD32 nor BoClean.
    So do not execute a file whose description says:
    TEMPERASER MFC

    The icon is of a blue bubble that says "chat" the exact file size is 606,208 bytes.

    KAV IDs it, same goes for McAfee and Avast, but the rest are having problems, including Norton.
    TDS-3 detects it as KILLFILES.hi
    So be careful.

    Yeah, did send it to NOD32 and others.


    P.S.
    Nod32 in question is 2.5 beta at max settings.
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    ArcaVir and Dr.Web detect this Trojan too.

    NOD32 does not, it seems :(
     
  3. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Over the years of testing different anti-viruses I concluded that Nod32 is low on resources but not really something I would fully trust. They are trying I know that.
    But that file is quite old and it has been around the net for a while. And including the fact that a free AV detects it and a paid one does not is kind of :oops: .
    It would be child's play if the file was nothing more than a worm, but in fact this file nukes your whole hard drive! :) It leaves the running icons in place so you think that your protection is working...but once you double click on it you will realize that nod32.exe blah blah.exe cannot be found error. :)
     
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Good thing I've got McAfee on my bro's PC........I came only two days ago to the NOD community :)

    Not saying NOD is bad - I've submitted many files to Jotti where NOD heuristics caught - the heuristics work 80-85% of the time :)

    And that is what I love about NOD (apart from Daddy Cool Happy Bytes of course :D)
     
  5. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    You have never tested it against spyware or trojans, have you? :) :) :)
    The heuristics don't fare so well there.
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Spyware...No.

    Trojans...yes. Still quite good. From my observation, NOD32's heuristic trojan detection was better than BitDefender or ArcaVir - both of which have a nice heuristics engine (not as good as NOD32 though) :)

    Signature wise - BitDefender is better, and NOD32 is roughly equal to ArcaVir :)
     
  7. Holden4th

    Holden4th Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    69
    So you just double-clicked on a file (with eraser in the file name) that you knew nothing about and thought, "Oh well, I've got an AV, all will be well". What a wonderfully astute move!

    And, perchance, did this file arrive via e-mail from someone you'd never heard of? Another example of your sagacity?
     
  8. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,008
    Well, I understand what you mean Holden4th but I find too that NOD32 should have reacted. If KAV, Avast and McAfee gave a howl NOD should have done the same. Especially since it's an older file it should have been something detected by at least the heuristics, or not?
     
  9. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    You'd want this detected by heuristics? Are you serious? Heuristics are behavioral directed techniques. Detecting this by heuristics would run the risk of flagging every drive/folder cleaning program in existence. No, this is one that needs signature coverage - either specific or generic.

    Blue
     
  10. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,008
    I don't care which part of NOD would have detected this :)
    Of course the heuristics is not the most probable piece to do that...

    But not detecting anything at all, while other programs do (by signatures) is not cool.
     
  11. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Edwin,

    It's not that heuristics "is not the most probable piece to do that", it's that heuristics is not the piece period. I'm being a little strident on this point since users or potential users of NOD32 might not understand the issues behind the words and view this as a significant shortfall of the heuristics component in NOD32, which it is decidedly not.

    Naturally, being able to deal with this type of program would require a sample to develop a robust signature, which apparently has been provided by the original poster.

    Even at that, I am somewhat less sanguine at the direction that posters are indicating in this thread. Not all bad outcomes are due to malware - I am ignoring all specifics in this particular case since I have not seen the file in question. The fact of the matter is, it's likely that a renamed, but valid, automated disk eraser utility would perform precisely the job described in the thread, as would a simple batch file with the single command "DEL /S C:\*.*" Bad outcomes if run inattentively to be sure.

    Blue
     
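Blue's point is that a behaviour rule ("deletes lots of files") cannot separate a wiper from a legitimate disk eraser, so the practical answer is a specific or generic signature. Below is an added example (not code from the thread or from any vendor) of a minimal indicator matcher that uses only the two details the original poster gave, the exact size of 606,208 bytes and the "TEMPERASER MFC" description string; the sample files it scans are constructed in a temp directory, and the requirement that both indicators match is an assumption made to limit false positives.

```python
import hashlib
import os
import tempfile

# Indicators quoted in the thread; no hash was given, so none is matched on.
SIGNATURE = {
    "name": "KILLFILES (thread report)",
    "size": 606_208,
    "description": "TEMPERASER MFC",
}

def has_description(data: bytes, text: str) -> bool:
    """PE version resources store FileDescription as UTF-16LE; also accept ASCII."""
    return text.encode("utf-16-le") in data or text.encode("ascii") in data

def match_signature(path: str, sig: dict = SIGNATURE) -> dict:
    """Return which indicators matched; 'match' is True only when both do."""
    with open(path, "rb") as fh:
        data = fh.read()
    size_hit = len(data) == sig["size"]
    desc_hit = has_description(data, sig["description"])
    return {
        "path": path,
        "sha256": hashlib.sha256(data).hexdigest(),  # recorded for later lookup
        "size_match": size_hit,
        "description_match": desc_hit,
        "match": size_hit and desc_hit,
    }

def make_sample(dirpath: str, name: str, size: int, description: str) -> str:
    """Construct a zero-filled dummy file of the given size with a UTF-16LE description."""
    body = bytearray(size)
    enc = description.encode("utf-16-le")
    body[0x100:0x100 + len(enc)] = enc
    path = os.path.join(dirpath, name)
    with open(path, "wb") as fh:
        fh.write(body)
    return path

def demo() -> list:
    """Scan a constructed lookalike and a constructed benign eraser of the same size."""
    d = tempfile.mkdtemp()
    suspect = make_sample(d, "chat.exe", SIGNATURE["size"], SIGNATURE["description"])
    benign = make_sample(d, "eraser.exe", SIGNATURE["size"], "Disk Eraser MFC")
    return [match_signature(suspect), match_signature(benign)]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict["path"], "MATCH" if verdict["match"] else "clean")
```

The benign file shows why size alone is not enough: it has the same length and is only rejected because its description differs.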
  12. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    I would like to report that this sample should be added soon (say, a week or so at the maximum:)) as Eset should have received this sample because some others have also sent it.
     