my AVP and NOD32 trojans experience: what I can conclude.

Discussion in 'other anti-virus software' started by Mack Jones, Jan 3, 2004.

Thread Status:
Not open for further replies.
  1. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    First of all, I wish all of you a happy new year!
    Thanks to Paul for allowing us to use this very useful board, and thanks to all the guys I can't remember for helping us when a problem occurs.
    :)

    I'm a proud user of NOD32 and I have experienced something very funny for those who say that this AV performs badly against trojans.
    I was using AVP as my primary AV (and NOD as a backup) and I discovered I had had a trojan for a long time, but even when up to date, neither AVP nor McAfee was able to detect it!
    Only NOD32 discovered a Spy.Wolfmp.A Trojan.
    I submitted the sample to WebImmune (McAfee online AV) and I received a message telling me this trojan will be added to the bases later...

    But my main argument is not here, as you can imagine:
    do you really think that the most common user needs "an absolute laboratory champion"?
    I don't think so.
    I think many people are trying to impose a climate of panic; see the media and Sobig or Blaster...
    And as most people are ignoramuses, they say "Wow! 99% detection is better than 85%, I'll stick to this AV".
    But it's not the REAL world.
    But I was in this situation myself, and I discovered that those lab tests are great but they are not well interpreted: in this case, I discovered that Eset has chosen to include not all the Zoo viruses/trojans but only those you can encounter one day: that's what I call the REAL world (or ITW).
    That's why I decided to use NOD as my (only) AV.
    My moral could be:
    don't panic, don't be paranoid, don't think that a 99% detection rate will protect you better: it's only lab results.
    Maybe that's a reason why NOD32 performs average at AV.gr but is rated first for the VB.

    Thank you.
    Nick
    PS: apologies if my English is not perfect. :doubt:
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    I have been looking for the trojan wolfmp.a; I would like to know what it does. I have looked at the ESET virus database and also at Sophos, Symantec, McAfee, F-Prot, and Kaspersky, and I can't find it. Could you please post what the trojan does if you get infected? I would appreciate it very much. Thank you
     
  3. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I agree with you; moreover, ESET has enhanced the Advanced Heuristics, which is now able to detect trojans proactively. Some days ago, I found 3 trojans in a legal program and NOD32 detected those clicker and downloader trojans proactively via AH.
    ESET is now starting to add not only in-the-wild viruses; I send several samples to ESET (including old viruses) and they add them very quickly :D
     
  4. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    Hi !
    I'm sorry but I wasn't able to find what this trojan does: I don't want to infect myself to know! o_O
    And Eset databases do not contain any info about this trojan...
    http://nick.vallet.free.fr/samples/NOD32.jpg
     
  5. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Try scanning this file with KAV using extended bases (updates_ext or updates_x); it could be detected with them.
     
  6. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    Sorry, my AVP licence expired...
    Maybe someone else can do the test...
    for the sample:
    ----link removed----

    Note to the Webmaster/administrator:
    can I post a sample here ?
     
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    PM me the link or send the file to illukka@dslr.net
     
  8. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    It is detected as TrojanSpy.Win32.Wolfmp (thanks for the sample).

    Usually when KAV says trojan spy it means a keylogger... so this has been running on your PC?
     
  9. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    I've been running AVP 3.0.124 (up to date), scanned on December 26.
    VirusScan 4.51 SP1 (12/24/2003) wasn't able to detect it either, and NAI sent me an extra.dat to detect the trojan...
    "This is a trojan [...]it has its own SMTP engine, so we have attached an EXTRA.Dat for detection as Uploader-L trojan"


    EDIT:
    IMHO, KAV has recently added this trojan, and McAfee will do it in a short time...but I can't verify for KAV.
     
  10. Schouw

    Schouw AV Expert

    Joined:
    Jan 4, 2004
    Posts:
    29
    Location:
    Netherlands
    Check the database, only one entry.
    Entry is from latest cumulative, which is out for months.

    So KAV is able to detect this one for months now, if not longer.

    Unless you have got some specially crypted sample, you are talking nonsense.
    (You can mail the sample to me, so I can check if that's the case, submitvirus@yahoo.com )

    If you want, I can ask someone to give me the exact date that detection was added.
     
  11. Schouw's right... Here is KAV's detection from the sample...

    Maybe there was a problem with your AVP, but mine's fine...
     

  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Schouw, welcome ;)

    For the record: KAV is not under siege here; have a look at illukka's post. Please keep that in mind, gents.

    regards.

    paul
     
  13. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Indeed, KAV has detected this Trojan since June 2003. ;)



    tECHNODROME
     
  14. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    Thank you very much for your help.
    o_O I was sure that AVP wasn't able to detect it...
    My apologies if I made a mistake during the scan :oops:
    But it appears this sample is not detected by Norton (according to a friend who tested with his AV), McAfee (4.51, sure)... and maybe Bitdefender...

    I'm sorry :oops:
    something's wrong with my AVP.
    Regards,
    Nick
     
  15. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Your AVP version is too old so that might be a reason (although 3.xx uses the same engines as current ones).


    tECHNODROME
     
  16. Schouw

    Schouw AV Expert

    Joined:
    Jan 4, 2004
    Posts:
    29
    Location:
    Netherlands
    No added unpackers needed.
    So sample is detected for months.

    If I had time I would check to see if avp3.0 really doesn't detect, but I have little time right now.
    If anyone is really interested in this, either test it yourself or remind me on Thursday. :)
     
  17. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    I think it's not necessary for you to try with AVP 3.0; I prefer to conclude it was a mistake on my part.
    That's why I will check myself RIGHT NOW to see if I was right or not. (reply in 30 min) :)
    Nick
     
  18. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    Damn!
    You were right :eek:
    That's my fault!
    http://nick.vallet.free.fr/samples/AVP3.0.jpg


    the REASON:
    NOD32 Monitor was running during the AVP scan and by detecting the trojan, AMON does not allow AVP to access the file... and BTW to detect it...
    Shame on me !
    All my Apologies :p

    (but for VirusScan, I'm sure, NAI sent me an extra.dat)
     
  19. Nick,

    The only Man More Honorable than the Man Who is right, is the Man who Admits Openly and Honestly, that he was Wrong! ;)

    This is a compliment... :D :D

    Feel free to use my "smart remark"... LOL :D
     
  20. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Quote from Sergey Bogukovsky: "detection for this was added 22.06.2003"
     
  21. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Wise words, Shooter ;)

    Nick,

    It's just OK - we've all been there, and for sure will be there more often :)

    regards.

    paul
     
  22. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    LOL Crooked Shot ;)
    I have to agree with you

    Again I want to present my apologies to people who have spent time to read me and/or help me. :oops:

    Best regards,
    Nick

    Edit: thanks Paul !
     
  23. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    No need for apologies, Nick! ;)

    regards.

    paul
     
  24. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Nick, thank you for your response. And no, we don't want you to get infected just to find out what it does. ;)
     
  25. octogen

    octogen Registered Member

    Joined:
    Feb 11, 2002
    Posts:
    213
    Agreed! Kudos to you, Nick!

    A lot more useful information gets passed along in discussions that are done amicably. ;)
     