new mytob variant of today

Hi,

just for fun and information: at Midnight I got a new Mytob variant from an user. At that time it was detected only by:
BitDefender BehavesLike:Win32.AV-Killer (suspected)
eSafe Trojan/Worm [101] (suspicious)
Fortinet suspicious
McAfee New Malware.p (trojan or variant)
Nod32 NewHeur_PE (probably unknown virus)
Panda Suspicious file
QuickHeal Suspicious (warning)
Trend Micro PAK_Generic.001
VBA32 Backdoor.xBot.16 (suspected)

12 hours later it is detected by:
AntiVir Worm/Mytob.EF.1
AVG I-Worm/Bagle.LB
BitDefender BehavesLike:Win32.AV-Killer (suspected)
eSafe Trojan/Worm [101] (suspicious)
Ewido Worm.Mytob.ef
F-Secure Net-Worm.Win32.Mytob.ef
Fortinet (BETA) W32/MyTob.EF!worm.im
Ikarus Net-Worm.Win32.Mytob.ef
Kaspersky Net-Worm.Win32.Mytob.ef
McAfee (BETA) W32/Mytob.gen@MM
Nod32 NewHeur_PE (probably unknown virus)
Panda Suspicious file
QuickHeal Suspicious (warning)
Trend Micro PAK_Generic.001
VBA32 Backdoor.xBot.16 (suspected)

not detected by:
Avast!, ClamAV, Command, Dr Web, eTrust-INO, eTrust-VET, F-Prot, Microsoft, Norman, Sophos, Symantec, VirusBuster.

I will keep you updated here in this post .

 

Thanks IBK.

Shows a few things.The importance of heuristics and just how many companies aren't on top of things, even 12 hours later.Especially Norton, with it's prominence in the market, "unexceptable".Twelve hours is a huge window for infection and why getting " a deal " on an AV sometimes " isn't a deal ".

 

Detected within 18 hours:
AntiVir Worm/Mytob.EF.1
AVG I-Worm/Bagle.LB
BitDefender BehavesLike:Win32.AV-Killer (suspected)
Command W32/Mytob.VI@mm (exact)
Dr Web Win32.HLLM.MyDoom.95
eSafe Trojan/Worm [101] (suspicious)
Ewido Worm.Mytob.ef
F-Prot W32/Mytob.VI@mm (exact)
F-Secure Net-Worm.Win32.Mytob.ef
Fortinet (BETA) W32/MyTob.EF!worm.im
Ikarus Net-Worm.Win32.Mytob.ef
Kaspersky Net-Worm.Win32.Mytob.ef
McAfee (BETA) W32/Mytob.gen@MM
Nod32 NewHeur_PE (probably unknown virus)
Norman W32/Mytob.ZC@mm
Panda Suspicious file
QuickHeal Suspicious (warning)
Trend Micro (BETA) WORM_MYTOB.PL
VBA32 Net-Worm.Win32.Mytob.ef
VirusBuster I-Worm.Mytob.RD

not detected by:
Avast!, ClamAV, eTrust-INO, eTrust-VET, Microsoft, Sophos, Symantec

 

At least there are within 18 hrs some av-vendors, which prefer definitions albeit they at first detected this nasty by proactive methods.

Fortinet (BETA) W32/MyTob.EF!worm.im
McAfee (BETA) W32/Mytob.gen@MM
Trend Micro (BETA) WORM_MYTOB.PL
VBA32 Net-Worm.Win32.Mytob.ef


Best regards,
Firefighter!

 

Well, congratulation again for NOD32 and also for Bit Defender. KAV needs to improve its heuristic engine.... they would have gain much more if they have done it in version 6 but unfortunately they added only the proactive defence system. Symantec and MS are really slow. MS should make something if they want to hit the market with their OneCare

 

hello all,

about kav, i find this on http://www.viruslist.com/en/index.html

and roel http://www.viruslist.com/en/weblog was speaking about an update with the name : Net-Worm.Win32.Mytob.eg ?!

and you post today 05:45 PM.

 

http://www.kaspersky.com/viruswatchlite?search_virus=mytob&x=14&y=1&hour_offset=-2

 

Next big project for Kaspersky is a new heuristic engine. Some of the development team for Version 6 are tasked with that. So they are aware and working on it.

 

Yes, I know that but it have been quite nice to have a new heuristic engine in version 6.

 

Great news .

 

ok, thank you

 

After 20 hours:
AntiVir Worm/Mytob.EF.1
Avast! Win32:Mytob-QI [Wrm]
AVG I-Worm/Bagle.LB
BitDefender BehavesLike:Win32.AV-Killer (suspected)
Command W32/Mytob.VI@mm (exact)
Dr Web Win32.HLLM.MyDoom.95
eSafe Trojan/Worm [101] (suspicious)
Ewido Worm.Mytob.ef
F-Prot W32/Mytob.VI@mm (exact)
F-Secure Net-Worm.Win32.Mytob.ef
Fortinet (BETA) W32/MyTob.EF!worm.im
Ikarus Net-Worm.Win32.Mytob.ef
Kaspersky Net-Worm.Win32.Mytob.ef
McAfee W32/Mytob.gen@MM
Nod32 NewHeur_PE (probably unknown virus)
Norman W32/Mytob.ZC@mm
Panda (BETA) W32/Mytob.NV.worm
QuickHeal Suspicious (warning)
Trend Micro (BETA) WORM_MYTOB.PL
VBA32 Net-Worm.Win32.Mytob.ef
VirusBuster I-Worm.Mytob.RD

Not detected by: ClamAV, eTrust-INO, eTrust-VET, Microsoft, Sophos, Symantec.

 

Who cares? When KAV was capable to detect this nasty within a couple of hrs as the majority of ALL other nasties too. This situation is far more safer than that you are detecting about 60 % of all nasties with proactive methods but the rest only AFTER some 3...6 weeks.

Best regards,
Firefighter!

 

probably everyone which want to be protected...

not true...; even KAV has samples since years that they still not have added... Samples are added on a per-need base even by KAV.

 

Which would probably have detected this one.

 

Well, of course every AV has its own weak and strong points. Hope that 3...6 weeks will transform in 3...6 days or even better...days.

Don_Pelotas...it may be possible.. I don't know exaclty how does ProActive feature works but it's better to detect it before running the file.

 

That's why we need other tests than pure detecting rate tests too. What if we can see tests, which are measuring update delays as cumulative missed hrs for example? Those proactive detected samples are of course welcome to this kind of tests too as zero hour missed hrs. We need only, let's say, about 4 weeks all kind of new nasties collection, at least 10k of samples to test with.

In my mind this kind of test is measuring quite well the whole security level of av:s

Best regards,
Firefighter!

 

if such a thing would be possible to do, it would be already done. but it is impossible.

 

I agree that. Right attitude.

Best regards,
Firefighter!

 

We have seen a man in the moon, which many of people a couple of decades ago thought that it was impossible!

Best regards,
Firefighter!

 

It already is possble and detecting the malware when it executes is not worse than detecting it via an on-demand scan (or http scan), it just makes you feel more protected without being so.

 

Thank you for the test IBK! This really shows the effectiveness of the engine and how fast av vendors add the signatures. Nice to see ewido adding it to their database in the 12 hr time frame.

 

After 24 hours:
AntiVir Worm/Mytob.EF.1
Avast! Win32:Mytob-QI [Wrm]
AVG I-Worm/Bagle.LB
BitDefender BehavesLike:Win32.AV-Killer (suspected)
Command W32/Mytob.VI@mm (exact)
Dr Web Win32.HLLM.MyDoom.95
eSafe Trojan/Worm [101] (suspicious)
Ewido Worm.Mytob.ef
F-Prot W32/Mytob.VI@mm (exact)
F-Secure Net-Worm.Win32.Mytob.ef
Fortinet (BETA) W32/MyTob.EF!worm.im
Ikarus Net-Worm.Win32.Mytob.ef
Kaspersky Net-Worm.Win32.Mytob.ef
McAfee W32/Mytob.gen@MM
Nod32 Win32/Mytob.SK worm
Norman W32/Mytob.ZC@mm
Panda (BETA) W32/Mytob.NV.worm
QuickHeal Suspicious (warning)
Trend Micro (BETA) WORM_MYTOB.PL
VBA32 Net-Worm.Win32.Mytob.ef
VirusBuster I-Worm.Mytob.RD

not detected by: ClamAV, eTrust-INO, eTrust-VET, Microsoft, Sophos, Symantec.

 

If new mytob variant is a mass-mailing worm so it may detected by heuristics in avast! mail scanner module that cannot be tested as an on-demand scan.

 

Whats going on with Symantec?