New Trojan Downloader?

Discussion in 'NOD32 version 2 Forum' started by covaro, Jul 20, 2006.

Thread Status:
Not open for further replies.
  1. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    http://www.notmyblog.com/images/trojan downloader.jpg

    Little bugger I was pointed to browsing around over @ broadbandreports (Didn't link cause the posts include the link to DL this puppy). DL'ed it into a VM and confirmed that NOD32 doesn't detect it. Ran it, and NOD does pick up a couple little buggers it attempts to DL and install. Just to checkup, I checked the registry and what not, and it looks like a couple little bugs (pieces of bugs maybe?) did slip through. On a pass through with EWIDO it picks up a couple .dlls labeled:
    Trojan.Mezzia
    Adware.Virtumonde

    The Downloader and the DLLs have been submitted for analysis via the internalsubmission tool in NOD32.

    -Cov

    Note: Yes, the VM is clean. It gets reset to a blank slate after every use.
     
    Last edited: Jul 20, 2006
    covaro, Jul 20, 2006
    #1
  2. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    you should better submitt it to sample [at] nod32.com rather than the internal submission tool in NOD32. ;)
     
    pykko, Jul 21, 2006
    #2
  3. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Thanks covaro :)
     
    NOD32 user, Jul 21, 2006
    #3
  4. Proactive Services

    Proactive Services Registered Member

    Joined:
    Jan 10, 2006
    Posts:
    153
    Location:
    Petersfield, Hampshire, UK
    Could you elaborate on this statement-surely they perform the same function?
     
    Proactive Services, Jul 21, 2006
    #4
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    the internal submission tool in NOD32 is for heuristically detected viruses. Non detected samples should be submitted to sample [at] nod32.com.
    This is what I know. Marcos can confirm it.
     
    pykko, Jul 21, 2006
    #5
  6. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    I can submit via email when I get home tonight.

    -Cov
     
    covaro, Jul 21, 2006
    #6
  7. Proactive Services

    Proactive Services Registered Member

    Joined:
    Jan 10, 2006
    Posts:
    153
    Location:
    Petersfield, Hampshire, UK
    Hmm so why the ability to submit for analysis items in quarantine?
     
    Proactive Services, Jul 21, 2006
    #7
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    they've added 4 Trojan.Downloader.Small in version 1.1672. Maybe they've added yours also because they're monitoring VirusTotal also and since you've scanned your file there.... ;)
     
    pykko, Jul 21, 2006
    #8
  9. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    All files that are sent to VT and Jotti's are automatically submitted to any products that do not detect them.
     
    flyrfan111, Jul 21, 2006
    #9
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Items in quarantine are files flagged by NOD32 as unknown viruses (with heuristic engine).
     
    pykko, Jul 21, 2006
    #10
  11. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Items in quarantine are whatever you have configured your NOD32 to put there regardless of by what mechanism the detection is, or what you have put there manually....
     
    NOD32 user, Jul 21, 2006
    #11
  12. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    yes, that's right but the send feature was designde especially for heuristic detection as far as I know. ;)
     
    pykko, Jul 21, 2006
    #12
  13. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I'm pretty sure that it's just for whatever things need to be sent to ESET - Have you read that somewhere?
     
    NOD32 user, Jul 21, 2006
    #13
  14. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Just a thought...
    Doesn't ESET have two different e-mails for samples submission; one for heuristic detection (sample(at)eset.com) and one for unknown (samples(at)eset.com)? How will the program know where to send the samples?
     
    kjempen, Jul 21, 2006
    #14
  15. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    Yup, she was detected now... go ESET. :cool:
     
    covaro, Jul 21, 2006
    #15
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    nice to hear that. ;)
     
    pykko, Jul 23, 2006
    #16
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...