Problem with threat

ESET does not detect Bagle variation

hello,

im running the 4.0 and updated version of the software, ive spent my last 5 hours clearing my infected PC (using free tools) from a threat that ESET Smart Security is unable to detect.

My license expire on 04/11/2010 and is valid for 2 PC, i wish to ask if it is possible to have money back as the antivirus filed on this. Ive also used online file checker from avast that also failed, and from kaspersky that found the threat. I reserve the right to ask any additional costs for the time loss.

The threat on which ESS failed is called: Trojan-Downloader.Win32.Bagle.cez this is the name given by kaspersky file checker, ive a copy of the virus and i should be able to upload somewhere if someone wish to try.

Ive also uploaded the file using ESS submit feature, i think ive uploaded it at least two times. Note that this is not a injected/net virus but a simple worm, and in my opinion if an antivirus fail where a free software (findykill) was able to restore the services and infected files there is a problem.

Virus file is around 800Kb and as side effect it prevents you from searching particular keywords on the web, included but not limited to avast, findykill. It also reset your windows installation, making the OS to ask for license validation one more time, as after the first installation. It interrupts the services and prevent to run SAFE mode correctly. It injects infected copy of itself inside all your .zip files creating a patch/crack folder with the same name executable in it.

For additional information ask to kaspersky! Have a good day,

 

hello, ive uploaded a copy of this worm, you can download it and toy with it. I suggest you to not to rename it as .exe to prevent accidental execution.

~ Removed Posted Link to Possible Malware as per Policy ~

 

Every new variant of Bagle is detected upon download by web protection providing that you have detection of potentially unwanted applications (PUA) enabled. They use Themida protector to evade detection by antivirus programs, but with web protection and PUA enabled this protector itself will be detected and download of the malicious file blocked.

Since Bagle comes disguised as a crack, avoid using cracks as much as possible. One shouldn't rely solely on the security software that it will catch 100% of malware. There's no such a solution that would protect you against every single piece of malware and one should take other precautions to prevent getting infected.

What could help you identify Bagle, it's usually bundled with a short nfo text file and the size of the exe file is approximately 700-1000 kB.

 

QUOTE: ["They use Themida protector to evade detection by antivirus programs, but with web protection and PUA enabled this protector itself will be detected and download of the malicious file blocked."]

Marcos - Anyone: The Web Access Default does NOT Check Potentially Unwanted/Unsafe Apps and this Bagle issue begs the question, "So Why Not?".

Would Web Access Setup be the Only place to check the 2 PUA's, or should all Modules with them be checked. The tough part for amateurs setting up ESS is we don't recognize the cases where (i.e.) "don't check something here because it may often slow you down, but it doesn't matter because another Module X will stop it anyway".

Anyone's clarification on Where to Check the two PUA's is appreciated!

 

When installing EAV/ESS, it is mandatory to enable or disable detection of potentially unwanted applications and this step cannot be skipped. If you choose to leave detection of PUA disabled during installation and decide to enable it later, you'll need to do that for every module as some people might prefer having PUA disabled for all modules but web protection. This is the only way how to proactively protect against new Bagle variants as signature detection can only be added when we receive the particular sample from users or other sources.

 

Thanks, Marcos.
[Quote: "When installing EAV/ESS, it is mandatory to enable or disable detection of potentially unwanted applications and this step cannot be skipped."]

I have always checked to Activate PUA's, but having done that still wonder why the two PUAs' checks would THEN be ERASED as Part Of My Choosing module DEFAULT Setups often Recommended as OK for Most Users. Per your Reply that fact creates a Self-Defeating reality of NO PUA Protection against Bagle unless Default is changed, or an "Oh by the way, Default Kills Bagle Protection" disclaimer is offered so a user can know to manually check them "again".

I'll Check PUA's everywhere and see what happens with loading speed. Thanks again.

 

V4 always asks the user whether to enable or disable detection of PUA during installation regardless of whether they choose installation in typical or advanced mode.

 

hello, the detection is enabled; however if i right click on any infected file or the .exe file that is injected in every .zip file present on the machine ESET does not detect any possible threat.

There is not much to say, eset cant detect this bagle variation, stop. I think everyone expect from an antivirus 'on demand scan' to detect any possible threat. Consider that this bagle is actually cleared by free software (findykill) and i dont talk about injected infection, but also running services, registry keys and so on.

 

Please read what I wrote above. With PUA enabled, WEB access protection detects and blocks every new variant of Bagle. Providing that you have PUA and web access protection enabled, there's no chance you'd successfully download a new variant of Bagle from the web.

 

a worm is not a 'potentially unwanted application' it is a malware, both features where active. What use if the antivirus protect from the download while when asking to performa a scan on the infected files it say 'no threats detected'? Make sense for you?

 

I repeat, new Bagle variants can only be blocked proactively by web access protection with PUA enabled as it is the protector itself that is detected and blocked. Otherwise it is necessary to receive a sample of Bagle first in order to add signature detection. I think everyone wants to be protected proactively so:
1, keep potentially unwanted applications enabled
2, keep web access protection enabled

 

this mean that ESET does NOT detect the bagle, as reference, bagle.cez variant was added to kaspersky database on 21 december, 8 days are passed so since and ESET still does not detect this variant (and who know how many others!)

again, both were active - no protection, detecting its protector but not the worm is little thing when the result is that the antivirus in use does not protect the machine.

Again: both features were active, this variation is know at least from 8 days and eset database is not yet up to date but rely on a secondary measure for detection.

Do ESET protect from new threats only if downloaded from the web?

 

Once a new variant of Bagle is detected as a variant of Themida by the web protection module and download is blocked, there's no chance it would get into and infect the computer.

You're complaining about not detecting that Bagle. Have you already submitted it per the instructions here? If not, do so so that the virus researchers can analyze it and add signature detection for it.

 

just say eset doesnt offer p2p and messenger protection, we will understand.

 

I always check POA wherever I see it. I also check AH and Runtime Packers and have no issues.

 

alas, this wont have any effect against bagle variations that are unknown to eset, as previously dais, eset protect against unknown variants ONLY if downloaded from web, not if sent from a messenger or via p2p.

 

I only care about the web, like 99 percent of most users.

 

you should say: "I only care about the web, like 99 percent of most ESET users, as since there is no protection against p2p and messengers at all"

that would be correct.

 

why on Earth would the Real Time protection with PUA enabled not block that same protector? Or would it?

 

Re: ESET does not detect Bagle variation

Ask Kaspersky what? I've some samples that aren't detected by KAV and one sample that only ONE AV detect, NOD32 as NewHeur_PE virus (heuristically) and is being spread using a link. Apparently in my case I need to ask to ESET

 

Re: ESET does not detect Bagle variation

I'd like to note that the Bagle variant mentioned in this thread is already detected by ESET. In order to be protected against any new Bagle variant, keep web access protection enabled as well as detection of Potentially unwanted applications for web protection. I can't tell now if it will be possible to add proactive protection to other modules as well, but what I can promise is that we'll strive for being among first to detect new Bagle variants by all modules.

 

send as as described in Marcos post , i send yesterday two and they are already in the definitions .. i think that all files copied to pc are scanned with Esets AV..
if u are not sure if the file is use a sandbox or second scanner like malwarebytes..

JR

 

I´ve been a user of nod32 since about 2005 and has always been my favorite AV.

However I think eset is falling behind the competition.

I´ve been in the past infected with bagle with nod32, but continued to be my Antivirus.

Recently, with eset smart security installed, another bagle variant infected me, through a compressed program I downloaded from emule – Advanced heuristics and unwanted applications activated.

I made a scan before and after the decompression and nothing came up.

When I clicked on the installer the computer automatically restarted. None of the security applications loaded, their services couldn’t be started. When I tried browsing to pages with security programs the browser crashed (chrome, explorer or firefox), etc.
None of the security apps could be installed or run (for example: Gmer, antivirus, hjackthis etc etc etc) and when trying to run windows on safemode a blue screen prevents it.

I was infected with bagle. Some of the infected files I remember were winupgro.exe, wintems.exe, srosa.sys, etc

This was the result of being to lazy to upload the file (which I thought was benign) to virus total and being depending solely on Eset and windows firewall for protection.

As you can see in this result from virus total, eset don´t detect one of the infected files:

http://www.malwarebytes.org/forums/index.php?showtopic=33966&pid=172486&st=0&#entry172486

I spend 4 hours cleaning the infection. I replaced eset smart security and have increased my level of protection.

I now have:
- Windows security essential for antivirus
- Online Armor free for firewall
- Geswall free for policy restrictions on programs and safe surf
- Returnil free for virtualization when needed
- Thinking on having also a restoration tool like "eaz fix", "comodo time machine", "acronis". Any sugestions here?

My suspicious on the level of protection provided by eset were confirmed after I´ve seen this test:
http://www.youtube.com/user/languy99#p/u/63/R2yHMeKzIW8

I sincerely hope to see another level of protection on Eset SS 5.

Regards

 

Ditto, I too think ESET is loosing ground on the competition. I do hope things change for the better as I do like ESET products. I'm hanging in as long as I can but they are not making it easy!