Why is the MORTO worm not detected by ESET?

Discussion in 'ESET NOD32 Antivirus' started by aaristotle, Aug 29, 2011.

Thread Status:
Not open for further replies.
  1. aaristotle

    aaristotle Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    7
    We had a number of PCs infected by the MORTO worm on Friday, however the only way we were able to detect and remove it was to use Microsoft Security Essentials. Even now over 24 hours after MSE was able to detect the worm ESET still don't have an updated signature that can detect this worm. Why has there been such a delay?
     
  2. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    You submitted a sample or samples to Eset of course.
     
  3. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
Laval, Québec, Canada
No AV is ALWAYS perfect..... :doubt: :(
     
  4. NoobStick

    NoobStick Guest

    Joined:
    Jun 23, 2011
    Posts:
    0
  5. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,033
    Location:
    California
    Hello,

    As far as I know, specific detection was added in virus signature database 6421. Before that, I believe it was detected generically as being a variant of the Win32/Agent.SYL family (detection introduced in virus signature database 4868).

    Regards,

    Aryeh Goretsky
     
    Last edited: Aug 30, 2011
  6. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
Laval, Québec, Canada
    If so, why didn't it work??
     
  7. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,033
    Location:
    California
    Hello,

    Sometimes, a specific detection is added for something which was previously detected using a more general means of detection, because people look for a threat by a common name.

    Oh, and detection of the second version of the worm, Win32/Morto.B, was added in virus signature database 6422.

    Regards,

    Aryeh Goretsky
     
  8. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
Laval, Québec, Canada

    o_O It is not just detection but cleaning also; aaristotle did say he needed to use MSE to clean all PCs because NOD32 didn't do it :doubt: :blink:
     
  9. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
You're right. While detection is important, so is removal.
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Would Smart Security's IDS have prevented the worm from infecting?
     
  11. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,033
    Location:
    California
    Hello,

    If you have a sample of the worm which is detected but not removed, please submit it to ESET's virus lab.

    I think if ESET Personal Firewall were running in Policy Mode the worm would be blocked, but I have not verified that.

    Regards,

    Aryeh Goretsky
     
  12. jprosper

    jprosper Registered Member

    Joined:
    May 25, 2010
    Posts:
    4
    Our network was also infected by this worm last week and it forced us to remove one of our main servers completely offline so that we could clean it up. We are very disappointed that ESET did not catch this. We are using MS Security Essentials to clean the Server and we are nervous about what other infections ESET may miss in the future.
     
  13. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
Did you contact ESET about the infection? And have you submitted a sample to ESET?
    One product can't detect 100%.
     
  14. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
MortoB detected.
  15. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
And from this same sample, the auto-generated report to my e-mail address.

    9/1/2011 18:57:16 - Module HTTP-filter - Bedreigingswaarschuwing geactiveerd op computer LAPTOP: htp://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx bevat Win32/Morto.B worm.

    _________ Informatie van ESET NOD32 Antivirus, versie van database viruskenmerken 6427 (20110901) ________

    This same sample was detected earlier yesterday as well.

    Gerard
     
    Last edited: Sep 1, 2011
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi lodore:

Right! Not one is 100%, thus the layers.

    I suspect the original poster has not submitted the sample(s); it does make one wonder if the worm was what he said it was. No data, no screenshots, nothing.

    He should be able to at least post the "fix" from the MSE log, right?
     
  17. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
Yup, and if ESET can detect the file, I'm sure the ESET SysRescue disc could remove the file. Plus, if any files are undetected, you can submit files from SysRescue.

    I don't get why the OP didn't contact ESET or attempt to submit a sample.
     