Why is it still "unknown"?

Discussion in 'NOD32 version 2 Forum' started by gue_st, Jan 20, 2006.

Thread Status:
Not open for further replies.
  1. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    I am not the OP but I am aware of the threat posed by this, I think he got it from here.

    http://isc.incidents.org/

    BlackWorm Summary (NEW)

    Published: 2006-01-24,
    Last Updated: 2006-01-25 00:17:00 UTC by Johannes Ullrich (Version: 1)

    About BlackWorm


    Over the last week, "Blackworm" infected more than 700,000 systems, as measured using a counter web site the worm uses to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.

    At this point, the worm will be detected by up to date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures.

    The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]').

    We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.

    The first thing you should do is to update your anti virus signatures.

    This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page: http://isc.sans.org/blackworm

    Naming

    As usual, this worm/virus has collected a number of names from various vendors. It is so far known as: Blackmal, Nyxem, MyWife, Tearec among other names. Update: we have been informed that the CME number will be 'CME-24'. cme.mitre.org should shortly list this number.
    How would I get infected?

    The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.
    What will BlackWorm do to my system?

    It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.
    Removal

    Anti virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild "from scratch":
    1. BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
    2. BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.
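    The ISC summary above gives two concrete indicators: the list of extensions BlackWorm overwrites and the marker string it writes into them. The scanner below is an added example written for this thread, not code from ISC, ESET or the poster. It assumes the marker is stored as plain ASCII at the start of each destroyed file; the magic-number check for target files that lack their expected header is my own extra heuristic, not something the summary states. Run it against a copy of the affected share, never the only copy of the data.

```python
"""Triage a directory tree for files overwritten by BlackWorm (Nyxem / CME-24).

Added example for the forum thread; not ISC or ESET code. Assumption: the
overwrite marker quoted in the ISC summary sits at the start of the file as
ASCII text. The header check is an extra heuristic of this example.
"""
import tempfile
from pathlib import Path

# Extension list exactly as given in the ISC summary.
TARGET_EXTS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
               ".rar", ".pdf", ".psd", ".dmp", ".zip"}

# Marker quoted in the summary; assumed to be written as ASCII.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# Expected file headers for some target formats (not from the summary).
# .mde/.mdb/.dmp are deliberately left out: no reliable prefix at offset 0.
EXPECTED_MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0",   # OLE2 compound document
    ".xls": b"\xd0\xcf\x11\xe0",
    ".ppt": b"\xd0\xcf\x11\xe0",
    ".pps": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".rar": b"Rar!",
    ".psd": b"8BPS",
}


def classify_content(name: str, head: bytes) -> str:
    """Verdict for one file given its name and first bytes.

    'overwritten' = marker present, 'suspicious' = target type without its
    usual header, 'ok' = looks intact, 'skipped' = not a target extension.
    """
    ext = Path(name).suffix.lower()
    if ext not in TARGET_EXTS:
        return "skipped"
    if head.startswith(MARKER):
        return "overwritten"
    magic = EXPECTED_MAGIC.get(ext)
    if magic is not None and not head.startswith(magic):
        return "suspicious"
    return "ok"


def classify_file(path: Path) -> str:
    """Read only the first 64 bytes; unreadable files are skipped."""
    try:
        with path.open("rb") as fh:
            return classify_content(path.name, fh.read(64))
    except OSError:
        return "skipped"


def scan(root: Path) -> dict[str, list[str]]:
    """Walk the tree and group target files by verdict (posix-style paths)."""
    found: dict[str, list[str]] = {"overwritten": [], "suspicious": [], "ok": []}
    for p in root.rglob("*"):
        if p.is_file():
            verdict = classify_file(p)
            if verdict in found:
                found[verdict].append(p.relative_to(root).as_posix())
    for names in found.values():
        names.sort()
    return found


def demo() -> dict[str, list[str]]:
    """Build a constructed sample tree in a temp dir and scan it."""
    samples = {                                          # all constructed
        "budget.xls": MARKER + b"\r\n",                  # destroyed, with newline
        "thesis.pdf": MARKER,                            # destroyed, bare marker
        "report.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 60,  # intact OLE2 file
        "photos/archive.zip": b"PK\x03\x04" + b"\x00" * 26,  # intact zip
        "photos/old.rar": b"",                           # truncated: header gone
        "readme.txt": MARKER,                            # not a target type
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in samples.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
        return scan(root)


if __name__ == "__main__":
    for verdict, names in demo().items():
        print(f"{verdict:12s} {names}")
```

    Point it at a mounted copy of a share with `scan(Path(r"\\server\share"))`; anything in the "overwritten" bucket is gone and has to come from backup, while "suspicious" files deserve a manual look before you assume they are fine.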
     
  2. gue_st

    gue_st Guest

    Well, that is funny. Obviously you need to learn to read.
    I didn't say I am refusing to submit that virus, and there is no need to try to put words in my mouth. By the way, I am about the same age as you, so your *psychological treatment* is totally inappropriate.

    What I was saying is that when I didn't want to submit one particular file, it was not possible, because the option to NOT submit didn't work properly unless I disabled ThreatSense.Net. But then I am not able to submit anything (or so I think, because I have already pressed the *submit for analysis* button for THAT unknown virus about a month ago now).

    If you are interested in what I didn't want to submit - that was of course not a virus, but a network filter I wrote, which exists only on one computer. I believe that if I put it on your computer, it might be a piece of malware. That is why I do not want to submit it, and I hope that I have the right to do so. If there is ANY option in NOD, it HAS to work properly; that should be obvious even to a moderator.

    Really? I didn't say a word, nor did I imply anything about which is better. It is you who started that.
    What I was saying is that you cannot rely only on submitted samples for virus analysis, because that automatically excludes the undetected ones without obvious activity. That makes the famous argument *if you didn't submit, why are you complaining* quite silly. Did I again write something too difficult?

    I did not, nor could I if I wanted to, force you to reply. But if it is that kind of reply, without properly reading the post, with the only intent to accuse me of imaginary trolling, then maybe no reply at all would be better.
    What is remarkable is that Eset staff only kick in to sing along - *yes, yes, he is trolling, it's a waste of time* - and do not see the constructive things which, despite your misunderstanding, were in that post.

    And finally, I have to repeat that Eset is not giving Christmas presents but SELLING software, so it would be better if they looked for information presented in any form, instead of playing the spoiled child who needs some special approach.
     
  3. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    So gue_st, just to be clear on what you are saying...

    There is one particular file on your computer that is for your own personal use. Ordinarily, it could be considered a virus on anybody else's computer, so NOD32 detects it as a virus. Now, since this is your own personal file for your computer only, you do not wish to submit it to Eset. The problem is, Threatsense.Net keeps asking you to submit it. The only way you can figure out to make it stop is to totally disable Threatsense.Net.

    However, now "Malware #2" comes along from the internet, and you actually would like to submit it. Trouble is, you can't, because Threatsense.Net has been disabled. If Threatsense.Net would have let you tell it to ignore your "personal" file, then you would not have this problem.

    Am I on the right track?

    Unless I am missing something, I still think that excluding this file through AMON should get around this problem. Once AMON has learned to ignore it, then you should be able to clean out the Quarantine section and turn Threatsense.Net back on.

    As for your question from another thread about copying this file from a CD to the hard drive, I thought that copying it to an excluded folder was a rather clever idea. Even if it sounds like a comedy, what is the matter with that? If it works, it works....

    By the way, was the title, "probably stupid NOD32 behaviour", supposed to be a joke from "probably unknown virus"? I think it took me about a week to get the joke. I must be kind of slow. o_O
     
  4. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Don't worry alglove it took me about the same to get it.

    I have a simple question though: this mysterious file is designed to be a "Network Filter", as you call it, and yet it was also designed to only work and reside on a single computer? Networks by definition must have more than one computer, and if it is only "filtering" it shouldn't set off any bells, unless of course it is monitoring the system and relaying what it intercepts to another system, but then it wouldn't fit the definition you gave it as only relating to one system. Care to elaborate, gue_st?
     
    Last edited: Jan 25, 2006
  5. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Or making an excluded folder to compile it into :)
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Just an addendum to what's been said - disabling ThreatSense won't remove the option to submit the particular file. It will just render the checkbox in the alert window disabled, but you will still have the possibility to tick it.
     
  7. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Since AMON is the module detecting it, it really does not matter whether the program is sending data or not. The mere fact that the file is being opened/created/executed is enough for AMON to scan it, at which point the heuristics decide that the contents look like a virus.

    In this case, the "mysterious file" is never even given the chance to execute (because AMON won't let it) unless gue_st makes some sort of exclusions.
     
  8. gue_st

    gue_st Guest

    Thanks, that's what I have understood in the beginning.

    But I have already submitted the virus I mentioned in this thread (by ticking *submit for analysis* with ThreatSense.Net disabled), about 1 month ago, before it was even detected by Kaspersky. As it was still unknown for so long, I was sure this was intentional, and hence this thread - I am still sure that *unknown* is not the right classification in this case, when you have a sample and the virus is already known to other AV companies.

    Then again, after the posts by dvk01 and Happy Bytes, where they say it is my fault the virus is still *unknown*, because I didn't submit it (when I actually did), I have understood that the only reasonable explanation is that NOD32 actually does not submit the sample with ThreatSense.Net disabled.

    Finally, instead of knowing what would happen if I forgot to refuel my car in the desert, I would prefer to know the following -
    1. are all the viruses detected heuristically really unknown to Eset, or are there cases when they are intentionally not included in the database? This is important to know, because if I find a generally known virus (let's say 2 months old, for example) detected by NOD as unknown, I need to know whether I need to submit it or not. Is it useful to submit old viruses again and again?
    2. how can I verify that the sample was really submitted? It says something like *placed on submission queue*, which doesn't really mean *submitted*. I haven't found anything on the Eset website that would show the submitted new threats, or anything listed chronologically at all.
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I can understand your points of view very well.

    I also get frustrated with NOD when I submit with no apparent response.

    I use the submit button from within NOD and I'm never sure whether it has gone or not, as sometimes I see outbound transmissions through the firewall and sometimes not; I assume NOD sends them later.

    I do remember reading somewhere that it sends all submissions when it updates.

    It would be nice for NOD to have some way of sending back an acknowledgement of receipt, but if they have thousands of samples submitted daily that could be problematical.
     
  10. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Not all files submitted will necessarily be sent - for example, if ESET already has a sample on file then why do they need another identical one? ThreatSense sorts this out before the sample is forwarded.
    When a file is actually sent, it is noted in the event log, for example:

    18/01/2006 2:10:06 AM Kernel The file 'F:\WINDOWS\Temporary Internet Files\Content.IE5\3AXY5H9A\optimize[1]' has been sent to Eset's labs for analysis.
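    The event-log line above is the only record NOD32 gives you that a sample actually left the machine, which answers gue_st's second question. The parser below is an added example for this thread, not ESET code: it takes the line layout (date, time, module, message) from the single line quoted above, assumes the date is day/month/year as written by the Australian poster, and only recognises the exact "has been sent to Eset's labs for analysis" wording. The other sample lines in it are constructed for illustration; their message text is invented.

```python
"""List the samples NOD32 v2 reports as sent, from its event-log text.

Added example for the thread, not ESET code. The line format is inferred
from one quoted log line; the day/month/year order and the 12-hour clock
are assumptions. Only the quoted "has been sent" wording is recognised.
"""
import re
from datetime import datetime
from typing import Iterable, NamedTuple, Optional

# "<date> <time> <module> <message>" as in the quoted line.
EVENT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<module>\S+)\s+"
    r"(?P<message>.+)$"
)

# Message text copied from the quoted Kernel line; nothing else matches.
SENT_RE = re.compile(
    r"^The file '(?P<path>.+)' has been sent to Eset's labs for analysis\.$"
)


class Event(NamedTuple):
    when: datetime
    module: str
    message: str


class Submission(NamedTuple):
    when: datetime
    path: str


def parse_line(line: str) -> Optional[Event]:
    """Split one event-log line; returns None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    # Assumed day/month/year (poster is in Australia) and AM/PM clock.
    when = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %I:%M:%S %p")
    return Event(when, m["module"], m["message"])


def sent_samples(lines: Iterable[str]) -> list[Submission]:
    """Return every sample the Kernel module reported as sent, in log order."""
    out: list[Submission] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.module != "Kernel":
            continue
        m = SENT_RE.match(ev.message)
        if m:
            out.append(Submission(ev.when, m["path"]))
    return out


def was_sent(lines: Iterable[str], path: str) -> bool:
    """Case-insensitive Windows path comparison against the sent list."""
    want = path.replace("/", "\\").lower()
    return any(s.path.lower() == want for s in sent_samples(lines))


# Constructed sample log. Only the 2:10:06 AM line is quoted from the
# thread; the AMON line, the update line and the 19/01 line are invented.
SAMPLE_LOG = r"""
18/01/2006 2:05:41 AM AMON file F:\WINDOWS\Temporary Internet Files\Content.IE5\3AXY5H9A\optimize[1] - probably unknown virus
18/01/2006 2:10:06 AM Kernel The file 'F:\WINDOWS\Temporary Internet Files\Content.IE5\3AXY5H9A\optimize[1]' has been sent to Eset's labs for analysis.
18/01/2006 2:10:07 AM Kernel Update finished
19/01/2006 11:42:13 PM Kernel The file 'C:\samples\dropper.exe' has been sent to Eset's labs for analysis.
""".strip()


if __name__ == "__main__":
    for s in sent_samples(SAMPLE_LOG.splitlines()):
        print(s.when.isoformat(), s.path)
```

    Feed it the exported event log (or the text copied from the log window) and compare the result with what you ticked for submission; a detection that never appears in `sent_samples` was queued but, as NOD32 user notes above, may have been filtered out before sending.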
     
  11. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    In that case, it might be nice to know why the file was not submitted. For example, "The file ..... was not sent because Eset already knows about it."
     