Win32.HLLM.Sahay not detected?

Discussion in 'NOD32 version 1 Forum' started by Tinribs, Jan 21, 2003.

Thread Status:
Not open for further replies.
  1. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    Was sent a file by a colleague (zipped, of course) because his AV flagged up a warning; being new to such things, he didn't know what to do.
    I scanned the file with my NOD32 and it found nothing; even unzipped, it still failed to find anything wrong. An online scan with Dr Web indicated Win32.HLLM.Sahay, and so did Housecall, and also Kaspersky online.

    I've read up on it and it seems to be some sort of 'anti-worm' worm that attacks Yaha-infected files (I believe).

    My question is why wasn't it picked up by NOD32?
    I have also submitted it to Eset for a proper evaluation.
     
  2. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    Detection for Sahay.A was added to NOD32 on 15 January. I don't know of any later variants.

    Unless it's a new variant which we haven't seen, your sample is probably non-functional ... in which case NOD32 would ignore it.

    No doubt the Eset Gnomes will have an answer for you shortly. :)
     
  3. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    Thanks Rod, I have asked for some feedback from 'the gnomes' ;) as I have submitted samples before but heard nothing back. Thanks for your time. :)
     
  4. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi Tinribs,

    we'll check that :)

    jan
     
  5. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    This is getting a bit worrying now. I did my usual weekly backup scan with Kaspersky Pro, which found 2 cases of Firkin worm (I forgot to save the log, sorry) and also 2 'droppers' which NOD32 didn't find. I take it that a dropper isn't detected as it hasn't released its payload, but now I'm starting to lose confidence in NOD32. Not only this, but Kaspersky also found these Firkin worms in my Temporary Internet Files; now I know they are temp and not that important, but why wasn't I alerted to them while surfing?
    When I used to use Kaspersky as my on-access scanner it often picked up such things and I felt secure knowing it was doing its job. I am beginning to rethink renewing my subscription as things aren't adding up here; NOD's detection capabilities are well documented, but on my PC, away from a test lab, I don't seem to be benefiting from this.
    I may be worried unjustly, and I hope so, but I feel some answers are due.
    Thanks
    Kev

    edit* F-Prot has also picked up the worms, detected as BAT/Firkin.C (in Temporary Internet Files);
    a rescan with NOD again missed them. Not happy (despite them being Temporary Internet Files).
    This worm was first detected nearly 3 years ago!!
     
  6. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    We get several "NOD32 didn't find this virus but PoopScan and DiddlyScan did" calls a week. In almost every case the "virus" is a "non-virus", and NOD32 deliberately ignored it. Mele20's Magistr "infection" is a classic example of this. FIVE scanners tagged her file, but NOD32 didn't. The file wasn't infected at all.

    NOD32 does detect Firkin ... provided there's a live Firkin to detect. :)

    It's a pity you didn't save a sample. There's a very slight possibility that it was a variant we missed.

    A dropper isn't a virus. It's benign until it tries to "drop" its cargo ... at which time AMON would prevent it from doing so. The late Clint Haines coded an engine which would create a virtually unlimited number of droppers for the virus of your choice. (He never released it ... he thought it was too lame.)
     
  7. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    Ok, it seems I may have been too hasty regarding Win32.HLLM.Sahay.
    If you view my other thread entitled 'Version info', it seems something was wrong with my NOD32 installation.
    I uninstalled and reinstalled, tested this file again, and sure enough it was detected as Win32/Sahay.A worm.
    Obviously NOD32 was not working properly until I sorted the problem; it seems the problem was that the main NOD scanner was using an old ruleset, v1.337, instead of the newer ones released since.

    Problem solved. I apologise to Rod and all for any 'sensationalism' on my behalf. I just hope this problem of not using newly updated rulesets doesn't happen again. :)

    edit* Problem solved: as my main scanner was using ruleset 1.337 and Win32/Sahay.A worm wasn't added until v1.346, this would explain why it wasn't detected!! I'm happy now, thanks guys and thanks to Jan ;)
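The root cause in the last post (a scanner component still running signature database 1.337 while the Sahay.A signature only arrived in 1.346) is easy to check for mechanically. The script below is an added example, not code from this thread or from Eset: it compares the database version each engine component actually loaded against the version that first carried a given detection. The 1.337 and 1.346 figures are the ones posted above; the BAT/Firkin.C entry and the component names are constructed for illustration.

```python
"""Diagnose 'scanner X flags it but scanner Y does not' by checking signature
database versions rather than assuming a detection gap.

Added example for this thread; version table and component names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class SigVersion:
    """Signature-database version such as '1.337' or 'v1.346'.

    Stored as integers so ordering is by build number, not by float value:
    float('1.1000') < float('1.999'), but build 1000 is newer than build 999.
    """
    major: int
    build: int

    @classmethod
    def parse(cls, text: str) -> "SigVersion":
        cleaned = text.strip().lower().lstrip("v")
        major, build = cleaned.split(".", 1)
        return cls(int(major), int(build))

    def __str__(self) -> str:
        return f"{self.major}.{self.build}"


def undetectable_threats(loaded: str, first_detected_in: dict[str, str]) -> list[str]:
    """Return threats that a scanner running database `loaded` cannot yet detect.

    `first_detected_in` maps threat name -> database version that introduced the
    signature. In practice this comes from the vendor's update notes.
    """
    have = SigVersion.parse(loaded)
    return sorted(name for name, ver in first_detected_in.items()
                  if SigVersion.parse(ver) > have)


def stale_components(components: dict[str, str], latest: str) -> dict[str, str]:
    """Flag engine components whose loaded database is older than `latest`.

    The thread's failure was exactly this: the on-demand scanner kept using an
    old ruleset after updates had been downloaded, so the check is done per
    component, not once per product.
    """
    newest = SigVersion.parse(latest)
    return {name: ver for name, ver in components.items()
            if SigVersion.parse(ver) < newest}


if __name__ == "__main__":
    # Constructed data: the Sahay.A version is from the thread, Firkin's is made up.
    first_detected_in = {"Win32/Sahay.A": "1.346", "BAT/Firkin.C": "1.100"}
    components = {"on-demand scanner": "1.337", "AMON (on-access)": "1.346"}

    for name, ver in stale_components(components, "1.346").items():
        gaps = undetectable_threats(ver, first_detected_in)
        print(f"{name} is on {ver}; cannot detect: {', '.join(gaps) or 'nothing listed'}")
```

Run it once per component reported in the product's version dialog; a component that lags behind the others is the thing to reinstall or re-update before concluding the vendor lacks a signature.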
     