Undetected Worm (False Negative)

I was hit by a worm that installed IEExplore32.exe (W32/Rbot-GRE) and NOD32 (2335) didn't detect it, nor will it clean, I sent the file for analisys but still can't get rid of it. It's reported by sophos (W32/Rbot-GRE) and removeit pro.

Hope they fix it soon as this one is on the wild...

tisazalay

 

Hello !

To be 100% sure it is real threat submit the file to VirusTotal for analysis (write a new email to scan[at]virustotal.com with a subject SCAN and with enclosed the suspected file in its basic form) . Provide ESET with the results but don't post them here

Send the suspected file(s) to email support[at]eset.com along with a link to this thread and more information . Good luck !

 

I did an online scan there, this is the result:

http://www.virustotal.com/vt/en/resultadof?4f0a22754fd3fd05debc5653c28b9224

I can't send the file from hotmail, gmail or my ISP SMTP server cause it's been rejected.
One note though, the virus updates from virustotal are somewhat old as the 13 of june sophos update is supposed to detect it as a worm. I'm using 2335 of NOD32.

tisazalay

 

You need to encrypt the file in an archive (e.g. .zip), with the password "infected" - and attach that to the e-mail. The AV at the e-mail server will not then detect it. As HiTech_Boy said, include a link to this thread in the e-mail body. Im sure Eset will add it soon enough

 

He won't be able to send an archive using a Gmail account (AFAIK).
He has to either send it from different account or rename the "infiltration.zip" to the "infiltration" and of course mention that fact in the e-mail

 

OK, I sent the worm inside an encrypted file with the password being infected. And a link to this thread.

I managed to clean the problem with the free Removeit SE.

The worm is a multidropper that when ran is partially detected by nod32 (detects a dropper) but it allows another program with the name IEExplorer32.exe to be installed. The later can't be removed with del as it recreates itself pretty fast.

tisazalay

 

Fantastic, ESET should add it to their database soon.

Im glad you were able to sort out the problem! Im surprised that NODs heuristics did not catch it, but then again, try to name an AV solution that catches 100% of everything!

Matt

 

Password-protecting the archive would do the trick in this case

 

I used hotmail (Live), and was able to send it password protected, although hotmail did complain about it being encrypted , but sent it.
I guess they'll sort it out for monday or tuesday since updating the threat database seem to be just a bit slower on weekends.

tisazalay

 

OK, problem solved, as of update 2336 ( 20070618 ), the file that prompted my concern is detected as Win32/TrojanDropper.Agent.NFD.

Thanks.

tisazalay

 

Very good , ESET !

Thanks for letting us know , Tisazalay !

 

Hello

A work (in progress) for submit samples :

http://assiste.com.free.fr/p/antivi...yer_un_echantillon_par_email_a_l_analyse.html

Sincerely