Does Nod32 detect "Win32.Swen.A" ?

For more information:

http://www.f-secure.com/v-descs/swen.shtml
http://www.sophos.com/virusinfo/analyses/w32gibef.html
http://www3.ca.com/virusinfo/virus.aspx?ID=36939
http://vil.nai.com/vil/content/v_100662.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A
http://www.viruslist.com/eng/viruslist.html?id=88029

 

Yes it does.

 

sure, it did this yesterday

ww

 

I went to www.NOD32.com trying to find out if W32.Swen.A was covered by NOD. I could not find any information rearding this virus on the site. I looked everywhere including virus definitions with no luck.

So the question is:
How are we suppose to be able to determine if NOD32 will detect a certain virus if it is not listed on the site for lookup?

Or did I not look at all the info on the site and missed it?

Daniel M

 

NOD32 - v.1.512 (2003091
Virus signature database updates:
VBS/Jarda.A, VBS/Killer.A, VBS/Tabe.A, Win32/Apdoor.A, Win32/BO.139264, Win32/BO.143360, Win32/Dirtxt, Win32/Dumaru.D, Win32/Dumaru.J, Win32/HLLW.Perdex.A, Win32/HLLW.Tefuss.A, Win32/HLLW.Tefuss.E, Win32/IRC.SdBot.BC, Win32/Pander.A, Win32/Pesin.B, Win32/Pkasa.C, Win32/Poetas.A, Win32/Qozah.1386, Win32/Qozah.1751, Win32/Qozah.2344, Win32/Renol, Win32/Renol.A, Win32/Renol.B, Win32/Renol.C, Win32/Ronoper.V, Win32/Sality.D, Win32/Scrambler.C, Win32/Scrambler.D, Win32/Seppuku.9728.A.dropper, Win32/Seppuku.F, Win32/Seppuku.F.dropper, Win32/Sheng.A.unp, Win32/Small.F, Win32/Sowsat.G, Win32/Spelac.A, Win32/Spelac.A.dropper, Win32/Stator.B.unp, Win32/Swen.A, Win32/Symten.A, Win32/Symten.B, Win32/Symten.B:UPX, Win32/Sysnom.H, Win32/TrojanProxy.Zebroxy.B, Win32/Vote, Win32/Wukill.A, Win32/Zaffi.A

 

thanx guys

 

Dah, I got bit

The info in the updates, as you kindly point out, is really not structured for easy lookup (although that is no exuse for my oversight). It would be much easier to put the info in a lookup table such as the virus definitions page.

Thanks for pointing out that I need better eye glasses. ha ha ha

Daniel M

 

I agree to Daniel M. I really think www.nod32.com needs to revamp the site for more userability and centralization issue. I am happy that they post the regular def updates on time but adding information of "Win32.Swen.A" on a timely manner will be acknowledging just like NAI and Symantec websites are. NOD32 is an excellent antivirus. Website needs to be tweaked just to be ahead of the big guns. When both becomes top, all happy users need to visit NOD32 website for all the virus information. No need to keep checking other sites. Keep up the good work ESET!

 

Just a little addition... Swen was detected by NOD32's heuristics before the signature update. That means that NOD32 users that has their e-mail scanned by the NOD32 module IMON has been protected against Swen for months.

Best regards,
Anders

 

Kia Ora, Anders.

I can verify that NOD32 detected Swen before it was updated.

There's a lot of NOD32 bashing going on at DSL Reports about NOD32 heuristics not detecting Swen. I don't usually post on forums but I got so mad at all the BS that I posted this, after asking Rod from NOD32 Australia for permission to quote his e-mail:

You NOD32 Bashers talk a load of BS.

NOD32 detected Win32/Swen.A as an unknown worm in 35 of my e-mails on the 19th of September. It had not been updated since the 11th of September.


----- Original Message -----
From: "NOD32 Australia" <nod32@nod32.com.au>
To: "Mike&Mary" <maori_mary@*******.com>
Sent: Friday, 19 September, 2003 14:01
Subject: Re: Unknown virus in e-mail
>
>
> Hi Mary,
>
> ----- Original Message -----
> From: "Mike&Mary" <maori_mary@*******.com>
> To: "NOD32 Australia" <nod32@nod32.com.au>
> Sent: Friday, 19 September, 2003 11:08
> Subject: Re: Unknown virus in e-mail
>
> > Thanks for the quick reply. The source of the 1st e-mail was from
> > Belgium, sent on the 16th, another 2 from Holland on the 17th, and
> > another 32 from all over the world on the 18th, but I was away for a
> > week and I didn't switch my computer on from the 11th until today.
> > NOD32 is set to update every hour, but I downloaded my e-mail
> > before I got the new updates.
>
> If you go into Control Center>Scheduler/Planner and tick both update
> task boxes NOD32 will update whenever you connect to the Internet,
> then every hour while you're connected. Just wait a few seconds and
> you'll have the latest definitions before you collect your email.
>
> > Another 14 came in since I emailed you half an hour ago, blocked
> > as Win32/Swen.A worm. I put some rules in Mail Washer to stop
> > the buggers on my ISP.
>
> Good move!
>
> This one will be BIG. We've had another 300+ in the past half hour,
> and I heard on the news a few minutes ago that some Australian
> government department has had over two thousand hits since
> yesterday.
>
> > I don't think I can claim to be the first. Message Labs reckon they
> > caught the first one on the 13th, from Slovakia. Are you sure you
> > NOD guys didn't write it?
>
> Hahahahahah! You've been listening to the rumors that I was Dark
> Avenger in my younger days! ))
>
> > Mary
> > --- Maori isn't what you look like - it's who you are! ---
>
> rod
>
>
> > ----- Original Message -----
> > From: "NOD32 Australia" <nod32@nod32.com.au>
> > To: "Mike&Mary" <maori_mary@*******.com>
> > Sent: Friday, 19 September, 2003 10:22
> > Subject: Re: Unknown virus in e-mail
> >
> > > Hi Mary,
> > >
> > > Thanks for the sample.
> > >
> > > Your virus is Win32/Swen.A ... added to yesterday's database.
> > > It looks like you may not be updating NOD32 often enough. I
> > > recommend setting your updater to its default "Every 1 hour".
> > >
> > > Your copy from Belgium is the earliest Swen.A I've heard about,
> > > btw. It didn't start to appear in large numbers until yesterday,
> > > and it's already a plague. We had 600+ infected emails waiting
> > > this morning.
> > >
> > > Regards,
> > >
> > > Rod Fewster
> > > NOD32 Australia
> > > PO Box 29
> > > Kallangur 4503
> > > Phone 07 3204 5000
> > > NOD32 Antivirus : http://www.nod32.com.au
> > > Outpost Firewall : http://www.antivirus.com.au/outpost
> > > Remote Administrator : http://www.antivirus.com.au/radmin
> > >
> > > _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> > > NOD32 is the outright winner of Australian PC User
> > > "Best Antivirus Program of 2001" Award
> > > "Best Antivirus Program of 2002" Award
> > > "Best Buy" of 2001 and 2002
> > > and
> > > holds an unequalled 23 Virus Bulletin VB100% Awards!
> > > _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> > >
> > >
> > > __________ NOD32 1.512 (2003091 Information __________
> > >
> > > This message was checked by NOD32 Antivirus System.
> > > http://www.nod32.com
> > >
> > >
> > __________ NOD32 1.512 (2003091 Information __________
> >
> > This message was checked by NOD32 Antivirus System.
> > http://www.nod32.com
> >
> >
>
>

(I have Rod Fewster's permission to quote the above e-mail.)

 

Said by Mary:
>There's a lot of NOD32 bashing going on at DSL Reports about NOD32 heuristics not detecting Swen

Yep. Technodrome and I got really beat up there. I'm glad you came along and was delighted when you posted that email from Rod. That still didn't shut them up though. In fact, Vamp (at least it appeared to be him) came back and posted anonymously and other anonymous posters jumped in. One compared me to Technodrome! I took that as a nice compliment. (The bashing of NOD continued to rage even in IMs there. It was so bad that one "buddy" declared I was no longer a friend or "buddy" and was obviously "demented" because I wouldn't "see the light" about NOD). Finally, when the anon posts became outrageous they were eliminated and the thread was finally locked.

Said by Anders:
>That means that NOD32 users that has their e-mail scanned by the NOD32 module IMON has been protected against Swen for months

Not just IMON users. I don't use IMON. I scan all attachments and downloaded files using Paolo's shell extension. I never, ever execute anything without first saving to the hard drive and then scanning so I was protected also. I disagreed completely with the bashers at DSLR who kept insisting that Eset should have made adv. heuristics an available option to be checked in the on demand scanner and in AMON. I think the way it is set up currently is just right except I do think Paolo's extension should be made a part of NOD32 as many, including myself, do not know enough DOS to easily use the command line adv. heuristics scanning without the shell extension.

Said by Jsurfers:
>Website needs to be tweaked just to be ahead of the big guns. When both becomes top, all happy users need to visit NOD32 website for all the virus information. No need to keep checking other sites.

This I agree with. It has been discussed here before many times. I feel at a disavantage over at DSLR (my home site) because I can't see any information on most new viruses at the NOD site, whereas, the supporters of other av can find the information very fast at their av site and they post this and gloat and I can't combat this notion that NOD is not up to snuff sometimes because of the lack of information at the NOD site. That really needs to be improved. I realize there has been some improvement and I appreciate that, but this an area where Eset needs to do more improvement soon if NOD is to really go big time and compete successfully with the "big boys". The USA site is especially a joke. Rod's site is the best and is the one we USA users use and send new people to. That is embarrassing that our own site is lacking.