about viruses variants' naming

Discussion in 'ESET NOD32 Antivirus' started by stimulator32, Jan 10, 2010.

  1. stimulator32 (Registered Member)
    Hello,

    can I rely on the ThreatSense naming of viruses that are detected by heuristics?

    I am very concerned with virus names, but I have recently found that sometimes there is an essential difference between their names depending on whether they are detected by signatures or by heuristics!

    This means there is a possibility that the names of viruses that are detected by heuristics (passive heuristics, active heuristics, generic signatures) are wrong and not accurate! And every time I see "a variant of", "probably" or "Gen." I should bear in mind that there is a big chance that the detection name is faulty!

    Here are some examples of viruses that have different names according to the detection method (signature or heuristic):

    -C:\Users\stimulator32\Desktop\555\Net-Worm.Win32.Mytob.ay.zip » ZIP » Net-Worm.Win32.Mytob.ay - Win32/Mytob.GT worm
    When I disable the detection by signatures:
    -C:\Users\stimulator32\Desktop\555\Net-Worm.Win32.Mytob.ay.zip » ZIP » Net-Worm.Win32.Mytob.ay - probably a variant of Win32/Mydoom.CP worm

    -C:\Users\stimulator32\Desktop\555\Trojan-Banker.Win32.Banker.aajq.zip » ZIP » Trojan-Banker.Win32.Banker.aajq - Win32/TrojanProxy.Small.NBG trojan
    When I disable the detection by signatures:
    -C:\Users\stimulator32\Desktop\555\Trojan-Banker.Win32.Banker.aajq.zip » ZIP » Trojan-Banker.Win32.Banker.aajq - a variant of Win32/Injector.FP trojan

    -C:\Users\stimulator32\Desktop\555\Trojan-Banker.Win32.Banker.aarp.zip » ZIP » Trojan-Banker.Win32.Banker.aarp - Win32/Spy.Delf.NNB trojan
    When I disable the detection by signatures:
    -C:\Users\stimulator32\Desktop\555\Trojan-Banker.Win32.Banker.aarp.zip » ZIP » Trojan-Banker.Win32.Banker.aarp - a variant of Win32/Spy.Banker.AEMZ trojan

    -C:\Users\stimulator32\Desktop\555\Virus.Win32.Sality.o.zip » ZIP » Virus.Win32.Sality.o - Win32/Sality.O virus
    When I disable the detection by signatures:
    -C:\Users\stimulator32\Desktop\555\Virus.Win32.Sality.o.zip » ZIP » Virus.Win32.Sality.o - a variant of Win32/Kryptik.DF trojan


    (The viruses can be sent only to moderators for ascertainment).

    I suppose that when the detection of a virus by heuristics is "a variant of Conficker worm" or "PE NewHeur virus" and, after it is added to the signature database, becomes "Win32/Conficker AA worm", that is an acceptable and normal issue ..

    But when the issue is like my examples above, is it acceptable?

    Many thanks in advance ..
     
  2. Marcos (Eset Staff Account)
    The point is to detect malicious files regardless of how they are named. With the current number of threats counting in dozens of millions, it's impossible to create a separate signature for every single threat. No AV company is doing that, and none ever will; otherwise they couldn't use heuristics and 99,99% would be undetected.
     
  3. stimulator32 (Registered Member)
    Hello Marcos,

    The Kaspersky company gives a specific signature for every single threat ..

    Avira does that as well ..
     
  4. stimulator32 (Registered Member)
    Look at Kaspersky's signatures (attached screenshot: 10-01-2010 08-42-46 PM.png)

    and Avira's (attached screenshot: 10-01-2010 08-45-03 PM.png).

    Every threat has a signature!!
     
  5. Marcos (Eset Staff Account)
    This is absolutely not true. I've checked a bunch of today's samples; more than 6000 were detected by Antivir as generic (according to their names, but that doesn't mean signatures without "gen" are necessarily not generic). Just to name some of them:

    TR/Crypt.ASPM.Gen
    TR/Crypt.CFI.Gen
    TR/Crypt.EPACK.Gen2
    TR/Crypt.FKM.Gen
    TR/Crypt.FSPM.Gen
    TR/Crypt.Morphine.Gen
    TR/Crypt.MWPM.Gen
    TR/Crypt.NSAnti.Gen
    TR/VB.Downloader.Gen
    TR/Vundo.Gen
    BDS/Hupigon.Gen
    DR/Delphi.Gen

    Similar situation with Kaspersky, as well as any other AV:
    Backdoor.Win32.IRCBot.gen
    Backdoor.Win32.Rbot.gen
    Backdoor.Win32.VB.gen
    Email-Worm.Win32.generic
    Heur.Backdoor.Generic
    Heur.Trojan.Generic
    Heur.Worm.Generic
    Trojan-Spy.Win32.Zbot.gen
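As an added example (not code from the thread, from ESET or from any vendor), a small Python triage helper that parses scan-log lines in the format quoted in the first post and the bare Avira/Kaspersky names listed in the last, and rates each family name by its detection basis, so that "probably a variant of", "a variant of" and ".Gen"/"generic"/"Heur." names are not mistaken for exact identifications. The sample lines and the path C:\samples are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample input: ESET scan-log lines in the format quoted in the
# thread (path » ZIP » member - detection), plus bare Avira and Kaspersky names.
SAMPLES = [
    r"C:\samples\Virus.Win32.Sality.o.zip » ZIP » Virus.Win32.Sality.o - Win32/Sality.O virus",
    r"C:\samples\Virus.Win32.Sality.o.zip » ZIP » Virus.Win32.Sality.o - a variant of Win32/Kryptik.DF trojan",
    r"C:\samples\Net-Worm.Win32.Mytob.ay.zip » ZIP » Net-Worm.Win32.Mytob.ay - probably a variant of Win32/Mydoom.CP worm",
    "TR/Crypt.EPACK.Gen2",
    "Heur.Trojan.Generic",
    "Trojan-Spy.Win32.Zbot.gen",
]

# Threat-type words ESET appends after the family; Avira/Kaspersky names have none.
ESET_TYPES = {"virus", "trojan", "worm", "application"}
# Naming patterns the thread shows for generic detections: ".Gen"/".Gen2",
# ".gen", "generic" and the "Heur." prefix.
GENERIC_NAME = re.compile(r"(\.gen\d*$|generic|^heur\.)", re.IGNORECASE)

@dataclass
class Detection:
    path: str    # scanned object ("" for a bare detection name)
    family: str  # vendor family/variant name, e.g. Win32/Sality.O
    basis: str   # "signature", "generic" or "heuristic"

def classify(line: str) -> Detection:
    """Split a log line into path and detection, then rate how far the family
    name can be trusted: exact signature > generic/variant > heuristic guess."""
    path, _, det = line.rpartition(" - ")
    det = det.strip()
    basis = "signature"
    for prefix, rating in (("probably a variant of ", "heuristic"),
                           ("a variant of ", "generic")):
        if det.lower().startswith(prefix):
            basis, det = rating, det[len(prefix):]
            break
    words = det.split()
    if len(words) > 1 and words[-1].lower() in ESET_TYPES:
        words = words[:-1]           # drop the trailing "virus"/"trojan"/"worm"
    family = " ".join(words)
    if basis == "signature" and GENERIC_NAME.search(family):
        basis = "generic"
    return Detection(path, family, basis)

def trusted_families(lines) -> list:
    """Family names backed by an exact signature; only these are worth quoting
    when the family itself matters (reports, IoC correlation, remediation)."""
    return [d.family for d in map(classify, lines) if d.basis == "signature"]
```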
     