didn't find infection (sober.i)

Discussion in 'NOD32 version 2 Forum' started by Yoshman, Dec 20, 2004.

Thread Status:
Not open for further replies.
  1. Yoshman

    Yoshman Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    44
    hi everybody the second :)

    we are running the linux version of nod32 on our webserver and one of our customers sometimes still gets some viruses and is not happy about that :( or rather, he says nod missed some viruses, so i caught one of the mails and the question is whether nod really missed it or just sees no danger, because the mail was in plain text and so the code of the virus was also in plain text and not as an attached bat or com or exe or...!
    Please see attachment --> it is the text in the mailbox file on the linux server
    Some other scanners on jotti's find a virus and some do not!?

    regards and thx
    steffen jeschke
     

    Attached Files:

  2. nod32_9

    nod32_9 Guest

    NAV reports this as a bug. Will post a scan from McAfee Virus Scan 8.0i later.
     
  3. jg88swe

    jg88swe Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    181
    Scan result (scanner, version, signature date, detection; "-" = nothing found):

    AntiVir      6.29.0.5        12.20.2004  Worm/Sober.I.Base64A
    BitDefender  7.0             12.20.2004  -
    ClamAV       devel-20041205  12.19.2004  Worm.Sober.I
    DrWeb        4.32b           12.20.2004  Win32.HLLM.Sober
    eTrust-Iris  7.1.194.0       12.19.2004  -
    eTrust-Vet   11.7.0.0        12.20.2004  -
    F-Prot       3.15b           12.20.2004  W32/Sober.J@mm
    Kaspersky    4.0.2.24        12.20.2004  I-Worm.Sober.i
    NOD32v2      1.953           12.19.2004  -
    Norman       5.70.10         12.16.2004  Sober.I@mm
    Panda        7.02.00         12.20.2004  -
    Sybari       7.5.1314        12.20.2004  I-Worm.Sober.i
    Symantec     8.0             12.20.2004  -
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hello,

    NOD32 detected Sober.I heuristically without needing to update. I suspect the file is corrupted, but for me to tell for sure please send it to samples@eset.com
     
  5. Yoshman

    Yoshman Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    44
    @jg88swe - i get nearly the same results with jotti's online malware scanner, BUT the question for me is, did nod32 really miss this virus OR did it just ignore it, because the "virus code" is in the mail as text and not as an attachment!!!

    regards steffen
     
  6. nod32_9

    nod32_9 Guest

    VS 8.0i also reports this as a bug.
     
  7. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I scanned the text file with nod32 with the latest updates, and nod32 reported that it was clean.. I scanned the file online at computer associates/etrust, and their online scanner reported that the file was clean..

    kaspersky's online scan reported that the file was infected with "i-worm.sober.i"..

    my understanding is that a text file cannot carry a malware payload..
     
    Last edited: Dec 21, 2004
  8. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I scanned the file at panda, and panda said it was clean.. I scanned it at trend micro's housecall, and they detected it as sober-i.. I couldn't manage to get symantec's online scanner to run, so I couldn't scan it there..
     
    Last edited: Dec 21, 2004
  9. balthus

    balthus Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    13
    so what does this mean for us eset users?
    that certain types of viruses are being passed over?
     
  10. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    No virus is being passed over, the example in question is a text file. Text files can not perform any malicious acts as they can not execute code, they merely display it. A text file is the same as reading something on a piece of paper, yes it may be the code for Sober, but reading it will not harm you or your computer. As Marcos pointed out, NOD detected Sober.I heuristically without an update so it is safe to say NOD users are safe. As the thread points out some of the scanners at Jotti's site detect it as a virus, however, I view that as a false positive personally, as it is in a text file.
     
  11. nod32_9

    nod32_9 Guest

    Currently, it is not possible to introduce a bug via .txt files. However, some AVs may detect this as malware. When in doubt, quarantine the thing and submit it for analysis. Personally, I would delete it if I don't know the sender.
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    One of the very best ways of getting infected is by opening mail only from people you know. The following is part of a document that we send to our Nod32 customers:


    Safe Practices / Viruses / Hoaxes etc

    1. Viruses and Anti-virus Programs

    a) Update your Nod32 anti-virus. As with ALL anti-virus programs, Nod32 can only protect you from what it knows about. New viruses are written, distributed and found daily, so it is very important for you to update and check that Nod32 is being updated regularly. This is an automated function within Nod32; however, we advise that at least once a day you check and know for sure that Nod32 is actually up-to-date, just to be sure. It is a man-made program and one day it will fail, and you DO NOT want to find out there was a problem with updating 3 months ago. This is just an additional security step to make it that little bit safer.

    b) Use Nod32 to scan EVERY new file that you download from the internet, or that you place into your computer by disk or other means. Make a routine WEEKLY scan of your computer.

    c) NO ANTI-VIRUS PROGRAM IS PERFECT, nor can it compensate for:

    UNSAFE SOFTWARE PRACTICES.

    No anti-virus program will ever detect all viruses all the time; viruses are being written and distributed daily.

    PRACTICE SAFE COMPUTING.

    Be cautious when opening files, DO NOT OPEN obvious file extensions typically used by viruses and sent by email to you, such as .pif .scr .bat

    d) Have you ever heard or said, “I only ever open attachments from people I know”? Well, this is one of the best ways to receive a virus: the infected email more than likely has NOT been sent by your friend, their email address has been harvested by a virus and the virus is sending emails as though they are coming from your friend.

    e) Never open software from "warez" sites or “peer-to-peer” programs like Kazaa until they have been scanned with a fully up-to-date Nod32.

    f) Pay attention to files with multiple extensions. Generally, the last extension is the relevant one. For example, a file named song.mp3.exe is an executable program (.exe) and not an MP3 file.

    Note, however, that if you are using Outlook Express and see a file with three extensions, Outlook Express may consider the second extension to be relevant, so that a file named song.mp3.exe.jpg is an executable program (.exe), it is neither an MP3 file nor a JPG file.


    Cheers

    Blackspear.
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    AMON would have detected it as soon as you had saved it as an eml file, opened it in Outlook Express and saved the attachment. As I had stated before, NOD32 detected Sober.I heuristically without needing to update. As far as it stays in a text form, it's safe and cannot do any harm. If you manage to save it as a real file, AMON will spring into action.
     
  14. SteelyDon

    SteelyDon Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    81
    Location:
    Southern Ontario
    It seems to me that the plain text of a virus's code is a virus in imagination only.

    :p
     
  15. ASL

    ASL Guest

    Since last week I was getting a lot of these plain text sober.i 'worms' on my Astaro Security Linux (KAV engine), before the sender IPs were blacklisted. I first tried to block IPs, but then the messages would be routed over our fallback mailserver at our provider Xs4all which also scans for viruses and didn't find any infection.
    The remainder are now rejected using a regular expression that rejects all messages containing "\*-\*-\* Anti_Virus: No Virus was found" :)
     
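    The two defensive rules this thread describes, ASL's regex that rejects any message whose body carries the worm's "Anti_Virus: No Virus was found" line and the customer document's advice to judge an attachment by its final extension and to distrust double extensions such as song.mp3.exe, combined into one small mail filter. This is an added example written for this thread, not code from any poster, ESET or Astaro; the marker string is taken exactly from ASL's post, the extension list comes from the thread (.pif .scr .bat from the document, .exe and .com from the opening post), and the three sample messages are constructed here, not real worm mail.

```python
import re
from email import message_from_string

# Extensions the thread names as typical for e-mailed viruses. Constructed
# from the posts above; a production list would be longer.
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".bat", ".exe", ".com"}

# ASL's rejection rule: the literal line found in the worm's plain-text body.
# The asterisks are escaped so they match literally.
SOBER_BODY_MARKER = re.compile(r"\*-\*-\* Anti_Virus: No Virus was found")


def extensions_of(filename: str) -> list:
    """All dotted suffixes of a filename, lowercased: 'song.mp3.exe' -> ['.mp3', '.exe']."""
    parts = filename.rsplit("/", 1)[-1].split(".")
    return ["." + p.lower() for p in parts[1:]] if len(parts) > 1 else []


def attachment_reasons(filename: str) -> list:
    """Why an attachment name looks dangerous; an empty list means nothing suspicious."""
    exts = extensions_of(filename)
    reasons = []
    # Rule f): the last extension is the one that decides what the file is.
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"final extension {exts[-1]} is executable")
    # song.mp3.exe.jpg: the thread warns some clients honour the earlier .exe,
    # so an executable extension anywhere in the chain is flagged too.
    if any(e in EXECUTABLE_EXTENSIONS for e in exts[:-1]):
        reasons.append("executable extension hidden before a harmless-looking one")
    return reasons


def message_reasons(raw: str) -> list:
    """Walk every MIME part; collect body-marker hits and risky attachment names."""
    msg = message_from_string(raw)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            reasons += [f"{name}: {r}" for r in attachment_reasons(name)]
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if SOBER_BODY_MARKER.search(body):
                reasons.append("body carries the Sober.I 'No Virus was found' line")
    return reasons


def should_reject(raw: str) -> bool:
    """Reject when any rule fires; the reasons list is what you would log."""
    return bool(message_reasons(raw))


# Constructed sample messages (not real worm mail).
SAMPLE_MARKER = """From: someone@example.invalid
To: you@example.invalid
Subject: test
Content-Type: text/plain

Hello,
*-*-* Anti_Virus: No Virus was found
"""

SAMPLE_ATTACHMENT = """From: someone@example.invalid
To: you@example.invalid
Subject: song
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

here is the song
--B
Content-Type: application/octet-stream; name="song.mp3.exe"
Content-Disposition: attachment; filename="song.mp3.exe"
Content-Transfer-Encoding: base64

AAAA
--B--
"""

SAMPLE_CLEAN = """From: friend@example.invalid
To: you@example.invalid
Subject: hi
Content-Type: text/plain

see you tomorrow
"""

if __name__ == "__main__":
    for label, raw in (("marker", SAMPLE_MARKER), ("attachment", SAMPLE_ATTACHMENT), ("clean", SAMPLE_CLEAN)):
        print(label, "REJECT" if should_reject(raw) else "accept", message_reasons(raw))
```

    The body check only looks at text/plain parts, which is exactly the case the thread is about: worm code sitting as text in the body, where Marcos notes it cannot run but where a mail gateway can still refuse it. The extension check never decides from the MIME type alone, because the name the user will double-click is what matters.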
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Over the last few days I have been receiving about 20 Sober.I emails per day, this is one prevalent virus at the moment.

    Cheers :D
     
    Last edited: Dec 22, 2004
  17. Ga1tar

    Ga1tar Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    118
    Location:
    U.K
    Feeling a little left out here as I have not seen any yet
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    LOL, I can share if you like ;) :D

    :D :D :D
     
  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,763
    Location:
    Texas
    The pc group I belong to helps out a lot with their gateway antivirus and spam filter. Some still manage to make it past the gates.
     
  20. Yoshman

    Yoshman Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    44
    Many thx for all your replies and answers AND the best of all - our customer now believes me (and U) and doesn't call me the whole day anymore ;)

    another question --> i posted a second thread about nod32 not scanning some mails! could u help me there too?

    regards
    steffen
     
  21. Mikkel

    Mikkel Registered Member

    Joined:
    Dec 8, 2004
    Posts:
    35
    Agreed. If it is in a txt file it is no danger, but the next virus could rename this file to e.g. .bat :)
     
  22. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  24. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    lol, are you currently getting lots of (1) or have the (2)s hit oz as here?
     
  25. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I was getting 20 a day of "i", it has slowed in the last 12 hours though.

    Cheers :D
     