Dropper.Microjoin.bx

Discussion in 'NOD32 version 2 Forum' started by phasechange, Jul 8, 2006.

Thread Status:
Not open for further replies.
  1. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    I have downloaded a highly dubious file (out of curiosity, to test Ewido, which I have a trial install of). Unsurprisingly, scanning it with Ewido found Dropper.Microjoin.bx; however, I scanned it with NOD32 first and it found nothing.

    Thoughts please?

    Fairy
     
  2. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    Just checked it using the KAV6 trial that's installed in my test environment; it also finds it. Do you think NOD32 would pick it up on execution? I'm not prepared to run it to find out :-D

    Fairy
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Since it's a dropper, it would be interesting to know if the files dropped are detected by NOD32 or not. Send the file to support @ eset.com with a link to this thread and I'll take a look at it.
     
  4. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    I'll download it again and send it.

    Fairy

    /update

    Sent. Thanks
     
    Last edited: Jul 8, 2006
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Are they detected, Marcos? :D
    I know ESET doesn't add too many droppers if the files being dropped are detected, and this is a good thing. No need to make the database huge. :)
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    It is good, but also rather strange, at least for me. Since the security risks do not increase either way, I'd just say that one should either detect all droppers or not detect any droppers. :doubt:
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Tried to download and Antivir stopped it.
    Downloaded after disabling Antivir. I tried to upload it to jotti and virus total but failed due to busy servers there.
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Nice to see that, but I think Marcos or someone from ESET has already analysed it, hasn't he?
    So, can he tell us if the file being dropped is detected, or if it has been added to detection?

    Here's the scanning result from VirusTotal:
     
    Last edited: Jul 10, 2006
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks pykko.
     
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    You're welcome, aigle. :)
    Anyway... I won't wait for an answer from ESET... they seem to be averse to "undetected malware" threads. They could tell us: it's detected or not (the file being dropped)... very simple. No antivirus is perfect, but at least on their support forum they could say it clearly.
     
  11. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Or you can just find out for yourself, if you have the time and the right tools :p :D
     
  12. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I've run it... nothing happened. Only my NOD32 icon went red, then disappeared, and then my PC blew up. :D :D :eek: Joking, of course. :p
     
  13. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    Hmmmm, I wonder how the testing went?

    Fairy
     
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I'm sure the file being dropped is detected. :)
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    And I'm positive that both the dropper and dropped files are detected :D
     
  16. ASpace

    ASpace Guest


    Good news ! :thumb:
     
  17. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    That's right, Marcos! Here's the scanning result. :) :thumb:
     
  18. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    As the dropper wasn't detected by my NOD32 previously, does this mean that it has now been added to the database? Or would it have been detected if I had executed rather than scanned the file?

    Thanks,
    Fairy
     
  19. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    When it's described as a dropper, it means that it drops a file. The file that was being dropped by this trojan was (correct me if I'm wrong) detected by NOD32 all along, but the dropper itself wasn't detected until recently (when ESET added detection for it).
     
  20. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Definition for the dropper has been added in version 1.1658 (20060713).
     
  21. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    Thank you, and thank you Pykko. I thought this was the case; I just wanted it explicitly stated for my all-too-literal mind :)

    The fact that the Dropper is now detected impresses me and increases my (already high) confidence in ESET. Another job well done.

    Fairy
     