e-card virus issue

Discussion in 'ESET NOD32 Antivirus' started by bsilva, Mar 12, 2009.

Thread Status:
Not open for further replies.
  1. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    Hello All,

    There's a new email virus going around. It comes in as e-card. Don't open it. We have multiple computers infected. NOD32 v3 is not even catching it.

    I forwarded the email with the virus to support at eset.com and labeled it as a virus.

    It disables the eset service and then marks it for deletion. We've had to reinstall it on a bunch of computers.
     
  2. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Re: e-card virus

    Hello, it's necessary to upgrade your NOD32 to version 4, which includes a new Self-Defense module. It protects the whole program against unauthorized disabling. You can then also send a log from the SysInspector module for detailed analysis.
     
  3. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    Re: e-card virus

    We have over 1800 hundred computers... Not that easy. Also, thought you couldn't kill the eset service even in version 3.
     
  4. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Re: e-card virus

    Nope that was a myth, same as the effectiveness of AH. :)
     
  5. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Re: e-card virus

    How can you say that AH isn't effective? When you compare AVs according to detection rate in a "zoo" test, you have to know that an important factor is the ratio between detections and false positives. ESET's policy is not to produce many FPs. If they wanted, sensitivity could be higher, but then a lot of users would write "What has happened, ESET?" Would the viruslab work on fixes then?

    You can read this e.g.
     
    Last edited: Mar 12, 2009
  6. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    Re: e-card virus

    Just tested version 4 on a workstation and it also shuts down the GUI, but the service looks like it's running. If you try to start the GUI it disappears in a second.
     
  7. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    Re: e-card virus

    After more testing... the service does start after a reboot and the GUI does come back. We are now scanning to see if it finds anything.
     
  8. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    Re: e-card virus

    Windows defender is catching it as Trojan:Win32/Vundo.gen!AJ

    Resources: C:\Users\windowsuser\appdata\local\temp\javainst.exe

    This is a windows 7 PC.
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
  10. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    Re: e-card virus

    Thanks, after I spoke with Support they gave me that Address to email.
     
  11. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    Re: e-card virus

    So after a day and 4 updates from Eset, we are still battling these viruses. Eset is not catching it, we've sent multiple samples. We are using Sophos and Symantec to clean it.

    This is not good for Eset. :thumbd:
     
  12. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    Re: e-card virus

    Norton sees it as Trojan.Vundo

    I believe I see some signatures for it but it's still not catching.
     
  13. elavoie

    elavoie Registered Member

    Joined:
    Mar 13, 2009
    Posts:
    6
    Re: e-card virus

    Having the same issue over here.
    Never had such an issue with ESET before.
     
  14. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    Re: e-card virus

    I've been a customer since version 1 never had this problem. Are you dealing with the e-card virus (Trojan.Vundo)?
     
  15. elavoie

    elavoie Registered Member

    Joined:
    Mar 13, 2009
    Posts:
    6
    Yes, Trojan.Vundo or the 25 different names each AV vendor chooses. I am a customer since v2. I also installed v4 and scanned the zip file, nada, no detection, submitted the file to ESET. I am surprised it has taken more than 24hr to fix this.
     
  16. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Re: e-card virus

    Yeap, welcome to my world. I hunt, test and submit malware to Anti-Malware companies and ESET is OK in my book, but the load AH brings does not warrant its detection capability.

    In 2.7, when it was light on resources, it was my #1 choice, but now with its resource load and nice % of missed samples it has slowly slipped down the ranks.

    In my own personal (take it as you may) testing from the things I find, so far in heuristic detection Avira seems to take the crown, however they have a larger # of False Positives... but now is the Catch 22.
    What's worse for you?
    A FP that you can unquarantine (all my Anti-malware is set to quarantine or report, not to act automatically) or a large spreading infection that can fester in your system for weeks without you even knowing about it, only to be detected by now "updated" signatures (or maybe never?)... just look at the Heartland Data Center Breach... the infection had been in their systems since Feb of 2008 and it collected data for MONTHS before they found it. :)

    So yeah, those are the things you have to ask yourself. Everything lets things through, that is a fact of life, hence the need for layered defenses. However, currently malware writers are winning and Anti-malware companies are playing catch-up while consuming greater amounts of computer resources to run their software.

    P.S.
    Also don't hold your breath with ESET adding some malware defs, in the past it sometimes took them a few weeks to add the samples. Sometimes they add it in hours, sometimes in weeks, sometimes NEVER... or at least so long that I just gave up on checking. I don't follow up on submissions to ESET, I submit to about 40 different vendors, and if the e-mail does not bounce back then I don't re-send. If ESET fails to add it, then it's up to them... and yes, all are zipped or rared with "infected" as the password.


    Ok I am off my soapbox now.
     
    Last edited: Mar 13, 2009
  17. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    There is a lot of VUNDO's out there.

    Your best bet if ESET is not responding is to install the 15 Day Trial of NORTON (since they seem to catch it... according to what you said) and run scans on the systems that way.

    I know, it's a pain if you have to do it in MULTITUDES! The first thing with VUNDO is to take the system off the net, so the infection does not update itself and elude your detection.
     
  18. elavoie

    elavoie Registered Member

    Joined:
    Mar 13, 2009
    Posts:
    6
    Norton, I don't think so, I use other tools, and yeah, ESET seems to have degraded since v2, v3 was quite a disappointment. We will see how they play catch-up.
    I submitted it to one of those sites that scans with multiple engines, a few picked it up. 2 tools I looked into in the past: Fortinet and CA, any feedback on this?
    I am tempted to use 2 different AVs to scan emails instead of relying on one.
     
  19. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    The typical update is usually within 24 hours. I've been sending files for months and it has never really been any longer than that, with the exception of weekends.

    If you want you can PM me a link and I will forward it in my next daily batch.
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I couldn't find such file sent to samples[at]eset.com. This is the only address where you should send suspicious files or false positives. If you have actually sent the file in question to this address, please PM me the subject of the email or your email address so that I can look it up.
     
  21. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    The only reason I recommended Norton in this part was the fact that someone reported that Norton detects it.
    So instead of going on a "what other AV company detects it" hunt, I just went with Occam's Razor.
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    So I gather you'll recommend installing NOD32 back as soon as Norton misses a threat :)

    Missing threats is pretty normal for any AV even though not desired by users. There's no perfect AV in the world that detects every single threat, that's a matter of fact whether one likes it or not. 100% detection could be achieved only if detection was based on whitelisting legit files which would, on the other hand, produce tons of false positives.

    As I have written, any suspicious file should be sent in an archive protected with the password "infected" to samples[at]eset.com. Samples from infected systems that are sent by our users are handled with higher priority. Usually they should be included in one of the upcoming updates released within the day.
     
  23. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372

    No, in this case the reason I recommended it is because the user wants to clean the system ASAP, or so it seems, so why wait for an updated detection when it's already being detected by someone else?
    Then he/she/it/IT can just remove Norton, keep ESET and perform a follow-up ESET scan when ESET updates the defs.
     
  24. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Considering how persistent Norton is on a system, I would never consider installing it as a cleanup for anything.
     
  25. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    That's true, but I think they fixed it with 2009, since 2009 seemed to uninstall correctly from my VM.

    Another thought would be to run the free Symantec Online Scanner and at least ID the files and their locations. I don't know if the Symantec Online Scanner allows you to delete the infection or if it just IDs it.
     