Excellent Eset. Heuristic again...

Discussion in 'NOD32 version 2 Forum' started by sir_carew, Dec 26, 2005.

Thread Status:
Not open for further replies.
  1. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hello,
    Today I executed a downloader in my VM that is spreading via MSN Messenger. The downloader downloaded a new variant of Bagle.
    NOD32 previously detected this (I scanned it without Signatures enabled) as Probably unknown NewHeur_PE virus. Today it was added to the database.
    That proves again that heuristics are very important.
    I'm happy with Eset for two things:
    1) Proactively detected
    2) Only a few AVs are currently detecting this new variant.

    Here are the VirusTotal results:
    Scanner          Version          Updated      Result
    AntiVir          6.33.0.70        12.26.2005   no virus found
    Avast            4.6.695.0        12.24.2005   no virus found
    AVG              718              12.23.2005   no virus found
    Avira            6.33.0.70        12.26.2005   no virus found
    BitDefender      7.2              12.27.2005   Win32.Bagle.EF@MM
    CAT-QuickHeal    8.00             12.24.2005   (Suspicious) - DNAScan
    ClamAV           devel-20051108   12.26.2005   no virus found
    DrWeb            4.33             12.26.2005   no virus found
    eTrust-Iris      7.1.194.0        12.26.2005   no virus found
    eTrust-Vet       12.4.1.0         12.25.2005   no virus found
    Fortinet         2.54.0.0         12.26.2005   suspicious
    F-Prot           3.16c            12.26.2005   no virus found
    Ikarus           0.2.59.0         12.23.2005   no virus found
    Kaspersky        4.0.2.24         12.27.2005   no virus found
    McAfee           4659             12.26.2005   W32/Bagle.gen
    NOD32v2          1.1340           12.26.2005   Win32/Bagle.EF
    Norman           5.70.10          12.26.2005   no virus found
    Panda            8.02.00          12.26.2005   no virus found
    Sophos           4.01.0           12.26.2005   no virus found
    Symantec         8.0              12.27.2005   Bloodhound.Beagle
    TheHacker        5.9.1.061        12.25.2005   no virus found
    VBA32            3.10.5           12.26.2005   suspected of Email-Worm.Bagle.1

    Keep up the good work, Eset! :)
  2. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Sorry, but this is certainly not a heuristic detection...
    It could have been before, but this is signature detection.
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It was detected by heuristics / generic detection and thus Eset could be the first to have detected it by exact signature as well.
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I said it could (NOD32 detected a large range of Beagles, MyTobs and Mydooms), but in this very specific case it's obviously signature detection.
  5. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Good to see that NOD32 would have detected it zero-time with heuristic
    and that NOD32 was also one of the first AVs to provide signature detection.
  6. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Another thing that surprises me more here is Symantec actually detecting an ITW sample with HEURISTICS! You won't see that too often :D
  7. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I think it's heuristic.
    I scanned the file without the Signatures option in the ThreatSense options.
    Just take a look at the screenshot.
    Cheers.

  8. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Yep,

    like RejZoR said, before it was by heuristics, as we can see in your last image, but in the first it was by the signature they added...

    Good and quick work, ESET ;)
  9. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, RejZoR, I think Symantec made a mistake. :p
    They'll release a news item: "We're sorry. We weren't supposed to detect this malware heuristically. It won't happen again." :D
  10. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    Not heuristic, just generic.
  11. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    :) Re-read the OP. His case is a detection by heuristic. His databases were out of date or he executed this in his VM before the update was available.
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Bloodhound is Norton's heuristic tagging. Generic or not, it's heuristic (which these days uses a mix of generics for signature-based heuristic detections, something NOD32 does quite often).

    No, his detection was signature no matter what you say.
    Do you see somewhere "probably a variant" or "a variant" or "probably new unknown heur_PE"? No, it's signature. But if you see any of those it's some form of heuristic detection, which is not the case here. It doesn't matter if you disable signatures and it's then reported by the heuristics module. It's still signature detection in his case.
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    In this case, the sample was already detected by a signature. If you turn off signatures, it will be detected as a variant by a generic signature. With NOD32 2.0, it would be detected by advanced heuristics as a NewHeur_PE virus.
  14. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Yeah, all I'm saying is that in this case above it was signature and nothing else.
    I don't care what happens when you disable signatures or anything else.
    That's what I've been saying the whole time.
  15. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    OK, RejZoR! As for me, it's very clear! :) :p
  16. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    OK, that's nice to know, but what kind of foolishness would turning off signatures be?
  17. johnpeter

    johnpeter Guest

    heuristic detection....
  18. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Oh god...
  19. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    That is either generic or signature detection, otherwise it wouldn't have a name.
    Although generic is usually something like: Probably a variant of xxx.xx / A variant of xxx.xx.
    Must be sig.
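A small triage helper, added here as an example and not code from this thread or from ESET: it parses the VirusTotal lines quoted in the first post and labels each verdict as an exact signature, a generic detection ("probably a variant of", ".gen"), a heuristic hit ("Bloodhound", "NewHeur_PE", "suspicious"/"suspected") or no detection, following the naming conventions the posters describe. The hint lists are my own assumptions; the sample rows are a subset of the thread's results.

```python
import re

# Sample input: VirusTotal rows as quoted in the thread (subset), one scanner
# per line in the form "<scanner> <version> <MM.DD.YYYY> <result>".
VT_LINES = """\
BitDefender 7.2 12.27.2005 Win32.Bagle.EF@MM
CAT-QuickHeal 8.00 12.24.2005 (Suspicious) - DNAScan
Fortinet 2.54.0.0 12.26.2005 suspicious
McAfee 4659 12.26.2005 W32/Bagle.gen
NOD32v2 1.1340 12.26.2005 Win32/Bagle.EF
Symantec 8.0 12.27.2005 Bloodhound.Beagle
VBA32 3.10.5 12.26.2005 suspected of Email-Worm.Bagle.1
Kaspersky 4.0.2.24 12.27.2005 no virus found
"""

LINE_RE = re.compile(
    r"^(?P<scanner>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+)$"
)

# Assumed markers. Heuristic: vendor tags for "looks malicious, no exact match"
# (Symantec's Bloodhound, NOD32's NewHeur_PE, QuickHeal's DNAScan, "suspicious").
HEURISTIC_HINTS = ("bloodhound", "newheur", "suspicious", "suspected", "dnascan")
# Generic: family-level names rather than an exact variant letter.
GENERIC_HINTS = ("probably a variant", "a variant of", ".gen")


def classify(result: str) -> str:
    """Map one scanner verdict to: none | heuristic | generic | signature."""
    r = result.strip().lower()
    if r == "no virus found":
        return "none"
    if any(h in r for h in HEURISTIC_HINTS):
        return "heuristic"
    if any(g in r for g in GENERIC_HINTS):
        return "generic"
    return "signature"  # an exact, lettered variant name such as Win32/Bagle.EF


def parse_vt(text: str) -> list[dict]:
    """Parse VT result lines; malformed lines are skipped rather than guessed."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["kind"] = classify(row["result"])
            rows.append(row)
    return rows


def summarize(rows: list[dict]) -> dict:
    """Count verdicts per detection kind, to see how many vendors had a real signature."""
    counts: dict = {}
    for row in rows:
        counts[row["kind"]] = counts.get(row["kind"], 0) + 1
    return counts
```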