Imon detected it, but AMON did not... why?

Discussion in 'NOD32 version 2 Forum' started by POS, Nov 23, 2005.

Thread Status:
Not open for further replies.
  1. POS

    POS Guest

    Yesterday I've received an e-mail trojan. Downloaded it and IMON blocked it. Today, I've downloaded it again, and IMON and AMON didn't detect it... Tried the NOD32 scanner, and it did not detect it... Submitted it to VirusTotal, and NOD32 and KAV and others didn't detect it... Maybe it was a false positive and some NOD32 update has fixed this false positive? I don't think so, because I've tried to execute the application, but ZoneAlarm blocked it...
     

    Last edited by a moderator: Nov 23, 2005
  2. POS

    POS Guest

    .....
     

    Last edited by a moderator: Nov 23, 2005
  3. POS

    POS Guest

    Screenshot from nod32 quarantine (Imon detected it yesterday):
     

    Last edited by a moderator: Nov 23, 2005
  4. POS

    POS Guest

    No one can help me? I've submitted the file to Eset, but didn't get an answer yet...
     
  5. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    I've seen this happen a few times (SpeedFan for one). It probably was a false positive and they fixed it.
    But just to be on the safe side, keep it in quarantine and submit it to VirusTotal or Jotti's in a few days.
     
  6. POS

    POS Guest

    But I really think it's not a false positive. I've received it in my e-mail, and it has all the characteristics of a bad mail... like "click here and get a gift..."! Very suspicious...


    Also, I've submitted it to Kaspersky, and the answer is:

    "Hello.
    Malicious software was found in the attached file.


    INFECTED Trojan-Downloader.Win32.Banload.iv


    Its detection was included in the next update.
    Please update your base nomore later. 1 hour.
    Thank you for your help.
    -----------------
    Regards, Leonid Khovansky
    Virus Analyst, Kaspersky Lab."

    Congratulations to Kaspersky for the fast answer. I've submitted it to Eset about 2 hours ago, and didn't get an answer. Tired of waiting, I submitted it to KAV Labs about 12 minutes ago, and just got the answer...
     
  7. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    I would wait for Marcos or Happy Bytes to give more information.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'm waiting for more info from our engineers right now :) Most likely it ceased to be detected because the generic signature for SpyBanbra was rebuilt. This is not SpyBanbra, but seems to be actually a trojan downloader.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    From the next update, it will be detected as follows. You can consider this an official response from Eset:
     

    Attached file: nod.jpg
  10. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi POS:

    The file, if run, attempts to download the real infiltration (same name or voxcard2.exe which NOD32 stops with IMON (if running/enabled) or AMON).

    This would be as Marcos stated - a Trojan Downloader

    It is packed with UPX 1.25

    http://www.badsite1.com/images/voxcard.exe a variant of Win32/Spy.Banbra.DT trojan
    http://www.badsite2.com/doc/voxcard2.exe a variant of Win32/Spy.Banbra.DT trojan
    http://www.badsite3.com/images/voxcard.exe a variant of Win32/Spy.Banbra.DT trojan

    AMON file C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\G1QVSLEB\voxcard[1].exe a variant of Win32/Spy.Banbra.DT trojan quarantined - deleted Event occurred on a new file created by the application: c:\voxcard.exe. The file was moved to quarantine. You may close this window.


    If allowed to run freely, it creates:
    c:\windows\wupdmgr.exe - a variant of Win32/Spy.Banbra.DT trojan (set to run from HKLM/Software/Microsoft/Windows/CurrentVersion/Run at boot)
    c:\Explorer.EXE - a variant of Win32/Spy.Banbra.DT trojan
     
    Last edited: Nov 24, 2005
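rumpstah's post above lists what a defender can actually look for on a machine that ran the downloader: a `wupdmgr.exe` entry under the HKLM `Run` key, an `Explorer.EXE` dropped in `c:\` instead of the Windows directory, and AMON/IMON log lines naming `Win32/Spy.Banbra.DT`. The script below is an added example, not code from the thread or from Eset; it parses a `reg export` dump of the Run key and NOD32-style log lines and flags those indicators. The registry dump and the log lines are constructed samples written in the same format the thread quotes; the filenames and detection names come from rumpstah's post.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from rumpstah's post in the thread.
DROPPED_FILENAMES = {"wupdmgr.exe", "voxcard.exe", "voxcard2.exe"}
DETECTION_NAMES = {"Win32/Spy.Banbra.DT", "Win32/TrojanDownloader.Banload.NAB"}

# Constructed sample: what `reg export HKLM\...\Run run.reg` writes. One benign
# entry plus the wupdmgr.exe persistence entry described in the thread.
RUN_KEY_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"wupdmgr"="c:\\windows\\wupdmgr.exe"
"""

# Constructed sample NOD32 log lines, in the format quoted in the thread.
NOD32_LOG = [
    "AMON file C:\\Documents and Settings\\username\\Local Settings\\Temporary Internet Files"
    "\\Content.IE5\\G1QVSLEB\\voxcard[1].exe a variant of Win32/Spy.Banbra.DT trojan quarantined - deleted",
    "AMON file c:\\windows\\wupdmgr.exe a variant of Win32/Spy.Banbra.DT trojan quarantined - deleted",
    "AMON file C:\\Program Files\\SpeedFan\\speedfan.exe is OK",
]

REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# The executable part of a Run-key command: optionally quoted, ends at the first ".exe".
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)\b', re.IGNORECASE)
# "<module> file <path> a variant of <name> trojan ..." ; the path may contain spaces.
LOG_LINE_RE = re.compile(
    r"^(?P<module>AMON|IMON) file (?P<path>.+?) "
    r"(?:a variant of )?(?P<name>Win32/\S+) trojan"
)


def parse_run_key(export_text):
    """Return {value_name: command} from a .reg export of a Run key.
    reg export doubles backslashes inside string data; undo that here."""
    entries = {}
    for line in export_text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            entries[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return entries


def suspicious_run_entries(entries):
    """Flag Run-key commands whose executable is one of the dropped filenames,
    or an explorer.exe living outside the Windows directory (c:\\Explorer.EXE)."""
    hits = []
    for name, command in entries.items():
        m = EXE_RE.match(command)
        if not m:
            continue
        p = PureWindowsPath(m.group("exe"))
        base = p.name.lower()
        if base in DROPPED_FILENAMES:
            hits.append((name, command, "dropped-file name"))
        elif base == "explorer.exe" and p.parent.name.lower() != "windows":
            hits.append((name, command, "explorer.exe outside the Windows directory"))
    return hits


def parse_detections(log_lines):
    """Extract (module, path, detection_name) from AMON/IMON log lines;
    lines that are not detections ("is OK") are skipped."""
    found = []
    for line in log_lines:
        m = LOG_LINE_RE.match(line)
        if m:
            found.append((m.group("module"), m.group("path"), m.group("name")))
    return found


def triage(export_text, log_lines):
    """Combine both views: persistence entries to remove and which of the
    thread's detection names the scanner log already mentions."""
    persistence = suspicious_run_entries(parse_run_key(export_text))
    detections = parse_detections(log_lines)
    families = sorted({d[2] for d in detections} & DETECTION_NAMES)
    return {"persistence": persistence, "detections": detections, "families": families}


if __name__ == "__main__":
    report = triage(RUN_KEY_EXPORT, NOD32_LOG)
    for name, command, why in report["persistence"]:
        print(f"Run-key entry '{name}' -> {command}  [{why}]")
    for module, path, det in report["detections"]:
        print(f"{module}: {det} at {path}")
    print("Known families in log:", ", ".join(report["families"]))
```

On a live Windows box the registry input would come from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, and the log from the NOD32 log viewer's export; the point of the browser-cache path in the first log line is the one Brian N raises later in the thread, namely that a file IMON reported as blocked can still exist on disk inside Temporary Internet Files until AMON or an on-demand scan reaches it.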
  11. POS

    POS Guest

    When will the next update be?
     
  12. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Is this it?

    NOD32 - 1.1301 (20051123) / posted 20:37
    Virus signature database updates:
    Win32/Bagle, Win32/Rbot (4), Win32/Spy.Banbra.DT, Win32/Spy.Bancos.U (2), Win32/Spy.Banker.NGX (2)
     
  13. POS

    POS Guest

    No, it's not. Just downloaded the file again and NOD32 still does not detect it...
     
  14. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    It will in the next update (1.1302)
     
  15. POS

    POS Guest

    I know, but when will update 1.1302 be available? A lot of people here in Brazil are receiving this e-mail with this trojan...
     
  16. POS

    POS Guest

    Also KAV has just done an update, and now it can detect this malware... Eset must be faster...
     
  17. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    It is now detected in the 1.1302 definitions. ;)

     
  18. POS

    POS Guest

    Just a last question:

    I've tested the trojan yesterday, when NOD still couldn't detect it... I've executed it, and it started downloading 2 other trojans (Win32/Spy.Banbra.DT)... NOD32 IMON said it had stopped both trojans... so I blocked internet connections using ZoneAlarm and everything was just fine... But after this, I opened Windows Explorer and NOD32 found the Win32/Spy.Banbra.DT trojan there... (c:\), and deleted it...


    What I don't understand is: Didn't NOD32 IMON block it? It said it had blocked it, so why was the trojan there? By the way, I think the trojan was corrupted, so if NOD32 AMON detected it, is it considered a false positive?

    Only iexplorer.exe is configured to High efficiency in IMON.
     
  19. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    You executed it, well aware that it was in fact a trojan? ...
    Do a complete system scan and delete anything NOD finds.

    And also, it seems to me that you downloaded the file before the 1.1302 update was released, so it could be that file AMON detected later on. Do remember that your browser has a cache where it stores files. Unpacking programs store files in the %temp% folder, like WinZip and WinRAR.
     
    Last edited: Nov 24, 2005
  20. POS

    POS Guest

    I think you didn't understand what I meant... it's not your fault, I'm Brazilian, and my English is very poor...

    The trojan voxcard.exe that I've executed downloads 2 other trojans. NOD32 didn't have a signature for this trojan until the 1.1302 update. But NOD32 has the signatures for the other 2 trojans that voxcard.exe downloads.

    So, I've executed the trojan voxcard.exe, and it has downloaded 2 other trojans (both called Win32/Spy.Banbra.DT). When downloading, NOD32 IMON said that it had blocked the two Win32/Spy.Banbra.DT trojans. But after all, when I opened Windows Explorer, NOD32 AMON detected one of the two Win32/Spy.Banbra.DT (after this I've made a scan and NOD32 found the other).

    The question is: Why were the Win32/Spy.Banbra.DT trojans on my hard disk if NOD32 said that IMON had blocked both?
     
  21. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Ah now I understand :) I agree, that's pretty weird actually.

    Edit:
    Ok you say IMON blocked 2 threats. In the signature update it says: Win32/TrojanDownloader.Banload.NAB (2)
    The (2) indicates that another 'subsignature' was added - That's probably why it is detecting it now :)

    If only the trojan was added "voxcard.exe" there would be no ().
     
  22. POS

    POS Guest

    But NOD32 IMON detected the other 2 trojans before the update... and it said it had blocked both... so why are they on my HD?
     
  23. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Because there is a total of 4 threats.

    1: The trojan itself (added in the update)
    2: The file that it downloads (blocked by IMON)
    3: Another file that it downloads again (blocked by IMON)
    4: The new subsignature (added in the update). That's why you see: Win32/TrojanDownloader.Banload.NAB (2)
    :)
     
    Last edited: Nov 24, 2005