IRC Bot not flagged by NOD32

Discussion in 'NOD32 version 2 Forum' started by BTW, May 17, 2005.

Thread Status:
Not open for further replies.
  1. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    Post it in the wishlist thread... it's sticky, you should be able to find it near the top of the v2 forum.

    regards

    Greg
     
  2. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Marcos, I sent a sample through the Control Center 3 days or more ago and my Event Log still does not contain an entry about a successful submission.. is this bad?
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Are you sure it was a sample that could not already be submitted by someone else?
     
  4. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    I think so, or at least it is quite possible, since what was probably an unknown NewHeur_PE virus was found on my girlfriend's computer... she really goes on the internet very rarely, and when she does it is mostly Slovak or similar... sites.. I also sent a "probable variant" of WebAnhacer (I don't know exactly what it is called any more) and likewise there is no event about a successful submission in the Log.. I think this could be handled better, and when a file is not sent because it has already been sent, that should be clearly written in the log, etc....
     
  5. Visitor99

    Visitor99 Guest

    Are you sure it was a sample that could not already be submitted by someone else?

    ---------------------------

    What is this supposed to mean? You said if it was sent successfully and the ESET server received it, then it would add an entry back in the log. Now it appears that you're saying that if it was already submitted by someone else, then you won't get a log entry! That's a crock! If you submit something, then you should get something back saying it was received.
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    What Marcos is saying is that if the file has already been submitted by someone else, then your machine will not submit it again, as in they do not need to receive 5000 submissions of the same sample.

    The person that does submit the file first will have an entry in their logs.

    Hope this helps...

    Cheers :D
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Perhaps it MIGHT be a good idea for NOD to set it so you get a pop-up saying "file sent & received" or "file rejected as already in database", if that is possible, to eliminate these problems.

    We do need to remember that many people who are infected will panic, and the reassurance value of knowing that the sample will be included, or is already known and so will very soon be included, is good public relations.

    The ability to submit from within the AV is very important; many of NOD's competitors cannot do that and send via email, so you know it has gone and assume it is received.

    With NOD, where there is no acknowledgement except digging through logs which are not easy to read at the best of times, you sometimes don't know that it has even been sent.
     
  8. Visitor99

    Visitor99 Guest

    That's exactly what I said and it's stupid. How is the person submitting it supposed to know that someone else has already submitted it?

    Each sample submitted should get some sort of reply back that it was received.
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Agreed, and good post Derek.

    Cheers :D
     
  10. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Because I am creative enough..I could change a few bits of code and packing so that even bad boys already detected, with updates released or heuristics in place faster by one AV compared to another, might still be an issue to you..

    http://www.dslreports.com/forum/remark,13436505~mode=flat~days=9999~start=20#13446896

    What is more important to me is how many people are infected with it at any given moment.

    Currently there are 43 and counting variants of the fast-moving Win32/Mytob FAMILY. Combining malicious packages is the trend nowadays..I think every major AV is doing a good job for their customers in keeping down a threshold number as to when all their customers are protected...especially since we all know many are started locally in various countries, like what we have seen with the Sober worm reappearing, and that is the goal..keeping it contained.
     
  11. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    So if instead of saying nothing there was a log entry noting that ESET already has a copy of the file, then would that in your view be sufficient reply back for that situation?
    If you open quarantine, click 'Submit for analysis', browse to the infected file that wasn't detected, and fill in the comment and your email address, you can send any file that needs investigation, detected or not, without needing to use Outlook. I'm sure this would show up in your logs if ESET do not already have a sample.
     
    Last edited: May 20, 2005
  12. BTW

    BTW Guest

    Quote:
    Originally Posted by BTW
    Seems to me but didn't check that's for submitting suspected files found by NOD32 and/or in quarantine. This file was not suspected by NOD32 => I sent it from Outlook.

    If you open quarantine, click 'Submit for analysis', browse to the infected file that wasn't detected, fill in the comment and your email address you can send any file that needs investigation, detected or not without needing to use outlook. I'm sure this would show up in your logs if ESET do not already have a sample.
    __________________

    As the file is not detected by NOD32, why should it be in quarantine? I would have to put it in the quarantine myself, as NOD32 has no reason to put an unsuspected file into the quarantine...
     
  13. zashita

    zashita Registered Member

    Joined:
    May 17, 2005
    Posts:
    309
    The quarantine box gives you the possibility to send a file to Eset without using your email software, any file ...
    It is easy and fast. The file doesn't need to be in the quarantine folder; you can submit any file by browsing your drive. Click on the button 'Submit for analysis' and choose the file you want to submit.

    Regards
     
  14. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Well it seems to me that if you are really smvs at tweaker.net. But maybe you are not that person..but rather someone who just got a copy and submitted it..which is it ??

    http://gathering.tweakers.net/forum/list_messages/1036449

    then it answers a lot of questions for me..as to how the picture thing got on a PC in the first place.

    And also why KAV and BD then finally detect it fast before the others. :D

    But it also tells me more..that particular bot is easy to avoid in the first place
    even if you get it in MSN renamed from someone you do not even know..you just dump it. ;)

    But if you are that curious to find out what is inside..you don't Infect your own system with the darn thing.

    There are more than 1000 IRC bot variants with a very short life span, and only fewer than 100 or so people in a local area, among the people they contact, get infected at a time.

    Please tell me if you are really a person who was infected with this picture_14.exe..what other text message did you receive with it..since you have not mentioned this yet ?

    Also did you get it with MSN Messenger ?

    W32/Rbot-ACQ is a worm with backdoor Trojan functionality.
    W32/Rbot-ACQ connects to an IRC channel and listens for backdoor commands from a remote attacker.
    When first run the worm copies itself to the Windows system folder as MSNMSGRS.EXE.
    The following registry entries are created to run MSNMSGRS.EXE on startup:
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\strmsnmsgr = msnmsgrs.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\strmsnmsgr = msnmsgrs.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\strmsnmsgr = msnmsgrs.exe

    And new ones come up each day, renamed

    http://www.pcreview.co.uk/startup/MSN-id-3394.php


    http://www.bleepingcomputer.com/startups/Cat-M.html

    It all usually starts with a version of W32.Netsky repackaged for Messaging

    http://www.srnmicro.com/virusinfo/netsky-ad.htm


    http://msmvps.com/trafton/archive/2005/03/06/37762.aspx

    http://msmvps.com/trafton/archive/2005/03/06/37763.aspx
     
  15. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    C'mon, let's work together on this: the 'Submit for analysis' button on the quarantine tab lets you browse to a non-quarantined file on your system, so even though this particular file was not in quarantine you can still ask to submit it to ESET.
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I've seen dozens of samples submitted manually despite previously being detected and identified by name. Also, there are files from the prefetch folder which people think are infected and not detected because of a bug in NOD32, etc. Some people submit 4 (four) byte files, thinking they are infected and wondering why NOD32 did not pick them up...
     
  17. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Even the EICAR test file is only 68 bytes and it's tiny :)
     
  18. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    That must drive you guys nuts at ESET :mad:

    The prefetch for XP still confuses many people, so I just give up and have them download a free 28K tool and give them a GUI to play with so they can feel CLEAN.

    :D
    No You do not have a trojan in your PreFetch, What are those .pf files on my PC ?
    http://forum.gladiator-antivirus.com/index.php?act=ST&f=70&t=26326&st=0#entry97074
     
    Last edited: May 21, 2005
  19. BTW

    BTW Guest

    Hello,

    No, I am not that person.

    I presume KAV detected it because it can handle more than 600 runtime packers, while other AVs, like NOD32, handle only a few.

    No, I didn't get it through MSN Messenger: I don't accept files even from my own contacts ;) I purposely visited the site to d/l the worm in order to analyse it, as I had been asked to by one of my customers :cool:

    I know there is a myriad of variants, I just wonder:
    1. Why advanced heuristics don't catch it (probably because of an exotic runtime packer)
    2. Why they did not add it to the DB in the next DB update after submission
    3. Why there is no answer, even an automatic one, after submission through mail or from the NOD32 GUI; there is a good suggestion from a reseller: any submitted sample should get an answer even if the sample has already been submitted by someone else. It's easy to send a reassuring message telling them you received the mail or the sample: that's what I do for my own bizness out of respect for my customers, especially when they try to help me. As I said before, I don't care about this cheap bot for myself :-D.

    Regards,
     
  20. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    @BTW

    Good, glad we established that..so did you just then scan that picture_14.exe thingie with your NOD..or did you actually then try to infect a PC with MSNMSGRS.EXE that had NOD running, and want to tell us it failed to do that with the way you have NOD set up ? :D

    And if you read the link I posted and understand Dutch..you will know why (in the timeframe you speak of) KAV and BD then finally ID that one..but before that time..neither could stop it..just state it looks suspicious.
     
  21. BTW

    BTW Guest

    So sorry, I don't understand Dutch, and it's hardly understandable with an online translator ;(

    No, NOD32 did not prevent it ;) My blocker warned that the program tried to write a RUN key in the registry
    (my customer running NOD32 had these keys in his registry according to HijackThis; he runs MSN Messenger but he didn't know if he got it through MSN Messenger):
    O4 - HKLM\..\RunServices: [strmsnmsgr] msnmsgrs.exe
    O4 - HKCU\..\Run: [strmsnmsgr] msnmsgrs.exe
    and it was no Netsky variant.
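The two HijackThis O4 lines quoted above, as an added example that is not part of the original thread and not ESET's or HijackThis's code: a small Python audit that parses O4 lines and flags the two traits the bot's persistence shows, a program name with no drive or directory (so it is resolved from the Windows system folder via the search path) and the same value name planted under more than one autorun key. The sample log is constructed here; the two benign entries (the nod32kui and ctfmon paths) are assumptions added for contrast, not taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample log: the two O4 lines BTW quoted from HijackThis, plus
# two made-up benign-looking entries (assumed, not from the thread) so the
# audit has something to leave alone.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\RunServices: [strmsnmsgr] msnmsgrs.exe",
    r"O4 - HKCU\..\Run: [strmsnmsgr] msnmsgrs.exe",
    r"O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

# HijackThis abbreviates the autorun key to "<hive>\..\<subkey>".
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")


def image_path(command):
    """Return the program part of an autorun command, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    acc = ""
    for part in command.split(" "):
        acc = part if not acc else acc + " " + part
        if acc.lower().endswith(EXEC_EXTS):  # unquoted path with spaces ends at the extension
            return acc
    return command  # no recognised extension: treat the whole thing as the image


def parse_o4(line):
    """Parse one HijackThis O4 line into its components, or None if it is not one."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    return {"hive": hive, "key": key, "name": name,
            "command": command, "image": image_path(command)}


def audit(lines):
    """Flag autorun entries that look like the thread's bot: a bare image name
    (no drive or directory, so it is found through the search path, i.e. the
    system folder) and one value name present in several autorun keys."""
    bare, by_name = [], defaultdict(list)
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        image = entry["image"]
        if "\\" not in image and ":" not in image:
            bare.append(entry)
        by_name[entry["name"]].append(entry["hive"] + "\\" + entry["key"])
    multi = {n: locs for n, locs in by_name.items() if len(locs) > 1}
    return {"bare_image": bare, "multi_location": multi}


if __name__ == "__main__":
    result = audit(SAMPLE_O4_LINES)
    for e in result["bare_image"]:
        print("bare image name:", e["hive"] + "\\" + e["key"], e["name"], "->", e["image"])
    for name, locs in result["multi_location"].items():
        print("value", name, "present in", len(locs), "autorun keys:", ", ".join(locs))
```

Neither trait is proof of infection on its own (plenty of legitimate installers write bare names), but an entry that shows both, under HKCU and HKLM at once, is exactly the shape the thread's worm leaves behind and is worth submitting for analysis.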
     
  22. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    You missed one since there are three.

    W32/Rbot-ACQ is a worm with backdoor Trojan functionality.
    W32/Rbot-ACQ connects to an IRC channel and listens for backdoor commands from a remote attacker.
    When first run the worm copies itself to the Windows system folder as MSNMSGRS.EXE.
    The following registry entries are created to run MSNMSGRS.EXE on startup:
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\strmsnmsgr = msnmsgrs.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\strmsnmsgr = msnmsgrs.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\strmsnmsgr = msnmsgrs.exe

    I guess you do not then even have NOD ..but best I guess to give "your customer" the benefit of the doubt his NOD was updated and set up correctly.

    NOD32 Setup Tutorial (for Advanced Protection)
    Screenshots courtesy of © Blackspear 2004
    http://www.nod32-av.com/setup/nod32setup.htm

    I just want to make sure no one is cheating on Fred Cohen's Proclamation.

    Goedel Incompleteness Theorem is a two way street and I like all the facts.

    "Catastrophe may be inevitable, but it need not be crippling."

    I see neither catastrophe nor any hint of crippling on that bugger and, as you say, "as I said before I don't care about this cheap bot for myself :-D."

    Thanks again for submitting it..best to you in your own bizness.

    It is strange that your customer would not know where he/she got picture_14.exe.

    I suspect it was from Messenger..hope you warned them to be careful.

    I don't think anyone else will ever be hit with picture_14.exe.

    What do you think ?
     
  23. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK

    I have sent you a set of 2-byte files that are part of a worm infection.

    Even though the files themselves are not infected, and cannot be infected with only 2 bytes, the names of the files

    C:\WINDOWS\system32\CMD.COM
    C:\WINDOWS\system32\netstat.com
    C:\WINDOWS\system32\ping.com
    C:\WINDOWS\system32\regedit.com
    C:\WINDOWS\system32\tasklist.com
    C:\WINDOWS\system32\taskkill.com
    C:\WINDOWS\system32\tracert.com

    use a Windows peculiarity where a .com runs before a .exe of the same name. Consequently, having a 2-byte file in the system folder prevents the real file from running unless it is expressly called with the full .exe name, so that bunch disables regedit and the other utilities to stop them being used.

    None of the AVs can detect them, but they are a major problem and the latest way that malware authors are using to prevent them being easily fixed.
     
  24. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Why do you think they are so hard to detect..and where is the rest of the files, Derek ??

    W32.Picrate.A@mm

    http://securityresponse.symantec.com/avcenter/venc/data/w32.picrate.a@mm.html
     
  25. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    The Picrate can be detected as there is code there even though it's corrupt.

    The Alcan worm, aka W32.Alcra.A:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html

    The 2-byte files only contain the 2 letters MZ.

    No AV can detect a 2-byte file reliably, as MZ is the start of most executable files, and it's no good going by name as the names can be legit.
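Derek's two posts above (the 2-byte .com stubs that shadow the real utilities, and why "MZ" alone cannot be a signature), as an added example that is not dvk01's, ESET's or any AV vendor's code: a Python check that walks a directory and flags a .com file sitting beside a .exe of the same basename, noting whether the .com is only an MZ signature with no real DOS header behind it. The scanned directory is a constructed temporary stand-in for a system folder, built from the file names listed in the thread, so the script runs offline; the "helper.com" file is an assumed legitimate .com added to show what is not flagged.

```python
import os
import tempfile

# Names dvk01 listed in the thread; the genuine utilities ship as .exe.
THREAD_NAMES = ["cmd", "netstat", "ping", "regedit", "tasklist", "taskkill", "tracert"]
DOS_HEADER_LEN = 64  # a real MZ executable carries at least a 64-byte DOS header


def is_mz_stub(data):
    """True for data that starts with 'MZ' but is too short to be a real executable.
    'MZ' alone is not a detection: every PE file starts with it, which is
    Derek's point about why no AV can reliably flag a 2-byte file by content."""
    return data[:2] == b"MZ" and len(data) < DOS_HEADER_LEN


def find_com_shadows(system_dir):
    """Report .com files that sit beside a .exe of the same basename.

    When a command is typed without an extension, Windows tries .COM before
    .EXE (the PATHEXT order), so such a .com file runs instead of the real tool.
    """
    names = os.listdir(system_dir)
    exes = {n[:-4].lower() for n in names if n.lower().endswith(".exe")}
    findings = []
    for n in sorted(names, key=str.lower):
        if not n.lower().endswith(".com"):
            continue
        base = n[:-4].lower()
        path = os.path.join(system_dir, n)
        with open(path, "rb") as f:
            data = f.read(DOS_HEADER_LEN)
        if base in exes:  # only a .com that collides with a .exe name is a shadow
            findings.append({
                "file": n,
                "size": os.path.getsize(path),
                "mz_stub": is_mz_stub(data),
            })
    return findings


def build_sample_dir(root):
    """Constructed stand-in for a system folder (not a real system): header-sized
    MZ files standing in for each utility's .exe, plus the 2-byte 'MZ' .com
    stubs described in the thread, and one assumed legitimate .com for contrast."""
    fake_exe = b"MZ" + b"\0" * (DOS_HEADER_LEN - 2) + b"PE\0\0"
    for base in THREAD_NAMES:
        with open(os.path.join(root, base + ".exe"), "wb") as f:
            f.write(fake_exe)
        # Mirror the thread's mixed case ("CMD.COM") for the first stub.
        com_name = "CMD.COM" if base == "cmd" else base + ".com"
        with open(os.path.join(root, com_name), "wb") as f:
            f.write(b"MZ")  # the whole 2-byte file
    # A .com with no .exe twin and a full header must not be reported.
    with open(os.path.join(root, "helper.com"), "wb") as f:
        f.write(fake_exe)


def demo():
    """Build the sample directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_dir(root)
        return find_com_shadows(root)


if __name__ == "__main__":
    for hit in demo():
        kind = "2-byte MZ stub" if hit["mz_stub"] else "real code"
        print(f"{hit['file']}: shadows a .exe of the same name, {hit['size']} bytes, {kind}")
```

The decisive signal is the combination: a .com file the size of a signature, in the system folder, whose basename collides with a command-line tool. Any one of those alone has legitimate cases, which is exactly why a content-only or name-only rule is unreliable.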
     