"IrcConnect 3.0" virus not detected!

Discussion in 'NOD32 version 2 Forum' started by redgob, Jul 28, 2004.

Thread Status:
Not open for further replies.
  1. redgob

    redgob Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    10
    I noticed it because it was connecting to irc.quakenet.com continuously!

    It was a file named schot.exe in the system32 folder.

    I tried to scan the file with nod32 (v2 latest update) and it didn't detect it at all.

    Finally I used an online virus scanner that succeeded in identifying the virus.

    It's an old virus, in the nod32 database since 2002.

    Finally I downloaded and installed the nod32 beta and... miracle, it works! The beta detected the virus.

    Could you explain to me why nod32 v2 cannot always detect viruses that are well known? :doubt:
     
  2. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Last edited: Jul 28, 2004

  3. That's interesting. If it's in the NOD32 database as being recognized, then it should detect it, unless it's some sort of new variant. Did you submit it to them for a "look see"? Someone from ESET should give a good explanation for this!
     
  4. redgob

    redgob Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    10
    I notified ESET a few days ago by sending a message to their support and I've had no answer as of today, perhaps they are not interested...

    Also I've just posted my infected file to www.virustotal.com, here is the report:

    -------------------------------------------------------------------------
    Virus Total
    _______________________________________________

    Scan results
    File: svchot.exe
    Date: 07/28/2004 19:12:55
    ----
    BitDefender 7.0/20040728 found [Backdoor.Irccontact.3.0]
    ClamWin devel-20040719/20040727 found nothing
    eTrustAV-Inoc 4641/20040727 found [Backdoor/IRC.Contact.30.Server]
    F-Prot 3.15/20040728 found nothing
    Kaspersky 4.0.2.23/20040728 found [Backdoor.IrcContact.30]
    McAfee 4382/20040728 found [IRC-Contact]
    NOD32v2 1.824/20040727 found [Win32/IrcContact.30]
    Norman 5.70.10/20040727 found nothing
    Panda 7.02.00/20040728 found [Bck/Irccontact.A]
    Sybari 7.5.1314/20040728 found [Backdoor/IRC.Contact.30.Server]
    Symantec 8.0/20040727 found nothing
    TrendMicro 7.000/20040726 found nothing
    -------------------------------------------------------------------------

    So I don't understand why it didn't work on my PC, perhaps virustotal is using the beta or perhaps something went wrong with my previous nod32 install... o_O
     

  5. From the looks of it, they are using V2 of NOD32, so I'm not sure why it didn't work on your PC. How are your settings and what definition date are you using?
     
  6. redgob

    redgob Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    10
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I would "tweak" your Nod32 settings up, see the sticky thread of mine at the top of this forum.

    If you don't hear from Eset within a few days of sending an email, please always resubmit the file.

    Hope this helps...

    Cheers :D
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Hi Redgob,
    please post me a PM with the exact date and subject of the email you sent as well as the address you sent it to. I wonder if you could resend it to support@nod32.com in case you used a different address.
     
  9. redgob

    redgob Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    10
    Sorry but I used an online form: http://www.nod32.com/support/supreq_us.htm
    and I gave an email address from http://www.jetable.org that I have forgotten.

    It seems something went wrong with my nod32 installation, perhaps a problem during update?

    If you want I can send you a copy of the virus.
     
  10. redgob

    redgob Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    10
    Thx but with the beta and default settings the virus is detected.

    In fact I haven't submitted the file... A bit reluctant to send viruses to people.
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    That's what they want you to do: zip it up and fire it off to samples@nod32.com

    This way they can work out why there was a problem, or if there is a new variant of a virus etc...

    Cheers :D
     
  12. redgob

    redgob Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    10
    It's done ;)
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you keep us in the loop as to the results, always interesting to see what the final outcome is...

    Cheers :D
     
  14. redgob

    redgob Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    10
    The outcome is: nothing.

    I sent the virus and no answer...

    Ok, the virus is now detected by the beta, but what about all the people who don't use it?

    I don't feel secure anymore using nod32.
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Did you send Marcos a PM, as he requested?

    Cheers :D
     
  16. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Hmm... I wonder... Did you enable NOD32 to "diagnose Runtime packers" in the scan setup? Perhaps that's why your NOD32 isn't detecting it?
     
  17. redgob

    redgob Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    10
    No: I answered in this thread
     
  18. redgob

    redgob Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    10
    I used default settings, I don't know if it includes "diagnose Runtime packers". It's something related to real-time protection, no?

    Anyway, it's not the matter: if I scan the infected file DIRECTLY with nod32 v2, it doesn't detect the virus.

    If I scan the same file with nod32 v2 beta it detects it.

    I made a clean install of nod32 v2 and had the same result.
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Does it detect it when you "Tweak" Nod32, as in my sticky thread?

    Cheers :D
     
  20. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    Hmmm, it's strange.
    It should work.
    I always use my settings at maximum power.
    Follow Blackspear's advice and try it out.
    Be sure to select "scan all files" and not just the default ones.
    I'm sure we can trust NOD32 forever.
    Do you want an example?
    Panda antivirus, even today, detects Adobe Reader as a virus if you set the heuristics to maximum, and automatically sends some files to quarantine. Either you use it in default mode, or you have to exclude those files from scanning. And this is happening with the new version too.
    NOD32 is thousands of years ahead of other antiviruses.
    I'm sure Eset knows what happened.
    Let's wait.

    Best Regards,

    DonKid.
     
  21. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    There's a good reason the heuristics in Panda are disabled by default: they're rubbish.
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Redgob,
    please send me a PM with the email address you sent the sample from, I have access to the samples email box so I'll be able to check if it actually arrived. As far as I see, there are no emails left unanswered from the past.

    You should always get a response within a few hours (or 1-2 days at maximum) depending on the severity of the sample.
     