"IrcConnect 3.0" virus not detected!

I noticed it because it was connecting on irc.quakenet.com continuously!

It was a file named schot.exe in the system32 folder.

I tried to scan the file with nod32 (v2 latest update) and it didn't detect it at all.

Finally I used an online virus scanner that succeed to identify the virus.

It's an old virus in nod32 database since 2002.

Finally I have dowloaded and installed the nod32 beta and... miracle it works! the beta detected the virus.

Could you explain me why nod32 v2 can not always detect virus that are well known?

 

Happened to me too with another trojan https://www.wilderssecurity.com/showpost.php?p=222181&postcount=22 never did find out why

 

That's interesting. If it's in the NOD32 database as being recognized, the it should detect it, unless it's some sort of new variant. Did you submit it to them for a "look see"? Someone from ESET should give a good explanation to this!

 

I notified ESET a few days ago by sending a message to their support and I've no answer today, perhaps they are not interested...

Also I've just post my infectedfile to www.virustotal.com, here is the report:

-------------------------------------------------------------------------
Virus Total
_______________________________________________

Scan results
File: svchot.exe
Date: 07/28/2004 19:12:55
----
BitDefender 7.0/20040728 found [Backdoor.Irccontact.3.0]
ClamWin devel-20040719/20040727 found nothing
eTrustAV-Inoc 4641/20040727 found [Backdoor/IRC.Contact.30.Server]
F-Prot 3.15/20040728 found nothing
Kaspersky 4.0.2.23/20040728 found [Backdoor.IrcContact.30]
McAfee 4382/20040728 found [IRC-Contact]
NOD32v2 1.824/20040727 found [Win32/IrcContact.30]
Norman 5.70.10/20040727 found nothing
Panda 7.02.00/20040728 found [Bck/Irccontact.A]
Sybari 7.5.1314/20040728 found [Backdoor/IRC.Contact.30.Server]
Symantec 8.0/20040727 found nothing
TrendMicro 7.000/20040726 found nothing
-------------------------------------------------------------------------

So I don't understand why it didn't work on my PC, perhaps virustotal is using the beta or perhaps something was going bad with my previous nod32 install...

 

From the looks of it, they are using the V2 of NOD32 so I'm not sure why it didn't work on your pc. How are your settings and what definition date are you using?

 

Defult settings and update every hour...

The virus is 9 months old:
http://www.megasecurity.org/trojans/i/irccontact/Irccontact3.0.html

 

I would "tweak" your Nod32 settings up, see the sticky thread of mine at the top of this forum.

If you don't here from Eset within a few days of sending a email, please always resubmit the file.

Hope this helps...

Cheers

 

Hi Redgob,
please post me a PM with the exact date and subject of the email you sent as well as the address you sent it to. I wonder if you could resend it to support@nod32.com in case you used a different address.

 

Sorry but I used an online form: http://www.nod32.com/support/supreq_us.htm
and I gave an email adress from http://www.jetable.org that I have forgotten.

It seems somthing gone wrong with my nod32 installation, perhaps a problem during update?

If you want I can send you a copy of the virus.

 

Thx but with the beta and default settings the virus is detected.

In fact I haven't submited the file... A bit reluctant to send viruses to people.

 

That's what they want you to do zip it up and fire it off to samples@nod32.com

This way they can work out why there was a problem, or if there is a new variant of a virus etc...

Cheers

 

It's done

 

Can you keep us in the loop as to the results, always interesting to see what the final outcome is...

Cheers

 

The outcome is: nothing.

I sent the virus and no answer...

Ok the virus is know detected by the beta, but what about all people that doesn't use it ?

I don't feel secure anymore using nod32.

 

Did you send Marcos a PM, as he requested?

Cheers

 

Hmm... I wonder... Did you enable NOD32 to "diagnose Runtime packers" in the scan setup? Perhaps that's why your NOD32 isn't detecting it?

 

No : I answered in this thread

 

I used default settings, I don't know if it includes "diagnose Runtime packers". It's something related to real-time protection no?

If, it's not the matter : if I scan DIRECTLY the infected file with nod32 v2 it doesn't dectect the virus.

If I scan the same file with nod32 v2 beta it detects it.

I made a clean install of nod32 v2 and had same result.

 

Does it detect it when you "Tweak" Nod32, as in my sticky thread?

Cheers

 

Hummm it´s strange.
It should work.
I always use my settings to maximum power.
Follow the Blackspear advice and try it out.
Be sure to click to "scan all files" and not just the defaults one.
I´m sure we can trust NOD32 forever.
Do you want a example ?
Panda antivirus until today, if you use the heuristics to maximum, it detects Adobe Reader as a virus, and automatically send some files to quarantine. Or you use it in default mode, or have to exclude those files from scanning.And this is happenning with the new version too.
NOD32 is thousand of years ahead from others antivirus.
I´m sure Eset knows what happened.
Let´s wait.

Best Regards,

DonKid.

 

There's a good reason the Heuristics in Panda are disabled by default, they're rubbish.

 

Redgob,
please send me a PM with the email address you sent the sample from, I have access to the samples email box so I'll be able to check if it actually arrived. As far as I see, there are no emails left unanswered from the past.

You should always get a reponse within a few hours (or 1-2 days at maximum) depending on the severity of the sample.