Is this a real virus?

Discussion in 'NOD32 version 2 Forum' started by Pain of Salvation, Nov 28, 2005.

Thread Status:
Not open for further replies.
  1. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    398
I've downloaded a virus simulator and NOD32 didn't detect it... the problem is that I think it's not just a simulator, it's a real virus.. I've sent it to Eset and got no answer. Sent it to KAV and:

    Hello, it is a virus tool.


    --
    Best regards, Shvetsov Dmitry
    Virus analyst, Kaspersky Lab.

    e-mail: newvirus@kaspersky.com
    http://www.kaspersky.com/
    > Attachment: virsim.rar

    > The site I've downloaded this from says it's a virus simulator... but is this a
    > virus simulator or a real virus?
    >


    Is this a real virus?
     
  2. Farbod

    Farbod Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    88
    This one received... :D
     
  3. Happy Bytes

    Happy Bytes Guest

    But we're not speaking about DFK Threat Simulator or? :eek:
     
  4. Farbod

    Farbod Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    88
    No problem, harmless ;)

    Because a lot of AVs detect this DOS tool as malware, so, Happy Bytes, it is now in your mail box. :D
     
  5. Happy Bytes

    Happy Bytes Guest

    Nope, it's not a real virus. So no danger :D
     
  6. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    398
    Thanks for the answers Eset! :)

    Just a question: So why KAV said this: "Hello, it is a virus tool."
     
  7. Farbod

    Farbod Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    88
    Heh heh, good point...

    Because Kav detects this 'test file' as a Trojan :D

    Open notepad and write:

    @echo off
    REM Added comment: saved as resident.bat, this line runs the same file again without end.
    resident.bat

    Then save it as a file. Is it malware, to your mind? :eek:
     

    Attached Files: 555.png (11 KB)
  8. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    398
  9. Happy Bytes

    Happy Bytes Guest

    "Hello, it is a virus tool."

    A "tool" means that it's not a virus itself.
    You can have several different "virus tools" - some might encrypt existing virus and alternating them ---> Virus Tool. Such "TestVirus Dropper" you can classify as Virus Tools, even if they are NOT malicious.
     
  10. Farbod

    Farbod Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    88
    But I don't think we add its signature as a virus tool :D
     
  11. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Another handy test file :p
    I wonder how many others there are I'm yet to hear of :doubt:
    :)
     
  12. gue_st

    gue_st Guest

    The question is, what you should do if you NEED that file.

    About a year ago, while first evaluating NOD32, after a week or so fiddling with some difficult microcode (for a microsensor), I ended up with "probable virus".

    Access to the file was blocked, and the tools I was working with were messed up too. I did not want to change NOD32 to exclude folders or extensions, and I could not find a "no action" option.
    Eset support was asking for the file. I was asking for a general solution and did not submit the file - it is not standard practice with code used in security devices. In answer, Eset was probably suspecting that I am writing a virus, and our discussion was over.

    Uninstalling solved the problem, but I would like to ask what the correct action is in a situation like this.

    Thanks.
     
  13. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    To submit the file. If the submitted file is evaluated as an FP, then after the next update it will not be detected.
     
  14. gue_st

    gue_st Guest

    It definitely makes sense if you picked up that file somewhere.
    Or, even if it is some code of existing program that can appear on other computer.
    Or, if you are just playing around with something.

    But it does not, if you are working on something and know what you are doing.
    Or, there is no way that file can get to another computer - like microcontroller code.
    Or, if internal regulations prevent you from submitting the file.
    Or, if there is no time to wait until analysis and update is done.

    I understand that NOD32 is not just for home user surfing dubious sites.
    So, there should be some way to deal with such situations, and submitting file for analysis as main solution is just plain not serious (of course, it can be done with the purpose of improving NOD32).
     
  15. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Does adding it to the exclusions list not resolve your problem?
     
  16. oeuwe

    oeuwe Guest


    Submit the file to Eset, and if you cannot wait, disable AMON while the file is being analysed in Eset labs.
     
  17. gue_st

    gue_st Guest

    I think that an MD5 exclusion directly from the alert window should perfectly solve the problem.
    Otherwise, how can I exclude a file which is not created yet and whose name I don't know? The stupid tools I was using were creating the file first in a temporary directory, under some random name.
    So, I would need to exclude the whole directory, which I do not want, for obvious reasons. I even think that the ability to exclude directories is far more dangerous than the ability to switch the AV off.
     
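    The difference between the two exclusion styles discussed above, as an added illustration that is not NOD32's code or any poster's own: a hash allowlist matches the exact bytes of a file the user has already reviewed, whatever random name the build tool gives it, while a directory exclusion silently waves through every other file that later lands in the same place. The file contents, names and the temporary directory are constructed for the example; SHA-256 is used in place of MD5 because it is the hash a practitioner would choose today, but the logic is the same.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for the file the user reviewed by hand and trusts.
TRUSTED_BYTES = b"microsensor firmware build, reviewed by hand\n"


def sha256_of(path):
    """Hash a file in chunks so a large build does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def excluded_by_hash(path, allowlist):
    """True only if the file's bytes are exactly one of the reviewed files.

    Any change to the content (a rebuild, a tampered copy) produces a new
    hash and the file is scanned normally again.
    """
    return sha256_of(path) in allowlist


def excluded_by_dir(path, excluded_dirs):
    """True if the file sits anywhere below an excluded directory,
    regardless of what it contains."""
    p = Path(path).resolve()
    for d in excluded_dirs:
        try:
            p.relative_to(Path(d).resolve())
            return True
        except ValueError:
            continue
    return False


def demo():
    """Run both rules over a constructed temp directory and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # The build tool writes the reviewed content under an unpredictable name...
        trusted = tmp / "tmp8f3a1c.bin"
        trusted.write_bytes(TRUSTED_BYTES)
        # ...and an unrelated, unreviewed file lands in the same directory later.
        stranger = tmp / "tmpd9e042.bin"
        stranger.write_bytes(b"unrelated and unreviewed content\n")

        # The allowlist is built from the reviewed bytes, never from a path.
        allowlist = {hashlib.sha256(TRUSTED_BYTES).hexdigest()}

        by_hash = {f.name: excluded_by_hash(f, allowlist) for f in (trusted, stranger)}
        by_dir = {f.name: excluded_by_dir(f, [tmp]) for f in (trusted, stranger)}

        # Renaming the reviewed file changes nothing for the hash rule.
        renamed = tmp / "zz_other_name.bin"
        trusted.rename(renamed)
        by_hash["renamed"] = excluded_by_hash(renamed, allowlist)

    return {"by_hash": by_hash, "by_dir": by_dir}


if __name__ == "__main__":
    for rule, verdicts in demo().items():
        print(rule, verdicts)
```

    The hash rule excludes the reviewed file under any name and nothing else; the directory rule excludes both files, which is exactly the exposure the poster above wants to avoid. The caveat cuts the other way too: a hash exclusion is per build, so every rebuild needs a fresh entry, and it does nothing to fix the false positive for anyone else.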
  18. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    IMHO it would not. ESET has to investigate all FPs and analyse why they happened. Therefore MD5 is not a good solution.
     
  19. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    And if you call the file resident.bat then you could successfully use your PC as a small heater just by running it. (after disabling AMON) :)
     