Just came across a cool file that just nuked everything.

Discussion in 'NOD32 version 2 Forum' started by tempnexus, May 8, 2005.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    I just came across a cool file that just nuked everything off my VM. It did not get picked up by NOD32 nor BoClean.
    So do no execute a file that in a decription says:
    TEMPERASER MFC

    The icon is of a blue bubble that says "chat" the exact file size is 606,208 bytes.

    KAV ID it, same goes for Mcaffee, Avast but the rest are haveing problems inlcluding Norton.
    TDS-3 detects it as KILLFILES.hi
    So be careful.

    Yeah did send it to NOd32 and others.


    P.S.
    Nod32 in question is 2.5 beta at max settings.
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    ArcaVir and Dr.Web detect this Trojan too.

    NOD32 does not, it seems :(
     
  3. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Over the years of testing different anti-viruses I concluded that Nod32 is low on resources but not really something I would fully trust. They are trying I know that.
    But that file is quite old and it has been around the net for a while. And inlcuding that fact that a free AV detects it and a paid does not is kind of :oops: .
    It would be a childplay if the file was nothing more but a worm, but in fact this file nukes your whole harddrive! :) It leaves the running icons in place so you think that your protection is working...but once you duble click on it you will realize that nod32.exe blah blah.exe can not be found error. :)
     
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Good thing I've got McAfee on my bro's PC........I came only two days ago to the NOD community :)

    Not saying NOD is bad - I've submitted many files to Jotti where NOD heuristics caught - the heuristics work 80-85% of the time :)

    And that is what I love about NOD (apart from Daddy Cool Happy Bytes of course :D)
     
  5. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    you have never tested it against spyware or trojans haven't you? :) :) :)
    The heuritics don't fare so well there.
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Spyware...No.

    Trojans...yes. Still quite good. From my observation, NOD32's heuristic trojan detection was better than BitDefender or ArcaVir - both of which have a nice heuristics engine (not as good as NOD32 though) :)

    Signature wise - BitDefender is better, and NOD32 is roughly equal to ArcaVir :)
     
  7. Holden4th

    Holden4th Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    69
    So you just doubled clicked on a file (with eraser in the file name) that you knew nothing about and thought, "Oh well, I've got an AV, all will be well". What a wonderfully astute move!

    And, perchance, did this file arrive via e-mail from someone you'd never heard of? Another example of your sagacity?
     
  8. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    Well, I understand what you mean Holden4th but I find too that NOD32 should have reacted. If KAV, Avast and Mcafee gave a howl NOD should have done the same. Especially since it's an older file it should have been something detected by at least the heuristics, or not?
     
  9. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    You'd want this detected by heuristics? Are you serious? Heuristics are behavioral directed techniques. Detecting this by heuristics would run the risk of flagging every drive/folder cleaning program in existence. No, this is one that needs signature coverage - either specific or generic.

    Blue
     
  10. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    I don't care which part of NOD would have detected this :)
    Of course the heuristics is not the most probable piece to do that...

    But not deteing anything at all, while other programs do (by signatures) is not cool.
     
  11. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Edwin,

    It's in that heuristics "is not the most probable piece to do that", it's that heuristics is not the piece period. I'm being a little strident on this point since users or potential users of NOD32 might not understand the issues behind the words and view this as a significant shortfall of the heuristics component in NOD32, which it is decidedly not.

    Naturally, being able to deal with this type of program would require a sample to develop a robust signature, which apparently has be provided by the original poster.

    Even at that, I am somewhat less sanguine at the direction that posters are indicating in this thread. Not all bad outcomes are due to malware - I am ignoring all specifics in this particular case since I have not seen the file in question. The fact of the matter is, it's likely that a renamed, but valid, automated disk eraser utility would perform precisely the job described in thread, as would a simple batch file with the single command "DEL /S C:\*.*" Bad outcomes if run inattentively to be sure.

    Blue
     
  12. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I would like to report that this sample should be added soon (say, a week or so at the maximum:)) as Eset should have recieved this sample because some others have also sent it.
     
Thread Status:
Not open for further replies.