My first worm - only KAV picked up

Discussion in 'malware problems & news' started by lynchknot, Aug 9, 2004.

Thread Status:
Not open for further replies.
  1. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Well, I'm sure other AVs may pick it up, but all other security apps I have did not.
    MKS online scanner did not pick this up. Of course, it may not be geared for worms, I suppose.

    Here is my first worm, P2P Tibick.

    After KAV reported it, I hit it with everything I've got here.

    I've got Wormgard trial installed as well

    Of all the scanners I have available, only KAV reported it. It was successfully deleted upon closing eMule.

    Maybe this is a false positive? I will take it to other online scanners then.
     
    Last edited: Aug 9, 2004
  2. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Are part files even executable?

    I am not familiar with emule but is this just part of a file?

    Wow you sure got a lot of items in your context menu :eek:
     
  3. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA

    Yeah, nice of KAV (if it's legit) to pick it up as it arrived, even as a part file. A Google search did not turn up much info, but KAV included this in its definitions.

    I know, I need to clean up context menu a little. :D
     
  4. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    This has actually been debated before in the form of AV tests. How effective is it really for an AV to detect "part" of a malware? Especially when the "part" by itself is not dangerous or in some cases not even executable. If part files are not executable, then even if this is a legit virii/worm, I consider it a bad detection.
     
  5. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    This is the first ever detection for me (with KAV), and I'm glad it was a part file. I would prefer that over a full live file, if this is truly a worm.
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  7. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Ab-so-bloody-lutely... so would I... don't give the buggers a chance to "breed" is my motto, LOL....

    It could also mean that, by "part file", it grabbed it before it fully had a chance to download.

    In a thread about using AVG, I pointed out that AVG [for me anyway] did not even detect the start of the eicar.com/.bat/.zip test files upon download; it waited until they were downloaded and then a scan was done. I want mine to detect FIRST, not after they're downloaded.

    TAS
     
  8. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    hehee, it's a "newbie" :p
     
  9. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    The worm is??

    Submitted, I take it?

    Good show... :D

    TAS..


    PS: Keep us informed of updating from KAV.
     
  10. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    No, I mean it's relatively new; submitted:

    W32.Tibick File infector 07/27/04
     
  11. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    This would actually make a little bit more sense to me. Though I do not know enough about this method of detection to know if it is reliable. I know DrWeb can also detect some suspicious/infected files in the download process. Doesn't NOD32 use something similar in the form of HTTP scanning?

    The problem for me is that if the file is not even executable, what danger does it really pose? An example that comes to mind is that of Perrun. A couple of years ago when it first came out, many at first thought that JPEGs and TXT files could now be used to infect computers. In fact it still required an executable to be run (proof.exe). Even if you were to click an infected JPEG or TXT, it would still have to trigger yet another exe (extrk.exe) for the payload to occur. If one only adds detection for the exes, it will be detected before it infects the computer or even before the payload occurs.

    I don't mean to start another argument on this subject, just thought I would provide another point of view :)
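The point rerun2 makes above, that a partial download can already carry a recognisable signature while not yet being a loadable executable, is easiest to see in code. What follows is an added example written for this thread; it is not the code of KAV, Dr.Web, NOD32 or eMule. The signature bytes, the in-memory "download" and the 1 KiB sample file with its minimal MZ/PE header are all constructed here so the script runs offline. It shows a chunk-wise scanner that carries a tail across chunk boundaries (so it fires while the file is still a .part file), the naive per-chunk variant that misses a pattern straddling a boundary, and a loose completeness check for the executable headers.

```python
"""Chunk-wise signature scan of a partially downloaded file.

Added example for this thread; not the code of KAV, Dr.Web, NOD32 or eMule.
The signature, the in-memory "download" and the chunking are all constructed
here so the script runs offline.
"""

from typing import Iterable, Iterator, Optional, Tuple

# Constructed stand-in for one entry in an AV definition file (29 bytes).
TEST_SIGNATURE = b"CONSTRUCTED-TEST-PATTERN-4F2A"


def chunked(blob: bytes, size: int) -> Iterator[bytes]:
    """Deliver blob in fixed-size pieces, like a download arriving over time."""
    for start in range(0, len(blob), size):
        yield blob[start:start + size]


def scan_stream(chunks: Iterable[bytes],
                signature: bytes = TEST_SIGNATURE) -> Optional[Tuple[int, int]]:
    """Scan chunks as they arrive.

    Returns (absolute offset of the first match, bytes received when it was
    found) or None.  A tail of len(signature)-1 bytes is carried from one
    chunk to the next so a pattern that straddles a chunk boundary is still
    caught, which is the case a per-chunk scanner misses.
    """
    keep = len(signature) - 1
    tail = b""
    base = 0   # absolute offset of tail[0] (or of the next chunk if tail is empty)
    seen = 0   # total bytes received so far
    for chunk in chunks:
        seen += len(chunk)
        window = tail + chunk
        hit = window.find(signature)
        if hit != -1:
            return base + hit, seen
        tail = window[-keep:] if keep else b""
        base += len(window) - len(tail)
    return None


def scan_per_chunk(chunks: Iterable[bytes],
                   signature: bytes = TEST_SIGNATURE) -> Optional[int]:
    """Naive variant: each chunk scanned on its own; misses boundary-straddling matches."""
    offset = 0
    for chunk in chunks:
        hit = chunk.find(signature)
        if hit != -1:
            return offset + hit
        offset += len(chunk)
    return None


def looks_like_complete_pe(data: bytes, expected_size: int) -> bool:
    """Loose check that a file is fully received and carries MZ/PE headers.

    A .part file that fails this cannot be loaded by Windows as an executable,
    which is the point rerun2 raises; it says nothing about whether the
    content is harmless once the remaining pieces arrive.
    """
    if len(data) < expected_size or len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_sample_blob(signature: bytes = TEST_SIGNATURE,
                      sig_offset: int = 500, total: int = 1024) -> bytes:
    """Constructed 1 KiB file with a minimal MZ/PE header and the signature inside."""
    hdr = bytearray(0x84)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> PE signature
    hdr[0x80:0x84] = b"PE\0\0"
    blob = bytes(hdr) + b"\x00" * (total - len(hdr))
    return blob[:sig_offset] + signature + blob[sig_offset + len(signature):]


def simulate_download(blob: bytes, chunk_size: int) -> Optional[dict]:
    """Report where the streaming scanner fires and whether the file was complete then."""
    result = scan_stream(chunked(blob, chunk_size))
    if result is None:
        return None
    offset, received = result
    return {
        "hit_offset": offset,
        "bytes_at_hit": received,
        "total": len(blob),
        "complete_pe_at_hit": looks_like_complete_pe(blob[:received], len(blob)),
    }


if __name__ == "__main__":
    sample = build_sample_blob()
    print("streaming scan :", simulate_download(sample, 37))
    print("per-chunk scan :", scan_per_chunk(chunked(sample, 37)))
```

Run the file directly: on the constructed sample, delivered in 37-byte chunks, the streaming scanner fires after 555 of 1024 bytes, at which point the partial file fails the MZ/PE completeness check, while the per-chunk scanner never fires because the pattern straddles a chunk boundary. Whether a detection on such a .part file is useful is exactly what the thread debates; the completeness check only tells you the file is not yet a loadable PE, not that its eventual contents are safe.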
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    LMAO, I see an Aussie amongst us ;)

    :D :D :D
     