New Bagle downloader outbreak on the loose

Discussion in 'NOD32 version 2 Forum' started by Marcos, Nov 23, 2005.

Thread Status:
Not open for further replies.
  1. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    seznam.cz reports an increase of a new mass-mailed Bagle downloader from 0 to 107 per hour; a much higher increase is expected, as known from the past.

    NOD32 has provided zero-time protection without update, thanks to the ThreatSense Early Warning System.
     

    Attached Files: vt7.jpg
  2. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    Are you saying here that NOD32 hasn't provided an update for this as yet, or they have?
     
  3. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    This dropper has been picked up by AH with no problem. An hour ago it was on position 47 on the radar, 15 minutes ago it was on place 15, and it is still rising...

    In plain text - NOD32 protected from time 0.
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    But as we can see F-Prot and VBA32 also detected it heuristically...
    Just to counter-balance the praising...
     
  5. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA

    Great to see some of the AVs providing good zero-time protection
    on a significant outbreak like this!
     
  6. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    I like the way that VBA32 can give the name of the probable threat too.
     
  7. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    NOD32 also gives it unless it's not based on any variant, then you get this weird but well known heuristic detection name...
     
  8. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    You forgot about Poland....ugh I mean CAT QuickHeal heuristic detection.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The question is how the heuristics should work. You can see a lot of clean harmless files submitted to Jotti's scanner and marked as suspicious (or even as a known threat, e.g. Mytob worm) just because they are runtime packed and no further analysis is performed. This approach might be a kind of "proactive" protection, but remember that it's at the cost of flagging a lot of innocent files as suspicious. Mike knows much more than me about the heuristics of particular AVs so maybe he'll comment more on this subject.
     
  10. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    As far as I know CAT QH has nonexistent heuristics. I also know McAfee tends to mark files as New.Malware.[some_letter] when they are packed with UPack for example, or maybe MEW.
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    NOD32 does not use this approach, but smartly analyses files in a virtual environment to see what the files do and, based on the outcome of the observation, flags the files as clean or probably infected.
     
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Yeah, I know. AntiVir for example has such a "heuristic" as an optional setting and tags detected files as Packer\[packer_name]. That's also a reasonable way of doing it. You can uncheck it at any time in settings.
     
  13. POS

    POS Guest

    It's an interesting feature of AntiVir... maybe NOD32 v3 should have this option too...
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Another Bagle outbreak. Now already detected generically as a variant of Bagle :) A newer update is on the way...

    Number of "a variant of Win32/Bagle worm" detections per hour:
    2005-11-23 23:00 : 2097
    2005-11-23 22:00 : 11
    2005-11-23 21:00 : 0


    Edited: The new Bagle downloader is already detected by a signature from update 1.1302.
     
    Last edited: Nov 23, 2005
  15. Happy Bytes

    Happy Bytes Guest

    Yup. I (personally) consider this QuickHeal DNA Scan as the biggest joke in the whole AV field since the early 90's. It will detect even a wet poop if it could be runtime-packed or would have a UPX signature.

    I mean this has nothing to do with professional antivirus heuristics. That's basically like playing the lottery, where you might have one goal out of 5000.

    The magic in heuristic detection - I just repeat it even if I said this already - is not to detect almost every runtime-packed malware only for the sake that it's runtime-packed; the key point is always to know what you shouldn't detect! That's by far more difficult than just flagging all things which are looking "suspicious".

    I mean I also support the "trend" of flagging so-called VX-packers (special Morphine versions for instance) as generic malware detection. But hey, you cannot do this with UPX, ASPack, FSG etc. These packers are actually also used to compress "normal" applications to reduce bandwidth for downloading etc.
     
  17. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Last night, if we consider the amount of malware spreading, was pure hell. At one moment we reached 17.2 per cent of infections on Virus Radar....

    Almost one in five emails infected....
     
  18. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    And our fellow Win32/Bagle.DR took a good part of the "market share".
     
  19. gue_st

    gue_st Guest

    I may be wrong of course, but I would feel better if more energy would be put in analysis when something was not detected, not in self-praising when it was.

    I mean, everybody knows that NOD is a great program.
    But, reading here, and also from contacts from tech support, I cannot feel that there would be a real interest in improving the program even more (and there are things to improve).
     
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You are kidding right, so they should just stop the development of version 3 :rolleyes: :rolleyes: :rolleyes:
     
  21. gue_st

    gue_st Guest

    Kidding? Sure, anytime...

    When I touch NOD32, I have that same feeling as with DOS program, everything works just fine, but that feeling...:D
     
  22. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    I'll give you a ring-a-ding when you have developed your own antivirus app. :p

    Also I do not consider this as 'self-promo', but rather as information about these new nasties.
    It's also nice to know that you have been protected at all times.
     
  23. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    Here's a suggestion - close this forum to non-registered users who seem to be self-important and (apparently) have an anti-NOD axe to grind...
     
  24. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    If they don't announce things like this, someone will start a thread asking "Does NOD32 detect this?" and in fact half the time that happens anyway so... ;)
     
  25. gue_st

    gue_st Guest

    Religious beliefs probably should not extend to antivirus software?
     