New Bagle downloader outbreak on the loose

seznam.cz reports increase of a new mass mailed Bagle downloader from 0 to 107 per one hour, a much higher increase is expected as known from the past

NOD32 has provided zero-time protection without update, thanks to the ThreatSense Early Warning System.

 

Are you saying here that NOD32 hasnt provoided an update for this as yet or they have ?

 

This dropper has been picked up by AH with no problem. Hour ago, it was on position 47 on the radar, 15 minutes ago it was on place 15 and is stil rising...

In plain text - NOD32 protected from the time 0

 

But as we can see F-Prot and VBA32 also detected it heuristically...
Just to counter-balance the praising...

 

Great to see some of the AVs providing good zero-time protection
on a significant outbreak like this!

 

i like the way that VBA32 can give the name of the probable threat too

 

NOD32 also gives it unless it's not based on any variant, then you get this weird but well known heuristic detection name...

 

You forgot about Poland....ugh I mean CAT QuickHeal heuritic detection.

 

The question is how the heuristics should work. You can see a lot of clean harmless files submitted to Jotti's scanner and marked as suspicious (or even as a known threat, e.g. Mytob worm) just because they are runtime packed and no further analysis is performed. This approach might be a kind of "proactive" protection, but remember that it's at the cost of flagging a lot of innocent files as suspicious. Mike knows much more than me about the heuristics of particular AVs so maybe he'll comment more on this subject.

 

As far as i know CAT QH has nonexisting heuristics. I also know McAfee tends to mark files as New.Malware.[some_letter] when they are packed with UPack for example or maybe MEW.

 

NOD32 does not use this approach, but smartly analyses files in a virtual environment to see what the files do and, based on the outcome of the observation, flags the files as clean or probably infected.

 

Yeah i know. AntiVir for example has such "heuristic" as optional setting and tags detected files as Packer\[packer_name]. Thats also reasonable way of doing it like this. You can uncheckcheck it at any time in settings.

 

Its a interesting feature of Antivir... maybe NOD32 v3 should have this opition too...

 

Another Bagle outbreak. Now already detected generically as a variant of Bagle A newer update is on the way...

Number of a variant of Win32/Bagle worm
2005-11-23 23 : 2097
2005-11-23 22 : 11
2005-11-23 21 : 0


Edited: The new Bagle downloader is already detected by a signature from update 1.1302.

 

Yup. I (personally) consider this QuickHeal DNA Scan as the biggest joke in the whole av field since early 90's. It will detect even a wet poop if it could be runtimepacked or would have an UPX signature.

I mean this has nothing to do with professional antivirus heuristic. Thats basically like playing lottery, where you might have out of 5000 one goal.

The magic in heuristic detection - i just repeat it even if i said this already - is not to detect almost every runtime packed malware only for the sake that it's runtime packed, the keypoint is always to know what you shouldn't detect! Thats by far difficulter than just flagging all things which are looking "suspicious".

I mean i also support the "trend" of flagging so called VX-Packers (special Morphine Versions for instance) as generic malware detection. But hey, you cannot do this with UPX, ASPack, FSG etc. These packers are actually also used to compress "normal" applications to reduce bandwith for downloading etc.

 

Norton users would be happy soon

Just got this on email and my NOD alarmed me Ewido also does not detect it yet.

http://img104.imagevenue.com/loc180/th_edc_lol.JPG

 

Last night if we consider the amount of malware in spreading was pure hell. In one moment, we have reached 17,2 per cent of infections on virus radar....

Almost one in five emails infected....

 

And our fellow Win32/Bagle.DR took a good part of the "market share"

 

I may be wrong of course, but I would feel better if more energy would be put in analysis when something was not detected, not in self-praising when it was.

I mean, everybody knows that NOD is a great program.
But, reading here, and also from contacts from tech support, I cannot feel that there would be a real interest in improving the program even more (and there are things to improve).

 

You are kidding right, so they should just stop the development of version 3

 

Kidding? Sure, anytime...

When I touch NOD32, I have that same feeling as with DOS program, everything works just fine, but that feeling...

 

I'll give you a ring-a-ding when you have developed your own antivirus app.

Also I do not consider this as 'self-promo', but rather as information about these new nasties.
It's also nice to know that you have been protected at all times.

 

Here's a suggestion - close this forum to non-registered users who seem to be self-important and (appernetly) have an anti-NOD axe to grind...

 

If they don't accounce things like this someone will start a thread asking "Does NOD32 detect this?" and in fact half the time that happens anyway so...

 

Religious beliefs probably should not extend to antivirus software?