New p2p-virus....Win32.Polipos ?

Discussion in 'other anti-virus software' started by izi, Apr 20, 2006.

Thread Status:
Not open for further replies.
  1. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Does KAV detect this virus?
     
  2. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
  3. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    still only DrWeb detecting it fully.
     
  4. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    the data below does not say if only some or if all are detected, I just show the overall picture atm:
    AntiVir W32/Regenig
    Dr Web Win32.Polipos
    eSafe Trojan/Worm [100] (suspicious)
    F-Secure P2P-Worm.Win32.Polipos.a
    Fortinet W32/Polipos.V12
    Kaspersky P2P-Worm.Win32.Polipos.a
    McAfee (BETA) W32/Polipos (virus or variant)
    Panda (BETA) W32/Polipos.A
    Sophos W32/Polipos-A
    VBA32 Virus.Win32.Polipos.A
     
  5. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I'm just curious, but how many different occurrences does this "Win32.Polipos" have nowadays, 500?

    Best regards,
    Firefighter!
     
  6. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    o_O wrong question.
    it has to be detected in every infected file, which is 'unlimited number'.
     
  7. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Thanks! I set that 500 only because there were about that many in VB tests.

    Best regards,
    Firefighter!
     
  8. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    420
    Location:
    Honolulu, Hawaii
    IBK,
    I and probably others really appreciate the effort you provide about any recent outbreak/new virus detection times from the various av's. As an end-user, the information you provide is very helpful to see how our antiviruses are faring. Also, I am glad to see other av experts like Severyanin (Dr.Web), Siarheika (VBA32), Inspector Closeau (former NOD32), Stefan Kurtzhals (Avira), and any others I missed, participate and give their input without flaming their competitors. Their professionalism and expertise are very well taken. Thank you all for providing a peaceful atmosphere. :thumb:
     
  9. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Vlk from Alwil Software is also hanging around a lot and gives helpful advice and explanations to users :) Guys from ArcaBit used to hang around too but haven't seen them for some time :doubt:
     
  10. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Try now ;)
     
  11. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    The number of 500 in the VB test is waaaaaaaaay too low. Actually, they have much lower numbers for some of the viruses in the polymorphic set, even below 50 samples. Ironically, some of the most difficult polymorphic viruses have the lowest number of samples while some of the easier ones have larger numbers.

    And they didn't replicate the samples anymore after they created the initial test set. If they would replicate like 10.000 for each virus (of course carefully checking if the samples still work - which makes the replicating a LOT of work), the test results would be very different.

    Their scoring system for polymorphic viruses is flawed IMHO. The goal of testing polymorphic detection is to test how reliable the detection is. So if you miss even just 1 working (!) sample of a set of 10.000, the virus detection is flawed and should be rated 0%. VB instead gives 99.9% because they only count the raw numbers of detected samples. This harsh measurement makes sense because you can replicate 10.000 samples that are identical to the 1 that was not detected.

    I talked to IBK some while ago about this, I hope he changes his polymorphic test accordingly. :)
     
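    To make the scoring argument in the post above concrete, here is an added example (not from the poster or from VB) that models a polymorphic test set and compares proportional scoring with the all-or-nothing rule the post proposes. The sample set, the "detectable" flags and the replication step are constructed assumptions.

    ```python
    # Constructed model: each sample of one polymorphic virus is either caught
    # by the scanner's decryptor/emulator logic or not. The flags are made up.
    from typing import List

    def proportional_score(detected: List[bool]) -> float:
        """VB-style: share of samples detected (the post's '99.9%')."""
        return sum(detected) / len(detected) if detected else 0.0

    def strict_score(detected: List[bool]) -> float:
        """Reliability rule from the post: one missed working sample -> 0%."""
        return 1.0 if detected and all(detected) else 0.0

    def replicate_from_missed(detected: List[bool], copies: int) -> List[bool]:
        """Model of the post's point: a missed sample can be replicated at will,
        so the set is extended with 'copies' samples that are likewise missed."""
        if all(detected):
            return list(detected)
        return list(detected) + [False] * copies

    def build_initial_set(total: int = 1000, missed: int = 1) -> List[bool]:
        # Constructed: 'total' samples of which 'missed' evade detection.
        return [True] * (total - missed) + [False] * missed

    def compare_scores(total: int = 1000, missed: int = 1, copies: int = 9000):
        """Return (proportional, strict) for the initial set and the replicated set."""
        initial = build_initial_set(total, missed)
        grown = replicate_from_missed(initial, copies)
        return (
            proportional_score(initial), strict_score(initial),
            proportional_score(grown), strict_score(grown),
        )

    if __name__ == "__main__":
        p0, s0, p1, s1 = compare_scores()
        print(f"initial set:    proportional={p0:.3f} strict={s0:.0f}")
        print(f"replicated set: proportional={p1:.3f} strict={s1:.0f}")
    ```

    The proportional score slides from 99.9% to 10% purely by replicating the one missed sample, while the strict score is 0% in both cases, which is the reliability property the post is after.
    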
  12. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    sure ;)

    btw, update:
    AntiVir W32/Regenig
    BitDefender Win32.Polipos.A
    Dr Web Win32.Polipos
    eSafe Trojan/Worm [100] (suspicious)
    eTrust-INO Win32/Polipos!Worm
    F-Secure P2P-Worm.Win32.Polipos.a
    Fortinet W32/Polipos.V12
    Kaspersky P2P-Worm.Win32.Polipos.a
    McAfee (BETA) W32/Polipos (virus or variant)
    Panda (BETA) W32/Polipos.A
    Sophos W32/Polipos-A
    VBA32 Virus.Win32.Polipos.A


    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_POLIPOS.A&VSect=P
     
    Last edited: Apr 22, 2006
  13. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    What about VBA32? They seem to detect it too (don't know if all of them), have no clue about cleaning so far (probably not available).
     
  14. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    sorry, forgot to add it. now added.
     
  15. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Where is KAV?
     
  16. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    In Moscow :D

    F-Secure's Detection name is the KAV detection.
     
  17. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Yea, and NOD32 is in Bratislava. NOD32 doesn't detect this virus. o_O
     
  18. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    That's because it's in Bratislava :p
     
  19. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Hey Mike!

    Did U create a cleaner (signature) for this virus?
     
  20. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    So is this just detection by most of these AVs, or is it cleaning too?
    Would be nice to see NOD32 in that list too, unless they are holding out for the detection AND cleaning package...
     
  21. Ned Slider

    Ned Slider Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    169
    Not sure about others, but KAV offers to disinfect infected files but is then unable to do so, and resorts to deleting the infected files. I suspect it may be a while before we see disinfection/cleaning capabilities against this particular malware :(

    Ned
     
  22. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    well, at least detection would be nice to see....
     
  23. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Since the virus trashes some files, a 100% working repair routine will never exist. Also, the repair routine of DrWeb takes about 45 minutes to process approx. 800 infected files, and leaves quite a bunch of them in an infected state. I have not tested whether these were still working completely though. In any case, a repair routine that is not able to clean all infected working samples is useless, because you most likely end up repairing in an endless loop, with files getting reinfected all the time. Especially with a resident process-injection virus that hooks API calls, such as Polipos.

    IMHO there is no sane way to get around a complete reinstall for this particular nasty. You may be able to repair some exes and reuse them on your fresh install; however, some of them, although repaired successfully, will still not work anymore (CRC self-checks etc.).
     
  24. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
  25. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    let's open a book then - ESET or Symantec to add detection first?
    my money is on ESET (literally - 2 licenses :) )

    ---edit: oops, I just read IBK's link again and see that Symantec already added detection (thought it was just a write-up of what the virus does)
     
    Last edited: Apr 23, 2006