New Stration - AH in action

Discussion in 'NOD32 version 2 Forum' started by Marcos, Oct 20, 2006.

Thread Status:
Not open for further replies.
  1. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    There has been a new Stration outbreak during the night. Only a very few AVs (3) detected it; NOD32 was among them thanks to the recent update of advanced heuristics:

    Hour               Count       Infection Ratio (%)   Infection Ratio
    2006-10-19 00:00   1           0.000 %               1/ 527.4 ths
    2006-10-19 01:00   0           0 %
    2006-10-19 02:00   2           0.000 %               1/ 221.9 ths
    2006-10-19 03:00   1           0.000 %               1/ 520.4 ths
    2006-10-19 04:00   3           0.001 %               1/ 165.1 ths
    2006-10-19 05:00   1           0.000 %               1/ 422.8 ths
    2006-10-19 06:00   1           0.000 %               1/ 430.5 ths
    2006-10-19 07:00   1           0.000 %               1/ 595.1 ths
    2006-10-19 08:00   0           0 %
    2006-10-19 09:00   0           0 %
    2006-10-19 10:00   0           0 %
    2006-10-19 11:00   0           0 %
    2006-10-19 12:00   0           0 %
    2006-10-19 13:00   0           0 %
    2006-10-19 14:00   0           0 %
    2006-10-19 15:00   0           0 %
    2006-10-19 16:00   0           0 %
    2006-10-19 17:00   0           0 %
    2006-10-19 18:00   110 010     11.577 %              1/ 8.6
    2006-10-19 19:00   153 867     16.367 %              1/ 6.1
    2006-10-19 20:00   113 474     12.605 %              1/ 7.9
    2006-10-19 21:00   97 687      11.104 %              1/ 9.0
    2006-10-19 22:00   43 552      7.776 %               1/ 12.9
    2006-10-19 23:00   460         3.178 %               1/ 31.5

    TOTAL              519.1 ths   3.215 %               1/ 31.1

    Source: www.virusradar.com
     

    Last edited: Oct 20, 2006
  2. CyberMew

    CyberMew Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    128
    Hey, is it by any chance named docs.zm9 and/or Update-KB9765-x86.zl9?

    docs.zm9 - probably unknown NewHeur_PE virus - quarantined - renamed to docs.vzm9
    docs.zm9 > ZIP > docs.log.scr - probably unknown NewHeur_PE virus

    MD5: 6e8eac7a57ea55e0eb4c8ac168ea822d
    SHA1: 63d58dcf5929be0d0c94903d363b46ec91b76b98
    packers: UPX

    -----------and----------

    Warning: NOD32 antivirus system found the following in the message:
    Update-KB9765-x86.zl9 - probably unknown NewHeur_PE virus

    File size: 11780 bytes
    MD5: 3a8e62630833f68fcd0edfbf39f3e688
    SHA1: a69e68df1ddb606ba44f456f9229a919d284ba28
     
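A mail-gateway triage check for the attachment layout described above (an archive hidden behind an unfamiliar extension, wrapping a double-extension .scr that carries a PE header). This is an added illustration, not code from the thread or from ESET's products; the sample attachments are constructed inside the code and the extension lists are assumptions.

```python
import io
import zipfile

# Constructed samples mirroring the two reported attachments:
#   docs.zm9  -> really a ZIP, containing docs.log.scr with an "MZ" (DOS/PE) header
#   Update-KB9765-x86.zl9 -> a bare PE-like blob behind a non-executable extension
def build_zip_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs.log.scr", b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100)
    return buf.getvalue()

def build_pe_sample() -> bytes:
    return b"MZ" + b"\x00" * 200

# Assumed policy lists: extensions Windows will execute, and extensions we accept as archives.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
ARCHIVE_EXTS = {".zip"}

def triage_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons (possibly none) why this attachment should be quarantined."""
    reasons = []
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    is_zip = data[:4] == b"PK\x03\x04"          # local file header magic
    if is_zip and ext not in ARCHIVE_EXTS:
        reasons.append(f"archive content hidden behind non-archive extension {ext}")
    if is_zip:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                parts = info.filename.lower().split(".")
                inner_ext = "." + parts[-1] if len(parts) > 1 else ""
                if inner_ext in EXEC_EXTS:
                    reasons.append(f"executable member {info.filename}")
                if len(parts) > 2:
                    reasons.append(f"double extension on member {info.filename}")
                if zf.open(info).read(2) == b"MZ":
                    reasons.append(f"MZ header in member {info.filename}")
    elif data[:2] == b"MZ" and ext not in EXEC_EXTS:
        reasons.append(f"PE content behind non-executable extension {ext}")
    return reasons

if __name__ == "__main__":
    for fname, blob in (("docs.zm9", build_zip_sample()),
                        ("Update-KB9765-x86.zl9", build_pe_sample()),
                        ("notes.txt", b"plain text")):
        print(fname, "->", triage_attachment(fname, blob) or "clean")
```

A content check like this catches the attachment shape even before a signature or heuristic update ships, which is the gap the thread's later posts about AMON only picking the files up from 1.1819 describe.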
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hard to say, there have been a couple of variants released afterwards (each detected by AH); maybe yours is one of the recent ones.
     
  4. CyberMew

    CyberMew Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    128
    I see.. I just went online to check my email and was shocked to see "probably unknown NewHeur_PE virus" (probably the 2nd time in my online life).

    By the way, I already sent the "docs.vzm9" (renamed to .zm9) via the "Quarantine->Submit file for analysis" function to Eset's Labs. Not sure why it didn't send in the Update.xxx one though.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's not necessary actually, such files are submitted automatically if you leave the "Submit for analysis" check-box in the alert window ticked.
     
  6. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Hello!

    AH didn't update on my computer. I'm not protected!

    NOD32 antivirus system information
    Virus signature database version: 1.1818 (20061020)
    Dated: 20. oktober 2006
    Virus signature database build: 8229

    Information on other scanner support parts
    Advanced heuristics module version: 1.037 (20060926)
    Advanced heuristics module build: 1122

    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1.050 (20060926)
    Archive support module build version: 1176

    Information about installed components
    NOD32 for Windows NT/2000/XP/2003/x64 - Base
    Version: 2.51.26
    NOD32 for Windows NT/2000/XP/2003/x64 - Internet support
    Version: 2.51.26
    NOD32 for Windows NT/2000/XP/2003/x64 - Standard component
    Version: 2.51.26

    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 2
    Version of common control components: 5.82.2900
    RAM: 504 MB
    Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz (2400 MHz)
     
  7. CyberMew

    CyberMew Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    128
    I didn't see it though, but it didn't show in the Event Logs, so I thought I might just help... since probably the system will remove duplicate files or something.
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    blackspears, great job by Eset. I was curious if you might say who the other few AVs were that were able to do this like Eset. It might make a difference to some with their current setups. Thanks, and again, good job Eset.
     
  9. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    NOD updated AH. Finally!!

    NOD32 antivirus system information
    Virus signature database version: 1.1818 (20061020)
    Dated: 20. oktober 2006
    Virus signature database build: 8229

    Information on other scanner support parts
    Advanced heuristics module version: 1.038 (20061019)
    Advanced heuristics module build: 1123
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1.050 (20060926)
    Archive support module build version: 1176

    Information about installed components
    NOD32 for Windows NT/2000/XP/2003/x64 - Base
    Version: 2.51.26
    NOD32 for Windows NT/2000/XP/2003/x64 - Internet support
    Version: 2.51.26
    NOD32 for Windows NT/2000/XP/2003/x64 - Standard component
    Version: 2.51.26

    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 2
    Version of common control components: 5.82.2900
    RAM: 504 MB
    Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz (2400 MHz)
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    PM sent

    Edit: OK, disregard my PM
     
  11. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Thanks Marcos!
     
  12. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    This is something which never happened before - radar at 20 per cent

    OMG...
     

  13. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Virus writers are very active, mrtwolman! :D And ESET is also protecting. :p
     
  14. fduranti

    fduranti Registered Member

    Joined:
    Oct 15, 2006
    Posts:
    11
    Just to be sure I'm updated... from my NOD32 I get the following version/build. The Internet filter seems a bit older on my version... is that normal?



    NOD32 antivirus system information
    Virus signature database version: 1.1818 (20061020)
    Dated: venerdì 20 ottobre 2006
    Virus signature database build: 8229

    Information on other scanner support parts
    Advanced heuristics module version: 1.038 (20061019)
    Advanced heuristics module build: 1123
    Internet filter version: 1.001 (20031104)
    Internet filter build: 1012

    Archive support module version: 1.050 (20060926)
    Archive support module build version: 1176

    Information about installed components
    NOD32 for Windows NT/2000/XP/2003/x64 - Base
    Version: 2.51.30
    NOD32 for Windows NT/2000/XP/2003/x64 - Internet support
    Version: 2.51.30
    NOD32 for Windows NT/2000/XP/2003/x64 - Standard component
    Version: 2.51.30
     
  15. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Yes it is.
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    There is no difference between Internet filter 1.001 and 1.002, just a very minor unimportant fix. We'll probably release v. 1.002 as an automatic update to avoid this confusion.
     
  17. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
  18. fduranti

    fduranti Registered Member

    Joined:
    Oct 15, 2006
    Posts:
    11
    Thanks all for the answer :D
     
  19. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    Mine must be even newer, since AMON doesn't trigger on them at all... Scanning with NOD32 identifies them as NewHeur_PE, but I can copy and extract them all day long without AMON making any noise whatsoever...!

    I've already submitted one of them.

    :eek: :blink:

    Update - AMON v1.1819 now picks them up. :D
     
    Last edited: Oct 20, 2006
  20. CyberMew

    CyberMew Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    128
    Yup, both of the copies I had are now detected as xxx.KG in 1.1819. Good good. :D
     
  21. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    A bit off-topic (and maybe worth starting a new thread), but...

    I wonder why AMON is letting you manipulate files that are detected as "probably unknown NewHeur_PE virus"? Should it not block it and give a warning? Or at least, that's how I thought AMON worked?

    I tried it on my PC with a file that is detected as "probably unknown NewHeur_PE virus" (even one that is a false positive: Advanced Spyware Remover, by the way). AMON quarantined the file if I tried copying it or moving it, but it lets me move my mouse over it and even run it? Isn't that a bit strange behavior for AMON? Does that mean that AMON does not block the execution of files detected by Advanced Heuristics?

    By the way, I also tried it with a real, live trojan that NOD32 detects as "probably unknown NewHeur_PE virus", same thing as with the false positive (I am able to put my mouse over it and even run it without any warning from AMON).

    Is this behavior with AMON intended? The same thing does not happen with files that AMON detects by signature.
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Note that files detected as NewHeur_PE are detected by advanced heuristics. As you can see in the AMON setup, advanced heuristics is only used when scanning newly created/modified files.
     
  23. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Great job, ESET Team! :D
     
  24. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    well done Eset!
     
  25. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Interesting how the Eset guys can "optimize" the heuristics engine for a specific family of malware... This shows that Eset engineers are very bright! :)

    Great job, Eset, and congratulations to the bright people who were able to make this possible!
     