New Trojan Downloader?

Discussion in 'NOD32 version 2 Forum' started by covaro, Jul 20, 2006.

Thread Status:
Not open for further replies.
  1. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    http://www.notmyblog.com/images/trojan downloader.jpg

    Little bugger I was pointed to browsing around over @ broadbandreports (Didn't link cause the posts include the link to DL this puppy). DL'ed it into a VM and confirmed that NOD32 doesn't detect it. Ran it, and NOD does pick up a couple little buggers it attempts to DL and install. Just to check up, I checked the registry and what not, and it looks like a couple little bugs (pieces of bugs maybe?) did slip through. On a pass through with EWIDO it picks up a couple .dlls labeled:
    Trojan.Mezzia
    Adware.Virtumonde

    The Downloader and the DLLs have been submitted for analysis via the internal submission tool in NOD32.

    -Cov

    Note: Yes, the VM is clean. It gets reset to a blank slate after every use.
     
    Last edited: Jul 20, 2006
  2. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    you should better submit it to sample [at] nod32.com rather than the internal submission tool in NOD32. ;)
     
  3. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Thanks covaro :)
     
  4. Proactive Services

    Proactive Services Registered Member

    Joined:
    Jan 10, 2006
    Posts:
    153
    Location:
    Petersfield, Hampshire, UK
    Could you elaborate on this statement - surely they perform the same function?
     
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    the internal submission tool in NOD32 is for heuristically detected viruses. Non detected samples should be submitted to sample [at] nod32.com.
    This is what I know. Marcos can confirm it.
     
  6. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    I can submit via email when I get home tonight.

    -Cov
     
  7. Proactive Services

    Proactive Services Registered Member

    Joined:
    Jan 10, 2006
    Posts:
    153
    Location:
    Petersfield, Hampshire, UK
    Hmm so why the ability to submit for analysis items in quarantine?
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    they've added 4 Trojan.Downloader.Small in version 1.1672. Maybe they've added yours also because they're monitoring VirusTotal also and since you've scanned your file there.... ;)
     
  9. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    All files that are sent to VT and Jotti's are automatically submitted to any products that do not detect them.
     
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Items in quarantine are files flagged by NOD32 as unknown viruses (with heuristic engine).
     
  11. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Items in quarantine are whatever you have configured your NOD32 to put there regardless of by what mechanism the detection is, or what you have put there manually....
     
  12. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    yes, that's right but the send feature was designed especially for heuristic detection as far as I know. ;)
     
  13. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I'm pretty sure that it's just for whatever things need to be sent to ESET - Have you read that somewhere?
     
  14. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Just a thought...
    Doesn't ESET have two different e-mails for sample submission; one for heuristic detection (sample(at)eset.com) and one for unknown (samples(at)eset.com)? How will the program know where to send the samples?
     
  15. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    Yup, she was detected now... go ESET. :cool:
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    nice to hear that. ;)