New version of Byte-Verifier not caught

Discussion in 'NOD32 version 2 Forum' started by spy1, Jan 16, 2004.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    http://www.dslreports.com/forum/remark,9085665~mode=flat

    I went to the site indicated ( ww w.netcult.ch/elmue/ElmueSoft-en.htm ). I have the two files in my JAR cache, and neither a right-click scan by NOD32 v.2 nor one by the "Advanced Heuristic" scanner picks anything up. Nor does a full scan.

    What's up? New version? Not really a variant of BV? Do I have to click on one or both of those files to get NOD to "see" it? Pete

    *Oh, yeah, the full-scan screen is telling me this in relation to the jar_cache: G:\Documents and Settings\Pete Yevchak\Local Settings\Temp\jar_cache31638.tmp - error opening (file locked) [4]
     

  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    BUMP
     
  3. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    The worker.class file is a new trojan; I've sent it to ESET.
    The other files are exploits; I've sent them to ESET.
    Waiting for an Eset reply.
     
  4. spamcat

    spamcat Registered Member

    Joined:
    Oct 9, 2003
    Posts:
    28
    Location:
    North Carolina, USA
    Does anyone know if today's update addressed this?

    sc
     
  5. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Not yet, I've sent it today.
     
  6. spamcat

    spamcat Registered Member

    Joined:
    Oct 9, 2003
    Posts:
    28
    Location:
    North Carolina, USA
    I actually sent a copy to Eset on Saturday, so I figured this would be the first major update after the weekend and that perhaps they would include it.

    Thanks. sc o_O
     
  7. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hello,
    Eset analyzes more important samples, like the recent Bagle and viruses that may be in the wild.
    I believe that Eset is working on this sample and will make an update to cover it ASAP. Anyway, I've sent it directly to Eset's virus analysts.
     
  8. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I recently checked this, and NOD detects it as:
    Java/Exploit.Bytverify Trojan.
    The strange thing is that it doesn't appear in the NOD32 Update.
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    NOD does detect the original ByteVerifier from way back when - it's the latest version/permutation of it that's referred to in that thread that I was posting about. It may not even have the same name.

    TrendMicro lists it as JAVA_FEMAD.B ( http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JAVA_FEMAD.B )

    Kaspersky detects it also, but I can't find any info on it on their site for some reason. Pete
     
  10. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    NOD now detects this variant; I've downloaded all files from the web page that you indicated.
     
  11. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    It would be nice if you'd clue me in on what NOD's calling the thing, s_c.

    A screenie of the detection would be even better. Pete
     
  12. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Look at screenshot.
     

    Attached Files:

    • byv.JPG
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thank you. Pete
     