Nod detection

Discussion in 'NOD32 version 2 Forum' started by ellison64, Jan 22, 2005.

Thread Status:
Not open for further replies.
  1. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I just downloaded a programme called secretary organiser from here...

    ~ snip ~ please do not post links to Trojans ~ Blackspear

It seems a reputable site; however, that file secretary.exe contains a trojan, identified by TDS3 as:

    scan Control Dumped @ 12:47:19 22-01-05
    Positive identification: TrojanDropper.Win32.Small.nm
    File: c:\downloads\secretary.exe
BOClean also detects it (after execution) and stops it...

    01/21/2005 20:47:52: C:\WINDOWS\SYSTEM\SRCHBAR.DLL
    Trojan horse was found in above file
    SEARCHBAR6 TROJAN STOPPED by BOCLEAN!
    Active trojan horse was shut down. System now safe.
    Trojan horse was removed, registry cleaned.

What I can't understand is that none of NOD's "profiles" detects it, even though they have full settings enabled, i.e. scan all files, run packers etc., deep heuristics. Yet when I execute the file NOD does pop up with this...
    file
    C:\windows\system\~glh0002.tmp
    virus
    win32 trojandownloader .agent.y trojan
How does NOD detect after execution but not before, if the settings are all the same in all profiles?
TIA
    ellison
     
    Last edited by a moderator: Jan 22, 2005
  2. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
Sorry for the link, Blackspear. I wasn't sure whether to post it. However, as the site is reputable, and many people are sure to download from the site, then isn't naming the file and the site in the interests of those that don't want to inadvertently get infected? It seems odd to me to snip the site name (unless it's some warez site of course), as it warns potential downloaders of the dangers.
    ellison
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,917
    Location:
    Texas
    Did you by chance notify that site of a possibly infected file?
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Just don't want the innocents wandering there and trying out their anti-viruses to see if it works or not.

    Can you please send an email to support@nod32.com with the link and also a link back to this thread.

    Let us know how you go...

    Cheers :D
     
  5. Atangel

    Atangel Registered Member

    Joined:
    Aug 29, 2004
    Posts:
    53
It is an expectation thing. I think most AVs catch viruses, but aren't great with trojans. Most anti-trojans are great with trojans, but aren't anything like as good with viruses...

    It's why I have both, and so do you (TDS)!

But the other thing is that sometimes neither product will see the nasty until it runs, for whatever reason.... compressed, encrypted, etc. It isn't until it runs that it looks familiar.
     
  6. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
ronjor...
I'm not exactly sure how to, as I can't find any contact info. I have however posted in the forums there pointing out the trojan in the file.

    Blackspear...
    have done as you requested.

    Atangel...
Yes, it's a good idea to have layered security. Possibly the detection after running is a file of some sort being planted in the system folder.

    ellison
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,917
    Location:
    Texas
    Great ellison64! Thanks for the feedback.
     
  8. oops

    oops Guest

NOD doesn't unpack, on-demand scanner will detect it... If you open the file AMON will catch it... Happened to me last week, that's why BOClean is on my machine...
     
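The behaviour the thread circles around (Atangel's "it isn't until it runs that it looks familiar" and oops's point that an on-access scanner catches it when the file is opened) can be modelled in a few lines. The following is an added, constructed example, not code from any poster or from ESET: a toy signature scanner, a toy "dropper" that carries its payload zlib-compressed (standing in for a runtime packer), and an in-memory "system folder" with an on-write hook standing in for an on-access scanner like AMON. The payload bytes, the signature name and the stub format are all invented for the demonstration; `SRCHBAR.DLL` is reused only because it is the dropped file named in the BOClean log above.

```python
import zlib

# Constructed sample payload and signature. Nothing here is real malware;
# the payload is arbitrary text plus a run of zero bytes.
PAYLOAD = b"constructed-sample-dll-body: SEARCHBAR6 marker " + b"\x00" * 32
SIGNATURES = {
    # hypothetical detection name -> byte pattern a classic engine would carry
    "Constructed.Dropper.Payload": b"SEARCHBAR6 marker",
}
STUB_PREFIX = b"DROPPER-STUB:"  # invented container format for the toy dropper


def build_dropper(payload: bytes) -> bytes:
    """Simulate a dropper that stores its payload compressed (stand-in for a
    runtime packer/crypter): the plain signature no longer appears on disk."""
    return STUB_PREFIX + zlib.compress(payload)


def scan_bytes(data: bytes) -> list:
    """Naive signature scan with no unpacking: raw byte matching only."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_with_unpacking(data: bytes) -> list:
    """Same scan, but first unpacks the known stub format, emulating an engine
    whose runtime-packer support understands this container."""
    hits = scan_bytes(data)
    if data.startswith(STUB_PREFIX):
        try:
            hits += scan_bytes(zlib.decompress(data[len(STUB_PREFIX):]))
        except zlib.error:
            pass  # not a valid stream: fall back to the raw-byte result
    return sorted(set(hits))


class SystemFolder:
    """Toy in-memory system folder with an on-write hook, standing in for an
    on-access scanner that inspects files as they are written."""

    def __init__(self, on_write):
        self.files = {}
        self.on_write = on_write
        self.alerts = []

    def write(self, name: str, data: bytes) -> bool:
        hits = self.on_write(data)
        if hits:
            self.alerts.append((name, hits))
            return False  # write blocked: the dropped file was recognised
        self.files[name] = data
        return True


def run_dropper(dropper: bytes, folder: SystemFolder) -> bool:
    """Simulate execution: the stub unpacks its payload and drops it to disk,
    which is the moment the plain bytes first become visible to a scanner."""
    payload = zlib.decompress(dropper[len(STUB_PREFIX):])
    return folder.write("SRCHBAR.DLL", payload)


def demo() -> dict:
    dropper = build_dropper(PAYLOAD)
    folder = SystemFolder(on_write=scan_bytes)
    return {
        # static scan of the packed container without unpacking: no hit
        "on_demand_no_unpack": scan_bytes(dropper),
        # same engine with unpacking support: hit before execution
        "on_demand_with_unpack": scan_with_unpacking(dropper),
        # on execution the on-access hook sees the plain payload and blocks it
        "write_allowed_at_execution": run_dropper(dropper, folder),
        "on_access_alerts": folder.alerts,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three results show the three situations in the thread: the same signature misses the packed file, catches it once the engine can unpack the container, and catches the dropped payload at write time regardless, which is why a profile's on-demand settings being "all the same" does not make an on-demand scan equivalent to on-access monitoring during execution.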