Nod not detecting new dumaru virus

Discussion in 'NOD32 version 2 Forum' started by dvk01, Feb 13, 2004.

Thread Status:
Not open for further replies.
  1. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I am a bit concerned that NOD isn't detecting the new Dumaru virus.

    I have advanced heuristics on, using the right-click shell extension.

    I thought NOD had very good heuristics.

    When Dr Web and KAV detect it heuristically and now have a virus definition for this one, as part of the MyDoom infections, why hasn't NOD?

    TDS detected it as an unknown keylogger immediately; NOD should have at least done that.


    Norton have had a write-up about it for 2 days now and NOD haven't even got detection.

    I have sent copies of the viral files to them (from an infected machine, via one of the tech forums). I can only assume that NOD users are so well protected that they never got infected by any form of the virus, so no-one could find any files to send in.
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    NOD has been detecting Dumaru since the following, with various versions through to ".U":

    NOD32 - v.1.505 (20030909)
    Virus signature database updates:
    Win32/Blare.A, Win32/Dumaru.J

    to

    NOD32 - v.1.621 (20040211)
    Virus signature database updates:
    IRC/SdBot.OE, IRC/SdBot.OF, IRC/SdBot.OG, IRC/SdBot.OH, IRC/SdBot.OI, Win32/Doomjuice.B, Win32/Dumaru.U

    http://www.nod32.com/support/info.htm

    Cheers :D
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    That's why I'm surprised it hasn't detected the latest one, Dumaru.AH.

    I thought it must have a close enough signature for NOD heuristics to autodetect it, as KAV, Dr Web and TDS have.

    This is Symantec's write-up about it:
    http://www.sarc.com/avcenter/venc/data/w32.dumaru.ah@mm.html

    Sorry, the forum software won't make a link, so copy and paste please.
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    dvk,

    NOD32 detects this one, named Win32/Mimail.U - database update v1.624 (20040214) ;)

    regards.

    paul
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hate to disagree, Paul, but it isn't detecting it.

    I have copies of this worm/virus in 2 different places on my computer; they are the exact copies that I sent to NOD and Pieter.

    TDS detects them, KAV detects them, Housecall online detects them, Dr Web online detects them, Norton online detects them.

    NOD does not detect them, either by doing a full system scan or by just scanning the folder, nor does it detect them using Advanced Heuristics in the shell extension.

    I can only conclude that NOD is not detecting it.

    Any ideas why?
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    dvk,

    Obviously a misunderstanding on my side as to the naming of the little bugger: this one shows up on other AV vendor sites as "aka" Win32/Mimail.U, and is databased under that name by Eset.

    I only can conclude this one hasn't been databased yet by Eset.

    regards.

    paul
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I've seen it listed as Mimail.Z on some sites.

    That is the main problem we have. Why can't the antivirus vendors get together and at least agree on a name for these, so we can check a bit more easily?

    I've sent copies, Pieter has copies and I think he has sent them, all sent yesterday a.m. I will resend in case they have been misplaced.

    If you want a copy for your own interest or to check, let me know please.

    EDIT:

    I've resent them again to NOD at 17.09 GMT; let's see if they misplace this set.
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    One practical reason: update the databases as soon as possible, coming up with their own name, or verify with all similar companies first, agree on just one name, and database a nasty at least 24 hours later. Personally, I opt for the first solution ;)

    Pieter no doubt has sent copies to all major players involved ;)

    Thanks for the offer! Pieter is a good source here.

    I do applaud your effort! I'm pretty sure it will be a matter of time and this one will be databased.

    regards.

    paul
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Pleased to announce that it was included in update 1.627 on 18.02.04.

    A bit slow in my book, considering samples were sent on the 13th and I have personally seen several infected machines that I have had to manually clean for the users.

    Especially since Norton and others, including AVG, also had samples at the same time and included them much quicker than NOD.

    Still, all NOD users are protected now, so that is one good thing.
     
  10. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Yeah, indeed that does seem extremely pathetic to me. I used to think that NOD32 was not a "kitchen sink" type of AV utility, but that it was at least really good at prevalent threat detection. If it's not always good for that, either, then what is it good for? (Please--for anyone who wants to snipe at me for that position--explain to me exactly how it is acceptable for it to take 5 days to add a prevalent virus to the database, while other vendors already have it covered.)
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    All I would assume is that because NOD were one of the first to have detection for the original Doom virus and protected its users, then they wouldn't be infected by the dropped worm.

    This might be a reasonable view to take, except many people recommend NOD because the original antivirus wasn't protecting the user and they were infected and got NOD to cure the infections.

    I know NO antivirus is 100% effective, and on the whole I am more satisfied with NOD than other antiviruses, both in speed of scanning and in detecting and preventing or removing viruses.

    They just need to be a little bit quicker in including some of the newer viruses/trojans/worms/whatever.
     
  12. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    It should have been detected sooner. <==

    Good thing no VB100 test was taking place during that ITW detection failure time lapse. But then again, I'm sure if they knew a VB100 test was coming up, they would have rushed it right in.
     
  13. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Hi Nameless,
    I think you may have hit the nail on the head there!
    Steve
    (I think the same kind of charge can be levelled at most, if not all, AV vendors with respect to your observation regarding an imminent VB100 test; you know that I feel it can be/is used as a marketing tool!)
     
  14. F4

    F4 Guest

    Please, no anti-virus program can detect or respond to all viruses 100%, including NOD32, Kaspersky, McAfee or others.

    I think the ICSA Labs test result is enough to prove that almost every well-known anti-virus program can give its users equal protection in the ITW field. VB100 isn't everything in the anti-virus industry.

    http://www.icsalabs.com/html/communities/antivirus/labs.shtml
     
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    An antivirus can't compensate for all ills. It is just a tool. It is a mistake to rely on any one program to protect you. Practice safe computing instead. A link.

    http://www.teamanti-virus.org/rules.html
     
  16. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    It does look like NOD was a bit slow on this one.

    However, it has been my experience that NOD is usually one of the first AVs to provide timely updates for new viruses.
     