NOD32 don't know a worm - ESET don't react?!

Hello,

since the beginning of this week, a new worm spreads the world wide web.
I noticed, that NOD32 didn't know the virus - it was the first time that I notice NOD didn't know a worm

So I send more than one exemplar (alle different files) to NOD32 as it is shown in this faq: http://www.nod32.com/support/ans/9d.htm . I am shocked that ESET released a new update (NOD32 - 1.1092 (20050510) / posted 14:56 GMT +1), which didn't detect the worm, too. Now, 24h hours later, the worm ist still unknown!

http://www.heise.de/security/news/meldung/59415

Bitdefender: BehavesLike:Win32.ExplorerHijack
Kaspersky: Trojan-Downloader.Win32.Small.aty

I don't understand why ESET does not list the virus.

 

Many antivirus companies list baddies by a different name. Also, if it's picked up heuristically, not by signatures, it won't be listed.

Be sure you are using Blackspear's extra settings listed here...
https://www.wilderssecurity.com/showthread.php?t=37509

 

Well, if it is listed or not - that doesn't matter. It is only important, that the antivirus program detectes the virus and this is actual, what NOD32 didn't do.

And yes, NOD32 scans deep (like Blackspear wrote).

 

I'am shocked, all my company use nod32, who will be responsible if virus damage important documents?

 

If it was very dangerous worm it would be added to signatures immediately... Let's give ESET just enough time

 

IMO, I would say (apart the main responsability of the malware author) that the user who execute the trojan would be still responsible for his negligence. BTW, why are you saying that it is a worm? IMO it is a trojan.

 

Please understand me. I don't want to blame ESET.
I just want to know, why NOD32 don't detect this virus. As I have said before, since this worm, I didn't find any virus, which wasn't detected by NOD32.

I can only imagine the following reason:
This virus only configures the computer to download the real one (TROJ_DLOADER.LN). This is detected. So ESET thinks, that the "Loader" isn't important - but I would say it is wrong, because it would reconfigure your computer to load the virus everytime it starts up...

 

Just let's give them time... they will reply..

 

ok, mistakes happen, but i hope it won't repeat in future.

 

Thomas you and the anon boys posting crack me up ..nice work though..I am sure NOD will be whistling through that one with not much problem.

Best to all of you and regards to Jens.


Hier hättest du nicht drauf gehen sollen...









Dein Fehler

 

Since you have sent the virus to Eset, I'm totally sure, it will be added to virus database.
I'm sure Eset Team is taking care of it.
Let's wait for Cool Daddy or Marcos.

Best Regards,

DonKid.

 

Again, this is a Trojan. If you have sent the file to Eset, you can be sure that it is added if it is malware.

Like DonKid said, lets wait for HB

 

Well... wait wait... - I can't wait. If I get such a file, and wouldn't know "do not open files you don't know...", I would click it. 2mins later I will be infected - yeah. Sorry, it doesn't matter which antivirus product I am using, If a new virus is in the wild, every second counts!

I've got logfiles from my mailserver. Clamav is filtering and filtering. I hope you understand me. Every one can say "wait" - but it doesn't matter, If i am infected, the avp failed.

 

But you know, so you won't click it, right? Problem solved If you're "complaint" is that serious, contact Eset directly, or find an AV product that updates their defs seconds after a new threat hits the net.

 

Well, Whissi may know, but that does not mean that the next person who happens to use his computer also knows. It is not really fair to expect users of antivirus programs to know all the viruses in advance. Otherwise, why even use the program at all?

 

My experience with ESET? Two samples sent, both added within 48 hours.
Good enough for me.

 

I have to ask what your user is doing clicking on anything unless he/she is positive it is not a virus. Doing anything else is like playing russian roulette.

A good AV program is the LAST line of defence, it is not the first line. The first line is well trained users and fully updated systems that are properly configured. A good AV program is just a backup for when the above fails.

Almost every one I know who has ever been infected ran "good" AV software. However, had they bothered to understand just the basics they would never have been infected at all.

John

 

Nod32 is a very good av.I have never had a problem nor have I ever got any sort of bug, so to speak. It updates quite frequently and its hueristics are great. Check out virusbulletin. It hasn't missed an "in the wild" virus for a long time.Just my 2 cents.

 

I don't expect it - but If I found a virus, which isn't detected and send it into the lab, I expect, that they will work asap on it.

If I shouldn't expect those behavior, I am wrong with this product.

It is, yes. Till now, I thought it was perfect. But...

Wodahs:
You are right, but however - don't you think the av company have to react? You don't need a "backup line", which fails If you need it...

 

It's been said several times on this forum that Eset picks up signatures on a per-need basis. I for one do not think adding a signature for a trojan downloader that does not add any entry to the registry nor the url it attemtps to download other malicious files from does not work should take priority over working worms, trojans and other malware...

 

But this one adds registry keys.

 

How do you know? We analysed it and there's NO function for writing into the registry.

 

This trojan injects code into the internet explorer for a NON-EXISTING download file. This is done via CreateRemoteThread. That's it.

 

Hi Whissi,

Are you sure you have sent all of the virus components you found to ESET and the other vendor ?




Troj/Divlo-A is a downloader Trojan. Aliases Trojan-Downloader.Win32.Small.aty


Troj/Divlo-A will inject its downloading code into Internet Explorer in an attempt to hide its activity and bypass firewalls.

At the time of writing, Troj/Divlo-A downloads and runs Troj/Dloader-NC.


http://www.sophos.com/virusinfo/analyses/trojdivloa.html


Troj/Dloader-NC is a Windows downloader Trojan.
When run the Trojan drops a DLL component with a random name into the Windows folder. The dropped DLL component with the random name then injects the Trojan into the Windows Internet Explorer process.
When the randomly named DLL component is run, the Trojan drops another file smartdrv.dll into the Windows folder and runs it.
The randomly named DLL component and SMARTDRV.DLL is also being detected as Troj/Dloader-NC.
When SMARTDRV.DLL is run, the file attempts to download files from various remote websites to the Windows folder as smtXX.tmp (where XX is any random sequence of letters and numbers) and run them.
The Trojan also creates the following registry entries:
HKLM\SOFTWARE\Classes\CLSID\(random classID 1)
(default)
<random name>
HKLM\SOFTWARE\Classes\CLSID\(random ClassID 1)\InprocServer32
(default)
%WINDOWS%\<dropped DLL filename>
HKLM\SOFTWARE\Classes\CLSID\(random ClassID 1)\InprocServer32
ThreadingModel
Apartment
HKLM\SOFTWARE\Microsoft\clsid
(random ClassID2 )
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
(random classID 1)
""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
USB
<path to Trojan>
HKCU\Software\ODBC
last_download_id
HKLM\Software\ODBC
last_download_id http://www.sophos.com/virusinfo/analyses/trojdloadernc.html

Now this new other one out there again called Whistler is the real nasty one to watch for

http://www.sophos.com/virusinfo/analyses/trojwhistlerf.html

 

And I mention above that nasty Whistler Trojan for this reason.

Do you see here where sophos has only added a detection for it on 10 May 2005 ?


http://www.sophos.ch/virusinfo/analyses/trojwhistlerf.html

Well Norton has been detecting it since
Discovered on: September 24, 2001
Last Updated on: April 15, 2002 04:55:05 PM



http://www.sarc.com/avcenter/venc/data/w32.whiter.trojan.html

And the actions of this Trojan depends on how it was configured by the hacker


So my thoughts to you are these.

Trojan-Downloader.Win32.Small.aty is an annoying IE hijacker that is easy to clean and it appears you have a firewall that stopped it from further progress.

I would not be too concerned that MY AV did not pick it up immediately even after it was submitted.


But I would be very concerned if it could not detect and stop something like Whistler because that type will destroy my PC and its files.