NOD32 doesn't know a worm - ESET doesn't react?!

Discussion in 'NOD32 version 2 Forum' started by Whissi, May 11, 2005.

Thread Status:
Not open for further replies.
  1. Whissi

    Whissi Registered Member

    Joined:
    May 11, 2005
    Posts:
    51
    Location:
    Germany
    Hello,

    Since the beginning of this week, a new worm has been spreading across the world wide web.
    I noticed that NOD32 didn't know the virus - it was the first time I have noticed NOD not knowing a worm :eek:

    So I sent more than one sample (all different files) to NOD32 as shown in this FAQ: http://www.nod32.com/support/ans/9d.htm . I am shocked that ESET released a new update (NOD32 - 1.1092 (20050510) / posted 14:56 GMT +1) which didn't detect the worm either. Now, 24 hours later, the worm is still unknown!

    http://www.heise.de/security/news/meldung/59415

    Bitdefender: BehavesLike:Win32.ExplorerHijack
    Kaspersky: Trojan-Downloader.Win32.Small.aty

    I don't understand why ESET does not list the virus.
     
  2. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
  3. Whissi

    Whissi Registered Member

    Joined:
    May 11, 2005
    Posts:
    51
    Location:
    Germany
    Well, whether it is listed or not doesn't matter. The only important thing is that the antivirus program detects the virus, and that is exactly what NOD32 didn't do.

    And yes, NOD32 scans deep (like Blackspear wrote).
     
  4. hhm

    hhm Guest

    I'm shocked, my whole company uses NOD32; who will be responsible if the virus damages important documents?
     
  5. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    If it was a very dangerous worm it would be added to the signatures immediately... Let's just give ESET enough time :)
     
  6. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    IMO, I would say (apart from the main responsibility of the malware author) that the user who executes the trojan would still be responsible for his negligence. BTW, why are you saying that it is a worm? IMO it is a trojan.
     
  7. Whissi

    Whissi Registered Member

    Joined:
    May 11, 2005
    Posts:
    51
    Location:
    Germany
    Please understand me. I don't want to blame ESET.
    I just want to know why NOD32 doesn't detect this virus. As I have said before, before this worm I didn't find any virus which wasn't detected by NOD32.

    I can only imagine the following reason:
    This virus only configures the computer to download the real one (TROJ_DLOADER.LN). That one is detected. So ESET thinks that the "loader" isn't important - but I would say that is wrong, because it would reconfigure your computer to load the virus every time it starts up...
     
  8. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Let's just give them time... they will reply...
     
  9. hhm

    hhm Guest

    OK, mistakes happen, but I hope it won't be repeated in future.
     
  10. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    :D :D Thomas, you and the anon boys posting crack me up :p ... nice work though... I am sure NOD will be whistling through that one with not much problem.

    Best to all of you and regards to Jens.


    You shouldn't have clicked on that here...

    Your mistake :)
     
  11. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    Since you have sent the virus to Eset, I'm totally sure it will be added to the virus database.
    I'm sure Eset Team is taking care of it.
    Let's wait for Cool Daddy or Marcos.

    Best Regards,

    DonKid.
     
  12. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Again, this is a Trojan. If you have sent the file to Eset, you can be sure that it will be added if it is malware.

    Like DonKid said, let's wait for HB :D
     
  13. Whissi

    Whissi Registered Member

    Joined:
    May 11, 2005
    Posts:
    51
    Location:
    Germany
    Well... wait, wait... - I can't wait. If I got such a file and didn't know "do not open files you don't know...", I would click it. Two minutes later I would be infected - yeah. Sorry, it doesn't matter which antivirus product I am using; if a new virus is in the wild, every second counts!

    I've got log files from my mail server. ClamAV is filtering and filtering. I hope you understand me. Everyone can say "wait" - but it doesn't matter; if I am infected, the AV program failed.
     
  14. Yogi'sFirst

    Yogi'sFirst Registered Member

    Joined:
    Feb 23, 2005
    Posts:
    6
    But you know, so you won't click it, right? Problem solved :D :D If your "complaint" is that serious, contact Eset directly, or find an AV product that updates their defs seconds after a new threat hits the net.
     
  15. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Well, Whissi may know, but that does not mean that the next person who happens to use his computer also knows. It is not really fair to expect users of antivirus programs to know all the viruses in advance. Otherwise, why even use the program at all? :rolleyes:
     
  16. Ailric

    Ailric Guest

    My experience with ESET? Two samples sent, both added within 48 hours.
    Good enough for me. ;)
     
  17. Wodahs

    Wodahs Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    15
    I have to ask what your user is doing clicking on anything unless he/she is positive it is not a virus. Doing anything else is like playing Russian roulette.

    A good AV program is the LAST line of defence, it is not the first line. The first line is well trained users and fully updated systems that are properly configured. A good AV program is just a backup for when the above fails.

    Almost everyone I know who has ever been infected ran "good" AV software. However, had they bothered to understand just the basics they would never have been infected at all.

    John
     
  18. benton4

    benton4 Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    158
    Location:
    Oregon
    NOD32 is a very good AV. I have never had a problem, nor have I ever got any sort of bug, so to speak. It updates quite frequently and its heuristics are great. Check out Virus Bulletin. It hasn't missed an "in the wild" virus for a long time. Just my 2 cents.
     
  19. Whissi

    Whissi Registered Member

    Joined:
    May 11, 2005
    Posts:
    51
    Location:
    Germany
    I don't expect it - but if I find a virus which isn't detected and send it to the lab, I expect that they will work on it ASAP.

    If I shouldn't expect that behaviour, then I am wrong with this product.

    It is, yes. Till now, I thought it was perfect. But...

    Wodahs:
    You are right, but still - don't you think the AV company has to react? You don't need a "backup line" which fails when you need it...
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's been said several times on this forum that Eset picks up signatures on a per-need basis. I for one do not think that adding a signature for a trojan downloader which does not add any entry to the registry, and whose URL for downloading other malicious files does not work, should take priority over working worms, trojans and other malware...
     
  21. Whissi

    Whissi Registered Member

    Joined:
    May 11, 2005
    Posts:
    51
    Location:
    Germany
    But this one adds registry keys.
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    How do you know? We analysed it and there's NO function for writing into the registry.
     
  23. Happy Bytes

    Happy Bytes Guest

    This trojan injects code into Internet Explorer for a NON-EXISTING download file. This is done via CreateRemoteThread. That's it.
     
  24. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hi Whissi,

    Are you sure you have sent all of the virus components you found to ESET and the other vendor?

    Troj/Divlo-A is a downloader Trojan. Aliases: Trojan-Downloader.Win32.Small.aty

    Troj/Divlo-A will inject its downloading code into Internet Explorer in an attempt to hide its activity and bypass firewalls.

    At the time of writing, Troj/Divlo-A downloads and runs Troj/Dloader-NC.

    http://www.sophos.com/virusinfo/analyses/trojdivloa.html

    Troj/Dloader-NC is a Windows downloader Trojan.
    When run the Trojan drops a DLL component with a random name into the Windows folder. The dropped DLL component with the random name then injects the Trojan into the Windows Internet Explorer process.
    When the randomly named DLL component is run, the Trojan drops another file smartdrv.dll into the Windows folder and runs it.
    The randomly named DLL component and SMARTDRV.DLL are also detected as Troj/Dloader-NC.
    When SMARTDRV.DLL is run, the file attempts to download files from various remote websites to the Windows folder as smtXX.tmp (where XX is any random sequence of letters and numbers) and run them.
    The Trojan also creates the following registry entries (key / value name / data):
    HKLM\SOFTWARE\Classes\CLSID\(random ClassID 1) / (default) / <random name>
    HKLM\SOFTWARE\Classes\CLSID\(random ClassID 1)\InprocServer32 / (default) / %WINDOWS%\<dropped DLL filename>
    HKLM\SOFTWARE\Classes\CLSID\(random ClassID 1)\InprocServer32 / ThreadingModel / Apartment
    HKLM\SOFTWARE\Microsoft\clsid / (random ClassID 2)
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks / (random ClassID 1) / ""
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run / USB / <path to Trojan>
    HKCU\Software\ODBC / last_download_id
    HKLM\Software\ODBC / last_download_id

    http://www.sophos.com/virusinfo/analyses/trojdloadernc.html

    Now this other new one out there, called Whistler, is the real nasty one to watch for ;)

    http://www.sophos.com/virusinfo/analyses/trojwhistlerf.html
     
    Last edited: May 12, 2005
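    As an added example (not code from this thread, Sophos or ESET), here is a small Python audit that parses a constructed reg-export fragment and cross-references the ShellExecuteHooks, Run and ODBC entries from the Sophos description above: a hook CLSID whose InprocServer32 points at a DLL dropped directly in the Windows folder, a Run value named USB, and the last_download_id marker. The GUIDs, DLL name and paths are constructed; a live check would read the hive through winreg instead of text.

```python
"""Audit a registry export for the Troj/Dloader-NC persistence entries listed in
the Sophos write-up quoted above. Added example; reg text and GUIDs are constructed."""
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000AAAA-1111-2222-3333-444455556666}\InprocServer32]
@="C:\\WINDOWS\\qjxkzpwd.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000BBBB-1111-2222-3333-444455556666}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0000BBBB-1111-2222-3333-444455556666}"=""
"{0000AAAA-1111-2222-3333-444455556666}"=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"USB"="C:\\WINDOWS\\smartdrv.dll"
[HKEY_CURRENT_USER\Software\ODBC]
"last_download_id"="17"
"""
HKLM, HKCU = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"
HOOKS = HKLM + r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS"
RUN = HKCU + r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"

def parse_reg(text):
    """Return {KEY_PATH: {value_name: data}}; '@' holds the (default) value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()          # registry keys are case-insensitive
            keys[current] = {}
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
    return keys

def audit(keys):
    """One finding per suspicious entry; benign hooks and Run values pass through."""
    findings = []
    for clsid in keys.get(HOOKS, {}):             # resolve each hook CLSID to its server DLL
        srv = keys.get(f"{HKLM}\\SOFTWARE\\CLASSES\\CLSID\\{clsid.upper()}\\INPROCSERVER32", {})
        parts = srv.get("@", "").lower().split("\\")   # Sophos: %WINDOWS%\<dropped DLL>
        if len(parts) == 3 and parts[1] == "windows" and parts[2].endswith(".dll"):
            findings.append(f"ShellExecuteHook {clsid} -> {srv['@']}")
    for name, data in keys.get(RUN, {}).items():  # Sophos: Run\USB = <path to Trojan>
        if name.lower() == "usb" or data.lower().endswith("\\smartdrv.dll"):
            findings.append(f"Run value {name} -> {data}")
    for hive in (HKLM, HKCU):                     # last_download_id marker under ODBC
        if "last_download_id" in {v.lower() for v in keys.get(hive + r"\SOFTWARE\ODBC", {})}:
            findings.append(f"{hive}\\Software\\ODBC\\last_download_id present")
    return findings
```

    Run it as `audit(parse_reg(open("export.reg").read()))` on a real `reg export` file; the benign shell32 hook and ctfmon Run entry in the sample produce no findings.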
  25. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    And I mentioned above that nasty Whistler Trojan for this reason.

    Do you see here where Sophos has only added a detection for it on 10 May 2005?

    http://www.sophos.ch/virusinfo/analyses/trojwhistlerf.html

    Well, Norton has been detecting it since
    Discovered on: September 24, 2001
    Last Updated on: April 15, 2002 04:55:05 PM

    http://www.sarc.com/avcenter/venc/data/w32.whiter.trojan.html

    And the actions of this Trojan depend on how it was configured by the hacker :mad:

    So my thoughts to you are these.

    Trojan-Downloader.Win32.Small.aty is an annoying IE hijacker that is easy to clean, and it appears you have a firewall that stopped it from further progress.

    I would not be too concerned that MY AV did not pick it up immediately, even after it was submitted.

    But I would be very concerned if it could not detect and stop something like Whistler, because that type will destroy my PC and its files. :ninja:
     