Nod32 missed Backdoor Trojan

Discussion in 'NOD32 version 2 Forum' started by Raptess, Nov 23, 2004.

Thread Status:
Not open for further replies.
  1. Raptess

    Raptess Guest

    Been using Nod32 now for almost 12 months, it's been fantastic :)

    Lately I've been having problems with my Windows XP Firewall. It will auto-disable itself, over and over, each time I turn it back on.
    A complete scan with Nod32 did not detect anything, so I tried another antivirus program.

    'eTrust' is what I tried, and it detected a 'Backdoor-CCB' Trojan located in my scvhost.exe file which was causing the problem. I would have sent in a copy of it, but it's been removed from my system now.

    I'm pretty sure I know where I got it from to start with, so I may even download the file again just so I can send in the trojan for the Nod32 guys to see.
     
  2. Marcos

    Marcos, Eset Staff Account. Joined: Nov 22, 2002. Posts: 14,374.

    Hi Raptess,
    no AV program will ever guarantee 100% detection of every single virus in the world, that would be so-called "perpetum mobile" in the antivirus world. However, Eset endeavours to get a 1st-class detection ratio exploiting the superb advanced heuristics which has been able to detect several thousands of not yet known viruses, worms and trojans.

    Whenever you find your machine behaving in a fishy manner, please download the utility HijackThis (http://209.133.47.12/~merijn/files/HijackThis.exe) and send the log created to support@nod32.com for analysis.
     
  3. Blackspear

    Blackspear, Global Moderator. Joined: Dec 2, 2002. Posts: 15,115. Location: Gold Coast, Queensland, Australia.

    Hi Raptess, that would be appreciated, if you can download the file, please zip it up and send it to samples@nod32.com

    Cheers :D
     
  4. nameless

    nameless, Registered Member. Joined: Feb 23, 2003. Posts: 1,184.

    You mean "perpetuum mobile", which (for those who don't want to bother looking it up) means "perpetual motion". I looked it up, but still don't understand how it applies here. I assume it means "an impossible, never-ending job".

    But the point is a good one. When I ran KAV 5.0 (that is, before being driven clinically insane by its astonishing CPU usage), I found two or three trojans that it missed (but TDS-3 caught). I submitted them, and they were added, but the point is made: No single AM product is perfect, even the venerable KAV.

    ---------
    P.S. I didn't become infected with these trojans; I merely came across them on Usenet, and downloaded them to test KAV 5.0. I'm glad I did. BTW, one of the trojans was what TDS refers to as "Trojan.Win32.Golid.b". The others I'm not sure of, since I can't find the emails I sent. It doesn't matter anyway.
     
  5. kairii

    kairii, Registered Member. Joined: Sep 9, 2004. Posts: 76.

    Look, no disrespect, and I'm a happy NOD32 user, but I'm kinda sick and tired of Eset people and the mods in here who keep saying how great NOD32's heuristics are... Please, next time when someone complains about NOD32 not detecting some viruses, it would be better to say something like "we will do some more research and we will update our database soon" or something along those lines.
     
  6. Edwin024

    Edwin024, Registered Member. Joined: Nov 14, 2004. Posts: 1,000.

    Don't forget that it can also be that the other package gave a false alert... NOD32 will not do that on that file and then it is the bad one? I don't agree on such a thought.
     
  7. dvk01

    dvk01, Global Moderator. Joined: Oct 9, 2003. Posts: 3,131. Location: Loughton, Essex. UK.

    Nod heuristics are very good on viruses and worms but not so good on trojans and adware.

    The name scvhost.exe has been used recently for several different malwares, including sdbot, agobot and about 9 or 10 different adware trojans.

    If it kept shutting down the firewall I would assume it to be an agobot or sdbot variant, and they are almost impossible to detect heuristically without getting too many false alarms, as much of the code inside them is similar to a lot of legitimate remote access applications.

    Any antivirus is only able to detect when samples are sent to it, so my advice is: don't complain when an antivirus doesn't recognise your particular bug, but send them a copy of the file.

    If they don't add detections or reply that it's harmless in a reasonable time, then complain here where the mods or Eset staff can pick up on it.

    I submit lots of files to Eset & KAV that I obtain in my "research".

    Sometimes I don't get a reply from them, but normally detections are done within 24 hours, frequently within a couple of hours, but every time a file has turned out innocent I have had a reply fairly quickly.
     
  8. Blackspear

    Blackspear, Global Moderator. Joined: Dec 2, 2002. Posts: 15,115. Location: Gold Coast, Queensland, Australia.

    Great advice Derek, thank you.

    Eset are growing at a rapid rate and with this need all the help that they can get with new samples from those that find them, the address is: samples@nod32.com

    Cheers :D
     
  9. Yeah Right

    Yeah Right Guest

    Is Eset not included among other AVs and the sharing of newly detected viruses? If so, they should have had it in their defs quite a while ago; obviously they didn't. This particular virus was added by most vendors to their defs in April 2004. What's up, Eset? o_O
     
  10. nameless

    nameless, Registered Member. Joined: Feb 23, 2003. Posts: 1,184.

    I'd love to know how you came into that bit of information, since you don't even know what version or variant of the "Backdoor-CCB" trojan was missed.
     