NOD32 v2 keeps missing Virtumode :-(

Discussion in 'NOD32 version 2 Forum' started by mtp318101, Jul 5, 2008.

Thread Status:
Not open for further replies.
  1. mtp318101

    mtp318101 Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    9
    I've read Blackspear's sticky about Virtumonde, but with that being said, I am having a terrible time with NOD32 missing these trojans. I'm running ver 2.70.39 and update daily. I have all the ThreatSense scanning options enabled. Once my system is infected, NOD32 sees the virus in memory, but it routinely fails to flag the initial dropper file.

    The most recent example I've come across is a 141K exe disguised as a rar file. 75% of the AV software at the online AV engine aggregators identify the file as being infected. If this was a new re-pack of Virtumonde, I could understand NOD32 not seeing it, but this file was first seen over two months ago.

    NOTE: I am NOT saying or implying that NOD32 is substandard for not identifying this file, nor am I saying that other AV software is better for *having* caught it. Rather, I'm just trying to understand why NOD32 doesn't seem to flag Virtumonde droppers, 'cause I am getting hammered by these darn things :-(

    Anyone's input is appreciated.
     
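    The file the original poster describes, an executable carrying a .rar name, is the kind of mismatch a mail gateway or intake script can catch on its own without a signature. The check below is an added example, not code from the thread or from ESET: it compares an attachment's claimed extension against its leading magic bytes and flags any PE executable that arrives under an archive name. The sample attachments are constructed inline (a minimal PE stub, not real malware) so the script runs offline.

```python
import struct

# Leading bytes of the archive formats this check understands.
MAGIC = {
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),  # RAR4 / RAR5
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),                     # local header / empty
}

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(name: str, data: bytes) -> str:
    """'masquerade' = executable under an archive name; 'mismatch' = wrong magic;
    'ok' = extension and magic agree; 'executable' / 'unknown' otherwise."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if is_pe(data):
        return "masquerade" if ext in MAGIC else "executable"
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown"
    return "ok" if data.startswith(expected) else "mismatch"

def _fake_pe() -> bytes:
    # Constructed stand-in for a dropper: a bare DOS header plus a PE signature.
    buf = bytearray(b"MZ" + b"\x00" * 0x3E)   # 64-byte DOS header
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    return bytes(buf) + b"PE\x00\x00" + b"\x00" * 20

# Constructed sample attachments, as a mail filter might see them.
SAMPLES = {
    "invoice.rar": _fake_pe(),                         # exe wearing a .rar name
    "designs.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 32,  # genuine RAR4 header
    "photos.zip": b"PK\x03\x04" + b"\x00" * 32,         # genuine ZIP header
    "oops.zip": b"\x00" * 32,                           # neither archive nor PE
}

def scan(samples=SAMPLES) -> dict:
    """Classify every attachment; anything not 'ok' deserves quarantine or review."""
    return {name: classify(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:12s} {verdict}")
```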
  2. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Yeah, big increase in our clients over the past few weeks (WinAntivirus2008/XPAntivirus)... and most of the clients are people that I know aren't surfing bad sites or downloading things (boring librarian-type office staff).
     
  3. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    WinAntivirus2008/XPAntivirus are the culprits, right? This is malware, or am I not informed correctly?

    A friend of mine also 'installed' WinAntivirus 2008, claiming it was a new and very good virus scanner...
     
  4. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Yes... those are some common users of the trojan. And no, it's not a very good virus scanner... it's a "rogue" product.

    Infections have absolutely exploded over the past few weeks. I've had a lot of my end users getting it, and I'm seeing the same trend across many other tech forums: IT people seeing a huge rise in infections of this trojan. Add to this, a lot of light/normal users are catching it on their PCs. I'm talking about boring innocent ladies who are librarian-type users, not just kids catching this trojan at porn or warez sites.
     
  5. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Makes you wonder how those 'librarian types' get infected.
    Drive-by-downloads? This would mean that a lot of legit sites are infected with this crap as well...
     
  6. mtp318101

    mtp318101 Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    9
    Virtumonde (Vundo) is malware:

    http://en.wikipedia.org/wiki/Vundo_trojan

    We are getting these via email. We run a design firm, so getting email attachments (rar, zip, etc.) is pretty common. We rely on NOD32 to catch these files in email and upon running. I don't think ESET is including these Virtumonde "dropper" programs in its signature database, maybe to keep NOD32's scanning overhead low?

    To be fair to NOD32, as Blackspear said in his FAQ, malware writers design these files and then upload them to VirusTotal until they get a "clean" report. What gives me pause is that all the *other* virus programs *are* catching these. Again, in this example it was a small rar file seen by VirusTotal almost two months ago. And this is happening more and more: I've collected about 7 of these droppers, and none are detected by NOD32.
     
  7. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I had a customer bring me her computer with the same scenario. She downloaded it because some site told her she needed it, one of those "your computer is infected, click here to clean it" type of things.

    I installed NOD32 v3 and did several scans in safe mode, and also threw on SuperAntiSpyware and did a few deep scans with it in safe mode. Plus I also cleared out all temp folders and made sure there were no rogue entries in the registry, and it seemed to fix it just fine.

    I know this won't be the "cure-all" for everyone, but it helped.

    * Turn off system restore
    * Clear out all temp folders
    * Do a full scan in safe mode

    I also install SpywareBlaster on all the systems I clean, just to help out a bit too.
     