Poison rat

Discussion in 'NOD32 version 2 Forum' started by starforce, Jun 26, 2007.

Thread Status:
Not open for further replies.
  1. starforce

    starforce Registered Member

    Joined:
    Jun 26, 2007
    Posts:
    6
    Hello m8,
    Nod32
    maybe the worst updates.
    You know that PI 2. has been released a few days ago -
    30 days exactly - and it is still undetected by NOD32.
    Why? WTF, a lot of pips trust you, please explain.
    :mad:
    Regards
    starforce
     
    Last edited: Jun 26, 2007
  2. ASpace

    ASpace Guest

  3. sasa843

    sasa843 Registered Member

    Joined:
    Feb 1, 2007
    Posts:
    113
    Location:
    Serbia, Europe
    Please try to explain your question much better!
    I am also interested in how you would pronounce what you wrote in your first post.
     
  4. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Please allow me to translate. :rolleyes: Some sort of malware (I'm guessing a trojan) was detected by the original poster 30 days ago and it is apparently still not detected by NOD. Therefore NOD's updates are the worst and NOD is letting all its users down. Oh, and he wants an explanation for this apparent oversight.
     
  5. ASpace

    ASpace Guest

    Very kind of you ... :D :D
     
  6. Zebbie79

    Zebbie79 Registered Member

    Joined:
    Jun 26, 2007
    Posts:
    7
    Yeah, they are always slow (I send a lot of samples to different AVs). Hopefully this thread will speed them up. I tested some poison-servers on virustotal, almost all big AVs detect it except NOD32, Symantec and McAfee.
     
  7. Zebbie79

    Zebbie79 Registered Member

    Joined:
    Jun 26, 2007
    Posts:
    7
    And I sent this to them the same day it was released, and since most AVs have added detection but not NOD32, they cannot be trusted by me.:thumbd:
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    https://www.wilderssecurity.com/showpost.php?p=1028952&postcount=20
     
  9. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Is he talking about poison ivy ~Link removed~ - (not-a-virus:RemoteAdmin.Win32.Poison Ivy.20) (Backdoor.Win32.PoisonIvy.j for Server)

    Thanks,

    Chris
     
    Last edited by a moderator: Jun 26, 2007
  10. starforce

    starforce Registered Member

    Joined:
    Jun 26, 2007
    Posts:
    6
    Sorry for my English, big love from Israel. I was at work so I could not reply to the posts, and the RAT is Backdoor.Win32.PoisonIvy lol, it is undetected by NOD32?
    Why so? Run time and scan time.
    P.S.
    Sorry for the pips
     
    Last edited: Jun 27, 2007
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    There's a signature for this sample, Win32/RemoteAdmin.PoisonIvy.230 (3), in the newest update.
     
    Last edited by a moderator: Jun 29, 2007
  12. starforce

    starforce Registered Member

    Joined:
    Jun 26, 2007
    Posts:
    6
    Not the server, the server is undetected so far, 31 days :mad:
    Run time, scan time.
    Norton, the worst AV, can detect it and NOD not, why?
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    o_O :blink:

    NOD32v2 2359 06.27.2007 Win32/RemoteAdmin.PoisonIvy.230

    File size: 2105798 bytes
    MD5: fd287794107630fa3116800e617466a9
    SHA1: 19862253caacadd621aaa74b78b334c01f4f346c
     
  14. starforce

    starforce Registered Member

    Joined:
    Jun 26, 2007
    Posts:
    6
    The client is detected, not the server? Only the RAT, not the server?
     
  15. Zebbie79

    Zebbie79 Registered Member

    Joined:
    Jun 26, 2007
    Posts:
    7
    Just did a scan. The server is now detected as Win32/Poison.K. Better late than never.:cool:
     
  16. starforce

    starforce Registered Member

    Joined:
    Jun 26, 2007
    Posts:
    6
    What version of sig do you have?
    I have sig ver no. 2359, 27.06.2007.
    The server is not detected.
     
  17. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Is this thread about the Poison/Ratt tour going down this summer? :D
     
  18. WigglyTheGreat

    WigglyTheGreat Registered Member

    Joined:
    Jul 10, 2006
    Posts:
    137
    lol ha ha
     
  19. innocent

    innocent Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    1
    Sorry to resurrect this thread but it is kind of important (to me at least).

    I'm an official NOD32 reseller, although I have not sold much lately as I have nearly wound up my business. I've been proudly shouting the virtues of NOD32 for about 4 years now and I've been very pleased with how it's been received, its detection rate and its very low footprint.

    However, 2 weeks ago I had cause to question my loyalties.
    I noticed on a Friday night, whilst doing a little housekeeping, that I had 2 instances of Firefox running in processes.

    Shut the Firefox that was using about 35mb and then tried to kill the FF using 3502kb in task manager.

    It restarted within 20 seconds.

    Spent about 10 mins trying to kill it. Then spent another hour or so trying to find out what was happening.

    Finally found the answer on Mozilla forums - it was a Poison Ivy (PI) infection.

    Now then, starforce's post is actually almost identical to a post on the support forum for PI (yes they have support forums, open to anyone) bragging that the latest version of PI went undetected by NOD32.

    The server element can be encrypted and hidden using rootkits, it sat on 2 of my systems and the keylogger data was frightening.

    If you want to read up then go here:

    hxxp://poisonivy-rat.com/

    and the forums can be found here:

    hxxp://forums.chasenet.org/

    obviously change the xx's for tt's

    PI is sold as a Remote Administration Tool (rat), for sys admins and the like. However, its primary use seems to be for unlawful purposes - the forum seems to support this.

    This is the first time I have ever had an infection on any of my systems, and to be hit twice is hard to swallow.

    I know how it got on my systems (teach me to help a friend!) so all I'd say is be very careful about your faith in your AV - mine is very much shaken and it will take a while for Eset to convince me they should be the prime choice for my customers.

    Regards
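The symptom described above (a second, small "Firefox" process that comes back under a new PID within seconds of being killed) can be turned into a simple triage check. This is an added example, not code from the thread or from ESET; the process snapshots and PIDs below are constructed, and the respawn window is an assumed threshold.

```python
"""Flag process images that reappear under a new PID shortly after vanishing.

Added example, not from the thread. Walks a series of process snapshots
(time, [processes]) and reports every image name that disappears and comes
back with a different PID within `window_s` seconds, which is the pattern
the poster saw: kill the ~3.5 MB "firefox.exe", it is back within 20 s.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    rss_kb: int  # resident set size, as Task Manager's "Mem Usage" column


# Constructed snapshots: seconds since start, then the process list at that time.
SNAPSHOTS = [
    (0,  [Proc(1200, "firefox.exe", 35000), Proc(1337, "firefox.exe", 3502), Proc(800, "explorer.exe", 20000)]),
    (10, [Proc(1200, "firefox.exe", 35000), Proc(800, "explorer.exe", 20000)]),   # PID 1337 killed by hand
    (25, [Proc(1200, "firefox.exe", 35000), Proc(1402, "firefox.exe", 3498), Proc(800, "explorer.exe", 20000)]),  # back
    (40, [Proc(1200, "firefox.exe", 35000), Proc(1402, "firefox.exe", 3498), Proc(800, "explorer.exe", 20000)]),
]


def find_respawns(snapshots, window_s=60):
    """Return a list of (name, old_pid, new_pid, seconds_between) tuples.

    A hit means an image name vanished and a new PID with the same name
    appeared within window_s. A legitimate user relaunch also matches, so
    treat a hit as a reason to look at the binary's path and signer, not
    as proof of infection.
    """
    last_name = {}   # pid -> image name, for PIDs seen in the previous snapshot
    gone = []        # (name, pid, time_disappeared) awaiting a possible return
    findings = []
    prev_pids = set()
    for t, procs in snapshots:
        cur = {p.pid: p for p in procs}
        for pid in prev_pids - cur.keys():          # present before, absent now
            gone.append((last_name[pid], pid, t))
        for pid in cur.keys() - prev_pids:          # absent before, present now
            for entry in list(gone):
                gname, gpid, t_gone = entry
                if gname == cur[pid].name and t - t_gone <= window_s:
                    findings.append((gname, gpid, pid, t - t_gone))
                    gone.remove(entry)              # pair each exit with one return
                    break
        last_name = {p.pid: p.name for p in procs}
        prev_pids = set(cur)
    return findings


if __name__ == "__main__":
    for name, old, new, secs in find_respawns(SNAPSHOTS):
        print(f"{name}: PID {old} exited, PID {new} appeared {secs}s later")
```

On a live system the snapshots would come from periodic `tasklist` output or an equivalent API; the constructed data only reproduces the timing the poster described.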
     
  20. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    There does seem to be a number of threads around regarding missed viruses... I think NOD needs to catch another big zero-day virus via heuristics to restore everybody's faith. It has done it before, and I'm sure it can do it again :)

    I, too sometimes feel that NOD could do better, but then again - no AV will catch everything, and I have never had a big problem with a virus before.

    I'll just sit and pray that something comes up that makes me glad I'm an Eset customer once again.
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Eset keeps improving the heuristics. It all boils down to the sample set you use for comparing AVs. I could give you tons of examples where you would be protected with NOD32 only, so please stop this bashing that NOD32 is getting worse in detection.
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    By the way, I could not download any PR from hxxp://poisonivy-rat.com. Each file available on that website was blocked by NOD32.
     
  23. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    I was not "bashing", as you put it. The fact I still use NOD on my machine is testament enough to that. My post was merely commenting on the fact that the hundreds of other posts bashing NOD's apparent 'lack of detections' can be demoralising for other customers - and I was suggesting that NOD may block another large threat pro-actively in the future, which would make everyone swallow their words if they dared bash NOD's detection rate.

    Nevertheless I apologise if it seemed like I was bashing :)
     
  24. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    I'd like to see screenshots of those samples that only NOD detects uploaded on Jotti, etc. Put your mouth to the test please.
     
  25. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No, we will not have anyone goading ESET Staff with such silliness. As already pointed out multiple times, every single antivirus (inclusive of NOD32) will miss samples at some point in time; 100% detection is not plausible with current technology.

    Blackspear.
     