Protected from GAOBOT?

Discussion in 'NOD32 version 2 Forum' started by Dazed_and_Confused, May 5, 2004.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Was just reading a post in the TDS-3 Forum regarding an unfortunate user that was infected by W32.Gaobot.AFJ ( https://www.wilderssecurity.com/showthread.php?t=30581).

    According to TEMPNEXUS, KAV identified the strain. His comments regarding NOD32 and other AVs:

    Any ideas as to why NOD32 can't identify the strain, while KAV can? o_O
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    A quote from the thread you mention:

    dvk01
    Spyware Moderator

    At the last count there were over 900 different agobot versions actually in the wild

    I have found several new ones in the last week that nothing detected, including the KAV scanner, but all went to all the antivirus vendors including Diamond. Unfortunately, since all the "kiddies" have the source code for agobot and a tiny mutation stops automatic detection, we are fighting a continual battle with this one.

    Seems to explain the question.
    :)
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hi, Ronjor!

    As you aptly quoted:

    Yes, that's why an AV can't detect them all, but the fact still stands that KAV caught this one and NOD32 didn't. :oops: I've been testing NOD32 for about three weeks now. So far so good - until I read this. Not to say that NOD32 is not a fine AV, but I can see that maybe I need to continue shopping around...
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Looking at your security portfolio, I would say you have all the bases covered.

    I use Nod because it is efficient and fast. I keep my system up to date as far as patches, and don't put myself at risk.

    I don't believe Nod will let you down. However, I do use a backup on-demand scanner too. Nod takes the lead though.

    Your system looks tightened up to me. :)
     
  5. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile

    >Yes, that's why an AV can't detect them all, but the fact still stands that KAV caught this one and NOD32 didn't.
    I have many worms that KAV doesn't detect and NOD detects. No AV detects all; there is a lot of malware that one AV catches and another doesn't. It's logical.
     
  6. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, Ronjor. :D

    I try my best to run a tight ship. But as TEMPNEXUS found, looks can be deceiving. I have to admit, NOD32 has worked well for me so far. But I was really shaken when I read about TEMPNEXUS' predicament. Last thing I want to be doing is rebuilding my file server. That can really ruin a weekend. :eek:

    PS. Hope all is well in the Lone Star State - Lived there most of my life!
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    I sent you a link that might help via mail.

    I really don't understand how anyone could leave Texas! :D
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You do indeed run a tight ship. Only one thing is missing: "Spyware Guard", another program by Javacool, available here at Wilders. It's pretty impressive.

    I wouldn't be too worried about Nod; it also is an impressive program, and Eset remain on the ball. They are very quick to update their databases, and Nod's heuristics are fantastic: I have personally seen it grab 2 new viruses BEFORE the patterns were updated. Now, I am a reseller, so some would say biased; however, I have used the program for about 2 years and have sold hundreds and hundreds of copies, even though there are plenty of other AV programs out there that I can make a lot more money from, and I am still REALLY impressed with Nod.

    Hope this helps...

    Cheers :D
     
  9. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Blackspear - Hi!

    Thanks for the suggestion. I actually looked at Spyware Guard, but found Webroot's Spy Sweeper to be a superior tool. Their Spyware Blaster seems to be a nice tool.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Good news for you all - NOD32 detects all (even not yet known) variants of Agobot using Advanced heuristics.
     
  11. Gnam

    Gnam Guest

    Okay, can you explain this, please? :)

    Are you talking about Imon or Amon? I can only see Standard and Deep options in both cases.

    Or are you talking about the right-click context menu add-on installation?

    Gnam,
    increasingly confused (and doubtful)
     
  12. Emil

    Emil Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    41
    Location:
    Romania
    Imon has the option to use advanced heuristics, active by default. You can find it through imon->setup.

    For the on-demand scanner you have to follow one of these two ways:

    search on the forum for NOD32SE, a shell extension for NOD32 that scans selected objects from the context menu with the /ah switch active (supposing that you have already installed NOD32),

    or

    launch nod32 from the DOS prompt: \nod32 /ah.

    Marcos wants to say that if you use these, you can find Agobot.
     
  13. Emil

    Emil Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    41
    Location:
    Romania
    About using /ah in AMON: it is a long and sad story. Welcome!

    AMON does not have the /ah option, at least for the moment.
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    There will be an HTTP scanner integrated in the upcoming version of program components. Of course, it will take advantage of all NOD32's features, like advanced heuristics, archive and runtime-packed file scanning, etc. The beta version is planned to be released any time soon and I'll bet you won't be disappointed ;-)
     
  15. Someguy

    Someguy Registered Member

    Joined:
    Mar 23, 2004
    Posts:
    26
    I heard today in the news about a "Phatbot" worm, that would specialize in getting passwords from eBanking applications.

    Are those related, and does NOD32 detect this one? I could not find it in the Virus signature database updates.
     
  16. Habiru

    Habiru Registered Member

    Joined:
    May 4, 2004
    Posts:
    43
    Location:
    Fredericton
    Security Portfolio: TDS3; NOD32; PortExplorer; ZAPro; RoboForm; Anonymizer; SpywareBlaster; Spybot S&D; VisualZone; WindowsWasher; RegProtect; AdAware; ABICoder; IMSecure; Eraser; Spy Sweeper; Thawte Personal E-Mail Certificate

    You are using IMSecure with NOD32 with no problems??
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
  18. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    I beg to differ. :) Especially after what happened to me a few days back, unless within the last few days you guys decided to add another generic definition. I used a full NOD32 configuration along with the /ah flag, packet scanning, deep heuristics, all extensions, the works, and I scanned a BARE EXE file. It was not compressed or anything; it was just sitting there. So I opened NOD32 with the /ah flag, then checked all the necessary items (DEEP heuristics, etc.), then pointed my NOD via custom scan to the folder (1 option) and then to the file itself... neither the whole folder (that contained the file) nor the naked file was detected (4 days ago). I've sent the sample to NOD32 and I got a reply that it was received... let me give it a scan (I have it on my memstick).
    OK, it's getting detected as:
    File E:\win32\win32.exe is infected with trojan Win32/Agobot.NAB. NOD32 cannot clean this infiltration. (it was deleted)
    Doing a quick cross-reference with the NOD32 database, we see that it was added in v.1.750 (20040505).

    I don't fully trust NOD32 (well, you shouldn't trust any AV :) ), but I use it as my main real-time scanner. The reason for NOD32 being my RT scanner is its low resource footprint, but I also have a few on-demand scanners which are also scheduled to do a system scan at night (them being KAV 4.5, BitDefender FREE, Panda 7, Norton 2004).

    P.S.
    The AVs which detected this strain were Norton Professional 8 (the system got infected on Thurs Apr 27 with Norton running; I upped the defs manually... since it killed the Symantec site access... with the May 2nd batch, and it is then that Norton caught it... NOD32 at that time was still silent). Another one that caught it was KAV 4.5. BitDefender did not see it, neither did CA 7 Promotion (both InoculateIT and VET).

    Cheers,
     
  19. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Actually I have not used IM Secure in the past few weeks, although it is on my PC. For the most part I don't instant message much at home. Occasionally my kids do, but they have not used my PC in a while. I assume there is a conflict?
     
  20. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Luckily I didn't have to do that, since the wall stopped it and Norton got it, so all I had to do was kill the process via DiamondCS APS and then just manually enter the registry and clean up the startup portion of it.
    After that I ran a full scan with 3 different AVs and came up clean.
    I thought of that catastrophic failure event when building the server, so it has a few backups up its sleeve. Worst comes to worst, we would have to reimage the system, and the complete images are taken every two weeks with incrementals every 5 days. The images are also scanned for infections every 6 days (1 CPU is dedicated just to AV, AT and firewall management; the 2nd one is for serving). The system has RAID 5, so reimaging would be quite fast (if we could recover the onboard RAID image), but if that got hosed we would just recover via removable HD, which would take a lot longer, but that is the last-case scenario. :)

    My system is secured tight, but the server, well, it's not really mine, and some people who use it don't know what to do if a message pops up asking them to perform a security action, i.e.: "New Registry key added to startup, do you want to accept?". Knowing them, they would say YES to everything bad and NO to the important stuff, thus in the end making my work 5 times harder (trying to figure out what they screwed up :) ). That's why I needed to install a dumbed-down security system so most of the guesswork is taken out of the equation (the reason why BoClean got installed, designed for automated removal). I go and check TDS-3 once every 2 weeks to make sure that there are no known infections detected, and I also perform a full TDS-3 system scan (too bad that there are no known good scripts that do that job for you :( ).

    Cheers,
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    As I have already mentioned above, the upcoming version of program components will include an HTTP scanner which will use advanced heuristics for detecting not-yet-known trojans when browsing the web. With the scanner installed, there won't be any chance a new variant of Agobot could slip through NOD32 before the appropriate signature is added to the database.
     
  22. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Ditto.....
     
  23. thecrow

    thecrow Registered Member

    Joined:
    May 8, 2004
    Posts:
    23
    I've had agobot on my system 3 times.
    It's a nasty bugger.

    It has happened before I had all the newest Windows patches installed,
    so getting those is VERY important, as it can't get into an updated system.

    Last time I had it,
    I started installing NOD right after the Windows install,
    then I ran Windows Update, but it infected me while I was downloading the update.
    30 min was all it took online to get infected.
    I know,
    should have installed Sygate right away,
    but did things in the wrong order and got infected.

    Once agobot was in, it disabled NOD32.
    Every time I tried to scan, it would shut the scan down in max 10 secs.

    I ended up doing a Windows reinstall to remove it.. :oops:
     
  24. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    A simple, inexpensive, router will protect you from a lot of nasties.
    When I went to broadband, I hooked up a router first.
    From the first day I found out what a cookie on my computer was for, I have read all I can on being secure on the net.
    No one can protect you against your computing habits but you. :)
     
  25. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I have one variant of Agobot that I sent to ESET, and now it's detected; however, it wasn't detected by AH. I have many Agobot, Spybot, Spyboter, etc. samples, and it was the first not detected by AH.
     