SCKeyLog.g

Discussion in 'NOD32 version 2 Forum' started by Daniel_SE, Oct 20, 2004.

Thread Status:
Not open for further replies.
  1. Daniel_SE

    Daniel_SE Guest

    How long does it take for Eset to include a definition of a virus into their signature database? To this date they have 10 different versions of SCKeyLog included in the database and I stumbled across another version, which is not yet included, SCKeyLog.g and submitted it to Eset the same day (2004-10-17).

    SCKeyLog.g was NOT detected by NOD32, despite deep heuristics and all bells and whistles on, but was detected with AVPDOS32.

    Because I live in Sweden I sent the file to support@eurosecure.com (http://www.eurosecure.com/) and the reply I got was, roughly translated, "It looks like a new version of SCKeyLog. Thank you for the submitted file." It will be detected with a future update of definitions."

    So, how long does it take for a virus to be included in the signature database?
     
  2. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, many AV companies use different names for the same virus, which can make it difficult to tell when that virus is in the detections.

    If you get an unidentified virus please send it to samples@eset.com

    The latest update [1.900] has added detections for a few win32/spy trojans,
    I believe your trojan is covered here.

    A link to the latest definitions

    http://www.nod32.com/support/info.htm
     
  3. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    even the webpage you posted seems alittle behind, they list the current definitons as 1897, not 1900.
     
  4. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    It was 1.900 when I looked at it.
     
  5. Daniel_SE

    Daniel_SE Guest

    If you get an unidentified virus please send it to samples@eset.com

    Sent!

    The latest update [1.900] has added detections for a few win32/spy trojans,
    I believe your trojan is covered here.

    I don't. NOD32 still doesn't detect the virus/trojan.
     
  6. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Could I just ask a few questions,

    Did Nod32 identifiy the trojan at all?

    Which scanner gave you the name SCKeyLog.g?


    Hopefully ESET will get back to you shortly regarding the sample you have sent to them.

    Some web research I have done shows very little info available on this name, Sophos virus info has some, but Symantic, Mcafee do not. This leads me to believe that it has other aliases.

    Please let us know when ESET get back to you, and any details they might have, thanks.
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    There seem to be quite a few variants of it...

    It is a very new Trojan, and Eset seem to behind the eightball on this one...

    Cheers :D
     

    Attached Files:

  8. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Thanks for that Blackspear, where did you get that image from if u dont mind me asking?
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Under "Resorces" at www.virusbtn.com or direct link here

    Cheers :D
     
  10. Daniel_SE

    Daniel_SE Guest

    Like I stated in my first post: SCKeyLog.g was NOT detected by NOD32, despite deep heuristics and all bells and whistles on, but was detected with AVPDOS32.

    NOD32 didn't detect anything suspicious at all with the file.

    I had some problems with my SMTP so the mail with included file to samples@eset.com has probably just arrived at their offices.

    The AVPDOS32 scan was not done by me, but I submitted the file to http://virusscan.jotti.dhs.org/ and both Kaspersky and BitDefender detected SCKeyLog.g.
     
  11. Daniel_SE

    Daniel_SE Guest

    Forgot to mention that Eset have 10 different definitions of SCKeyLog in their database:

    20040924 Win32/Spy.SCKeyLog.O
    20040524 Win32/Spy.SCKeyLog.224
    20040511 Win32/Spy.SCKeyLog.J
    20040123 Win32/Spy.SCKeyLog.C
    20030503 Win32/Spy.SCKeyLog.E
    20030428 Win32/Spy.SCKeyLog.F
    20030210 Win32/Spy.SCKeyLog, Win32/Spy.SCKeyLog.20, Win32/Spy.SCKeyLog.A, Win32/Spy.SCKeyLog.B
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have put the question to Eset, and are awaiting a response, either here or by email...

    Cheers :D
     
  13. Daniel_SE

    Daniel_SE Guest

    I guess I should have contacted Eset headquarters immediately, instead och their Swedish affiliate...:

    Hello,

    thanks for the sample. It is a setup package of a trojan NOD32 has been
    able to detect as Win32/Spy.SCKeylog.G.
    A signature was added for this file as well. It will be available in the
    next update.

    Best regards,
    ESET s.r.o.
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Yes, always better to send any unknown viruses to samples@eset.com

    And both samples were added, each was a slightly different variant.

    Cheers :D
     
  15. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Thanks for keeping us up to date with your progress Daniel, its good that ESET got back to you so quickly.
     
Thread Status:
Not open for further replies.