Sober outbreak..heuristic detection :)

Discussion in 'NOD32 version 2 Forum' started by pykko, Nov 26, 2005.

Thread Status:
Not open for further replies.
  1. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Here's another great proof of NOD32 heuristics for a new variant of Sober... I think I'm right, aren't I? :D
     

  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Looks that way; however, I'm quite confused about this.
    NOD32 wants to send a sample to Eset when it finds a variant.
    If it finds a probable variant, it doesn't ask to send a sample to Eset.


    Here it will not ask to submit to Eset:
    IMON file [address removed] probably a variant of HTML/Exploit.CodeBaseExec trojan

    And here it wants to submit a sample:
    IMON file [address removed] a variant of Win32/TrojanDownloader.INService trojan

    I thought "probably" would require someone to take a closer look? :)
     
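The two IMON messages quoted above differ only in the word "probably", and that word is the practical hook for telling a heuristic hit from a named detection in a log. The following is an added example, not code from the thread or from Eset: it parses IMON-style lines of the shape shown in the post, splits them into "probably a variant of" (heuristic) and "a variant of" (named) detections, and lists the heuristic ones as candidates for a closer look. The log lines and paths are constructed for the example, the `virus` kind and the `triage` policy are assumptions, and nothing here reflects how NOD32 itself decides when to prompt for a sample.

```python
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the two IMON messages quoted in the
# thread. Paths and the third/fourth lines are placeholders, not real files.
SAMPLE_LOG = """\
IMON file C:\\Temp\\mail_attach.html probably a variant of HTML/Exploit.CodeBaseExec trojan
IMON file C:\\Temp\\setup.exe a variant of Win32/TrojanDownloader.INService trojan
IMON file C:\\Temp\\sober_attach.zip a variant of Win32/Sober worm
IMON file C:\\Temp\\note.txt is OK
"""

# Matches the two message forms seen on the page. The "virus" alternative in
# the kind group is an assumption added for completeness.
IMON_RE = re.compile(
    r"^IMON file (?P<path>.+?) "
    r"(?P<qualifier>probably a variant of|a variant of) "
    r"(?P<family>\S+) (?P<kind>trojan|worm|virus)$"
)


@dataclass
class Detection:
    path: str
    family: str
    kind: str
    heuristic: bool  # True when the engine hedged with "probably"


def parse_line(line):
    """Return a Detection for an IMON detection line, or None for anything else."""
    m = IMON_RE.match(line.strip())
    if not m:
        return None
    return Detection(
        path=m["path"],
        family=m["family"],
        kind=m["kind"],
        heuristic=m["qualifier"].startswith("probably"),
    )


def parse_log(text):
    """Parse every line of an IMON log, skipping lines that are not detections."""
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d]


def triage(text):
    """Hypothetical triage policy: heuristic hits go on the 'look closer' list,
    named detections are only counted per family."""
    review, named = [], {}
    for d in parse_log(text):
        if d.heuristic:
            review.append(d.path)
        else:
            named[d.family] = named.get(d.family, 0) + 1
    return {"review": review, "named": named}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("heuristic hits to review:", result["review"])
    print("named detections per family:", result["named"])
```

The split is purely lexical: as Marcos's reply below the post makes clear, a line without "probably" may still be a signature written for corrupted files rather than for a working sample, so the named bucket says nothing about whether the file actually runs.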
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    No, this one is actually a corrupted sample. We detect it because it's very common and users would not be happy to see a lot of suspicious files slipping through their servers :-] This sample is not detected by heuristics; it's detected by a signature for corrupted Sober files.
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Hm, where is the "we only detect functional samples" line now?
     
  5. Farbod

    Farbod Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    88
    Nothing is 100%, even in math. :D
     
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, they could call these: "corrupted files" :)
     
  7. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Well, they do have a few damaged signatures. Probably not the same, although one would think so :)
     
  8. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    There are garbage, non-working samples that simply don't harm your PC because there are bugs in the code.
    On the other hand, there are damaged samples that don't work well but can still do some harm to your PC.
    For example, let's imagine a worm. Worm X is "designed" to spread via P2P and delete all *.MP3 files; however, due to a bug, the worm is only able to spread via P2P. Such damaged samples should be added, and Eset adds them.

     