Sober outbreak..heuristic detection :)

Here's another great proof of NOD32 heuristics for a new variant of Sober...think I'm right, isn't it?

 

Looks that way, however I'm quite confused about this.
NOD32 want's to send a sample to Eset when it finds a variant.
If it finds a probable variant, it doesn't ask to send a sample to Eset.


Here it will not ask to submit to Eset:
IMON file [address removed] probably a variant of HTML/Exploit.CodeBaseExec trojan

And here it want's to submit a sample:
IMON file [address removed] a variant of Win32/TrojanDownloader.INService trojan

I thought probably would require somone to take a closer look?

 

No, this one is actually a corrupted sample. We detect it because it's very common and users would not be happy to see a lot of suspicious files slipping through their servers :-] This sample is not detected by heuristics - it's detected by a signature for corrupted Sober's files.

 

Hm, where is now "we only detect functional samples" line?

 

Nothing is 100%, even in math.

 

Well, they could call these: "corrupted files"

 

Well they do have a few damaged signatures - Probably not the same, altough one would think so

 

There're garbage not working samples that simply doesn't harm your PC because there're bug in the code.
In the other hand, there're damaged samples that doesn't work well but can have some harm to your PC.
For example, let imagine a worm. An X worm is "designed" to spread via P2P and delete all *.MP3 files, however, due to a bug, the worm only is able to spread via P2P. Such damaged samples should be added and Eset add them.