Stration.D sails through undetected :-(

Discussion in 'NOD32 version 2 Forum' started by Chippy, Sep 26, 2006.

Thread Status:
Not open for further replies.
  1. Chippy

    Chippy Registered Member

    Joined:
    Dec 14, 2004
    Posts:
    19
    Not too impressed with this.

    I got a strange looking email yesterday and although I was suspicious about it, I thought it would be OK to *carefully* inspect it. Stupid, in hindsight.

    It arrived in my mailbox completely undetected by Nod32 (2.5 with 1.1774 20060925 signature database).

    The attachment was a .zip file called message.zip. I detached it to the desktop and scanned the file manually. Clean, says Nod32. So I open the zip file. In there is a single item, message.dat. You can't execute a .dat file, right? So I thought I would drag the file to my desktop and have a look inside it with a hex editor I use. Bad idea!

    It turns out the file was actually called message.dat.pif and dragging it to the desktop ran it instantly and infected my machine. I spent most of yesterday running various on-line virus scanners to get my machine clean again. (I didn't trust Nod to clean the machine since it had so spectacularly missed it in the first place.)

    I know in hindsight my actions were pretty stupid. But hindsight is 20:20 vision. More important, why didn't Nod offer me ANY assistance at all here?

    Stration.d is a known worm and is detected by all the major AV packages. Nod claim protection against Stration.d - although it's not listed in the current virus database.

    I pay money for Nod32 (rather than just use a free alternative) because I was under the impression it gives me better (the best?) protection.

    Am I mistaken? Is Nod32 actually not very good?

    Not very happy,

    Chippy
     
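    A check for the attachment shape described in the post above (a zip whose only entry is message.dat.pif, shown as message.dat when Windows hides known extensions), as an added example that is not code from the thread or from ESET; it constructs an inert sample zip rather than using any real sample:

```python
"""Inspect a zip attachment for entries that look like data files but would
be launched on open, e.g. message.dat.pif displayed as message.dat."""
import io
import zipfile

# Extensions Windows launches on open; Explorer may hide them from the name.
LAUNCHABLE = {"pif", "exe", "com", "scr", "bat", "cmd", "vbs", "js", "lnk"}
PE_MAGIC = b"MZ"  # DOS/PE executable header


def apparent_name(name: str) -> str:
    """How the entry is shown in Explorer with 'hide known extensions' on."""
    stem, dot, ext = name.rpartition(".")
    return stem if dot and ext.lower() in LAUNCHABLE else name


def inspect_zip(zip_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (true name, displayed name, reason) for each risky entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            parts = name.lower().split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as fh:
                head = fh.read(2)  # content check: don't trust the name alone
            reasons = []
            if ext in LAUNCHABLE:
                reasons.append(f"launchable extension .{ext}")
                if len(parts) > 2:
                    reasons.append(f"double extension; displays as {apparent_name(name)!r}")
            if head == PE_MAGIC and ext not in LAUNCHABLE:
                reasons.append("PE header under a non-executable name")
            if reasons:
                findings.append((info.filename, apparent_name(name), "; ".join(reasons)))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the thread's message.zip (inert bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.dat.pif", PE_MAGIC + b"\x00" * 62)  # stub header, not a program
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for true, shown, why in inspect_zip(build_sample_zip()):
        print(f"{true} (shown as {shown}): {why}")
```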
  2. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Last edited by a moderator: Sep 26, 2006
  3. ASpace

    ASpace Guest

    It is very strange because NOD32 has detections for this in
    1.1773 (20060925)
    1.1768 (20060922)
    1.1767 (20060921)
    1.1766 (20060921)
    1.1724 (20060824)

    Moreover, other variants should be detected via the heuristics.

    Although this message really smells of infection, how do you know it is a real threat? It is important to check your settings to verify if they are ok. Perform a full scan from Control Center -> NOD32 -> Run NOD32 -> Scan&Clean

    Please send the ZIP file of the suspected message to the Lab -> samples@eset.com

    :thumb:
     
  4. Chippy

    Chippy Registered Member

    Joined:
    Dec 14, 2004
    Posts:
    19
    Thanks for your replies. Yes, my setup is exactly as Blackspear's tutorial. It's been set up like that since I first installed it.

    How do I know it was a virus?

    Good point, but it was detected as such by Kaspersky and then by Bit Defender.

    Very unfortunately, I cannot send a copy because Bit Defender went and deleted it without prompting.

    Chippy
     
  5. ASpace

    ASpace Guest

    Good news this crap has been cleaned for you, but in order for this variant to be detected, ESET should have a sample of it, analyze it and push an update if necessary.
    If you find some way, please submit it to ESET Labs: samples@eset.com

    Thanks for letting us know !
     
    Last edited by a moderator: Sep 28, 2006
  6. Chippy

    Chippy Registered Member

    Joined:
    Dec 14, 2004
    Posts:
    19
    Yeah I understand you need a sample. I was very surprised that the online scan from Bit Defender just went and deleted the file without asking. I had already deleted the email as I thought I would just keep the file.

    So we are out of luck :-(

    Chip
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    :blink:
    You must be using an outdated version; NOD32 is among the first to detect it, if it slips through heuristics.

    AntiVir 7.2.0.18 09.26.2006 no virus found
    Authentium 4.93.8 09.25.2006 no virus found
    Avast 4.7.892.0 09.26.2006 no virus found
    AVG 386 09.25.2006 no virus found
    BitDefender 7.2 09.26.2006 no virus found
    CAT-QuickHeal 8.00 09.25.2006 no virus found
    ClamAV devel-20060426 09.26.2006 no virus found
    DrWeb 4.33 09.26.2006 no virus found
    eTrust-InoculateIT 23.73.5 09.26.2006 no virus found
    eTrust-Vet 30.3.3100 09.25.2006 Win32/Stration.BP
    Ewido 4.0 09.26.2006 no virus found
    Fortinet 2.82.0.0 09.26.2006 no virus found
    F-Prot 3.16f 09.25.2006 no virus found
    F-Prot4 4.2.1.29 09.25.2006 no virus found
    Ikarus n - no virus found
    Kaspersky 4.0.2.24 09.26.2006 no virus found
    McAfee 4859 09.25.2006 no virus found
    Microsoft 1.1603 09.26.2006 no virus found
    NOD32v2 1.1776 09.26.2006 Win32/Stration.EV
    Norman 5.90.23 09.25.2006 no virus found
    Panda 9.0.0.4 09.25.2006 no virus found
    Symantec 8.0 09.26.2006 no virus found
    TheHacker 6.0.1.081 09.26.2006 no virus found
    UNA 1.83 09.25.2006 no virus found
    VBA32 3.11.1 09.25.2006 no virus found
    VirusBuster 4.3.7:9 09.25.2006 no virus found

    Try the following:
    - download the latest version of NOD32 from our website (the full version already comes with the update 1.1776 so there's no need to update it after installation)
    - immediately after the next restart, start Windows in safe mode and run a full system scan
    - finally reboot the computer
     
    Last edited: Sep 26, 2006
  8. Mascot

    Mascot Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    64
    Doesn't look like an old version to me?
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It does to me; however, this person would have been one of the first lucky recipients in the world to receive this worm.

    What one day can make sometimes, and this is that day that you want NOD32 up to date and hungry for a feast.

    Cheers :D
     

  10. Mascot

    Mascot Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    64
    When I said it didn't look outdated, I took into account that the OP stated he got the file yesterday (25th) and at that time ran virus definitions from the 25th.

    So, presumably, he was as updated as he could be at the time, and just unlucky. No definition available yet and heuristics missed the strain.
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Correct, someone has to be the first, and there are no prizes for being such :blink: ;) :D

    Cheers :D
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I heard from a guy from another AV company that they had received more than 500 variants of the worm within a single day.
     
  13. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I received till today 3 variants in my mail box and all were detected heuristically by NOD32. :thumb: One was today. :D
     

  14. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Oh is it? :p There are numerous older versions which are newly packed and some of them go completely undetected by all av programs. However, these versions are not widely spread and it's difficult to keep track of versions here since you have many of them. Another thing is that this worm drops components, so it is possible that some undetected component is a dropped part.
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I have a hunch that this will change shortly, at least for NOD32 users and hopefully for yours as well :)
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    good news Marcos! Anyway, I see you're covering this threat by heuristics very well till now. :) (and by signatures also)
     
  17. Chippy

    Chippy Registered Member

    Joined:
    Dec 14, 2004
    Posts:
    19
    Sorry I have missed the latest posts here.

    @Mascot: Absolutely right, I was bang up-to-date with signature files at the time the virus hit.

    Since then, I have managed to get hold of a copy of the virus. (I managed to "undelete" the deleted file with a utility I have.)

    Interestingly, with today's signature file (1.1781 20060928) Nod picks it up straight away. Shame it didn't do that in the first place!

    Anyway, I will send it to you guys for inspection when I finish typing here.

    Cheers

    Chippy

    EDIT: File sent for analysis.
     
  18. Chippy

    Chippy Registered Member

    Joined:
    Dec 14, 2004
    Posts:
    19
    Incidentally, now 1.1781 is detecting this virus OK, can I be sure that my system is clean? I have all the Nod settings up to the max and done an "In Depth Analysis" and it comes up clean.

    Does this mean I can be sure my system doesn't have any nasties lying around after the infection?

    In particular, I do online banking and I have been very reluctant to log onto any of my financial websites following this virus attack.

    Am I being paranoid?

    Cheers

    Chippy
     
  19. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Chippy, you're ok now if you have all the maximum settings ;)
    Strange they've added it only today. o_O Anyway, if you happen to come across other viruses not detected send them from the first day as they may add it faster.
     
  20. ASpace

    ASpace Guest

    I think that what they have added today is an update for the generic detection for this threat since it was previously detected in 1.1773, 1.1768, 1.1767, 1.1766, 1.1724.

    Anyway, good to see we are protected against this worm :)
     
  21. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, I don't know exactly what Chippy was referring to with "detecting this virus OK":
    detecting it with a definition instead of heuristics, or it was not detected at all until now and ESET added it. o_O
     
  22. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    don't suppose you can elaborate further on this could you...? :D
     
  23. Chippy

    Chippy Registered Member

    Joined:
    Dec 14, 2004
    Posts:
    19
    Just to clarify, I haven't changed any Nod32 settings. I have had it set up as per Blackspear's recommendations for many months (years?).

    With virus signature 1.1774 20060925, this virus is not detected at all, even by an "in depth analysis" scan. So clearly neither the heuristics, nor the signature file would detect it.

    With virus signature 1.1781, Nod detects it immediately, either by right-clicking on the file and manually testing it, or by running a full scan. (I didn't dare risk testing it by actually opening the zip file!) Whether some improvement to the heuristics has been made, or whether the later signature file has explicit information about this virus, I do not know.

    I don't know whether anything prior to 1.1781 would pick it up because I only yesterday managed to retrieve a copy of the virus to test.

    Chippy
     
    Last edited: Sep 29, 2006
  24. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Thanks for clarifying the issue. Anyway, what is the name of the virus exactly?
    You can search for it in the NOD32 database to see when it was added.

    See here: www.nod32sse.com ;)
     
  25. Chippy

    Chippy Registered Member

    Joined:
    Dec 14, 2004
    Posts:
    19
    Kaspersky and others identified it as Win32/Stration.D... er, hence the title of the thread ;-)

    Nod now identifies it as Win32/Stration.EM worm.

    Interestingly enough, you can see "Win32/Stration" listed in the link you provided above, under the 1.1781 update - dated 28th September. i.e. 2 days *after* I got infected.

    I find that interesting since HighTechboy said that Nod has had detection for Stration since 1.1724, back in August.

    Chip
     