Trojan.MulDrop.2542

Discussion in 'NOD32 version 2 Forum' started by pykko, May 21, 2006.

Thread Status:
Not open for further replies.
  1. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, another threat missed by NOD32. I'm posting here just because there are no packers involved and additionally the file is not corrupted. It's a dropper and NOD missed it and I've runned it by mistake... Now what? Is ESET going to come at my home fixing the issue? :rolleyes: I have some ports Closed even though they should have been Stealthed with Windows Firewall (Win XP SP2).

    The top AVs like Symantec, BD, KAV detects it of course... ESET still add samples on a prior to base need ...and I've send them the sample 4 days ago.
    Here's a screenshot from virustotal.com
     

    Attached Files:

    Last edited by a moderator: May 22, 2006
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    If you think they are the top anti-viruses in the world, why do you still use NOD32?

    Send a sample, you know where to, and lets wait for Marcos to come online and advise further.

    Blackspear.
     
  3. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    the sample has been sent 4 days ago as I've stated. And there are the top AVs according to many tests and to the number of users having them installed on their PCs. NOD32 is also one of the best but it started to dissapoint me, that's all. :(
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I understand, however as has been stated many many times, viruses, trojans and other malware are added on a priority basis, and it has to be this way or you would have the analysts breaking their back over the odd single sample sent to them, instead of keeping focus on the spreading samples and adding the rest as they go...

    Cheers :D
     
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    yeah...odd single sample..of course....and why others detect it? Their priority should be their users and they seem to be always too slow.
    Anyway, I"ll wait for an ESET mod to see what is his oppinion....
     
  6. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538
    This is an example of some others that caught something that NOD didn't. That will be the case no matter which program you choose. I've seen similar posts about NOD catching something the others missed.

    The bottom line for me is that when I make my list of what I like about NOD versus what I like about the other guys, I'm never tempted to switch. The shear number of both viruses and spyware that NOD stops is truly impressive. But to do so using so little system resources is amazing. I can't say that I would never switch, but it's gonna take one heck of a product to lure me away.

    By the way, thanks for pointing out this area for NOD to improve upon. We'll all benefit from you turning in that signature.
     
  7. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I agree with you ejr. I also like NOD very much comparing with others, but their reaction time is not so fast always. :(
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    My blood pressure went up when I analysed this sample. Again, it's something that is not malicious itself and for me it's questionable whether it should be detected, to say the least. When you run it, first, you have to visit 2 sponsors, then it downloads a file detected by NOD32.
     

    Attached Files:

    Last edited: May 21, 2006
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thank you Marcos, your analysis is very much appreciated, keep you blood pressure down, and as always keep the detection database as Eset sees fit, we want it clean and mean, not full of crud.

    Cheers :D
     
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    yes, Marcos! It's no use to have your blood pressure high. AS long as you give no answer to samples submitted like most AVs do, I think it's not too much to know if I'm protected or not. Sorry if that bottered you... and btw, here's the screenshot with the malware picked by NOD32 after clicking all the buttons there and downloading the file. ;)
     

    Attached Files:

  11. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    And here's the proof that NOD is very good...sorry for misjudging it. That file extracted is detected by very few AVs, even if the original one was detected by many of them.
     

    Attached Files:

  12. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    Pykko,
    I know it's good to make sure that ESET are kept on their toes but do you have to bait them so much?
     
  13. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    I don't understand why scan result in VirusTotal shows that NOD32 doesn't detect it since in previous post we can clearly see evidance that it DOES.
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Maybe a wrong extension
     
  15. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    ? It still doesn't show in the screenshot.. I'm lost :p
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Pykko likes fiddling around samples so maybe he could rename the vcom extention to com and submit it to VT again.
     
  17. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Oh yeah I forgot, NOD adds a V to the extension.
     
  18. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    well, NOD did detect it on my computer and changed the extension to .vcom. That's all. No need to post another screenshot. ;)
    But btw, a good antivirus should detect a sample regardless of its extension. :)

    pc-support:
    I wouldn't have post it here if I hadn't run it by mistake. And I was curious to see what's all about this file since I got njo answer from ESET. I scanned my PC with Avira which found nothing but I wanted to be sure. And anyway it's obvious I won't post here screenshots about not detected samples. I will submitt them to ESET and it's their business to add it. No need to stress them. ;)
     
    Last edited: May 22, 2006
  19. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    246
    Location:
    NJ, USA
    I agree that extension should not matter UNLESS the user sets extensions in the exclude list.

    But I am getting a little tired of posts that state - "NOD32 didn't detect while some other did". They're so repetitious and useless.
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    This is like with boot sector img files - they are just benign images and are not detected as boot viruses unless you change their extenstion to img.
     
Thread Status:
Not open for further replies.