Undetected Worm (False Negative)

Discussion in 'NOD32 version 2 Forum' started by tisazalay, Jun 16, 2007.

Thread Status:
Not open for further replies.
  1. tisazalay

    tisazalay Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    32
    I was hit by a worm that installed IEExplore32.exe (W32/Rbot-GRE) and NOD32 (2335) didn't detect it, nor will it clean it. I sent the file for analysis but still can't get rid of it. It's reported by Sophos (W32/Rbot-GRE) and RemoveIT Pro.

    Hope they fix it soon, as this one is in the wild...

    tisazalay
     
  2. ASpace

    ASpace Guest

    Hello ! :thumb:

    To be 100% sure it is a real threat, submit the file to VirusTotal for analysis (write a new email to scan[at]virustotal.com with the subject SCAN and the suspected file attached in its basic form). Provide ESET with the results, but don't post them here.

    Send the suspected file(s) by email to support[at]eset.com along with a link to this thread and more information. Good luck!
     
  3. tisazalay

    tisazalay Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    32
    I did an online scan there, this is the result:

    http://www.virustotal.com/vt/en/resultadof?4f0a22754fd3fd05debc5653c28b9224

    I can't send the file from Hotmail, Gmail or my ISP's SMTP server because it gets rejected.
    One note though: the virus updates at VirusTotal are somewhat old, as the 13 June Sophos update is supposed to detect it as a worm. I'm using 2335 of NOD32.

    tisazalay
     
  4. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    You need to encrypt the file in an archive (e.g. .zip) with the password "infected" and attach that to the e-mail. The AV at the e-mail server will not then detect it. As HiTech_Boy said, include a link to this thread in the e-mail body. I'm sure ESET will add it soon enough :)
     
  5. mayt

    mayt Eset Staff Account

    Joined:
    Mar 12, 2007
    Posts:
    84
    Location:
    Bratislava
    He won't be able to send an archive using a Gmail account (AFAIK).
    He has to either send it from a different account or rename "infiltration.zip" to "infiltration", and of course mention that fact in the e-mail ;)
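    The packaging described in the two replies above (a password-protected archive, password "infected", with the .zip extension dropped so webmail accepts it) as an added example; this is not code from the thread or from ESET. It is a standard-library Python script that builds such an archive from scratch, so you can see exactly what a mail gateway's scanner is stopped by: the entry is stored uncompressed and wrapped in the traditional PKWARE ("ZipCrypto") cipher, the same format `zip -P infected` writes. The password `infected` is the convention from the thread; the sample bytes, the entry name `sample.exe` and the `nonce` parameter (exposed only so runs are repeatable) are constructed for this example.

```python
# Added example, not code from the thread: build a ZipCrypto-protected single-entry
# ZIP with only the Python standard library, then read it back with zipfile.
import io
import os
import struct
import zipfile
import zlib


def _crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc_table()


class ZipCryptoEncrypter:
    """Traditional PKWARE ('ZipCrypto') stream cipher: three 32-bit keys are seeded
    from the password, each keystream byte is derived from key2, and the keys are
    advanced with every *plaintext* byte. This is the inverse of what the standard
    zipfile module (and any unzip tool) does when you supply a password."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = (self.k0 >> 8) ^ _TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            k = self.k2 | 2
            out.append(b ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self._update(b)  # keys advance on the plaintext byte, not the ciphertext
        return bytes(out)


def build_encrypted_zip(name: str, data: bytes, password: bytes = b"infected",
                        nonce=None) -> bytes:
    """Return a ZIP (one entry, method 'stored', general-purpose flag bit 0 set)
    whose entry is ZipCrypto-encrypted under `password`. `nonce` is the 11 random
    header bytes; it is a parameter only so tests are repeatable (constructed)."""
    nonce = os.urandom(11) if nonce is None else nonce
    if len(nonce) != 11:
        raise ValueError("nonce must be 11 bytes")
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the CRC high byte, which is
    # the only password check a reader has before it touches the payload.
    body = ZipCryptoEncrypter(password).encrypt(nonce + bytes([crc >> 24]) + data)
    fname = name.encode("ascii")
    flags, method = 0x0001, zipfile.ZIP_STORED            # bit 0 = encrypted
    dos_time, dos_date = 0, ((2007 - 1980) << 9) | (6 << 5) | 18  # 2007-06-18
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, dos_time,
                        dos_date, crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method,
                          dos_time, dos_date, crc, len(body), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname        # local header sits at offset 0
    cd_offset = len(local) + len(body)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + body + central + eocd


def extract_member(blob: bytes, name: str, password: bytes) -> bytes:
    """Read the entry back with the standard zipfile module. A wrong password
    raises RuntimeError (check byte) or BadZipFile (CRC), which is all that stands
    between a mail gateway's scanner and the payload."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name, pwd=password)


def password_opens(blob: bytes, name: str, password: bytes) -> bool:
    try:
        extract_member(blob, name, password)
        return True
    except (RuntimeError, zipfile.BadZipFile):
        return False


# Constructed stand-in for the sample; harmless bytes, not the worm from the thread.
SAMPLE = b"MZ" + b"constructed sample, not the worm from the thread\x00" * 4

if __name__ == "__main__":
    blob = build_encrypted_zip("sample.exe", SAMPLE)
    with open("infiltration", "wb") as f:   # no .zip extension, as suggested above
        f.write(blob)
    print(password_opens(blob, "sample.exe", b"infected"))  # True
    print(password_opens(blob, "sample.exe", b"wrong"))     # False
```

    The point of the exercise is that the password is public: ZipCrypto with "infected" gives no confidentiality and is not meant to; it only keeps the gateway's scanner from matching signatures on the payload, while the vendor (who knows the convention) can open it. Some providers reject encrypted attachments outright rather than just scanning them, which is why the rename to a bare `infiltration` file is suggested as well.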
     
  6. tisazalay

    tisazalay Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    32
    OK, I sent the worm inside an encrypted file with the password being infected. And a link to this thread.

    I managed to clean the problem with the free Removeit SE.

    The worm is a multi-dropper that, when run, is partially detected by NOD32 (it detects a dropper), but it allows another program with the name IEExplorer32.exe to be installed. The latter can't be removed with del as it recreates itself pretty fast.

    tisazalay
     
  7. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Fantastic, ESET should add it to their database soon.

    I'm glad you were able to sort out the problem! I'm surprised that NOD's heuristics did not catch it, but then again, try to name an AV solution that catches 100% of everything!

    Matt
     
  8. ASpace

    ASpace Guest

    Password-protecting the archive would do the trick in this case ;)
     
  9. tisazalay

    tisazalay Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    32
    I used Hotmail (Live) and was able to send it password-protected; Hotmail did complain about it being encrypted ;), but sent it.
    I guess they'll sort it out by Monday or Tuesday, since updating the threat database seems to be just a bit slower on weekends. o_O

    tisazalay
     
  10. tisazalay

    tisazalay Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    32
    OK, problem solved: as of update 2336 (20070618), the file that prompted my concern is detected as Win32/TrojanDropper.Agent.NFD.

    Thanks.:thumb:

    tisazalay
     
  11. ASpace

    ASpace Guest

    Very good, ESET!

    Thanks for letting us know, Tisazalay! :thumb:
     
  12. Assiste.com

    Assiste.com Registered Member

    Joined:
    Dec 21, 2003
    Posts:
    18
    Location:
    Here and now