unknown NewHeur_PE virus

Discussion in 'NOD32 version 2 Forum' started by siljaline, May 28, 2006.

Thread Status:
Not open for further replies.
  1. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Hi,
    I'm getting four flags in Outlook Express [*.dbx] files as
    unknown NewHeur_PE virus. I've searched the board and believe that this is a false-positive? Can someone confirm this or should I take further action?
    I have NOD set up well, love it, but would appreciate some tips as to how to not get these flags, assuming they are F/P's.

    Thanks.

    Silj
     
  2. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    First you need to know which files are actually flagged, since .DBX are so-called container files which hold other files in the Outlook format. So basically some attachment in an email would be detected - just take a look at which one this is.
     
  3. ASpace

    ASpace Guest

    Hi Siljaline. Let NOD32 submit these to ESET.
     

    Attached Files: 1.JPG (71 KB)
  4. ASpace

    ASpace Guest

    And this to finish
     

    Attached Files: 2.JPG (33.5 KB)
  5. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    I've snipped and pasted the flags to a separate text file, here is one example.
    As the above indicates (I think) NOD is flagging a post that I polled from an NG. Did not open the post as it was posted in MIME format.

    Silj
     
  6. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    It looks really suspicious; I doubt it is a false positive. Send that file to ESET for further analysis.
     
  7. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Of course this is malware. Ever seen a "normal" executable (except a real screensaver...) with a .SCR extension?! You do not even need a virus scanner to know that this is malware.
     
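As an added example (not from this thread, and not ESET's code), the following Python script puts the two points above into practice: a .dbx container holds MIME messages and their attachments, so the practical triage step is to carve the attachment names out of the raw container bytes and look at each one's extension; an attachment ending in .scr, or hiding behind a double extension such as photo.jpg.scr, is the one to examine. The sample container bytes are constructed inline. A real .dbx has its own index and chunk structure, which this script does not decode, so the raw search is a heuristic that can miss a name split across a chunk boundary; the base64 "MZ" check is an extra hint, not proof.

```python
import base64
import re

# Extensions Windows executes directly when the file is opened. A "picture"
# or "document" attachment carrying one of these, .scr in particular, is the
# attachment to examine first.
EXECUTABLE_EXTENSIONS = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs", "js"}

# Attachment names appear in MIME part headers as name="x" / filename="x"
# (quotes optional). Outlook Express keeps message text inside the .dbx
# largely verbatim, so a raw byte search finds them without decoding the
# container's own index; names split across internal chunk boundaries
# would be missed, so treat this as a triage heuristic.
_NAME_RE = re.compile(rb'(?:file)?name="?([^"\r\n;]+)"?', re.IGNORECASE)

# First run of base64 text after a blank line, i.e. the start of a part body.
_B64_BODY_RE = re.compile(rb"\r\n\r\n([A-Za-z0-9+/=\r\n]{8,})")

# Constructed sample (assumption, not a real capture): unrelated bytes around
# one MIME message whose second part is a base64 blob beginning "TVqQ", the
# base64 form of a PE file's "MZ" header.
SAMPLE_CONTAINER = (
    b"\x00\x01\x02\x7fjunk"
    b"From: someone@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: pictures\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="BND"\r\n'
    b"\r\n"
    b"--BND\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"see attached\r\n"
    b"--BND\r\n"
    b'Content-Type: application/octet-stream; name="photo.jpg.scr"\r\n'
    b'Content-Disposition: attachment; filename="photo.jpg.scr"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA\r\n"
    b"--BND--\r\n"
    b"\xff\xfe\x00"
)


def classify_name(name):
    """Describe an attachment name: its final extension and whether it looks executable."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    return {
        "name": name,
        "extension": ext,
        "executable": ext in EXECUTABLE_EXTENSIONS,
        # e.g. photo.jpg.scr: a harmless-looking name in front of the real one
        "double_extension": len(parts) > 2 and ext in EXECUTABLE_EXTENSIONS,
    }


def _body_starts_with_mz(raw, start):
    """True if the base64 body following offset `start` decodes to an MZ (PE) header."""
    body = _B64_BODY_RE.search(raw, start)
    if not body:
        return False
    b64 = re.sub(rb"\s+", b"", body.group(1))[:64]
    b64 += b"=" * (-len(b64) % 4)          # repair padding on a truncated slice
    try:
        return base64.b64decode(b64).startswith(b"MZ")
    except ValueError:                     # binascii.Error subclasses ValueError
        return False


def triage_container(raw):
    """Carve attachment names from raw container bytes and flag the risky ones."""
    results = []
    for m in _NAME_RE.finditer(raw):
        name = m.group(1).decode("latin-1").strip()
        if any(r["name"] == name for r in results):
            continue                       # name= and filename= repeat the same part
        info = classify_name(name)
        info["mz_header"] = _body_starts_with_mz(raw, m.end())
        results.append(info)
    return results


if __name__ == "__main__":
    for part in triage_container(SAMPLE_CONTAINER):
        flag = "EXAMINE" if part["executable"] or part["mz_header"] else "ok"
        print(f"{flag:8} {part['name']} ext={part['extension']} "
              f"double_ext={part['double_extension']} mz={part['mz_header']}")
```

To use it on a real mailbox, read the .dbx with `open(path, "rb").read()` and pass the bytes to `triage_container`; the flagged names tell you which message to locate in Outlook Express and which attachment to submit for analysis, without ever opening it.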
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Remove documents from the exclusion list? Never do that, or confidential documents might be sent to Eset.
     
  9. ASpace

    ASpace Guest

    She should know that :D (please, no translation) :D
     
  10. ASpace

    ASpace Guest


    Confidential or not, they are suspicious or 100% malware, this is my opinion :)
     
  11. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Thank you all for the flood of tips and suggestions, it is appreciated as I have been concerned with this for a week or so.

    Do I really need ThreatSense enabled, as it "phones home" to NOD? Not that I have a problem with that, but I do have a dislike of apps polling in the background.

    Regards,
    Silj
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Make sure that you actually have the latest update 1.1562 installed as it might already be detected by a signature.
     
  13. ASpace

    ASpace Guest

    Hmmm, up to you. ThreatSense helps ESET every day, and this way you help ESET and help us so we have the latest definitions for malware a bad guy had created. Never forget that NOD32's advanced heuristics are the best protection against unknown threats.
    http://www.eset.com/products/compare_heuristic_detection.php
    http://www.eset.com/threat-center/index.php

    :thumb:
     
  14. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Latest updates are enabled - thanks. I'll take a look for that dubious *.scr file and post back.

    Silj
     
  15. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    History proves that in newsgroups mostly IRCBots/SDBots are posted. So my personal guess would be it's an SDBot type, Hackarmy. :D
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    It's apparently something malicious, probably a mass-spammed trojan downloader, I assume. Just find and delete those files in your Outlook Express, but this is not necessary as they are benign unless opened and run (at which point they would be detected and blocked by AMON)
     
  17. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  18. ASpace

    ASpace Guest


    Appreciated
     
  19. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Not a problem :thumb: I have no qualms plugging a great product like NOD.

    Silj
     
  20. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Just a few things: *.scr files not found, why am I not surprised.
    Hidden Files done.
    In summary, what would be the collective recommendation here, please.
    I can and will manually delete the *.dbx files if necessary.

    Silj
     
  21. ASpace

    ASpace Guest


    I personally recommend you make sure your AMON is on and your NOD32 Anti-Threat system is fully updated.

    NOD32 antivirus system information
    Virus signature database version: 1.1562 (20060527)
    Dated: 27 May 2006
    Virus signature database build: 7348

    Information on other scanner support parts
    Advanced heuristics module version: 1.030 (20060524)
    Advanced heuristics module build: 1114
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1.044 (20060424)
    Archive support module build version: 1155

    Information about installed components
    NOD32 for Windows NT/2000/XP/2003/x64 - Base
    Version: 2.51.26
    NOD32 for Windows NT/2000/XP/2003/x64 - Internet support
    Version: 2.51.26
    NOD32 for Windows NT/2000/XP/2003/x64 - Standard component
    Version: 2.51.26

    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 2
    Version of common control components: 5.82.2900
    RAM: 480 MB
    Processor: Transmeta Efficeon(tm) Processor TM8000 (995 MHz)


    When this malware tries to become active, AMON will kill it.
     

    Attached Files: 1.JPG (66.1 KB)
  22. ASpace

    ASpace Guest

    found post - LWM
     

    Attached Files: two.JPG (66.9 KB)
    Last edited by a moderator: May 28, 2006
  23. ASpace

    ASpace Guest

    :D :D :D :D :D
     

  24. ASpace

    ASpace Guest

    Where have my three posts with screenshots gone?
     
  25. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Well, the first two got corrupted on a posting error. You deleted the third one yourself, so when I fixed the first two, I restored that one. Make sure those are correct in case something was lost while fixing this.
     