Viral file submitted for review

Discussion in 'ESET NOD32 v3 Beta Forum' started by pollux, Aug 1, 2004.

Thread Status:
Not open for further replies.
  1. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    Hello, all.

    I'd like to risk reopening one of the issues addressed in the thread https://www.wilderssecurity.com/showthread.php?p=229727#post229727. I'm currently using the trial version of NOD32 beta; I'm not a paying customer as yet.

    As noted in that thread, there exists a file containing a javascript exploit that NOD32 beta at present does not detect.

    My understanding is that an earlier version of the file in question was submitted to eset and determined not to contain anything worth detecting. In fact, eset is in accord with many, although not all, AV companies in this assessment (see the VirusTotal scan results for iebug.jpg referenced below).

    Since then, the file in question has been altered. In its new form, it is detected by many AVs, in fact all the AVs at VirusTotal with the exception of Panda (again, reference below). I have scanned the file at jotti's myself, and the majority of scanners there report it as malware.

    As I understand it, the appropriate procedure would be for me to submit this new file to eset for evaluation. I will be doing this momentarily.

    If for some reason this exploit will not be included in the NOD32 definitions in the future, I'd be interested to hear of the reasoning behind this decision, if that would be possible.

    Further information on the file in question, which is named iebug2.jpg, can be found in the following thread, http://www.dslreports.com/forum/remark,10890980~mode=flat, at the DSLReports Security forum; the VirusTotal scan results are in the following post of that thread: http://www.dslreports.com/speak/print/default;10932150.

    Thank you in advance, and please let me know if I've gone about making this request in an inappropriate way.

    pollux
     
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Hello pollux,

    As a potential NOD32 customer, I'd say that your request is perfectly appropriate.

    With respect to the other thread, the discussion around iebug.jpg, although nominally related to the initiating topic of that thread, was really a distinct topic. As that discussion proceeded, emotion did start to overtake productive discussion. For that reason, a moderator made the decision to lock the thread. However, participants were explicitly encouraged to start new thread(s) dedicated to the off-topics if desired, which you have now done.

    All I'd ask is for all to keep the discussion civil, focused on the topic at hand, and remember that while immediate gratification is oftentimes requested, and sometimes desirable, it is not always possible.

    Blue
     
  3. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    Thanks for the feedback, Blue.

    I've now emailed the file, and I'm looking forward to the response from eset in whatever form it may take.

    Regards,
    pollux
     
  4. I believe that Mele had already emailed the file in question to Anton and had followed up with him about his answer. Don't believe he responded back to her as of yet. Be very curious to see why NOD doesn't deem it necessary to detect when almost all the other AVs have added it to their definitions? o_O
     
  5. On another note, I think this thread should be moved out of the Beta forum and into the regular NOD32 version 2 forum..........
     
  6. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    I agree with BlueZannetti, there is nothing wrong with your issue. You have every right to know how a product you are considering purchasing and its maker feel about viruses/malware such as this. I also have no doubt that Eset will add the NOW dangerous script to the definition files. For whatever reason this iebug.jpg issue creeps into threads everywhere; even the dslreports thread you mentioned started out as a thread wondering why McAfee didn't detect the eicar test string in a compressed file.

    My view on this is that when the file was originally submitted the script was harmless and it is taking advantage of a poorly conceived web browser (Internet Explorer). Notice no other browsers are affected by this; this is because IE is tied into the OS, a very poor and insecure design by anyone's justification. This was (is) due to MS's desire to have a more functional and usable browser as well as their legal justification against the monopolistic marketing practices lawsuit they faced some years back when they took over the browser war which Netscape was winning at the time. IE was redesigned and tied into the OS giving the power to execute script and ActiveX controls at the kernel level, which from a security standpoint is rather questionable; this is the root of the problem with this exploit. A web browser should not have the ability to do this, this functionality is just not needed to browse the internet and load web pages, as is demonstrated by IE being vulnerable to this exploit and Firefox, Opera, Netscape and Mozilla not being affected.

    Best of luck in your AV trials and I hope you decide to go with NOD but remember in the end, you must use what works for YOU and your system.

    Additionally, never be afraid to bring up issues in this forum. You almost always get answers; sometimes people take things the wrong way but for the most part it is a very helpful and valuable resource.
     
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    So we at least keep things in perspective....the iebug.jpg that is now being discussed here and also @ the DSLReports Security forum that pollux linked to....are indeed one and the same. Let us also understand that it is not a dangerous file....but a proof-of-concept demo-type file that is masquerading as a jpg file. Inside that file is a script that points out a vulnerability in how IE handles an apparent .jpg file. It also can be used to show users that saving files as opposed to clicking on them....is the more secure way to go.

    The script was created by the Host of the Security Forum @ DSLReports. I can assure you he would not make something available that had a possibility to do harm. In fact....he stated in a post in the thread that pollux alluded to....

    said by WCB...."(Don't worry the script is harmless)"
     
  8. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Last edited: Aug 1, 2004
  9. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    I still don't understand after reading Anton's Note.

    How much larger would the definition file be if it were to include everything it could?

    The reason Anton gave was to keep the Database clean. While this is great, what about those harmless virus files on my computer which I could do without?

    So in this case making a Database larger isn't really a bad thing. Maybe Eset can make an Extended DB, and it would only be included when users choose they want to use it?
     
  10. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    Greetings,

    The new NOD32 definitions, 1.830, released today, now detect the file in question, iebug2.jpg, as Exploit/ActiveXComponent.01 trojan.

    I opened this thread in order to permit us to resolve the issue that had been raised around the exploit for which, as I understand it, the file provides proof of concept. It is my feeling that, now that the detection has been added, this particular issue can be considered resolved.

    Thank you, eset, for the prompt response. I am sure that members of the security community who have been tracking the issue will take note of it. To that end, I will be posting about the added detection in the thread at DSLReports cited in my first post.

    Regards,
    pollux
     
  11. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Where is the second version of this file so I can test it? You posted an IMON screen over at dslr.

    I don't use IMON. I detest IMON in all its forms. I want to know how AMON handles this exploit. AMON is the rtm, not IMON. Those using the release NOD32 don't have the IMON junk anyhow.
     
  12. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    Mele20,

    1) The file is at the link posted by WildCatBoy at DSLReports (also shown in the address bar of my screenshot there). I'm not going to post the link here since, although it is a proof of concept and not harmful per se, the file is detected by NOD32 as a trojan.

    2) I downloaded a copy of the file to disk before mailing it to eset. After the definitions were updated today, I did a right-click, context-menu scan of the file, and it was detected by the NOD32 scanner. I did not click on the file to test with AMON (and I've since deleted the copy), but I think it is correct to suppose that anything detected by the NOD32 scanner would also be detected in real-time by AMON.

    pollux
     
  13. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    As far as I can see WCB never posted a link to the changed file. I have the original file and AMON and NOD32 right click adv. heur. scan sees nothing. It is the second file that NOD32 now alerts on not the first one. The second is live. The first was a demo and that's the file I have. NOD32 has always refused to detect demos. So, it is only the changed file that is now live that NOD32 detects and I don't have that version of the file. The link you just posted to the file is to the second file not to the first. Look at the url. The first file is to ie.bug. The link to the live file after WCB made it live so that KAV and NOD32 would make a detection for it is ie.bug2. See the difference?

    Anyhow, I asked WCB to tell me where I can find the second live file. Or maybe Randy will send me his copy that NAV put in quarantine.

    edited to make it clearer that the link pollux posted at dslr to the second live file is dead. So, I am trying to find a copy of the second file to test with AMON and right click scanning of the downloaded object.
     
  14. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    It occurred to me that although I had deleted iebug2.jpg from my disk (both the file and the quarantined copy), I had yet another copy of the file cached since I'd attached it to the email to eset. So, for the sake of crossing the t's and dotting the i's (and vice versa), I've provided a screenshot of AMON detecting iebug2.jpg on my computer.

    Hopefully this will help to clear up any lingering doubts regarding NOD32's detection of the file with the 1.830 definitions.

    pollux
     

    Attached Files:

    • AMON.jpg
  15. nonmirecordo

    nonmirecordo Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    145
    Location:
    Cambridgeshire, UK
    Is there any need for subjective comments like these? IMON is patently not junk - if it were, Eset would have wasted a lot of time and money developing it.

    If you don't like it, fine, don't use it. Please let others decide for themselves.
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Agreed, why use 1/2 the program?

    Cheers :D
     
  17. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    In my opinion IMON with the HTTP scanner is a great addition! It has already stopped several potential infections on my son's machine. It is not causing any slow down or other problems.

    If you don't want to use it that is fine. However, for others it can provide a significant benefit and additional protection.

    You seem to have a lot of problems with your WinXP platform which is not the norm and may be influencing your evaluations of the different AVs?
    http://www.dslreports.com/forum/remark,10923396~mode=flat
     
  18. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    When I first got NOD32, there was no undue emphasis on IMON. A lot of us never used it or used it briefly with version 1 of NOD32 and then stopped using it. Now almost two years later, IMON has become the centerpiece of NOD32 and you are correct. There is not much point in using only one-half of an AV program, particularly when the half of it you don't use is now where all the emphasis is and the rtm is basically neglected now.

    I agree fully with what you have said. That is why I will not be renewing my license on either of my machines. NOD32 has changed drastically since I got it and I don't like the direction it has taken. I also do not like that I cannot get free phone support which I can get 24 hours a day 365 days a year with the av I will probably purchase to replace NOD32.
     
  19. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Yes, I have problems which are due to the fact that I have an nVidia video card on the XP box. The BSODs appear to be because of the infamous infinite loop problem on XP that is particularly bad with nVidia cards. ATI cards are less susceptible. Had I known that I probably would have gotten the ATI card although the price was much steeper and it doesn't have digital vibrance which is why I wanted the nVidia card. My problem is not that bad compared to what I have been reading about others with the problem. The latest drivers for the nVidia card have made the problem worse. I will probably go back to the previous drivers.

    As to whether or not this nVidia problem is influencing my decision regarding an av, I don't think it has much to do with it. I will probably purchase the AV that I mentioned in the thread you linked to as having given me two BSODs because the BSODs are caused by nv4_display.dll not by the AV.

    I also have just found that I cannot complete a scan using NOD32 public beta on this XP box. It is hanging on the same file in my downloaded programs folder every time. The file is just an ordinary file that the release version has never had a problem with, nor did the beta I had before the public beta. Plus, I experience noticeable slowdowns when I try to use the HTTP scanner on this box. I saw no slowdowns with KAV 4.5 set to maximum scanning of everything (KAV warned me not to set it that way because of severe slowdowns). Well, I didn't see any. But I sure do with this HTTP IMON scanner. So, I don't think NOD32 beta agrees with my XP box. I have no idea why I have trouble with it but don't see the slowdowns that others do with KAV. NOD32 beta runs much better on my W98SE box but again, I am only using one-half of the application, which doesn't make much sense.
     
  20. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Hi Mele20,

    Well, the best of luck with your other AV.

    All platforms and users are unique and that is why there isn't one single AV that is best for everyone.

    Take care,
     
  21. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Another interesting Exploit (BMP) detected by NOD.
     

  22. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    FYI, I also have Win XP and an nVidia graphics adapter on my computer. I have yet to have any problems with IMON or NOD32 at all (maybe I'm using old drivers or something, I don't know). Works great here (even this new beta). I'm sorry to hear that you have so many problems...

    About KAV (which you seem to be mentioning quite often in these NOD32 threads, by the way), I trialed it on my other comp (AMD Athlon XP 2800+ PC with 768 MB of RAM), and I noticed several slowdowns on the 4.5 version... Even when doing something so simple as listening to an MP3 on a very resource-friendly player like Foobar2000. (I could hear several small "glitches" in the music which disappeared once I uninstalled KAV.) And trying to browse large directories with many files became a pain with the RTM enabled. Since then I have also now tried the new KAV (version 5), and I must say things have gotten a lot better (seems to be much more resource-friendly).

    Anyway, in the end, my experience has been that NOD32 and F-Prot have been the anti-virus programs which have given me the least amount of hassles (AntiVir PE seems to be running quite nicely also).

    sir_carew: Cool! Is it this exploit which was discussed some time ago here: https://www.wilderssecurity.com/showthread.php?t=32702&highlight=exploit
     
    Last edited: Aug 4, 2004
  23. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I wasn't implying that the nVidia problem has anything to do with the NOD32 problems. Stan999 has asked before over at dslr about my BSODs. I was just telling him that they are caused by the nVidia driver and it is a common problem on XP only. I'm glad you don't have it.

    It all boils down to what works best on each individual's computer. We all run different programs and what works on yours may not on mine and vice versa. My main problem is my beef with Eset emphasizing a SECOND rtm. I don't want two. I want one. I don't want an email scanner either and prefer AV which don't offer one or make it easy to not install it. So NOD32 is no longer the kind of AV that I want. Almost any other AV out there is better for me because none of them want you to run TWO rtms with all the possible problems that ensue from unnecessarily running two rtms with one of them messing with Winsock. I am a very conservative user and NOD32 has gone off on the deep end here IMO with some wild notions. Maybe a few years into the future IMON HTTP scanner will work right and then AMON should be done away with. In fact why have AMON now? IMON is doing all the work. AMON appears superfluous now. Just have IMON and the on demand scanner.
     
  24. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    Anybody kind enough to answer me why more definitions are not good?
     
  25. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas