Vundo Trojans - NOD32 No Can Do ?

Just saw this post on SUPERAntispyware forum ...
http://forums.superantispyware.com/viewtopic.php?t=578

Hopefully NOD32 will detect these variants with upcoming sig.
updates.

 

Ocky , this post itself states NOTHING . The OP can lie just to make advertisement to SAS . Moreover , ESET cannot detect the Zlobs if they don't know them and he does nothing to help NOD32 detect it .

 

That post you read doesn't say much, looks more like an add or testimonial..

 

And even Nick with SAS would say, that a trojan that SAS detected that Eset didnt, well, just doesnt sound right. SAS is a great product, but I am pretty sure Nod would have first crack at it for detection. Of course, anyone can post what they want to sway a persons perspective. And as a beta tester for SAS, I found this post, well, lets say, hard to chew.

 

Or it might just be a malware which NOD doesnt detect and SAS did, so the user was innocently complimenting the product?... we all know AVs arent 100% effective and there is a possibility that SAS detects some malware which NOD misses... not a big deal though.

As for the legitimaticy of the post, nobody here knows for sure, but it doesn't really matter... its only one user's experience and thoughts... thousands of other users out there as well, so it doesn't really matter.

 

The bottom line with ANY and ALL anti-spyware, anti-virus, anti-trojan, etc. applications is that NO PRODUCT (including ours) can catch EVERYTHING on a given day, it just simply is not possible. It is likely in the post that the user referred to that NOD simply didn't have their hands on the samples or didn't produce definitions (at the time) to catch that particular variant of the infection - it happens all the time. There are days we catch things others miss, and days others catch things we miss - it's just the reality of the anti-spyware/trojan/malware/virus, etc. game.

Hence why multiple layers of protection are a must in the world today.

 

Virtumonde authors actually focus on the biggest AV players which is evident when you look at the history of samples people submit to online scanners.

 

I have come across the "Vundo" virus in my travels as well, on my girlfriends sisters PC. It can be pretty nasty. She was using McAfee and it was able to detect it, but would not get rid of it. It kept saying it was cleaned, but in reality it wasn't. I'm pretty sure that most AV programs have no answer for many of the Vundo variants, or at least didn't at that time (not sure now). I had to manually delete it which involved shutting down some processes that you don't normally want to shut down, then manually deleting the file, then turning the PC off by the button (as restarting will re-active it).

Vundos are often acquired through torrent files from what I've read. Often disguised as cracks for AV or other security programs. I guess the thinking is that the people looking for such files aren't protected, and would be most susceptible.

 

I have to disagree with your opinion because if you had tested SAS versus Vundo infections as i have on a regular basis you will know that SAS has a very high sucess rate versus Vundo& freinds

Also it is not unlikely that SAS detects stuff that NOD miss's at any given time it is a certainty and vice versa the other way.I did'nt have to look far for another example of this as less that 2 hours ago c/o a certain activeX malware install at a keygen site(.name) SAS cleaned up the infection 100% including this bot that made it up onto MIRT malware listserve as it is not widely detected by the databases there
http://www.castlecops.com/t183438-MD5_703e022a181468a14d36cbe9d8174912_winhoo32_dll.html

 

yeah i am not sure where all of the cynicism comes from. SAS is widely proclaimed throughout this forum as a great product, but the moment some user testifies to that, all of a sudden 'the fix is on'

if anyone bothers to take a look at castlecops listserve, they may be shocked at how much stuff Nod does miss (btw i am a Nod32 user...so no axes to grind). i read and i believe it was on this boards Eset forum that Eset can be both selective in what they build signatures for and sometimes slow in deliverables. personally i have no complaint, but Nod does miss stuff....they all do from time to time....not a big deal. glad SAS cleaned up whatever that guy had...another good product does it's job.


Mike

 

This statement (Courtesy Nick (SAS) is worth repeating again especially in light of the few cynicals (Hello DA) and critics who post their complaint to good solid setups and seem to view it as ridiculous and too heavy to apply such a Layered approach to Windows PC systems for the added benefits it DOES offer.

 

I think it is a case of layering being worthwhile. If one looks at AVC tests NOD shows 96.71% overall. That leaves about 3% it did not catch. So what? It is one of the very best, but still not 100%. If it would have reached 100% there could still be a new variant of something it would not detect.

I have no reason to doubt the original poster, and just because he claims NOD missed one that SAS found seems little grounds for the criticism.

I must admit that there seems to be some sort of emotional love/hate regarding NOD and/or KAV that I do not observe among other AVs. There is also often an emotional reply. I can't relate to that, as it is just software to me, and it doesn't have any emotional hold over me.
Maybe the poster was one who did not like NOD, but his experience is not outside the realm of probability.

I would not trust any AV to protect me 100% all the time, and so I use other applications. SAS happens to be one, and I like it.

Regards,
Jerery

 

Good point and one well heeded here by many.

Some like myself learned this from actual experience like once when a trojan dropper penetrated past AVG7 (fully updated at the time) straight into the c:\ folder where many of them like to get a head start to announce their invitation to their buddies that "i'm in now, hurry on in fellows". Only Kerio 2.15, the lowly old-fashioned firewall who is been out-versioned several times in it's short life-span ALERTED IMMEDIATELY! to and "outgoing attempt" from that bad boy.

Most of us only need to be showed once not to trust in a single protection factor, hence came the piling on technique many of us still employ today and will never relenquish again. Suite or no suite.

 

I just got through cleaning a computer that had everything under the sun on it, including the Vundo crapware. NOD32 did not detect the Vundo virus at all. Neither did Kaspersky (even though it detected 3 times the stuff that NOD did). The only way I knew the stuff was there was because of my Winpatrol program. Even then I had to Google the files and discovered they were Vundo. In the end, it took a combination of Vundofix, Superantiapyware and Unlocker to get rid of the little nasties. Real life scenarious such as this show just how important it is to have layered protection. Common sense helps too, as the owner was running an always-on high-speed connected with no router nor software firewall.

 

Unfortunately these Total detection percents in Av-Comparatives tests doesn't give the real comprehension of any av's current detection capabilities. Even the Av-Comparatives 02-2007 (plus 08-2006) test reports showed that only ONE single engined av was capable to miss LESS than 5 % of samples added AFTER the 08-2006 test and even NOD was far from that. Actually the most single engined av:s tested missed MORE than 10 % of samples added AFTER the 08-2006 test. In my mind these newly added samples were the biggest tested threats when the test was done. Somehow these kind of results are not acceptable in av-vendor's forums.



Best regards,
Firefighter!

 

This post makes me nervous, because I just changed to NOD, which I like so far.

I know nothing can detect it all, but if Kaspersky is finding 3x the number if infections...

 

I don't believe that KAV is finding 3x the number of infections than NOD32 but probably NOD32 is MISSING about 50 % more infections than KAV in real life according my former post study, which isn't a poor result yet comparing to many other av:s.

Best regards,
Firefighter!

 

Don't worry, NOD32 is a top-notch AV program with a very high detection ratio. Still, you should bear in mind that no AV detects all threats in the world, this is impossible. If you have a problem with a particular threat, contact Eset's support and we'll be happy to assist you.

 

This home-made test is not trustworthy, it's not a problem for me to prove the contrary depending on the test set you choose. We're not here to quarrel and try to persuade the others who's right, I'd rather suggest to have a look at some prestigious tests performed by A. Clementi or Virus Bulletin. Though any test does not show how a particular AV protects you in real life, a well-made test can provide an approximate overview of AV detection capabilities.

 

Unfortunately this wasn't MY home made test but if you read those Av-Comparatives REPORTS 08-2006 and 02-2007, you can find these same results as I found before in this thread.

You can correct my rankings for sure if they are wrong, but here they are against samples added AFTER the 08-2006 test.

_1. AVIRA
_2. Kaspersky
_3. AVG A-M
_4. Norton
_5. NOD32
_6. BDF Pro+ 10
_7. Norman VC
_8. Avast 4.7 Pro
_9. F-Prot 6
10. DrWeb 4.33
11. McAfee VS 5100 eng.

So, none of them got Advanced+ but AVIRA, Kaspersky and AVG A-M vere so good to get Advanced reward.
In my mind to clean an infected PC against OLDER than 6 months old of samples is only a theory. You have to be in troubles before this.

Still, I will rank the best av:s as follow excluding clones.

1. Kaspersky
2. AVIRA
3. BitDefender
3. NOD32 (even as a famous NOD basher)

Why not Norton? Maybe the Symantec uninstall policy can say the rest.

Best regards,
Firefighter!

 

However you want to state it, in this particular instance of which I am speaking, I was very shocked at the difference. I have been a NOD32 fan for some time, and I have to admit my bubble was burst. I was going up against some really tough malware, and NOD couldn't clean what it detected. I really don't care what the AV comparatives and other tests say. Tests in a controlled environment are one thing - real life is another. Test results don't clean an infected computer. I'm not trying to bash NOD, as it has served me well, and has saved my butt on more than one occasion. But the fact remains it wasn't up to task in this case.

Luxeon,

Don't be nervous. NOD is an outstanding AV. I am not trying to get people to switch from NOD to another AV. The thing to keep in mind is that my scenario with the astoundingly-infected computer is an instance of a user totally unfamiliar with security measures and having a wide open computer with no protection whatsoever. If you use some discretion in your surfing habits, most AV's will protect you well, and NOD is an outstanding AV. I simply believe that, at this point, Kaspersky is more effective. That doesn't mean others should switch - that was simply my personal choice in the matter.