We may have a new outbreak...

Discussion in 'NOD32 version 2 Forum' started by Blackspear, Jan 19, 2006.

Thread Status:
Not open for further replies.
  1. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    2 such emails in the last 10 minutes:

    email Attachments001.BHX - Win32/VB.NEI worm - deleted
    Attachments001.BHX > MIME > Atta[001],zip .SCR - Win32/VB.NEI worm

    Cheers :D
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Oh Don, just loves me, he so wants to share his photo album with me :rolleyes: ;) :D

    From: don [don at xyz.com]
    Sent: Thursday, 19 January 2006 10:39 PM
    To: my email at @ xyz.com
    Subject: Fwd: Photo

    photo

    photo2

    photo3

    __________ NOD32 EMON 1.1371 (20060118) Warning __________

    Warning, NOD32 antivirus system found the following in the message: ...
    Video_part.mim - Win32/VB.NEI worm - deleted
    Video_part.mim > MIME > New Video,zip .sCr - Win32/VB.NEI worm

    http://www.eset.com

    Lots of them coming through, just gotta love Nod32 :D

    Cheers :D
     
  4. gue_st

    gue_st Guest

    Is this thread going anywhere?
    What is the point in posting this in NOD32 forum, if it is detected? (except if image of NOD would need some vamp-up, which isn't the case, is it?)

    Maybe this kind of thing would be more useful in 'Other AV' forum, then maybe somebody affected could buy NOD32?
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Oh come now, I very rarely receive infected emails except during outbreaks, and thought this was such a case, in fact the virus radar shows it as number 3 on the list at this moment, and I continue to receive a number of emails infected only with this particular detection.

    Cheers :D
     
  6. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Isn't that a bit like saying 'C'mon Blackspear, quit having fun and enjoying yourself !!'

    Go for it Blackspear, I was just having a laugh to myself at your fun :)
     
  7. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Could U send the file to Jotti and post a capture screen from Jotti's.

    izi
     
  8. Jaska

    Jaska Registered Member

    Joined:
    May 7, 2004
    Posts:
    98

    And as I am armed to the teeth and 100% prepared I very rarely get anything infected. I wonder what people are doing when they get infections? I must admit that I do download and try things from "hus-hus" sites but very rarely is there something nasty with them.
     
  9. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    HEHE!

    Nice of Don, isn't it?

    :D
     
  10. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    This is a report processed by VirusTotal on 01/19/2006 at 19:12:15 (CET) after scanning the file "Attachments001.BHX".

    Antivirus           Version          Update      Result
    AntiVir             6.33.0.77        01.19.2006  Worm/KillAV.GR
    Avast               4.6.695.0        01.18.2006  no virus found
    AVG                 718              01.19.2006  Worm/VB.6.AN
    Avira               6.33.0.77        01.19.2006  no virus found
    BitDefender         7.2              01.19.2006  Win32.Worm.VB.TB
    CAT-QuickHeal       8.00             01.18.2006  W32.Vb.Mi
    ClamAV              devel-20051123   01.18.2006  no virus found
    DrWeb               4.33             01.19.2006  Win32.HLLM.Generic.391
    eTrust-InoculateIT  23.71.54         01.19.2006  Win32/Blackmal.F!Worm
    eTrust-Vet          12.4.2050        01.19.2006  Win32/Blackmal.F
    Ewido               3.5              01.19.2006  no virus found
    Fortinet            2.54.0.0         01.19.2006  W32/Grew.A!wm
    F-Prot              3.16c            01.19.2006  W32/Kapser.A@mm
    Ikarus              0.2.59.0         01.18.2006  Email-Worm.Win32.VB.BI
    Kaspersky           4.0.2.24         01.19.2006  Email-Worm.Win32.Nyxem.e
    McAfee              4678             01.19.2006  W32/MyWife.d@MM
    NOD32v2             1.1371           01.18.2006  Win32/VB.NEI
    Norman              5.70.10          01.19.2006  Small.KI@mm
    Panda               9.0.0.4          01.19.2006  W32/Tearec.A.worm
    Sophos              4.01.0           01.19.2006  W32/Nyxem-D
    Symantec            8.0              01.19.2006  no virus found
    TheHacker           5.9.2.076        01.18.2006  W32/Mywife.mime
    UNA                 1.83             01.19.2006  no virus found
    VBA32               3.10.5           01.19.2006  Email-Worm.Win32.VB.bi

     
  11. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Congratulations for the big Symantec. :D :)))) :p Perhaps in 3 or 4 years it will add a signature for it also. :p (I'm too evil, sorry.) :D
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    This thread is about NOD32, so please stay on topic. Apart from that: no bashing please.

    regards,

    paul
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Yeah, I'm on his fan-mail now, received a few more from him this morning :D
     
  14. Happy Bytes

    Happy Bytes Guest

    ...and just for the record, Symantec detects this worm from the first minute on, even if VirusTotal doesn't list it as infected! So don't judge based on amateurish online scans! Bookmark this post for later reviews. It's always like this. Go to www.sarc.com ---> extend the virus threats. Search for the threat where they list "MyWife.d" as McAfee alias - that's Symantec's name. Take a look at the date when the description was written (that's usually later than the detection was added) and build up your own mind before you bash some AV program. Same applies for NOD32 if something isn't detected on such online scanner sites! You cannot judge the detection based on such online scanner results! And please someone send a link to this post to firefighter as well :D
     
  15. Happy Bytes

    Happy Bytes Guest

  16. Happy Bytes

    Happy Bytes Guest

    And one more: The malware author is from the UK, I'm just tracking him down. He's known there as "mysoulmustfly". A typical VB programmer who used several public forums to collect information on how to program network spreading code and how to include exploiting code. The malware authors are becoming more and more dumb with each day. I'm just waiting for the moment when the next guy includes his phone number and residency.
     
  17. Lancelot_PT

    Lancelot_PT Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    6
    Re: We may have a new outbreak... OT

    Don't tell me you're feeling dull :D

    Let me guess the future: AV R creating viruses so that you guys challenge each and every one of you :rolleyes:
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Don't ever trust Hotmail scan results, this is just the latest of many that it has missed :rolleyes:

    Cheers :D
     

  19. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    That's excellent advice Blackspear.
    I remember when some people discovered that Hotmail didn't update McAfee too much. I think this may apply now for TrendMicro.
    Well... Patience...

     
  20. gue_st

    gue_st Guest

    I apologize for my post, but I was enlightened here that every thread must go somewhere. The one I started, I was told, wasn't going anywhere so I am now just studying, where each thread is going, and, as I cannot easily understand that, I have to ask questions.

    To remind, I have a piece of small software, intended to protect remotely controlled security systems. It filters all the network traffic and blocks any unauthorized traffic, checks the running processes against an authorization list and terminates any unauthorized processes. In addition, authorization lists and their signatures are hidden from the Windows API, so there are some rootkit technologies involved too. NOD32 is not running on the computers with this software installed. And, of course, there are some strict internal regulations for use of such software - it is not, and cannot be, installed (due to protection) on a normal computer. And it also cannot be submitted to anybody for analysis.

    The problem is, that NOD32 detects it as probable virus (and detects properly - there is no false positive - if this code would appear on any normal computer, it should be immediately deactivated, like NOD32 does).
    But it is also not possible to copy it on CD with NOD32 running, as NOD does not have an option to manually choose action for AMON, which would not involve *prohibit access. In that way NOD32 is interfering with my work, which it is not supposed to do.

    And yes, if NOD32 detects and indicates *probable virus and does not give an option to manually override clean action, it is stupid!
    And, if technical support repeatedly, like a parrot, asks to submit the file, it is stupid too, and it forces me to post something in NOD32 forum.
    Of course, those are small things that could be easily corrected if somebody would spend 5 minutes to understand the subject, not analyze if the thread is going anywhere or not, or, noticing the word *stupid, consider it bashing.
    It also seems impossible for Eset to understand that I might be talking about principle, not solution for my particular case.

    After all we are not talking here about Christmas presents, which you are supposed to like, or, if you don't, are expected to act as if you did.
     
  21. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Sorry guys for my post. I was just a little bit tired. No more bashing here. ;)

    Perhaps u're right. These online scanners are not always so accurate. :)
     
  22. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    No Problem, you're OK; but for the record, Happy Bytes is absolutely correct, Symantec was detecting this worm early on. Gavin Coe posted about it three days ago over at TrojanHunter Forum in the following thread: NASTY new email worm -- at which point I noted that a friend had sent me samples and I can verify that they were detected.

    I would also like to add, regarding online scanners: VirusTotal uses the 8.0 engine of Symantec, which is an OLD engine {not many unpackers, no detection of expanded threats or spyware, etc.}; illukka and others have sent me quite a few samples that VirusTotal said were missed by Symantec but were detected by my copy of the latest version of the program.

    Now, as Paul admonishes me/us, this is NOD32 subject and forum, so I didn't want to comment other than to corroborate Happy Bytes' statement, as I have tested early on and verified detection; thanks! ;)
     
  23. davef

    davef Registered Member

    Joined:
    Feb 26, 2005
    Posts:
    55
    Location:
    West Sussex UK
    Does anyone have any idea what this Win32/VB.NEI worm does? Somehow it got past NOD32, although it found it the next morning on its daily scan and deleted it.

    Thanks

    Dave
     
  24. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    NOD32 would have found it earlier, once you had extracted the archive. This worm also spreads in BinHex archives (used on Mac systems), hence these were not initially scanned by NOD32 as archives.
     
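The detection lines quoted earlier in the thread (a .BHX wrapper, then a MIME layer, then a zip-lookalike name that really ends in .SCR) and Marcos's point that the outer archive layer was not initially unpacked describe the same gateway problem: every encoding layer has to be opened before the innermost filename can be judged. The following is an added example written for this edit, not ESET or NOD32 code. It uses the `email` and `zipfile` modules from the Python standard library to walk a constructed MIME message, open nested message/rfc822 and zip layers, and flag attachments whose real extension is executable or whose name places a zip lookalike in front of the real extension. The BinHex (.BHX) layer is not decoded here; the sample message, the extension blocklist and every file name in it are constructed for the example.

```python
"""Added example (not ESET/NOD32 code): unpack the attachment layers of a MIME
message and flag filenames whose real extension is an executable type hidden
behind a fake archive name such as "New Video,zip .sCr" or "Atta[001],zip .SCR".
Handles MIME and zip layers; the BinHex (.BHX) layer from the thread is out of scope."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: a typical gateway blocklist of extensions Windows runs on
# double-click; not a list taken from NOD32.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
ARCHIVE_EXTS = {"zip"}

# A zip lookalike (".zip" or ",zip"), optional spaces, then the real extension,
# e.g. "Atta[001],zip .SCR".
FAKE_ARCHIVE_RE = re.compile(r"[.,]\s*zip\s*\.\s*[A-Za-z0-9]+\s*$", re.IGNORECASE)


def real_extension(name: str) -> str:
    """Extension Windows would actually use: text after the last dot, with
    surrounding whitespace stripped and lowercased. "New Video,zip .sCr" -> "scr"."""
    name = name.strip()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].strip().lower()


def classify_filename(name: str) -> list:
    """Return the reasons a filename looks dangerous (empty list if none)."""
    findings = []
    ext = real_extension(name)
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")
    if FAKE_ARCHIVE_RE.search(name):
        findings.append("zip lookalike in front of the real extension")
    return findings


def scan_zip(data: bytes, where: str) -> list:
    """List executable or spoofed members inside a zip attachment."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                for reason in classify_filename(member):
                    hits.append((f"{where} > ZIP > {member}", reason))
    except zipfile.BadZipFile:
        hits.append((where, "named like a zip but is not a valid zip archive"))
    return hits


def scan_message(raw: bytes) -> list:
    """Walk every MIME part (message/rfc822 sub-messages included) and return
    (location, reason) pairs for suspicious attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        for reason in classify_filename(name):
            hits.append((name, reason))
        if real_extension(name) in ARCHIVE_EXTS:
            hits.extend(scan_zip(part.get_payload(decode=True), name))
    return hits


def build_sample() -> bytes:
    """Constructed sample modelled on the 'Fwd: Photo' mail quoted in the
    thread: an outer message carrying a forwarded message (Video_part.mim)
    that holds a zip with a disguised .scr inside, plus a bare lookalike
    attachment. Payload bytes are placeholders, not a program."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("New Video,zip .sCr", b"placeholder bytes, not a program")

    inner = EmailMessage()
    inner["Subject"] = "Fwd: Photo"
    inner.set_content("photo\n")
    inner.add_attachment(zip_buf.getvalue(), maintype="application",
                         subtype="zip", filename="Video_part.zip")

    outer = EmailMessage()
    outer["Subject"] = "Fwd: Photo"
    outer["From"] = "don@example.invalid"
    outer["To"] = "victim@example.invalid"
    outer.set_content("photo2\n")
    outer.add_attachment(inner, filename="Video_part.mim")
    outer.add_attachment(b"placeholder bytes, not a program",
                         maintype="application", subtype="octet-stream",
                         filename="Atta[001],zip .SCR")
    return outer.as_bytes()


if __name__ == "__main__":
    for location, reason in scan_message(build_sample()):
        print(f"{location}: {reason}")
```

Run on the constructed sample it reports four findings: two for the .sCr member inside the zip carried by the forwarded message and two for the bare `Atta[001],zip .SCR` attachment, while the legitimate-looking `Video_part.zip` and `Video_part.mim` names themselves are not flagged. The point of `real_extension` is that the decision is made on the text after the last dot with surrounding spaces removed, which is what the Windows shell will use, rather than on whatever the name appears to end with.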
  25. davef

    davef Registered Member

    Joined:
    Feb 26, 2005
    Posts:
    55
    Location:
    West Sussex UK
    Thanks for your quick reply Marcos. I did an in-depth scan again afterwards and it came up clean, so I presume my machine is clear of it?
     