Whats the diff between bugbear.b and bugbear.b.damaged

Discussion in 'NOD32 version 1 Forum' started by testg, Jun 6, 2003.

Thread Status:
Not open for further replies.
  1. testg

    testg Guest

    Since if it's damaged then it won't help much, I know it helps for heuristics but still, is there enough difference between that and the original bugbear.b? :)
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    detection for damaged, non-working samples of
    W32/Bugbear.B. These non-working samples are detected as Bugbear.b.damaged.

    regards.

    paul
     
  3. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    In general, damaged means something like - incomplete virus body, unable to replicate, producing BSODs ... etc...
     
  4. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    This seems strange to me:
    Yet I remember when NAV detected W32.Magistr.corrupt and KAV detected I-Worm.Magistr.corrupted, ESET was calling that "snake oil" and proudly announcing they only included "live viruses" for detection. I really don't care, but it seems a little inconsistent based on previous behavior, but people change attitudes I guess.

    FYI, McAfee included detection for W32/Bugbear.b.dam:
    and Symantec has added W32.Bugbear.B.Dam to its virus list: my wife got one of these in email Saturday. KAV also has detection of I-Worm.Tanatos.dam and CA-eTrust also has "WIN32/BUGBEAR.B.CORRUPTED" in its Newly Detected Viruses list. Personally I'm unsure why the vendors are choosing to include a dead virus but it's OK by me. :D :eek:
     
  5. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Well, I guess ESET changed their policy. People don’t understand. So you got bad publicity.

    There was a lot of dust about NOD32 not detecting a corrupted Magistr sample (as Randy mentioned). It was a dead virus (non-working) but people didn't care. In their eyes, NOD32 failed to detect a sample of Magistr.

    Technodrome
     
  6. Paolo Monti

    Paolo Monti Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    280
    Location:
    Rome, Italy
    You're right. As usual :)
    Mainly, Eset included the detection of damaged samples of Bugbear.B because I asked them to do that. According to MessageLabs statistics, Italy was one of the most stricken countries. That's absolutely true. We received many - really many - support calls about Bugbear.B infections. Many users received a damaged sample of Bugbear.B that at the beginning NOD32 was not able to recognize. Sure, those samples were corrupted and they could not spread any infection. But the major part of users don't know that: they simply looked at those e-mails, decided that they were quite suspicious... and called the helpdesk. For us it was really unfeasible to bear such an overload of support calls.

    ciao,
    Paolo.
     
  7. Paul Hill

    Paul Hill Guest

    It's good that most AV programs detect the damaged Bugbears.

    They may not be able to spread infection, but we've seen some of them that caused problems.

    The corrupted Magistr mentioned earlier did nothing. It was a false alarm.
     
  8. Paolo Monti

    Paolo Monti Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    280
    Location:
    Rome, Italy
    Yes, that's absolutely true. Just to say: at least in one case we had a "damaged" Bugbear.B able to spread on a PC. The extent of the "damage" may vary a lot. We've seen quite damaged files (even less than 5 KB) and other samples that were almost identical to the original Bugbear.B.

    ciao,
    Paolo.
     
  9. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    I wouldn't say so. After all, it was detected as "corrupted", and it was exactly that - a corrupted, broken, non-functional virus. :p Oh well.
     