Where to report a threat not detected by NOD

Discussion in 'NOD32 version 2 Forum' started by justsomeguy, Jul 30, 2006.

Thread Status:
Not open for further replies.
  1. justsomeguy

    justsomeguy Registered Member

    Joined:
    Oct 18, 2003
    Posts:
    11
    The file name is smss.exe. I know this is a normal windows process but there is also a version that is a trojan. The normal file lives in the system32 directory and has a size of 50k. This file on my machine is in the windows/system directory and is only 35k so I know it isn't legit. My firewall caught it trying to make an outgoing connection to the internet, of course I blocked it. If I scan the file with NOD it reports nothing. After doing some research I have found that it is identified as Flood.F Trojan. Who at eset should I ask to take a look at this?

    Thank You
    Matt
     
  2. justsomeguy

    justsomeguy Registered Member

    Joined:
    Oct 18, 2003
    Posts:
    11
    Sorry, I overlooked the sticky about submitting threats. I have sent them an email now.
     
  3. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Thank you for submitting this file justsomeguy and if you can please keep us up with the process of adding the definition. :)
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi justsomeguy, welcome to Wilders.

    Please also submit the file to www.virustotal.com

    Cheers :D
     
  5. justsomeguy

    justsomeguy Registered Member

    Joined:
    Oct 18, 2003
    Posts:
    11
    Done, I've reported it to both places.
     
  6. justsomeguy

    justsomeguy Registered Member

    Joined:
    Oct 18, 2003
    Posts:
    11
    Here is the result of the submission to virustotal:

    Virustotal Server response

    --------------------------------------------------------------------------------

    Results of a file scan
    This is a report processed by VirusTotal on 07/31/2006 at 07:36:55 (CET) after scanning the file "smss.rar" file.
    Antivirus Version Update Result
    AntiVir 6.35.1.0 07.30.2006 no virus found
    Authentium 4.93.8 07.29.2006 W32/Methodbod.gen
    Avast 4.7.844.0 07.29.2006 no virus found
    AVG 386 07.28.2006 no virus found
    BitDefender 7.2 07.31.2006 no virus found
    CAT-QuickHeal 8.00 07.29.2006 no virus found
    ClamAV devel-20060426 07.31.2006 no virus found
    DrWeb 4.33 07.30.2006 no virus found
    eTrust-InoculateIT 23.72.82 07.30.2006 no virus found
    eTrust-Vet 12.6.2314 07.28.2006 no virus found
    Ewido 4.0 07.30.2006 no virus found
    Fortinet 2.77.0.0 07.30.2006 no virus found
    F-Prot 3.16f 07.28.2006 W32/Methodbod.gen
    F-Prot4 4.2.1.29 07.28.2006 W32/Methodbod.gen
    Ikarus 0.2.65.0 07.28.2006 no virus found
    Kaspersky 4.0.2.24 07.31.2006 Trojan.Win32.Agent.xo
    McAfee 4817 07.28.2006 no virus found
    Microsoft 1.1508 07.27.2006 no virus found
    NOD32v2 1.1684 07.29.2006 no virus found
    Norman 5.90.23 07.28.2006 no virus found
    Panda 9.0.0.4 07.30.2006 Suspicious file
    Sophos 4.08.0 07.30.2006 no virus found
    Symantec 8.0 07.31.2006 no virus found
    TheHacker 5.9.8.183 07.30.2006 no virus found
    UNA 1.83 07.28.2006 no virus found
    VBA32 3.11.0 07.31.2006 no virus found
    VirusBuster 4.3.7:9 07.30.2006 no virus found

    VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Do not reply to this message. It has been generated by an automatic address that will not handle any reply. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
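    A small parser for the plain-text VirusTotal report layout quoted above, added here as an example (it is not part of the thread and not VirusTotal's own tooling); the sample rows are constructed from a subset of the report above, and the column layout "engine version update result" is assumed from it.

```python
import re
from collections import namedtuple

# Constructed sample, a subset of the 2006 VirusTotal e-mail report quoted in
# this thread. Each data row reads "<engine> <version> <update mm.dd.yyyy> <result>".
SAMPLE_REPORT = """\
Antivirus Version Update Result
AntiVir 6.35.1.0 07.30.2006 no virus found
Authentium 4.93.8 07.29.2006 W32/Methodbod.gen
eTrust-Vet 12.6.2314 07.28.2006 no virus found
F-Prot 3.16f 07.28.2006 W32/Methodbod.gen
Kaspersky 4.0.2.24 07.31.2006 Trojan.Win32.Agent.xo
NOD32v2 1.1684 07.29.2006 no virus found
Panda 9.0.0.4 07.30.2006 Suspicious file
"""

Row = namedtuple("Row", "engine version update result")

# Engine and version never contain spaces; the mm.dd.yyyy update stamp anchors the
# split so multi-word results ("no virus found", "Suspicious file") stay whole.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
CLEAN_RESULT = "no virus found"


def parse_report(text):
    """Return one Row per engine line; the header, separators and prose are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Row(*m.groups()))
    return rows


def summarize(rows):
    """Detection ratio plus the verdict of every engine that did not report clean."""
    flagged = {r.engine: r.result for r in rows if r.result.lower() != CLEAN_RESULT}
    return {"engines": len(rows), "flagged": flagged,
            "ratio": f"{len(flagged)}/{len(rows)}"}


def verdict_of(rows, engine):
    """Verdict of one engine (case-insensitive), or None if it is absent from the report."""
    for r in rows:
        if r.engine.lower() == engine.lower():
            return r.result
    return None


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(summary["ratio"], summary["flagged"])
```

    The ratio only counts engines that returned something other than "no virus found"; a heuristic verdict such as "Suspicious file" is kept separate in the flagged dictionary so it can be weighed differently from a named detection.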
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Yep, I spotted it last week. Anyway, most of these Medbot variants are detected generically without needing to update; this one will require adjustment of the generic detection.
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Spotted last week and you left it undetected?? :( :rolleyes: :blink:
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I also spotted tons of others detected by NOD32 only, or by 1 or 2 more AVs besides NOD32 :D It really requires an update of the generic signature in order to be protected against further new variants. I don't think you would be satisfied if we detected just this one and missed the future variants.
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It's called priorities. Deal with a school of sharks first; a sardine can wait until later…

    There is a saying that goes like this: Why be up to your neck in mud wrestling with the crocs when you can drain the swamp :blink: ;) :D

    Blackspear.
     
  11. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Yes, but a dozen sardines can "kill" a shark sometimes. ;)
    ... and if you'd like to be really smart you can pay someone to drain the swamp and then kill the croc. You could just watch. :D :D :p
     
  12. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    If this malware were on your system, calling out, would you still belittle its importance by calling it a "sardine"? Are customers who are affected by malware that Eset knew about but didn't deal with supposed to feel better, just because it wasn't a "priority"?

    I'm not throwing stones--really, I'm not--but this kind of attitude boggles my mind. I mean, you are literally telling a user that yes, they had malware on their system; that yes, NOD32 failed to detect it; that yes, Eset knew about it, but never mind all that--the malware on your system wasn't important enough.
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Reality is, fast- and wide-spreading malware has to be given priority, then the next fastest the next priority. Something that has been hunted down and found on the far reaches of Google on a single PC cannot be a priority, this is just reality.

    In a perfect world where staff by the hundred could be employed and afforded to be employed this would not be an issue, then again, in a perfect world there would be no malware, and with this being the case, no antivirus software companies; but we are living in the real world, so priorities there are ;) :D

    Cheers :D
     
    Last edited: Jul 31, 2006
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, in this real world, if ESET can't add something, even low priority, in one week they had better not support their AntiVirus anymore and start making something else....software that doesn't need updates.
    Or, they could seek more employees. It wasn't me who made them produce an AntiVirus. Perhaps my only fault was that I bought a license... :rolleyes:
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Would you rather have Eset at the forefront of technology stopping the fastest spreading malware in the fastest time, or have their technicians working on a piece found in the backblocks of Google? I know for sure that I'd rather them keep doing what they are doing and improve as they can afford to do so, add non-priority items as soon as they are able and maintain NOD32 at the top of the pile.

    If you are really that unhappy with NOD32 I hear AVG is free ;) :D

    Cheers :D
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Really? :D o_O :blink:
    Maybe after my burial I'll give it a try. :D :ninja:
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    ROFLMAO :blink: ;) :D
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I spotted it on VT and am not aware of having received it from that guy.
     
  19. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Perhaps I am not very technical, but isn't it possible to just add a "standard" detection for a sample without trying to "fit it" into a generic detection? I'm not thinking about this sample only, but in general (cases that are a bit similar to this one)? And it's not meant as criticism, just a question out of curiosity.

    Sorry if it is a little bit off-topic.
     
  20. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Of course it is possible. ;) But ESET wants only generic detection. :rolleyes:
     
  21. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    IMHO it would be more correct to say "ESET wants generic detection" given the fact ESET to my knowledge has never publicly stated they want "only" generic detection :blink:

    Edit
    Oh never mind....I now notice the sarcastic smilie you applied to your post :ninja: :rolleyes:
     
    Last edited: Jul 31, 2006
  22. ShunterAlhena

    ShunterAlhena Registered Member

    Joined:
    Aug 1, 2004
    Posts:
    134
    Location:
    Szigethalom, Hungary
    Just discovered some erratic system behavior, ran NOD32 with AH (nothing), looked at Autoruns, saw two suspicious entries and sent them to Eset, then through some Googling I finally got here.
    Anything new with this malware?
     
  23. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Did you also try submitting the suspicious files to VirusTotal?
     
  24. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    ...and made 100+ posts o_O I guess there are plenty that take part at Wilders and don't realise all the different forums here though...
    Very good suggestion.
    Just realise that even if many other vendors choose to detect a particular file that doesn't mean that for sure it is a threat; likewise, even if none detect it, that doesn't mean it isn't...

    Cheers :)
     
  25. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,221
    I think shark or sardine doesn't really matter as we all know that no AV can guarantee 100% detection.

    The only way to have perhaps 99.999% success is to use NOD in conjunction with a sort of sandbox program.
     