win 7 security 2012 virus

Discussion in 'ESET NOD32 Antivirus' started by snooke1e, Jun 16, 2011.

Thread Status:
Not open for further replies.
  1. snooke1e

    snooke1e Registered Member

    Joined:
    Jun 16, 2011
    Posts:
    1
    Anyone been hit with this virus, and can NOD stop it?
     
  2. MattJN

    MattJN Former ESET Support Rep

    Joined:
    Feb 19, 2010
    Posts:
    149
    Re: win 7 security 2012 virus

    Hello,

    The way that these rogue malware threats typically infect your computer is by getting the permission of the user. It then installs an actual program on your computer, just like any other software that was installed by the user. As far as Windows is concerned, the rogue malware threat is just a program, not a virus.

    These types of infections usually start with a pop-up window from some malicious code on a web site. If the user clicks on the window at all, including the red X, they are actually giving the malicious software permission to install on the system. So when this initial pop-up comes up, what the user should do is either open the Task Manager and end the process or use ALT+F4 to close the window. Never click on the actual window.

    Unfortunately, the nature of these infections is that they put out many new variants a day and personalize different ones for each anti-virus vendor. Even though it may appear to be the same malware, it is actually different. Our virus lab is working constantly to get new detections out as well as to improve our heuristic engine to battle this threat. You can submit a technical support case to facilitate submitting samples to our lab for analysis.

    You can take steps of your own as well to ensure the total security of your network and help mitigate the frequency of these types of infiltrations. If not already implemented in your environment, you will want to look at taking a more "defense in depth" and/or "layered" approach to your network security. The ideas and guidelines of these industry-proven computing security tactics will help to ensure a more secure environment in which these threats almost never get to the user. This could include revoking admin privileges of your users, a content filter at the edge of your network, as well as other administrative policies preventing the infection from occurring.

    Thanks,

    Matt
     
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Re: win 7 security 2012 virus

    While I agree with all that MattJN said, there are options for manual removal. Read all disclaimers before proceeding.
     
  4. enotsIT

    enotsIT Registered Member

    Joined:
    Dec 30, 2010
    Posts:
    15
    Location:
    Eugene, OR USA
    Re: win 7 security 2012 virus

    MattJN, I totally agree, but I have had to deal with 4 of these infections in the last week with a client who has NOD32 v4.2.71 on all their workstations. The one today was a brand new fully patched Windows 7 machine that was just deployed two days ago.

    Needless to say, they are questioning me about their AV software. I hope this is short-lived, because one of my selling points over the last few years has been how much better NOD32 has been at catching this category of malware compared to the other AV software packages that I have supported.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: win 7 security 2012 virus

    In my opinion, based on observation of new samples that we receive from various sources, ESET actually does pretty well when it comes to detection of rogue AVs, and if there's an undetected variant, detection is usually added quickly in the next update.
    If you come across an undetected sample next time, I'd suggest uploading it to VirusTotal, and I'd bet it won't be detected by > 3-4 other AVs. You can also upload detected samples; in this case there's a pretty good chance they will be detected solely by ESET or by a few more AVs as well. Of course, there are also other techniques for preventing malware from running, and VT on-demand scan results would not tell you how particular AVs perform in this area, be it ESET or other AVs.
     
  6. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Re: win 7 security 2012 virus

    Not wishing to detract from the valuable points raised by Matt and Marcos, but shouldn't NOD32 be saying "hang on, something that originated on a web page is trying to create registry entries, create programs in the AppData folder with funny names, create entries in the startup reg key" etc., and at least ask the user for a sanity-check? As humans we all recognise that these symptoms are potentially unwanted, so can't NOD do the same?

    I know this is verging on HIPS, which the final release of NOD5 will hopefully include, but "behaviour analysis" would remove much of the need of playing cat and mouse with signature updates. I wouldn't care which version of malware tried to infect my system, the mere fact that something was trying should be enough to flag it up.

    Just my 2p.
    Jim
     
  7. The PIT

    The PIT Registered Member

    Joined:
    Sep 4, 2008
    Posts:
    185
    Re: win 7 security 2012 virus

    Actually, you don't have to give permission. I had the greatest laugh getting infected on a Linux computer. The malware announced proudly that the registry was infected by billions of viruses, as was the hard drive.

    Linux with a registry? I think not.

    Closed Firefox, deleted the cache, problem gone. I don't run Firefox with NoScript in Linux. I hadn't agreed to anything at all; the script ran and popped up the window.

    In windoze it would have written itself to places it shouldn't have and still be there on reboot.

    No user input required, just an unpatched PC.
     
  8. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Re: win 7 security 2012 virus

    Wow, you are quite a poet; well said :thumb:

    Thanks. ;)
     
  9. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Re: win 7 security 2012 virus

    These are ordinary ways of detecting threats; code analysis/heuristics gives more precision to detection.
     
  10. volvic

    volvic Registered Member

    Joined:
    Aug 17, 2009
    Posts:
    220
    Re: win 7 security 2012 virus

    Also run MBAM or Prevx at the same time as NOD. NOD is still amongst the best out there, but it is beginning to fall behind badly.
     
  11. get_it

    get_it Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    99
    Re: win 7 security 2012 virus

    As stated in another thread...

    Samples, Samples, Samples!!!

    Send in the damn samples of infected files, give ESET a chance to analyse and provide signatures.

    They have one of the fastest reaction times, usually adding/providing detection/signatures within a few hours.
     
  12. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Re: win 7 security 2012 virus

    Thing is though, we gather the samples *after* we've been hit (or our users have been hit).

    So, we send ten samples to ESET, and they detect them (very quickly, I agree). And then the eleventh variant comes along and hits us again. And yet... all 11 have exhibited the same behaviour: originate on a web page, add startup entries, create three-letter processes, etc., etc.

    See where I'm coming from? If the entire AV industry relies on signatures then it's simply cat and mouse and the virus writers will always win. But if the AV software looks for behaviour, e.g. anything that tries to create a startup entry, then the virus writers can write whatever they like but they will never be able to write startup entries without them being detected.
    Jim
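    The kind of behaviour check Jim describes, as an added illustration that is not part of this thread and not ESET's code: a small Python triage over constructed Run-key autostart entries that flags executables living under AppData with short, random-looking names or mimicking a security product. All value names and paths below are made up for the example.

```python
import re
from typing import List

# Constructed sample of HKCU\...\Run style autostart entries: (value name, command line).
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("Adobe Reader Speed Launcher", r'"C:\Program Files (x86)\Adobe\Reader\reader_sl.exe"'),
    ("qzr", r'"C:\Users\alice\AppData\Roaming\qzr.exe"'),
    ("Win 7 Security 2012", r'"C:\Users\alice\AppData\Local\rdx\pkv.exe" /s'),
    ("Spotify", r'C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe --startup'),
]

APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local|LocalLow)\\", re.IGNORECASE)

def extract_image_path(command: str) -> str:
    """Return the executable path from a Run-value command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def suspicious_reasons(name: str, command: str) -> List[str]:
    """Heuristic reasons an autostart entry resembles the rogue-AV pattern; empty list = nothing flagged."""
    path = extract_image_path(command)
    reasons: List[str] = []
    m = APPDATA_RE.search(path)
    if not m:
        return reasons  # installed under Program Files etc.: not the pattern discussed here
    parts = path[m.end():].split("\\")           # components below AppData\<Roaming|Local>\
    stem = re.sub(r"\.exe$", "", parts[-1], flags=re.IGNORECASE)
    if len(stem) <= 3:
        reasons.append(f"executable with a short random-looking name: {stem}")
    if len(parts) == 1:
        reasons.append("executable dropped directly in the AppData root, not in a vendor folder")
    if len(parts) > 1 and re.fullmatch(r"[a-z]{3}", parts[0]):
        reasons.append(f"three-letter folder in AppData: {parts[0]}")
    if reasons and re.search(r"security|antivirus|protection", name, re.IGNORECASE):
        reasons.append("value name mimics a security product")
    return reasons

def triage(entries) -> dict:
    """Return {value name: reasons} for every entry that trips at least one heuristic."""
    return {n: r for n, c in entries if (r := suspicious_reasons(n, c))}
```

    Legitimate per-user installs (Spotify in a vendor folder) pass, while the two constructed rogue entries are flagged; in practice such a heuristic is a prompt for a sanity-check, not a verdict on its own.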
     
  13. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
    Re: win 7 security 2012 virus

    But that's the problem with this type of malware: they're tested specifically against the various behavioural blockers to avoid detection.

    They are sold on the underground market with a guarantee it will be undetectable at the time of release. And that's where HIPS comes in :).
     
  14. RvLeshrac

    RvLeshrac Registered Member

    Joined:
    Jun 27, 2011
    Posts:
    2
    Re: win 7 security 2012 virus

    Here's the real question: Why is it that all of:

    -Microsoft Security Essentials
    -MalwareBytes
    -SUPERAntiSpyware

    have detected nearly every one of these variants on day one, but NOD32 has consistently failed to detect any of them?

    I'm losing *HUNDREDS OF THOUSANDS* of dollars in time and repair fees because I've been selling NOD32 to customers for the past four years, and every one of them, to a man, has come back demanding free virus and spyware removal.

    How am I supposed to be confident in the product if it has failed, time and time again, to protect my customers?

    *edit*

    As a matter of fact, I am currently cleaning six systems, infected over the course of a week, and the hash for each of these infections has been exactly the same. Don't try passing off "Not every variant can be detected blah blah blah," because I'm not expecting *every* variant to be detected. I'm expecting *ONE* variant to be.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Re: win 7 security 2012 virus

    Stop selling it to your customers...

    NOD32 has a terrible track record.
     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    Re: win 7 security 2012 virus

    https://www.wilderssecurity.com/showpost.php?p=1889051&postcount=2

    See this post. https://www.wilderssecurity.com/showpost.php?p=1632032&postcount=19
     
    Last edited: Jun 27, 2011
  17. RvLeshrac

    RvLeshrac Registered Member

    Joined:
    Jun 27, 2011
    Posts:
    2
    Re: win 7 security 2012 virus

    The issue I'm having is not that NOD32 fails to detect one or two things, but that it has failed to detect *every single piece of spyware* I have encountered over the past year. I have jump drives filled with spyware, none of which has been detected by NOD32 until weeks or months after it was collected, but which was detected by the software I listed above, at worst, later in the day or the next day.

    I'm always happy to provide samples to vendors, and do so, but why am *I* expected to do the work I'm paying the vendor for?
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: win 7 security 2012 virus

    I'm not sure if all of the mentioned products can be used safely in every single environment (see https://www.wilderssecurity.com/showthread.php?t=302458). ESET's products are used on various platforms, including critical production servers, and thus we cannot afford to use detection methods based on, for instance, a typical application's icon, file size, version info, etc. These cannot be used to guarantee that such files would not produce false positives. This approach could be used on home computers but not in a production environment running critical systems. For this reason, I doubt that admins would agree to install the above-mentioned products on critical servers to protect them.

    It's a matter of fact that dozens of thousands of new malware variants emerge on a daily basis, out of which most are detected proactively by ESET. However, no AV company will ever guarantee 100% detection of malware, which is impossible, especially if malware authors target specific vendors and tweak their creations until they become undetected (one can even pay for this on the black market, and the authors will guarantee the application will be undetected by specific vendors at the time of release).

    This is what every security company does. As I have written above, there's no security solution that would detect 100% of all threats. Those that seem to detect more may be prone to producing false positives, however. In production environments, flagging crucial files incorrectly can have much worse consequences than if computers got infected with malware, and this is what vendors selling in the business segment must take into account.

    Every AV solution will fail to detect certain malware from time to time. Installing an antivirus program doesn't mean that it will protect the user from threats completely; it will only minimize the risk of infection. I'd strongly suggest that users evaluate different security programs before they definitely pick one. Without this, they might later complain that AV XY missed a threat, but if they had picked AV YZ, it would have missed many more. As I wrote, there's no security solution that protects against every single piece of malware. Needless to say, one also needs to consider the amount of false positives a product can generate. Otherwise, 100% detection could be achieved easily by flagging every single file, and no whitelist could ever cover all legit files.

    If the hash is the same, the file must be the same as well. Feel free to submit the file's hash (SHA1 or MD5) here so that I can find out more information about it and add detection, if it actually turns out to be functional malware.
    I'd like to mention that fighting rogue software authors is priority no. 1 nowadays, and we're doing our best to be as proactive in detection as possible. This is also a reason why we see a great amount of such malware received via ThreatSense.Net that is undetected by most other vendors, and a lot of malware is often detected solely by ESET.
     
    Last edited: Jul 1, 2011