Win32/Sumom.A worm

Discussion in 'NOD32 version 2 Forum' started by davef, Apr 4, 2005.

Thread Status:
Not open for further replies.
  1. davef

    davef Registered Member

    Joined:
    Feb 26, 2005
    Posts:
    55
    Location:
    West Sussex UK
Did my customary daily scan and NOD32 picked up two instances of this virus in my daughter's My Documents. They were a "pif" file? (LOL that ur pic!.pif - Win32/Sumom.A worm). NOD32 deleted them OK, but how come it found it on a scan but not when it was being downloaded by my daughter?
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,747
    Location:
    Texas
Is your browser set to higher efficiency in IMON setup?
     
  3. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    You've been strict about running your daily scans?

The reason I ask is that Sumom.A was only added as of:

    Definitions update: v.1.1020 (20050307)

That's less than a month ago - so it is reasonable to think that they might have been downloaded PRIOR to that date (if this threat wasn't heuristically detected)...

    Or...

    You may have changed (deepened) your scanning methods since the threat was downloaded - this might result in a threat not previously found being brought to your attention now.

    Is either of these scenarios likely in your estimation?

    hth

    Greg
     
  4. davef

    davef Registered Member

    Joined:
    Feb 26, 2005
    Posts:
    55
    Location:
    West Sussex UK
Everything is at Higher efficiency.
     
  5. davef

    davef Registered Member

    Joined:
    Feb 26, 2005
    Posts:
    55
    Location:
    West Sussex UK
Not likely; the files were downloaded this afternoon, and the daily scan runs when I get on the PC at about 8:00pm.
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,747
    Location:
    Texas
    I would check my settings as to what actions are taken when a virus is detected. Set http scanning to automatically deny download of file.

    I'm sure this will be expanded on here. :D
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Given that Sumom is a worm and NOD32 detected it via Advanced heuristics without needing to update, there must be something wrong with the configuration of your NOD32. The only possibilities are:
    1. you were running NOD32 1.0 while the signature db was out of date at the time you got infected with Sumom
    2. you received it via email through SSL or IMAP while AMON was turned off
    3. if you had NOD32 2.0 installed, AMON and IMON must have been turned off simultaneously
     
  8. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
Do you think that perhaps your daughter is altering the NOD32 settings to surf?

    Perhaps password protecting the settings... then seeing if you get further infections.
     
  9. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    so, for instance IF the daughter uses some sort of P2P software AND the AMON settings were inadequate THEN that could have been the cause?
     
  10. davef

    davef Registered Member

    Joined:
    Feb 26, 2005
    Posts:
    55
    Location:
    West Sussex UK
Thanks for all your replies. After some interrogation of my beloved daughter, it seems that she had a file sent via MSN from a "mate"; something came up and she allowed it :mad: (I presume it was NOD32). I've since stopped her downloading anything from the internet and gave her a lesson on what to look for if it happens again. (Yeah, I know, shutting the stable door after the horse has bolted and all that!) Thanks again for all your help.

    Dave
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
Hi Dave,
The new beta is configured by default to move infected (even heuristically detected) files to quarantine to prevent them from being executed by mistake. Also, you can set IMON to terminate the connection automatically when a threat is detected.
     