Eset take their time adding new malware

I sent a sample trojan to many AV/AT vendors, in fact these:

<newvirus@kaspersky.com>; <submit@diamondcs.com.au>; <heuristik@antivir.de>; <virus_research@nai.com>; <submit@misec.net>; <virus_submission@bitdefender.com>; <research@lavasoft.de>; <virus_doctor@trendmicro.com>; <esafe.virus@eAladdin.com>; <virus@asw.cz>; <cat@vsnl.com>; <virus_submission@centralcommand.com>; <virus@commandcom.com>; <virus@cai.com>; <ipevirus@vet.com.au>; <Antivir@dials.ru>; <samples@nod32.com>; <viruslab@complex.is>; <samples@f-secure.com>; <submit@finjan.com>; <virus@grisoft.cz>; <hauri98@hauri.co.kr>; "Analysis" <Analysis@norman.no>; <virussamples@pandasoftware.com>; <virsample@pspl.com>; <support@sophos.com>; <avsubmit@symantec.com>; <submit@emsisoft.com>; <submit@ewido.net>

I sent this on 27th November 2004. I re-sent it on 18th December 2004. It's still not detected by nod32. My current nod32 signature database is 1.957. This is not exactly what i'd call quick. I hope this is not a reflection on their usual response time. As a new registered user of nod32 i find this an example of poor support. Why is it taking so long?

Here's a piccy of a scan over at Jotti's showing it is detected by other AV's.

muf

 

muf, can you send me the sample-file? my email address is redwolfe_98 at yahoo dot com.. you can zip the file, and password-protect it so that the attachment will not be filtered.. you can include the password for the zipped file in the message-body of the email..

here is the only writeup for "favadd" that i could find..

http://securityresponse.symantec.com/avcenter/venc/data/trojan.favadd.html

thanks..

 

Redwolfe_98,

Sorry, no can do.

I don't have a disposable e-mail address, and i'm not taking the chance on having mine added to your address book. You know if you ever get infected then i could be sent an infected e-mail if i'm in your address book. I'm paranoid like that.

Don't know if you have access to the malware forum at BBR but it's there to download if you do. http://www.broadbandreports.com/forum/malware You should see the thread towards the bottom of the page.


Sorry, this is the best i can offer. I don't give out my e-mail address to anyone other than websites i've registered to. Don't take offence. This is the answer i give everyone. Being paranoid helps keep me clean...

muf

 

Well they still haven't added this. It's now a month since i sent it. I mean AVG free detected this about 3 weeks ago. This is embarrassing, it really is. I mean they haven't even sent me an e-mail to acknowledge they are looking at it, or have any intension of adding it.

You know, as good as nod32 is? The support is shite.

muf

 

I have sent an Email to Eset asking for someone to respond to this thread.

Cheers.

Blackspear.

 

I've noticed the same thing. Sent out to all the same e-mail addresses. Two files. Some have chosen to recognize the malware trojan droppers (according to KAV, now ID'd as Trojan-Downloader.Win32.Envolo.a and Envolo.b trojan adware might be a better explanation)

And I think it happened once before. Sent out a spybot version to everybody (and it was of interest to many) but NOD's response was a week or two updates away (it was eventually recognized)

Anyway, I think it must be something of a "terrirotry issue." What belongs to the AVs, what blongs to the ATs and what belongs to spyware guys (my own HO aside that it belongs to AV and AT vendors).

NOD's a great scanner and AV, but it is only as good as the defs. I hope they focus on that as well. Just checked again with 1.959. No go.

I guess if we understood better why some go in immediately, why some are delayed, and why others won't, that would help. It is an expectation issue.

Edit: Thanks Blackspear. Dang, if I had only not bothered to re-read it....

 

It all makes sense once you read ESETs response on the other thread

 

Ok fair enough. They are selective with what they add to the database. The malware sample i sent them was also added to BOClean, TrojanHunter, TDS3 and A2. Do they know something that Eset don't? I mean i know that nod32 specialises in viruses, but doesn't it also pride itself in how well it detects trojans as well these days?

It's all very confusing.

muf

 

Let's wait and see what Eset have to say about this

Cheers

 

what don't they just make a extended DB like KAV?

 

NOD32 uses an extended database provided the Potentially dangerous applications option is enabled

 

Would it be possible to add this to the AMON and HTTP scanner options?

 

It is, but currently only in the beta I'm testing and which cannot be given out yet because there are some issues that need to be fixed first.

 

Hi Marcos,

Thanks for the feedback! Good to hear that option will be included at a future date.

 

Good news. At last nod32 now detects this nasty. I got an e-mail from eset saying that the file in question is not harmful without the relevant .exe file(which i don't have), but that they have added it all the same. Thanks everyone who contributed in this thread.

muf

 

Good to see Muf, and thanks for keeping us up to date.

Cheers

 

The idea of not detecting something because it can't fix it is ludicrous. Even if it can't remove it, alerting you to the fact that you're infected will allow you to dl a program that can fix the problem.

 

Eset would be correct.. I have used Trojans before, for security testing... However, that short.dll file is an extension for the Trojan itself. It would contain add-ons for the main Trojan exe. It is completely harmless by itself. The BioNet Trojan on it's later revisions had the same implementation. The sub7 Trojan also uses these dll add-ons.