ESET Threat Blog

Archive for January, 2007

So You Have An Undetected Virus?


Wednesday, January 31st, 2007

From time to time every anti-virus company hears from a user that its product is not detecting some virus. Typically the user also wants to know why it isn’t detected when another product catches it. These inquiries rarely provide enough information for a meaningful answer. There can be a number of reasons why a product doesn’t detect something, but as a user you must provide more information. It is very helpful if you can send a copy of the file in question. Many users know to zip up the file before they send it, and a number of them password-protect the archive (a good thing) but then fail to provide the password. It is a best practice to use the password “infected” when password-protecting a sample for an anti-virus company; we all know to try the password “infected”. The password is the word infected, without quote marks and in lower case. If an analyst can’t unzip the file with the password “infected” or “virus” (another common choice), processing of the sample will probably stop until more information is gathered.

 

There are a few other pieces of information that are always good to include:

 

1)    Where did the sample come from? Include any background information, such as why you think it is a virus or a false positive.
2)    If you know where the file came from (the name of the company, website, etc.), please include that information too.
3)    Did you scan it with a different product, or with a service like VirusTotal? If so, send the log along with the sample; it can help speed up the investigation.
4)    The subject line of your message should be descriptive. Do you think this is brand new? Is it a false positive? Do you know the name another product detects it by? Subject lines like “Suspect False Positive on myfile.exe from the Good Times Crew” or “Undetected Virus Win32/Goofball (Norton)” are meaningful.

 

If you think you know what the malware does, do include that information in the email. If you have good reason to believe that this is something that is going to very rapidly affect lots of people, go ahead and put the word “Urgent” in the subject line, but remember, if everything is urgent then nothing is. Use “Urgent” sparingly.

 

Sometimes you may have a sample that we don’t detect, and sometimes you may have found a false positive in a competitor’s product. It is almost impossible to tell without a sample to test. Providing all of the details will allow us to respond to everyone more quickly by eliminating a lot of back-and-forth emails.
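The submission procedure above (zip the sample, protect it with the password “infected”, expect the analyst to try “infected” and then “virus”) as a worked example. This is added code, not ESET’s tooling. Python’s zipfile can read ZipCrypto archives but cannot write them, so the traditional PKWARE encryptor and the ZIP records are built by hand with the standard library; the sample bytes and file names are constructed, not real malware. The password is not there for secrecy (ZipCrypto is weak); it only keeps mail gateways and desktop scanners from quarantining or detonating the sample in transit.

```python
"""Package a suspected sample the way an AV lab expects it, and show the
analyst-side step of trying the conventional passwords before giving up."""
import io
import os
import struct
import zipfile
import zlib

SUBMISSION_PASSWORDS = (b"infected", b"virus")  # what an analyst tries first


def _crc32_byte(crc, byte):
    # One-byte CRC-32 step without the usual pre/post inversion, as ZipCrypto uses it.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class ZipCryptoEncryptor:
    """Traditional PKWARE stream cipher; the inverse of what zipfile decrypts with."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def _keystream_byte(self):
        k = self.k2 | 2
        return ((k * (k ^ 1)) >> 8) & 0xFF

    def encrypt(self, plaintext):
        out = bytearray()
        for p in plaintext:
            out.append(p ^ self._keystream_byte())
            self._update(p)  # the key schedule advances on the plaintext byte
        return bytes(out)


def package_sample(name, data, password=b"infected"):
    """Return ZIP bytes holding `data` as a stored, encrypted entry called `name`."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the CRC's high byte, which is
    # what lets a reader reject a wrong password before decrypting the whole entry.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    payload = ZipCryptoEncryptor(password).encrypt(header + data)
    fname = name.encode("ascii")
    flags, method = 0x0001, zipfile.ZIP_STORED  # bit 0 of the flags: entry is encrypted
    dos_time, dos_date = 0, ((2007 - 1980) << 9) | (1 << 5) | 31  # 2007-01-31, arbitrary
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time, dos_date,
                        crc, len(payload), len(data), len(fname), 0) + fname + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          dos_time, dos_date, crc, len(payload), len(data),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def open_sample(zip_bytes, passwords=SUBMISSION_PASSWORDS):
    """Analyst side: try the conventional passwords in turn. Returns
    (password, {name: bytes}), or None when the lab would have to write back
    and ask for the password, which is the stall the post describes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pwd in passwords:
            try:
                files = {info.filename: zf.read(info, pwd=pwd) for info in zf.infolist()}
            except (RuntimeError, zipfile.BadZipFile):  # bad check byte, or bad CRC
                continue
            return pwd, files
    return None


if __name__ == "__main__":
    sample = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real executable"
    print(open_sample(package_sample("suspect.exe", sample)))
    print(open_sample(package_sample("suspect.exe", sample, b"letmein")))  # None
```

The archive it produces opens with any standard unzip tool using the password infected; on the receiving side, a wrong password fails on the header check byte almost always and on the CRC otherwise, so both exceptions have to be caught before moving to the next candidate.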

I See Antivirus Software in the Vista


Tuesday, January 30th, 2007

OK, let’s all let out a big whoop and holler. Vista is launched and that means… no more Vista Launch hype! On the downside there will now be all kinds of Vista IS launched hype. I was just reading some this morning. A competitor of Microsoft’s (and ours) was quoted as saying that in their testing (not independent testing) “the new Windows Defender program failed to block 84% of viruses – including 15 of the most common pieces of malicious code.” To put it bluntly, well duh! Defender is anti-spyware, not anti-virus. It is not expected to detect much in the way of viruses. That’s why you need anti-virus software for Vista in addition to the anti-spyware it comes with. If you don’t believe it, ponder this… When I worked at Microsoft we were required to have anti-virus software on our PCs or we could not get on the network. Even our home PCs had to have the required AV software if we wanted to use them to connect to Microsoft. Do you think Microsoft has changed this policy for users of Vista? I seriously doubt it.

 

So how do you find a good anti-virus product for your new copy of Windows Vista? You look for know-how and you look for performance. When it comes to know-how, you want a product that has been supporting 64-bit Windows XP for a while. Why does this matter? Kernel Patch Protection (KPP) first shipped with 64-bit Windows XP. KPP stops drivers from patching core kernel structures such as the system service table, which breaks a whole bunch of rootkits that relied on exactly that. It also breaks a whole bunch of other products, including anti-virus products that hooked the kernel the same way. Early on ESET developed a 64-bit solution for Windows XP. KPP is a tricky technology to work with, so you want a vendor who has rolled up their sleeves and dug into the nitty-gritty to figure out how to effectively protect computers with KPP. Your other option is to use a product from a company that has spent months whining about how Microsoft has locked them out of the operating system. I put my money on the doers, not the whiners. As it turns out, those of us who burned the midnight oil figuring out how to protect your 64-bit Windows XP were already working out how to protect 64-bit Vista.

 

One other thing about Vista – it uses a ton of resources. It likes a very fast CPU and a lot of RAM. This means that the last thing you want to put on it is an anti-virus product that uses a lot of CPU cycles and requires a lot of RAM. If you do you will find your computer has little ability to do much other than run the OS and the AV software.

 

Lucky for you, ESET’s NOD32 has a long history of being light on resource use, and able to work with Kernel Patch Protection technology. If you haven’t used NOD32, feel free to download a fully functional 30-day evaluation copy at http://www.eset.com/.

 

I see good times on the vista :) Sorry, I couldn’t help myself.

 

Randy Abrams

Director of Technical Education

 

Storm Worm


Monday, January 22nd, 2007

OK, actually it is not a worm (always) and only the press calls it Storm Worm. Everyone else calls it by one of several other names. ESET calls it “Win32/Fuclip.A Trojan”, “Win32/Fuclip.D Trojan”, “Win32/Nuwar.S worm” or sometimes “Win32/Nuwar.T worm”. Symantec calls it “Trojan.Peacomm”. McAfee calls it “Downloader-BAI.gen Trojan”. Confusing? Well, it isn’t actually just one piece of malicious software; the author is constantly modifying it to try to beat the AV companies. Additionally, once a machine is infected, the program downloads further components.

 

So what is not confusing about it? Here is the easy part. The only people who get infected by it are the people who run suspicious attachments. That’s right: if you don’t open the attachment, you do not get infected. If you are running Outlook 2000 or newer you do not get infected, because Outlook blocks access to executable attachments by default. If you are running a recent version of Outlook Express and have not changed the default settings, you cannot get to the attachment either. Keep in mind that this blocking goes by file extension, so an executable sent inside an archive, or one you rename yourself, is not blocked. If you are using a mail client that lets you open attachments, don’t open any unless you are expecting them, know the name of the attachment before you receive it, and know who is sending it to you.

 

As you can see from Virus Radar, NOD32 is detecting a lot of these files. As of this writing, http://www.virus-radar.com/stat_01_current/index_enu.html shows Win32/Nuwar.T worm topping the charts, with Win32/Nuwar.S worm in fifth place. A look at the week (http://www.virus-radar.com/stat_01_current/index_c168h_enu.html) shows Fuclip.B in first place, with Nuwar.T and Nuwar.S in fourth and sixth places respectively. For the month (http://www.virus-radar.com/stat_01_current/index_c31d_enu.html), Fuclip.B is in first place, Nuwar.M is second, and a couple of other Nuwar variants are in eighth and ninth.

 

I expect we’ll see many more variants of this malware. If you are using NOD32 we are keeping your computer protected, but still… don’t open any attachments from people you don’t know, and don’t open any attachments that you are not expecting, even from people you do know. Ask the sender if they meant to send an attachment before you open it, even if it looks like it was sent by a friend.

 

Randy Abrams
Director of Technical Education
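The executable-attachment blocking that the Storm Worm post credits Outlook and Outlook Express with, as an added example run over a constructed message. This is not ESET’s or Microsoft’s code; the block list and decoy list are illustrative subsets (Outlook’s real list is longer), and the lure, its addresses and its attachments are made up. Because a name alone is easy to game, the gate combines three checks: an executable final extension, a harmless-looking decoy extension in front of it (postcard.jpg.exe), and content that starts with the MZ magic of a Windows executable while the name claims an image.

```python
"""Attachment gate: block executables by extension, catch decoy double
extensions, and catch renamed executables by their MZ header."""
import email
from email import policy
from email.message import EmailMessage

# Illustrative subset of executable extensions a mail client blocks by default.
BLOCKED_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "lnk", "msi", "reg"}
# Harmless-looking extensions used as the outer layer of a double extension.
DECOY_EXT = {"jpg", "jpeg", "gif", "png", "pdf", "doc", "txt", "mp3", "avi"}


def classify_attachment(filename, payload):
    """Return the reasons this attachment would be blocked; an empty list means allowed."""
    parts = filename.lower().strip().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in BLOCKED_EXT:
        reasons.append(f"executable extension .{ext}")
        if len(parts) > 2 and parts[-2] in DECOY_EXT:
            reasons.append(f"decoy extension .{parts[-2]} in front of .{ext}")
    elif payload[:2] == b"MZ":
        # Extension-only blocking misses this case; the content check does not.
        reasons.append(f"content is a Windows executable (MZ header) but the name says .{ext or '(none)'}")
    return reasons


def scan_message(raw):
    """Map each attachment's file name to its block reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        report[name] = classify_attachment(name, payload)
    return report


def build_sample_message():
    """Constructed lure (not a real capture): a short text body and three
    attachments, one executable with a double extension, one renamed
    executable, one genuine image."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "you have received a postcard"
    msg.set_content("Open the attachment to see it.")
    stand_in_exe = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real executable"
    msg.add_attachment(stand_in_exe, maintype="application", subtype="octet-stream",
                       filename="postcard.jpg.exe")
    msg.add_attachment(stand_in_exe, maintype="image", subtype="jpeg", filename="video.jpg")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="photo.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        status = "BLOCKED: " + "; ".join(reasons) if reasons else "allowed"
        print(f"{name}: {status}")
```

Run against the constructed message, postcard.jpg.exe is blocked on both the extension and the decoy, video.jpg is blocked only because its bytes start with MZ, and photo.png passes. An archive attachment still gets through this gate unless the archive is opened and its members classified the same way, which is why the post’s advice about unexpected attachments still applies.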