simple question about virus

Shawn

Just curious, sometimes I download some odd files on p2p networks that
turn out not to work. I always scanned them with Norton Antivirus 2k3
with updated virus definition beforehand, but I still wonder: do
antivirus programs only detect major, well-known viruses? Say, if my
file was someone's trojan horse that is very obscure and rare, would
this trojan horse be detected by a software like Norton Antivirus?
Thanks.

Shawn
 
David H. Lipman

Shawn:

Signatures are cumulative and include obscure and rare viruses and Trojans not found in the
wild.

Dave

| Just curious, sometimes I download some odd files on p2p networks that
| turn out not to work. I always scanned them with Norton Antivirus 2k3
| with updated virus definition beforehand, but I still wonder: do
| antivirus programs only detect major, well-known viruses? Say, if my
| file was someone's trojan horse that is very obscure and rare, would
| this trojan horse be detected by a software like Norton Antivirus?
| Thanks.
|
| Shawn
|
 
Stephen A

| Shawn:
|
| Signatures are cumulative and include obscure and rare viruses and Trojans
| not found in the wild.

I read his question differently...

AV companies will be able to detect malicious programs if:

a) They've seen a sample
b) The detection is generic and looks for known patterns
c) Heuristic scanning detects it (known to false positive somewhat)

Most AV companies use all 3 methods in different ratios to detect malicious
programs. However, you can't detect against the unknown, like your mate's
'just-written' trojan (I assume he'll no longer be a mate then?). To let
you know how simple it is... FORMAT.COM will become a trojan if renamed
to... say... SCANDISK.COM. Whether this example will work or not, the fact
is that you can't detect the code in FORMAT.COM as a trojan with AV software
because it is legitimate, whatever its name is.

Starting to get the idea?

S :)
 
kurt wismer

Shawn said:
Just curious, sometimes I download some odd files on p2p networks that
turn out not to work. I always scanned them with Norton Antivirus 2k3
with updated virus definition beforehand, but I still wonder: do
antivirus programs only detect major, well-known viruses? Say, if my
file was someone's trojan horse that is very obscure and rare, would
this trojan horse be detected by a software like Norton Antivirus?

*rare* isn't what you really have to worry about... *new* is what you
have to worry about... and you shouldn't be running strange programs you
download from p2p networks just because your av says "i don't see any
virus i recognize in there"... your av is not perfect (none are) and you
*will* get burned sooner or later...
 
Wrangler

Just curious, sometimes I download some odd files on p2p networks that
turn out not to work. I always scanned them with Norton Antivirus 2k3
with updated virus definition beforehand, but I still wonder: do
antivirus programs only detect major, well-known viruses? Say, if my
file was someone's trojan horse that is very obscure and rare, would
this trojan horse be detected by a software like Norton Antivirus?
Thanks.

If you check some of the leading vendors, you will see the inclusion of
technologies such as Generic detection for finding new threats early, or
grouping numerous viruses into one detection instead of .a, .b, .c, .d, .e,
.f etc.

Each vendor has their own way of doing things that they in turn promote.

The following are a couple of McAfee examples of generic detection:

You can get a bigger list by going to the virus information library at
http://vil.nai.com and searching for "ends with" from the dropdown box and
".gen".

http://vil.nai.com/vil/content/v_100282.htm - SpyBot.worm.gen - All members
of this worm family have a capability to record keystrokes into a text
file.

http://vil.nai.com/vil/content/v_10566.htm - Backdoor detection. This
generic picked up a new Sub7 variant back in March, and you never needed to
update your DATs.

http://vil.nai.com/vil/content/v_10137.htm - ASPTrojan - This is a generic
detection for common compilations of AOL Password Stealer Trojans.

http://vil.nai.com/vil/content/v_99455.htm - Klez.H... Introduced in April
2002, detectable since January 02

http://vil.nai.com/vil/content/v_99273.htm - Exploit-MIME.gen - Generic
detection of MIME exploits used for some time to infect machines. It's not
detecting the virus itself, rather the mechanism which has been used. This
has been responsible for blocking numerous (and I mean "NUMEROUS!!!") new
viruses and worms at the gateway or desktop because they used the MIME
exploit MS01-020 in IE/Outlook:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

http://vil.nai.com/vil/content/v_10453.htm - OverBuf.Gen - This is generic
detection of script or Typelib (.HTA) files containing scripts that use the
Windows Scripting Host ActiveX implementations which use harmful technique
and/or code.

http://vil.nai.com/vil/content/v_99066.htm - JS/IEStart.gen - This script
trojan simply alters the default start up page of IE - an activity not
unusual for dialer Trojans

\/\/
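Stephen A's three detection methods and Wrangler's point about generic (family) detection can be seen side by side in a small scanner. The following is an added illustration written for this thread, not code from any poster or any vendor's engine: the "files" are short constructed byte strings standing in for binaries, the hash list, the family pattern and the heuristic weights are all invented for the example, and the sample names (format.com, scandisk.com, spybot_a.exe and so on) are labels chosen to mirror the discussion above.

```python
"""Toy scanner showing the three detection layers discussed in the thread:
a) exact signatures, b) generic/family patterns, c) heuristics.
Everything here is constructed for illustration; nothing is real malware."""
import hashlib
import re

# Constructed stand-ins for file contents (plain ASCII, not real binaries).
SAMPLES = {
    "format.com": b"MZ disk utility: erase volume, prompt user, exit",
    # Identical bytes under another name: the renamed-FORMAT.COM case.
    "scandisk.com": b"MZ disk utility: erase volume, prompt user, exit",
    # Two members of one constructed "family" sharing a behaviour pattern.
    "spybot_a.exe": b"MZ SpyBotFamily hook_keyboard write c:\\keys.txt post http://drop/a",
    "spybot_b.exe": b"MZ SpyBotFamily hook_keyboard write c:\\logs\\k2.txt post http://drop/b",
    # A brand-new sample that matches nothing the scanner knows about.
    "new_trojan.exe": b"MZ connect out, read cmd, run cmd, send result",
    # Legitimate remote-administration tool that looks suspicious to heuristics.
    "remote_admin.exe": b"MZ remote administration: listen accept shell for administrator",
}

# a) Exact signature: hash of the one sample the "vendor" has seen.
KNOWN_BAD_HASHES = {
    hashlib.sha256(SAMPLES["spybot_a.exe"]).hexdigest(): "SpyBot.a",
}

# b) Generic detection: a pattern every family member shares (the ".gen" idea).
GENERIC_PATTERNS = {
    "SpyBot.worm.gen": re.compile(rb"hook_keyboard\s+write\s+\S+\.txt"),
}

# c) Heuristics: weighted suspicious indicators; a score at or above the
#    threshold flags the file. Weights and threshold are invented.
HEURISTIC_WEIGHTS = {b"hook_keyboard": 2, b"listen": 1, b"accept": 1,
                     b"shell": 2, b"post http": 1}
HEURISTIC_THRESHOLD = 3


def signature_scan(data: bytes):
    """Return the signature name if the exact file hash is known, else None."""
    return KNOWN_BAD_HASHES.get(hashlib.sha256(data).hexdigest())


def generic_scan(data: bytes):
    """Return the family name whose shared pattern matches, else None."""
    for name, pattern in GENERIC_PATTERNS.items():
        if pattern.search(data):
            return name
    return None


def heuristic_score(data: bytes) -> int:
    """Sum the weights of every suspicious indicator present in the file."""
    return sum(weight for indicator, weight in HEURISTIC_WEIGHTS.items()
               if indicator in data)


def scan(data: bytes) -> dict:
    """Apply the three layers in order of confidence and report a verdict."""
    sig = signature_scan(data)
    gen = generic_scan(data)
    score = heuristic_score(data)
    if sig:
        verdict = f"signature: {sig}"
    elif gen:
        verdict = f"generic: {gen}"
    elif score >= HEURISTIC_THRESHOLD:
        verdict = f"heuristic (score {score})"
    else:
        verdict = "clean"
    return {"signature": sig, "generic": gen,
            "heuristic_score": score, "verdict": verdict}


def scan_all(samples=SAMPLES) -> dict:
    """Scan every constructed sample and return {filename: result}."""
    return {name: scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:18} {result['verdict']}")
```

Running it shows each point made in the thread: the renamed disk utility stays "clean" under every layer because its bytes are legitimate whatever its name; spybot_b.exe misses the exact signature but is still caught by the family pattern, which is what a ".gen" detection buys you without a DAT update; new_trojan.exe passes all three layers because nothing in it has been seen before; and remote_admin.exe is flagged by heuristics alone, the false-positive side of method c).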
 
Shawn

Thanks for all responses so far. I am mostly worried about backdoors. In
the past I used to have sensitive information on the computer that I
download from, but I have since moved the information to another computer
on the LAN. I've been wondering, how likely is it that a rare malicious
code I unknowingly downloaded could stay on my machine forever without
being detected by AV software, and scanning my files to send information
back to someone without me knowing? If this is possible, would a re-format
using original software get rid of the code?

Shawn
 
Twinkletoes

| Say for instance that a *new* worm was able to run on a system,
| and it left a backdoor. If an intruder was then able to get enough
| privilege to place remote access server software on that system,
| the system is compromised and you can no longer trust *anything*
| it tells you (or doesn't tell you). The normal procedure is to remove
| the affected drive(s) from the system for analysis (if you intend any
| future legal recourse), and to rebuild the system.

So you run a firewall, and only a handful of viruses attempt to disable
common firewall software.

Steve :)
 
David H. Lipman

Actually many of the newest viruses are performing this. I expect that more and more will apply
this concept. It seems that new viruses learn from the benefits and deficits of their
predecessors and apply what works.

Dave


| So you run a firewall, and only a handful of viruses attempt to disable
| common firewall software.
|
| Steve :)
|
|
 