From time to time we get comments in response to blog postings. Sometimes we get questions. One such question received today not only requires a reply, but I feel deserves a blog entry as it is the kind of question that when answered can help a lot of people understand more. The question, posted as a comment to the blog entry “What is Proactive Detection and Why Do You Need it?” (http://eset.com/threat-center/blog/?p=47) is as follows:
Currently, on the virusradar.com there is a threat which shows as critical and is listed as: probably unknown NewHeur_PE virus. It shows that the date it was first captured was 2004-03-17 19:29. If it was captured almost 3 years ago, why has a name not been assigned to it–especially if it has become a critical threat?
The “first captured” entry is pretty irrelevant for “NewHeur_PE detections”. Three years ago is simply the first time that we logged a “NewHeur_PE virus” on VirusRadar. NewHeur_PE is simply a name for an unknown, but bad program we have not seen before. It’s kind of like “John Doe” for anonymous viruses.
If you ever worked in a restaurant you are familiar with language like “Will you bring coffee to 23?” 23 isn’t the person’s name, 23 represents a table. You can bring coffee to table 23 several times throughout the day, but you are not serving the same person. You may not know the name of the person at the table and it probably does not matter, but getting them their coffee does! Maybe if we called the viruses “Table23” it would make more sense than NewHeur_PE, but it just doesn’t sound as techie.
NewHeur_PE means that we are detecting something based upon how it is written or what it will do. We don’t know what it is, but we do know it is going to do something bad if we don’t stop it. At different times we called Bagle worms, Mytobs, Zotobs, Blasters, and several other things “NewHeur_PE “. So, three years ago when we entered the first detection of “NewHeur_PE”, that was someone else at Table 23.
As for the critical threat rating, these are really only critical threats if your anti-virus product does not stop them – NOD32 stops them.
When we do get around to naming this threat that we already protect against, the “first captured” date will be updated with the name of the threat. Most of the detections (there is more than one threat making up this spike) are probably new strains of Stration worms. When we assign names to them then we can go back through the VirusRadar data and use hash values to determine when we first detected each specific threat.
Thanks for a great question Johnny!
Director of Technical Education
Author ESET Research, We Live Security