Is nod32krn.exe really a worm?


miller tim
August 14th, 2006, 11:34 PM
I was just checking the running processes for anything unusual and came across several sites saying that nod32krn.exe is really a worm. Here's one http://www.castlecops.com/s7845-nod32krn_exe.html

Other sites say that it is just a normal nod32 process. Which is it?

NOD32 user
August 14th, 2006, 11:42 PM
-{ Quote: "I was just checking the running processes for anything unusual and came across several sites saying that nod32krn.exe is really a worm. Here's one http://www.castlecops.com/s7845-nod32krn_exe.html

Other sites say that it is just a normal nod32 process. Which is it?" }-
What you have linked to is a reference for startup items.
-{ Quote: "!! THIS IS A STARTUP PROGRAM AND NOT A TASK MANAGER PROCESS ITEM !!" }-
nod32krn.exe is the 'NOD32 Kernel Service' but it should not appear in your startup items since it is a system service set to start automatically.

Cheers :)

miller tim
August 14th, 2006, 11:44 PM
So it should NOT be listed in task manager?

Brian N
August 14th, 2006, 11:44 PM
If you find nod32krn.exe in the Windows\system32 folder it probably is a worm.
If not, then I'm quite sure it's legit since it's part of NOD32 :)

-{ Quote: "So it should NOT be listed in task manager?" }-
^ Only the "real" nod32krn process should be in the task manager...

miller tim
August 14th, 2006, 11:47 PM
I just searched my computer and the only instance of the file is in C:\Program Files\ESET

But it is listed in task manager as a running process.

Brian N
August 14th, 2006, 11:48 PM
-{ Quote: "I just searched my computer and the only instance of the file is in C:\Program Files\ESET

But it is listed in task manager as a running process." }-
That's how it should be :)

miller tim
August 14th, 2006, 11:50 PM
Is it that way on your computer? LOL, I'm paranoid.

Brian N
August 14th, 2006, 11:51 PM
It's been like that for over a year now hehe.
nod32krn.exe and nod32kui.exe

miller tim
August 14th, 2006, 11:53 PM
OK. Whew!!! Thanks for clearing that up.

NOD32 user
August 14th, 2006, 11:53 PM
-{ Quote: "That's how it should be :)" }-
Exactly :)

If you have any doubts whatsoever you can test your nod32krn.exe and nod32kui.exe at VirusTotal. Your results should look something like this (http://www.virustotal.com/vt/en/resultadof?e4d589b16a824d98b2a895ded88fabcf) and this (http://www.virustotal.com/vt/en/resultadof?e06806735d5af0a8d9c391f3d7a797a7).

Cheers :)

miller tim
August 14th, 2006, 11:56 PM
I didn't scan it at VirusTotal but I did scan it at Jotti's. It came back clean. :)

Thanks again.

NOD32 user
August 14th, 2006, 11:59 PM
-{ Quote: "I didn't scan it at VirusTotal but I did scan it at Jotti's. It came back clean. :)

Thanks again." }-
No worries :)

mrtwolman
August 15th, 2006, 05:55 AM
It is a kind of social engineering in action. Rbot.AAO copies itself to the Windows system32 folder as nod32krn.exe and creates entries in the registry to run itself on system startup. Just in case, check HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ for the presence of the "Nod32 Free antivirus" key.
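
The three checks suggested in this thread (image path of the running process, a copy in the system32 folder, and the Run entry), combined into one PowerShell script. This is an added example, not code from any poster. The ESET install folder is the one reported above; the `Program Files (x86)` and `SysWOW64` locations and the helper name `New-Finding` are assumptions added here.

```powershell
# Added example. Assumption: genuine NOD32 binaries live under "<Program Files>\ESET",
# the location reported in this thread ("Program Files (x86)" is included as an addition).
$names    = 'nod32krn.exe', 'nod32kui.exe'
$expected = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } |
            ForEach-Object { (Join-Path $_ 'ESET') + '\' }
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# Hypothetical helper: one result row per finding.
function New-Finding($Check, $Item, $Detail, $Status) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail; Status = $Status }
}

# 1. Running processes: judge by image path, not by process name.
foreach ($name in $names) {
    foreach ($proc in (Get-CimInstance Win32_Process -Filter "Name='$name'")) {
        $path = $proc.ExecutablePath      # can be empty when the shell is not elevated
        if (-not $path) {
            $status = 'UNKNOWN (rerun elevated)'
        } elseif ($expected | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }) {
            $status = 'expected location'
        } else {
            $status = 'SUSPICIOUS location'
        }
        New-Finding 'Process' "$name (PID $($proc.ProcessId))" $path $status
    }
}

# 2. A file with the same name inside a Windows system folder.
foreach ($dir in 'System32', 'SysWOW64') {
    foreach ($name in $names) {
        $file = Join-Path $env:SystemRoot "$dir\$name"
        if (Test-Path -LiteralPath $file) {
            New-Finding 'File' $name $file 'SUSPICIOUS: copy in a Windows system folder'
        }
    }
}

# 3. Run entries: the real nod32krn.exe starts as a service, so it should not be here.
$key = Get-Item -Path $runKey
foreach ($valueName in $key.GetValueNames()) {
    $data = [string]$key.GetValue($valueName)
    if ($valueName -eq 'Nod32 Free antivirus' -or $data -match 'nod32krn\.exe') {
        New-Finding 'Run entry' $valueName $data 'SUSPICIOUS: startup entry for nod32krn.exe'
    }
}
```

Rows with status `expected location` are the normal case; any row marked SUSPICIOUS matches the pattern described in the thread.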