Hi all

Me and my fellow sysadmins have just spent a few hours chasing what we thought was a zero day virus around our corporate network. We now believe it to be a bug in the latest version of NOD32.

Whenever anyone of our machines that has the current version of NOD32 installed attempts to access any directory that contains JPSoftware's 4NT executables, the machine will either hard reset immediately or get a BSOD. We're not sure which exact file is causing the issue - we've now just excluded AMON from scanning that directory entirely. The version of 4NT is pretty old (v3 or v4) but it also seems to occur on some machines running the latest v8.02.

This only occurs on machines which updated their NOD32 today. If an older version of NOD32 is installed, the machine can browse the folder just fine.

My NOD32 info is below. I've also RAR'd up the Windows minidump info that the crash causes and can mail that if required.

For now we're excluding the directory under AMON and will look to upgrade all users if v8.02 proves to solve the issue (some people with 8.02 have no problems, others do).

Thanks

Andrew

NOD32 antivirus system information
Virus signature database version: 2394 (20070711)
Dated: Wednesday, 11 July 2007
Virus signature database build: 10304

Information on other scanner support parts
Advanced heuristics module version: 1.063 (20070710)
Advanced heuristics module build: 1161
Internet filter version: 1.002 (20040708)
Internet filter build: 1013
Archive support module version: 1.053 (20070524)
Archive support module build version: 1189

Information about installed components
NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base
Version: 2.70.32
NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Internet support
Version: 2.70.32
NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component
Version: 2.70.32

Operating system information
Platform: Microsoft Windows XP
Version: 5.1.2600 Service Pack 2
Version of common control components: 5.82.2900
RAM: 2047 MB
Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (2400 MHz)

Hi itteam,

I'm not an Eset representative, but I note you are using Nod32 version 2.70.32.

Have you tried the latest Nod32 version? Version 2.70.39 can be downloaded from here (http://www.eset.com/download/registered_software.php)

It might be worth trying the latest version while you wait for one of the Eset support team to respond to your query.

Cheers.

HI

maybe if we can replicate this problem in our enviroment, we will see what's going on. Please, could you provide us with some sample of mentioned executables? Send it to support@eset.com together with link to wilders.

Cheers.

I've sent off all the 4NT directory and info we've collected. I'm also doing some further investigation on my laptop from home. It hasn't been connected to the network here for several weeks so should be completely clean.

I'll post back with results.

Andrew

Hi It

try with the latest def version 2396 and let us know the results.

Ok, some further testing...

I've updated my NOD32 to 2396. If I scan the RAR'd up directory on my machine it's fine. If I scan a directory over the network I get a hard reset.

If I disable AMON, I can also still crash other machines by browsing to their 4NT directory over the network (eg if it's shared). In such a case, the only thing that happens is that the network share/machine dissappears from the network as the machine hard resets.

Interestingly, I've booted my laptop with BackTrack (used to be Auditor) the linux security boot CD. I can use Konqueror to browse the same machines that I can cause resets on without causing a reset.

No... wait.. now the machines don't reset when I browse them. Perhaps they've updated to the new definition now.

I'll try enabling AMON and browsing the network share that's caused issues.

Andrew

The only other thing I've just noticed, when I browse one of the machines with the 4NT directory that displayed the error, I see an event in my security software:

Time, 13/07/2007 7:50:00 AM,
Event, SMB_Malformed,
Machine, KERRYH,
Parameter(s),
Count, 3

Unfortunatley there are no further details in the logs. I have got full "evidence logging" enable though so perhaps there is something more there.

Andrew

And now I just noticed this.. I'm starting to get worried again.. there's nothing major but all this activity together is suspect.

Time,
13/07/2007 7:57:10 AM,
Event, MSRPC_Share_Enum_Sweep,
Intruder, 192.168.1.115
Parameter(s), count=5<>victim=192.168.1.25
Count, 1


13/07/2007 7:57:10 AM,
Event, MSRPC_Share_Enum_Sweep,
Intruder, 192.168.1.115
Parameter(s), count=5<>victim=192.168.1.217


192.168.1.115 is my machine
The other two IPs are the two machines I have been browsing. They have also been exhibiting the reboot problem.

A

More.. I've turned off AMON and am still able to browse the machines (two IPs above) without those machines nor my machine rebooting.

When I browse to the fileserver that hosts the installer files for 4NT, I get another lot of RPC Share Enum Sweeps and SMB malformed packets. That file server is running an ond version of Redhat with Samba on it. Now admittedly, samba is a bit old but, well, anyway here are the log details:

Time, Event, Intruder, Parameter(s), Count
13/07/2007 8:21:41 AM, MSRPC_Share_Dump, 192.168.1.115, server=\\Sapphire, 7

13/07/2007 8:21:41 AM, MSRPC_Share_Enum_Sweep, 192.168.1.115, count=5<>victim=192.168.1.218, 1

13/07/2007 8:21:41 AM, MSRPC_Share_Enum_Sweep, AE, count=5-6|8<>victim=192.168.1.17|192.168.1.25, 3

13/07/2007 8:21:40 AM, SMB_Malformed, 192.168.1.218, , 3

sapphire is the linux server
192.168.1.17 is sapphire's IP


ADD:

Again, it's a bit suspect. Nothing with major alarm bells but just weird. I waited about 15 minutes without Windows Explorer open. I then browsed to sapphire's 4NT directory. After hitting refresh a few times, I got this in the logs:

Time, Event, Intruder, Parameter(s), Count
13/07/2007 8:36:16 AM, MSRPC_Share_Enum_Sweep, AE, count=5|7<>victim=192.168.1.218, 3
13/07/2007 8:36:16 AM, MSRPC_Share_Dump, AE, server=\\Sapphire, 17

A