Trojan??Virus??
manOFpeace
January 31st, 2004, 04:08 PM
Hello, I had a problem running Ad-aware the other day. Anyway, this is from the Nod32 log. Do I need to send it to ESET? Does this mean Nod32 stopped a Trojan?
Double slash is where my name was. :o
Time Module Object Name Virus Action User Info
28/01/2004 10:46:02 AMON file C:\Program Files\\gibsontools\DCOMbob.exe Win32/Exploit.DComRpc.A trojan deleted
28/01/2004 08:53:19 AMON file C:\Program Files\ gibsontools\DCOMbob.exe Win32/Exploit.DComRpc.A trojan COMPYNO2\
28/01/2004 08:44:58 AMON file C:\Program Files\\gibsontools\dcombob.exe Win32/Exploit.DComRpc.A trojan COMPYNO2\
28/01/2004 01:21:54 AMON file C:\Program Files\\gibsontools\dcombob.exe Win32/Exploit.DComRpc.A trojan COMPYNO2\
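A small triage helper for log lines in the AMON layout shown above, added here as an example; it is not part of the original post and not ESET's tooling. It assumes the column order date, time, module, object type, path, detection name, category, then either an action ("deleted") or the user/computer; the sample lines are constructed, with the redacted name replaced by a "user" folder.

```python
import re
from collections import defaultdict

# Assumed layout of a NOD32 AMON log line (from the thread's log excerpt):
# date time module kind path virus category [deleted | USER\]
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<module>\S+) (?P<kind>\S+) (?P<path>.+?) "
    r"(?P<virus>\S+/\S+) (?P<category>\S+)(?: (?P<rest>.*))?$"
)

# Constructed sample: header line plus four detections of the same file,
# one of which AMON deleted and three it only alerted on.
SAMPLE_LOG = [
    "Time Module Object Name Virus Action User Info",
    "28/01/2004 10:46:02 AMON file C:\\Program Files\\user\\gibsontools\\DCOMbob.exe Win32/Exploit.DComRpc.A trojan deleted",
    "28/01/2004 08:53:19 AMON file C:\\Program Files\\user\\gibsontools\\DCOMbob.exe Win32/Exploit.DComRpc.A trojan COMPYNO2\\",
    "28/01/2004 08:44:58 AMON file C:\\Program Files\\user\\gibsontools\\dcombob.exe Win32/Exploit.DComRpc.A trojan COMPYNO2\\",
    "28/01/2004 01:21:54 AMON file C:\\Program Files\\user\\gibsontools\\dcombob.exe Win32/Exploit.DComRpc.A trojan COMPYNO2\\",
]

def parse_line(line):
    """Return a dict for one detection line, or None for headers/junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = (rec.pop("rest") or "").strip()
    rec["deleted"] = rest.lower().startswith("deleted")
    rec["user"] = "" if rec["deleted"] else rest
    return rec

def group_by_file(lines):
    """Group detections by case-folded path so DCOMbob.exe and dcombob.exe merge."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[rec["path"].lower()].append(rec)
    return groups

def triage(lines, trusted_dirs=()):
    """Summarise each file as (path, virus, hit count, ever deleted, under trusted dir).
    A repeated hit on a file under a directory you installed yourself, with the
    same detection name every time, is the pattern to check with the vendor."""
    report = []
    for path, recs in group_by_file(lines).items():
        trusted = any(path.startswith(d.lower()) for d in trusted_dirs)
        report.append((path, recs[0]["virus"], len(recs),
                       any(r["deleted"] for r in recs), trusted))
    return report
```

Run `triage(SAMPLE_LOG, trusted_dirs=("C:\\Program Files\\user\\gibsontools",))` to see the four lines collapse into one entry for the tool; a "deleted" flag on a trusted path tells you the file is already gone and must be restored from the original download before it can be submitted to the vendor.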
wizard
January 31st, 2004, 04:32 PM
The files show that you have installed DCOMbobulator from Steve Gibson. This is a tool to test for "RPC exploits" and for disabling the RPC service. NOD32 picks up the exploit code inside this program.
So this file is not a trojan. You can add the file to the exclusion list within AMON to avoid further detection of the file.
wizard
manOFpeace
January 31st, 2004, 04:37 PM
Hello wizard, glad it's something simple. Thanks. ;)
Vietnam Vet
January 31st, 2004, 05:02 PM
hmmm,
Also running Nod32 here and DCOMbobulator (ver 2.0). Just ran it again and not a peep out of Nod. Also a right-click scan with advanced heuristics of the file says all clear. Now you have my full attention. Something wrong with my copy of Nod32, or something wrong with manOFpeace's copy of DCOMbobulator? Running 98SE here, if that matters. Thanks for any clarification.
manOFpeace
January 31st, 2004, 05:42 PM
Hello VIETNAM_VET, I went to the file where the tools are stored and carried out the two scans you speak of and nothing showed. This was about one hour ago.
XP Home SP1 here. :)
Although I do have some of Steve Gibson's stuff, I did a search for DCOMbobulator in Program Files and then My Computer and nothing came up.
manOFpeace
January 31st, 2004, 06:15 PM
This is all the SG stuff I am aware of on my computer:
Vietnam Vet
January 31st, 2004, 07:15 PM
Well, if it were me, and I just had a trojan identified on my system in a program which is not even in existence on said system, I would be awfully curious as to just what exactly Nod32 is(or was) seeing....
manOFpeace
January 31st, 2004, 07:25 PM
Hi V_V, according to wizard above there is an explanation for it.
From the Trojan people:
Greetings and apologies for the delay - that's GRC's DCOMBOBULATOR tool and is QUITE legit ... might want to send a copy of that file to NOD32's folks so they can fix their definitions. Definitely NOT a trojan ...
Nobody seems too concerned about it. I am trying to get an explanation but it's not easy.
Vietnam Vet
January 31st, 2004, 07:54 PM
manOFpeace,
According to wizard's explanation, what was detected was your copy of DCOMBOBULATOR due to the exploit code inside of that program. You just told me that you do not have that program. Perhaps you meant that you don't have it now, but did have it at the time of the scan?
If that is the case, it begs the question again as to why it is not detected on my system as I definitely do have the program and ran it again to see if I received a warning of any kind. I do NOT get any alert!
That is the point of my first post. Nothing to submit for a fix of the definitions in my case as there was no false alert.
If there is a false alert, why am I not seeing it? How did you get a false alert on something you didn't have to start with?
manOFpeace
January 31st, 2004, 09:07 PM
I would be 99.99% sure DCOMBOBULATOR was not on my computer before this incident. As you mention, it may have been removed, but again I'm almost certain this was not on my computer. Looking into the file from memory, I do not recall DCOMBOBULATOR in my files. I am not familiar with the name. When I got over this I cleared all restore points, so I can't go down that road. I did a registry search just in case, but it's not there either.
I don't know what the AV people would have done, but every time I tried to open it, it closed everything down and left me with a bare desktop. This was a log file inside the legit. log file. The only way to get it away was to delete the whole Ad-aware file. :)
Vietnam Vet
January 31st, 2004, 11:26 PM
OK manOFpeace,
I read the thread over at the Ad-aware forum as well. Since my system doesn't seem to have any issues, unless something new develops, I am just gonna keep one eye looking in the direction of the two threads and chug along as usual. Good luck.
manOFpeace
February 1st, 2004, 05:19 AM
It's a complete mystery to me. Why it attacked Ad-aware I do not know. I wonder if it would be possible Ad-aware cleaned it up and then was attacked by it? I have done complete scans and selective scans and all returns clean. :)
doug6949
February 1st, 2004, 04:26 PM
Weird!
Maybe it's just coincidence, but NOD32 picked this same thing up yesterday for the first time on my machine. I've had the DCOMBobulator on my machine for several months. Admittedly, this was the first time I had ticked runtime packers, archives and email files.
Here is what NOD found:
C:\Documents and Settings\Administrator\My Documents\Downloads\Utilities\DCOMbob.exe - Win32/Exploit.DComRpc.A trojan
Doug
manOFpeace
February 1st, 2004, 06:02 PM
Hello Fire Permit, the date of detection on mine was 28.01.04. I would still lay my head on the block and say Decombob. was not on my computer at the time of detection. Above is an attachment showing the only stuff I ever knew I had from SG.
Would it be possible for it to find its way through other utilities I have?
Vietnam Vet
February 1st, 2004, 06:33 PM
Definition was added on the 27th.
NOD32 - v.1.610 (20040127)
Virus signature database updates:
IRC/SdBot.ND, Solaris/Exploit.Dcom.A, Win32/Afcore.Y, Win32/Afcore.Z, Win32/Beastdoor.205.B, Win32/Exploit.DCom.BF, Win32/Exploit.DComRpc.A, Win32/Hackarmy.M, Win32/Hackarmy.N, Win32/Loony.A, Win32/Nexus.B, Win32/Thredsys.51, Win32/TrojanClicker.VB.AO
doug6949
February 1st, 2004, 10:01 PM
Perhaps ESET added the definition without realizing its source and purpose. Or do you suppose the code can be used by hackers for other purposes?
MarsVenus
February 1st, 2004, 11:38 PM
I had the same thing the other day.
http://www.wilderssecurity.com/showthread.php?t=20598
sig
February 2nd, 2004, 01:21 AM
Their virus def no doubt is based on a real exploit.
My only issue with the detection (as I noted in Mars/Venus' thread) is that all I have to do is mouse over Gibson's app's icon or even a shortcut and AMON goes bonkers. (Edited, since AMON is not picking up just on the file name but evidently on the test "exploit" in the file.)
Copyright ©2002 - 2009, Wilders Security Forums