Exploit.IE.Crashsos crashing iexplore.exe (1.880)


markpl
September 28th, 2004, 04:59 PM
Hi!

After updating to 1.880 I wanted to check if NOD32 is properly detecting the Exploit.IE.Crashsos exploit: http://sylvana.net/test/AP4.jpg

Unfortunately the image appeared in Internet Explorer (heavily distorted) and a NOD32 virus alert appeared. I chose to disconnect. After that the image was replaced with a "No such page" screen. A few seconds after that iexplore.exe crashed :(

My system: Windows XP Pro SP2, NOD32 2.12.2 - 1.880

Any idea?

Blackspear
September 28th, 2004, 05:12 PM
{QUOTE-> Hi!

After updating to 1.880 I wanted to check if NOD32 is properly detecting the Exploit.IE.Crashsos exploit: http://sylvana.net/test/AP4.jpg

Unfortunately the image appeared in Internet Explorer (heavily distorted) and a NOD32 virus alert appeared. I chose to disconnect. After that the image was replaced with a "No such page" screen. A few seconds after that iexplore.exe crashed :(

My system: Windows XP Pro SP2, NOD32 2.12.2 - 1.880

Any idea? <-QUOTE}
Is everything back to normal after a reboot?

Have you tried that page again?

I get the following 2 screenshots:

Cheers ;D

Blackspear
September 28th, 2004, 05:13 PM
And when I click "Terminate" I get this screenshot...

rumpstah
September 28th, 2004, 05:21 PM
Hi markpl:

If you do not have issues with other web pages showing up incorrectly (for now - at least until the newer components are released), it may be better to change IMON to Automatically deny download of infected file and to change Mozilla/4.0 iexplore.exe to Higher efficiency in the IMON Setup/HTTP tab - Compatibility setup.



{QUOTE-> Hi!

After updating to 1.880 I wanted to check if NOD32 is properly detecting the Exploit.IE.Crashsos exploit: http://sylvana.net/test/AP4.jpg

Unfortunately the image appeared in Internet Explorer (heavily distorted) and a NOD32 virus alert appeared. I chose to disconnect. After that the image was replaced with a "No such page" screen. A few seconds after that iexplore.exe crashed :(

My system: Windows XP Pro SP2, NOD32 2.12.2 - 1.880

Any idea? <-QUOTE}

markpl
September 28th, 2004, 05:22 PM
{QUOTE-> And when I click "Terminate" I get this screenshot... <-QUOTE}

Strange - I don't get this screen.

The system itself isn't crashing - only iexplore.exe. After that I restarted the machine just to be sure everything is OK.

Now I gave that URL a second try (only iexplore.exe running - no other active apps) and this time the image wasn't loaded. A virus alert appeared. I chose to terminate the connection and it crashed iexplore.exe :(

So this is reproducible on my machine. I have all Windows updates installed. I'm also using SpyBot. No other resident applications.

markpl
September 28th, 2004, 05:29 PM
{QUOTE-> Hi markpl:

If you do not have issues with other web pages showing up incorrectly (for now - at least until the newer components are released), it may be better to change IMON to Automatically deny download of infected file and to change Mozilla/4.0 iexplore.exe to Higher efficiency in the IMON Setup/HTTP tab - Compatibility setup. <-QUOTE}

Hah!

That is what I like in using NOD32 - excellent support community :)

It worked! After switching to higher efficiency iexplore.exe isn't crashing :)

Anyway, someone from ESET should read this thread because many users use the default settings.

Blackspear
September 28th, 2004, 05:34 PM
As Rumpstah has said above, are you sure all your settings are at "Higher Efficiency"?

As you will see in Post number 8 in my Extra Settings for Nod32 thread at the top of this forum, there is the following statement regarding this:


It is recommended to change the compatibility level to "Higher Efficiency" unless you experience problems with certain applications.


NOTE: With “Higher Compatibility” mode it is possible that Trojans may slip through IMON.


There is a newer version of Nod32 coming soon which will have "Higher Efficiency" as default, having fixed a few issues with certain websites...

Hope this helps...

Cheers ;D

Howard
September 28th, 2004, 05:40 PM
{QUOTE-> Strange - I don't get this screen.

The system itself isn't crashing - only iexplore.exe. After that I restarted the machine just to be sure everything is OK.

Now I gave that URL a second try (only iexplore.exe running - no other active apps) and this time the image wasn't loaded. A virus alert appeared. I chose to terminate the connection and it crashed iexplore.exe :(

So this is reproducible on my machine. I have all Windows updates installed. I'm also using SpyBot. No other resident applications. <-QUOTE}

Check out the thread http://www.wilderssecurity.com/showthread.php?t=49004 for discussion on this and the much more important GDI+ JPEG vulnerability (AP4.jpg was released misleadingly as a possible variant of this new exploit).

AP4.jpg is very small, <61KB, and I suspect on a broadband connection IMON cannot get in quickly enough to stop buggy IE falling over. Certainly IMON cannot stop the file being downloaded here - by the time terminating the connection is selected, the file has been downloaded. Interestingly, while IMON detects the infiltration, scanning the downloaded file with NOD32 reveals nothing at all - anyone know why this is so?

Howard
September 28th, 2004, 05:48 PM
{QUOTE-> AP4.jpg is very small, <61KB, and I suspect on a broadband connection IMON cannot get in quickly enough to stop buggy IE falling over. Certainly IMON cannot stop the file being downloaded here - by the time terminating the connection is selected, the file has been downloaded. Interestingly, while IMON detects the infiltration, scanning the downloaded file with NOD32 reveals nothing at all - anyone know why this is so? <-QUOTE}

Ah, I see from other posts my speculation is unfounded and I forgot the differences between higher compatibility and higher efficiency. But my question remains: how come scanning with NOD32 (everything switched on) does not detect any infiltration in the downloaded file AP4.jpg?

Stan999
September 28th, 2004, 05:49 PM
{QUOTE-> Interestingly, while IMON detects the infiltration, scanning the downloaded file with NOD32 reveals nothing at all - anyone know why this is so? <-QUOTE}

Scanning it here with NOD32 works ok.

D:\test\virus\AP4.jpg - Exploit.IE.Crashsos trojan

Howard
September 28th, 2004, 05:54 PM
{QUOTE-> Scanning it here with NOD32 works ok.

D:\test\virus\AP4.jpg - Exploit.IE.Crashsos trojan <-QUOTE}

Well, that is even more puzzling to me.

date: 28.9.2004 time: 22:49:05
Scanned disks, directories and files: C:\Documents and Settings\[user name]\My Documents\AP4.jpg
number of scanned files: 1
number of viruses found: 0
time of completion: 22:49:05 total scanning time: 0 sec (00:00:00)

flyrfan111
September 28th, 2004, 05:55 PM
Using Firefox to view the page doesn't set off IMON at all.

Blackspear
September 28th, 2004, 05:58 PM
{QUOTE-> Using Firefox to view the page doesn't set off IMON at all. <-QUOTE}
Even with "Higher Efficiency" set?

Cheers ;D

rumpstah
September 28th, 2004, 06:01 PM
Hi Howard:

How is your Context Menu Profile set up to scan? All files should be selected since .jpg extensions are not in the default list. Each profile has to be set up independently. The On Demand Scan has different profiles.

I hope this helps.


{QUOTE-> Well, that is even more puzzling to me.

date: 28.9.2004 time: 22:49:05
Scanned disks, directories and files: C:\Documents and Settings\[user name]\My Documents\AP4.jpg
number of scanned files: 1
number of viruses found: 0
time of completion: 22:49:05 total scanning time: 0 sec (00:00:00) <-QUOTE}

rumpstah
September 28th, 2004, 06:06 PM
Hi flyrfan111:

Depending on your version of Firefox, Mozilla/4.0 or Mozilla/5.0, firefox.exe could be set to Higher Efficiency in IMON setup to produce the screen "splat", in addition to Automatically deny download of infected file.

{QUOTE-> Using Firefox to view the page doesn't set off IMON at all. <-QUOTE}

Stan999
September 28th, 2004, 06:08 PM
{QUOTE-> Well, that is even more puzzling to me.

date: 28.9.2004 time: 22:49:05
Scanned disks, directories and files: C:\Documents and Settings\[user name]\My Documents\AP4.jpg
number of scanned files: 1
number of viruses found: 0
time of completion: 22:49:05 total scanning time: 0 sec (00:00:00) <-QUOTE}

Have you set it to "scan all files"?

http://webpages.charter.net/gunn1943/ap4.JPG

Howard
September 28th, 2004, 06:09 PM
{QUOTE-> Well, that is even more puzzling to me.

date: 28.9.2004 time: 22:49:05
Scanned disks, directories and files: C:\Documents and Settings\[user name]\My Documents\AP4.jpg
number of scanned files: 1
number of viruses found: 0
time of completion: 22:49:05 total scanning time: 0 sec (00:00:00) <-QUOTE}

Solved it! I didn't have Archives checked in objects to diagnose. When I checked Archives in objects to diagnose, NOD32 identified the infiltration in AP4.jpg.

gkweb
September 28th, 2004, 06:14 PM
Hi,

Here, with Mozilla Firefox 1.0PR + the Higher efficiency setting, everything works as shown in the above screenshot (I didn't have the second screenshot with the default Higher compatibility, so check it).

Thanks to Blackspear ;)

regards,

gkweb.

flyrfan111
September 28th, 2004, 06:16 PM
{QUOTE-> Even with "Higher Efficiency" set?

Cheers ;D <-QUOTE}
Now that I cleared my caches for both IE and Firefox, with higher efficiency set on both I get the first warning you displayed; with higher compatibility set on IE and Firefox I get both warnings you displayed. Edited to add: IE doesn't crash with either setting.

Howard
September 28th, 2004, 06:19 PM
{QUOTE-> Solved it! I didn't have Archives checked in objects to diagnose. When I checked Archives in objects to diagnose, NOD32 identified the infiltration in AP4.jpg. <-QUOTE}

Damn, something weird is happening here. I was too hasty in my post - the infiltration was in a completely different file (an archive!). NOD32 here simply does not identify an infiltration in AP4.jpg, using virus signature 1.880.

Blackspear
September 28th, 2004, 06:21 PM
Ahhh good to see guys, the new Rumpstah-Blackspear Tag Team worked ;)

Problem solved... NEXT!!! ;D

Cheers ;D

Stan999
September 28th, 2004, 06:22 PM
{QUOTE-> Damn, something weird is happening here. I was too hasty in my post - the infiltration was in a completely different file (an archive!). NOD32 here simply does not identify an infiltration in AP4.jpg, using virus signature 1.880. <-QUOTE}

Do you have the NOD32 "On Demand Scanner" set to "scan all files"?

flyrfan111
September 28th, 2004, 06:25 PM
{QUOTE-> Damn, something weird is happening here. I was too hasty in my post - the infiltration was in a completely different file (an archive!). NOD32 here simply does not identify an infiltration in AP4.jpg, using virus signature 1.880. <-QUOTE}

I thought that also. It seems as if the exploit isn't the jpg itself but an archive downloaded in the background. But I am not a programmer so I could be wrong. That would explain why you have to have archives checked to pick it up, though. Unless the jpg itself is compressed, that is.

Howard
September 28th, 2004, 06:32 PM
{QUOTE-> I thought that also. It seems as if the exploit isn't the jpg itself but an archive downloaded in the background. But I am not a programmer so I could be wrong. That would explain why you have to have archives checked to pick it up, though. Unless the jpg itself is compressed, that is. <-QUOTE}

The archive thing was me being dumb. I had a known virus in a zipped file in the same directory as AP4.jpg so all that happened when I switched on Archives in objects to diagnose is that NOD32 picked that virus up and I didn't look closely enough and wrongly thought it had detected the AP4.jpg infiltration. The fact is eScan detects the infiltration in AP4.jpg here, but NOD32 doesn't.

flyrfan111
September 28th, 2004, 06:38 PM
It has to be a settings problem for you then; I am picking it up. I can't post a screenshot with this slow dial-up connection, though, but it is working both on access and if I disable IMON, then download it and scan with NOD32. Not sure why yours won't pick it up.

Howard
September 28th, 2004, 06:38 PM
{QUOTE-> Do you have the NOD32 "On Demand Scanner" set to "scan all files"? <-QUOTE}

Apologies to other posters as I inadvertently ignored their questions. I have NOD32 set to scan all files, advanced heuristics/deep etc. etc. The only thing not checked, as far as I can see, is email and MAPI.

Blackspear
September 28th, 2004, 06:42 PM
{QUOTE-> Apologies to other posters as I inadvertently ignored their questions. I have NOD32 set to scan all files, advanced heuristics/deep etc. etc. The only thing not checked, as far as I can see, is email and MAPI. <-QUOTE}
Do you have your "Context Menu Profile" set to scan all files and every other setting tweaked up? See the last post here (http://www.wilderssecurity.com/showthread.php?t=37509&page=2).

Cheers ;D

Howard
September 28th, 2004, 06:48 PM
{QUOTE-> Do you have your "Context Menu Profile" set to scan all files and every other setting tweaked up? See the last post here (http://www.wilderssecurity.com/showthread.php?t=37509&page=2).
<-QUOTE}

Yes, I have my Context Menu Profile switched on to maximum settings as in your recommendations; so is NOD32 launched from the control centre. But whether I scan the file from the context menu or from the control centre, it comes up clean.

Howard
September 28th, 2004, 07:44 PM
Just to highlight the puzzle. I have two files in a directory. One is a zipped jpg file infected with the Win32/Exploit.MS04-028 trojan; the other file is AP4.jpg. NOD32 - launched either from the control centre or the context menu - will correctly identify the infection in the zipped jpg, but does not identify AP4.jpg as infected. Beats me what is going on, as other people do not seem to be experiencing this non-detection by NOD32 (IMON did detect the infection in AP4.jpg when I downloaded it).

Stan999
September 28th, 2004, 07:49 PM
{QUOTE-> Just to highlight the puzzle. I have two files in a directory. One is a zipped jpg file infected with the Win32/Exploit.MS04-028 trojan; the other file is AP4.jpg. NOD32 - launched either from the control centre or the context menu - will correctly identify the infection in the zipped jpg, but does not identify AP4.jpg as infected. Beats me what is going on, as other people do not seem to be experiencing this non-detection by NOD32 (IMON did detect the infection in AP4.jpg when I downloaded it). <-QUOTE}

If you upload that specific AP4.jpg you have to http://www.virustotal.com/flash/index_en.html for scanning, do NOD and KAV detect it?

Howard
September 28th, 2004, 08:11 PM
{QUOTE-> If you upload that specific AP4.jpg you have to http://www.virustotal.com/flash/index_en.html for scanning, do NOD and KAV detect it? <-QUOTE}

Interesting question :)

BitDefender 7.0/20040928 found nothing
ClamWin devel-20040822/20040928 found nothing
F-Prot 3.15a/20040928 found nothing
Kaspersky 4.0.2.24/20040929 found [Exploit.IE.Crashsos]
McAfee 4395/20040928 found nothing
NOD32v2 1.880/20040928 found nothing
Norman 5.70.10/20040928 found nothing
Panda 7.02.00/20040928 found nothing
Sybari 7.5.1314/20040928 found nothing
Symantec 8.0/20040929 found nothing
TrendMicro 7.100/20040926 found nothing

fredra
September 28th, 2004, 08:12 PM
Results of a file scan
This is the report of the scanning done over "AP4.jpg" file that VirusTotal processed on 09/29/2004 at 02:07:27.

Antivirus    Version          Update      Result
BitDefender  7.0              09.28.2004  -
ClamWin      devel-20040822   09.28.2004  -
F-Prot       3.15a            09.28.2004  -
Kaspersky    4.0.2.24         09.29.2004  Exploit.IE.Crashsos
McAfee       4395             09.28.2004  -
NOD32v2      1.880            09.28.2004  Exploit.IE.Crashsos
Norman       5.70.10          09.28.2004  -
Panda        7.02.00          09.28.2004  -
Sybari       7.5.1314         09.28.2004  -
Symantec     8.0              09.29.2004  -
TrendMicro   7.100            09.26.2004  -

It would seem that only KAV and NOD detect this exploit. I tried it on a box with "P***A" (I know this is a NOD forum) and it crashed the box, but on my box with NOD it didn't.
I think it may be a setting on your NOD profile (just my .000002 cents)
Cheers :)

Blackspear
September 28th, 2004, 08:29 PM
{QUOTE-> ...but does not identify AP4.jpg as infected.

...IMON did detect the infection in AP4.jpg when I downloaded it <-QUOTE}
I wonder if IMON did something to the file when it was downloaded, or if you have a slightly different variant to that which is detected...

Cheers ;D

fredra
September 28th, 2004, 08:43 PM
Just to add some results here.
When I changed to Higher efficiency for IE, I can't even d/l the file... IMON stops it cold.
In Higher compatibility mode it did give me the two screens, but I could d/l the file.
This is interesting.... I think I will leave it on Higher efficiency mode and see what happens in my surfing.
If the ESET folks read this they may have a solution.
Cheers :)

Blackspear
September 28th, 2004, 08:58 PM
{QUOTE-> ...If the ESET folks read this they may have a solution.
Cheers :) <-QUOTE}
A newer version is about to be released, v2.12.3; I'm using it now ;D

Cheers ;D

Howard
September 28th, 2004, 09:12 PM
{QUOTE-> I wonder if IMON did something to the file when it was downloaded, or if you have a slightly different variant to that which is detected...
<-QUOTE}

Your first wonder looks like the right one :)

I downloaded the file again, only this time I closed IMON instead of opting for terminate connection. The file is detected as infected now by NOD32 and it is a different size - 62,512 as opposed to 62,103.

Well, I have had quite enough of that little exploit and wiped the pair of them off my drive.
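
The size difference Howard reports above (62,512 vs 62,103 bytes) is what a download cut off mid-stream looks like, and a scanner signature written against the complete file will not necessarily match a truncated copy. The following Python script is an added example, not code from this thread, from NOD32 or from any of the posters: it walks the marker segments of a JPEG to tell a structurally complete file (SOI ... SOS ... EOI) from a truncated one, and records size and SHA-256 so that two copies of a sample can be compared before any conclusion is drawn about detection. The sample bytes are constructed inside the script and are not the real AP4.jpg; the function names are the example's own.

```python
import hashlib

# JPEG marker codes used by the checker (the byte that follows 0xFF)
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# TEM and RSTn markers carry no length field
STANDALONE = {0x01, *range(0xD0, 0xD8)}


def inspect_jpeg(data: bytes) -> dict:
    """Walk the marker segments of a JPEG and report whether the file is
    structurally complete: starts with SOI, reaches an SOS segment, and
    ends with EOI. A download cut off mid-stream fails one of these."""
    report = {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "segments": [],
        "complete": False,
        "reason": "",
    }
    if len(data) < 2 or data[:2] != bytes([0xFF, SOI]):
        report["reason"] = "missing SOI marker"
        return report
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            report["reason"] = f"expected marker at offset {pos}"
            return report
        marker = data[pos + 1]
        if marker == SOS:
            report["segments"].append("SOS")
            break
        if marker in STANDALONE:
            pos += 2
            continue
        # The length field counts itself (2 bytes) plus the payload
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        report["segments"].append(f"{marker:02X}")
        if pos + 2 + length > len(data):
            report["reason"] = f"segment {marker:02X} truncated"
            return report
        pos += 2 + length
    else:
        report["reason"] = "no SOS segment"
        return report
    # Entropy-coded scan data follows SOS; a complete file ends with EOI
    if data[-2:] == bytes([0xFF, EOI]):
        report["complete"] = True
    else:
        report["reason"] = "no EOI marker at end of file"
    return report


def build_sample() -> bytes:
    """Constructed stand-in, not a real image and not AP4.jpg: SOI, an APP0
    (JFIF) segment, a COM segment, an SOS header, filler scan data, EOI."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xff\xfe" + (2 + 11).to_bytes(2, "big") + b"constructed"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = bytes(range(0xF0)) * 2  # filler bytes, none equal to 0xFF
    return bytes([0xFF, SOI]) + app0 + com + sos + scan + bytes([0xFF, EOI])


def compare_samples(a: bytes, b: bytes) -> dict:
    """Summarise how two copies of a sample differ, the kind of check that
    would have explained the 62,512 vs 62,103 byte observation earlier."""
    ra, rb = inspect_jpeg(a), inspect_jpeg(b)
    return {
        "same_hash": ra["sha256"] == rb["sha256"],
        "size_delta": ra["size"] - rb["size"],
        "both_complete": ra["complete"] and rb["complete"],
    }


if __name__ == "__main__":
    full = build_sample()
    cut = full[:-20]  # simulate a connection terminated before the tail arrived
    for name, blob in (("complete", full), ("truncated", cut)):
        r = inspect_jpeg(blob)
        print(f"{name}: {r['size']} bytes, complete={r['complete']}, "
              f"segments={r['segments']} {r['reason']}")
    print(compare_samples(full, cut))
```

Run as-is it inspects the constructed sample and a copy with its last 20 bytes missing; pass the bytes of a real file to `inspect_jpeg` to check a downloaded sample the same way. A copy that fails the structural check should be re-acquired before it is used to judge whether a scanner detects it, since the scanner may simply never have seen the part of the file the signature keys on.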

Blackspear
September 28th, 2004, 09:19 PM
{QUOTE-> ...Well, I have had quite enough of that little exploit and wiped the pair of them off my drive. <-QUOTE}
LMAO, nice to see you had a result...

Cheers ;D