nod doesn't catch NTOS trojan

Hi
yesterday i downloaded a program "capture one " from a mirror
it's a 50mb of program
i click on the install , and after some time the setup told me "it's for 64 and not for 32bit"

well this makes me suspicious
i run threatfire and re-install the program
threatfire detect & block the files , i send this files to virus total and they are a exe and video.dll and audio.dll they are the ntos trojan


well i have the last version of nod32 2.7 last built


why it doesn't catch them??

thanks

ps can nod32 run on safemode or does it have a command line to clean the files on the boot ,like avast?

 

It depends on two things. a) you might have a new varient that's not detected yet and b) your settings might not allow detection (although i doubt it)

 

Hi, submit that files in password protected archive (password will be "infected") to samples[at]eset[dot]sk for analysis.

You can delete these files by Avenger. Run exe file and write this:

Code:

Files to delete:
full paths of files in succesive lines

* If files are located in the same folder, use "Folders to delete:"

Click on "Execute", OK, computer will be restarted.

I don't recommend use Avenger and similar utilities for beginners! Better is using Avenger after application some utility, UPM eg.

You can use MoveOnBoot, too.

 

Hi mantra. I suggest you post a hijackthis log at a malware removal forum.

thanatos

 

the link of upm is dead

 

Hi thanatos, today's malware start be better and better. My testing says that some samples can hide before HijackThis (and it wasn't rootkit).

Why, it is support forum.

 

it's a shame that nod32 did not detect it
but i can know if it does encryp my hds ? i have many hds

 

not the link is working

but is UPM a software or a forum

by the way the alternative about avenger is moveonboot ?

 

Last, when I cleaned infected pc with this sample, it was written in few Registry values. But you can't delete whole value, you can only repair it.

Software sure, yes MoveOnBoot can be alternative.

 

Renaming hjt helps.

Maybe it's a new variant of NTOS. Go to the following links to know more about the trojan.

http://www.prevx.com/blog/31/Ransomware-Holding-Corporate-America-Ransom.html
http://www.gamerswithjobs.com/node/37494?page=1

thanatos

 

thanks
but is there a link with the cure
at last a program that can for sure catch it
and it encrypt my hard disks, how can i know if it did it

 

You can try this removal tool by Prevx.

Maybe the execution of NTOS was blocked by ThreatFire. However, I still insist you go to a malware removal forum.

thanatos

 

ok i can open here in the malware forum , or in another forum
thanks but is true
https://www.wilderssecurity.com/showpost.php?p=1203972&postcount=7

 

The trojan will encrypt your files, drives once it is executed. However, maybe ThreatFire blocked ntos.exe from running. Just to be sure your infected or not, post an hjt log at a malware removal forum. Choose one forum from here.

thanatos

 

ntos trojan help me to know what can it do

Hi
in a topic https://www.wilderssecurity.com/showthread.php?p=1204001#post1204001

i wrote about how nod32 did miss the ntos trojan

well i'm pretty sure i rid of it (i guess)

but i'm curious, inquisitive about the action that ntos did on my pc
is there a source to know that ntos does

thanks

 

Mantra,

You have an active thread on the topic here, please keep the discussion localized in this thread. The members already responding here clearly have the knowledge to answer the question posed, or you could perform a generalized Internet based search and obtain the same information.

As for the current status of your machine, if you're guessing as you indicate, it's probably time to avail yourself of some of the excellent advice already offered and validate the state of your system via assistance rendered at a malware removal forum.

Blue

 

sorry bluezanetti
other operatos advises me to open in another forum
i think that i did not understand as well the advises

 

thanks
i will do it
but which software can i run to be sure i haven't in my pc any more
and can i know if it did start to encrypt my files?

 

i did a search and i found here this page about the trojan
http://www.netpartners.com/securitylabs/blog/blog.php?BlogID=136


and there is a decryptor , but i can't find how download it

 

Mantra,

As always, understand in detail what is in front of you prior to performing any task. In part, that is why thanatos_theos has been insistent that you visit one of the malware removal forums presented in the list provided - once again, it is here.

With respect to the specific malware that you appear to have been subject to, visit the links provided above. They are:

• unRansom..Me! Prevx blog entry by Jacques Erasmus. This blog entry also has a technical analysis provided by Marco Giuliani (the pdf file containing that analysis is here - note this is a direct download link), read that as well since it provides some details which should allow you to assess whether you've been infected. As a caution, I do not know whether this information is dated, hence the guidance to consult with those involved in active malware removal. Their knowledge on this topic should be current.
• Direct download link to the Prevx provided unransomme.exe. However, read and understand the blog entry before using this tool

The last thing is to set in motion a chain of events to address a situation that is incompletely characterized.

Blue

 

thanks really to all
i really appreciate your help
this forum rocks!

well about

i want to apologize , i did not understand well , english is not my language
by the way thanks again!

 

Mantra,

No problem. If something is not clear, just ask, although I do understand that if language itself is the issue - and that occurs in any diverse forum frequently - sometimes the need to ask is not obvious, which is why a bit of patience is also recommended for all.

Also, my comments are not just for you, but for the reader at large. We've all run into situations (at times by our own hands) for which the cure was clearly worse than the problem that we were trying to address. We all need to be on guard against this particular issue, and it often is due to having incomplete understanding of the situation.

Blue

 

The first bytes of the encrypted files contain the string "GLAMOUR" followed by the encrypted data. The trojan then creates a read_me.txt file and drops it on all folders containing encrypted files.

More info here.

thanatos