NOD32 False positives here?

Discussion in 'NOD32 version 2 Forum' started by optigrab, Jul 10, 2004.

Thread Status:
Not open for further replies.
  1. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Right, you have a slightly different problem because your live version of netapi32 is flagged as a trojan and not just backups. I would have guessed that the file is in SP3 and you haven't installed SP4 then but you are running SP4 so I dunno.

    I'd leave it excluded from AMON. If it is still there, just marked for delete, make a copy of it now and put that in the same dir with a slightly different name. On next boot, rename it to the original if the other one is gone and reboot again. I don't know how to unflag a file for delete. Anyone?
     
  2. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I no longer have any detection of netapi32.dll since this update:

    NOD32 Antivirus System information
    Virus signature database version: 1.808 (20040711)
    Dated: Sunday, July 11, 2004
    Virus signature database build: 4668

    Information on other scanner support parts
    Advanced heuristics module version: 1.007 (20040309)
    Advanced heuristics module build: 1053
    Internet filter version: 1.001 (20031104)
    Internet filter build: 1012
    Archive support module version: 1.016 (20040702)
    Archive support module build version: 1091

    Information on installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.000.9
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.000.8
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.000.9

    Operating system information
    Platform: Windows 2000
    Version: 5.0.2195 Service Pack 4
    Version of common control components: 5.81.4916
    RAM: 512 MB
    Processor: x86 Family 6 Model 8 Stepping 6 (801 MHz)
     
  3. beng

    beng Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    38
    Location:
    Melbourne/Australia
    Confirmed. Crisis over!
    I was not looking forward to this morning!
    Update came through at 0351hrs +10 and ignores the netapi32.dll. Yay.

    Also, FWIW, SP4 replaced the netapi32.dll, but didn't replace it with a patched version as far as I am aware; the only way to patch it properly is to apply the patch, but watch out for the items documented in http://support.microsoft.com/default.aspx?scid=kb;en-us;835732
    At least my clients should now appreciate the after hours support we provide, 3 emails on a Sunday, with the last one on Sun Night at 0200hrs <grin>. I think I'll do a BOFH and wait until they call in a panic....... :D

    Cheers Ben.
     
  4. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi all here, :)

    We apologize for the false alarm when NOD32 version 1.807 detected Exploit.CAN.2003-0533 in netapi32.dll. We noticed that problem yesterday and this false positive has been fixed in version 1.808. So whoever still gets this false positive (FP), please update to 1.808 and this problem should be over.

    Thanks also for reporting the issue - we have seen it and fixed it. We didn't have much time to write here, but we have fixed it first.

    Thanks for all :cool:

    Cheers,


    jan
     
  5. beng

    beng Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    38
    Location:
    Melbourne/Australia
    G'day Jan,
    These things just make us realise that you guys are human. <grin> It's easy to forget when NOD has such a perfect record. I'd much rather a false + than a false -!

    Cheers Ben
     
    Last edited: Jul 12, 2004
  6. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Ditto that, Ben! My ineptitude in handling what I suspected was a false alarm was probably due to the fact that I almost never see them (thanks to NOD32)!
     
  7. digiglitter

    digiglitter Guest

    "trojan Exploit.CAN.2003-0533" help!

    trojan Exploit.CAN.2003-0533 found in operating memory. NOD32 cannot clean this infiltration. No action can be taken on a memory infiltration.

    NOD showed this message when I got to my computer Monday morning, and since then I googled the error msg, found out I needed a Windows security update #KB835732-x86, installed that, then the computer crashed. NOD32 starts but doesn't run all the way through. It will get about 25% of the way through and then crash. Also when I go to Task Manager, apparently my system is running at 100% all the time even though I have nothing open. Not good! Curiously the computer was running OK until I installed the Windows update. I can't run anything like a Trojan remover through the normal process; they stop responding halfway through. Arrrrg. I have read a couple of things about booting into safe mode & running apps but I'm not confident enough that I'd even be removing the right thing just yet without more specific instructions.

    Any help or tips would be greatly appreciated!

    E
     
  8. Talcum

    Talcum Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    3
    Location:
    In Your Mind
    Re: NOD32 False positives here? NOT FALSE!!!

    I just had this pop up on a client's system yesterday. It came up as memory resident so it was tricky to get rid of. I confirmed the NETAPI32.DLL file was indeed infected with Exploit.CAN.2003-0533 by copying the suspicious file onto floppy and scanning it with my test system running NOD32. The file was indeed infected, and the NETAPI32.DLL files on my test system were NOT.
    Both my test system and clients are running Win2K SP4.
    I found the resolution to be tricky since the virus became memory resident at boot BEFORE NOD32 could catch it. My best guess as to how the infection took place is that it was caused by a piece of Ad/Spy/Malware that was installed and was loading from a CLSID in the registry executing at boot.
    Once memory resident the NETAPI32.DLL files keep getting reinfected, and cannot be cleaned, only deleted.
    Now on to the reason you got it, and the resolution....

    This is all related to the LSASS exploit in Internet Explorer. If you already applied the KB835732 patch then the system was already infected this whole time and NOD32's latest update to databases discovered it. It's the same security patch for the SASSER worm vulnerability. If you applied KB835732, then the keylogger component of the virus was NOT sending the logs out. If you DIDN'T already install KB835732, your guess is as good as mine.
    So here's how to clean out your system. (Tested today on my clients' computers and all is OK with them).
    1:) First thing is to get the patch here: http://www.microsoft.com/downloads/...7E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
    Save it in the root directory so you can access it from an administrators login in 'safe mode'.
    2:) If you have already installed KB835732 ( it will be listed in Add/Remove programs) you need to UNINSTALL it. Disconnect the computer from the internet before uninstalling, or you may get SASSER in the interim.
    3:) After uninstalling, reboot the computer to 'safe mode'. While in 'safe mode', run the install of the KB835732 patch from your saved location. You will be prompted to reboot once the patch is installed. Do so.
    4:) Boot to a normal desktop. The new version of the files installed/reinstalled during the KB835732 are clean. Keep the system disconnected from internet until complete with the process.
    5:) Rescan your computer for viruses. The virus should still be in the C:\WINNT\$NtServicePackUninstall$ and C:\WINNT\$NtUninstallKB835732$
    folders. You can now either delete them (BE WARNED: You will NOT be able to properly uninstall Service Pack 4 OR the KB835732 update if you delete them), or copy a good copy of NETAPI32.DLL into each of the infected folders from an already patched system that does NOT have the virus when scanned with NOD32.
    6:) Plug back into the network and go back online. (NOTE: If you have multiple computers with this issue, disconnect them ALL from the network, and reconnect only after you have confirmed each one is clean.)

    Once Deleted/Replaced with good, any subsequent rescans should come up OK.
    The tricky part is coming up with a copy of NETAPI32.DLL that is valid for each folder C:\WINNT\$NtServicePackUninstall$ and C:\WINNT\$NtUninstallKB835732$. Both versions of NETAPI32.DLL are different sizes than the new one installed.

    Again, I have definitely confirmed this was NOT a false positive. The infection did exist, and is now removed. The computers I repaired this way are back on site and operating without error or recurrence of the virus alert when scanned with NOD32.

    Good Luck,

    PEACE
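The check Talcum describes above (carry the suspect file to a second machine and compare) can be made repeatable by fingerprinting each copy and comparing against fingerprints recorded from a peer that scans clean with the fixed signature set. The script below is an added example, not from this thread or from ESET; it uses the three paths named in the post, and every file body and reference fingerprint is a constructed stand-in rather than a real hash of netapi32.dll.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-ins for the three netapi32.dll copies named in the post.
# Real DLLs are hundreds of KB; these bodies only give distinct sizes and hashes.
SAMPLE_FILES: Dict[str, bytes] = {
    r"C:\WINNT\system32\netapi32.dll": b"build-after-KB835732 " * 40,
    r"C:\WINNT\$NtUninstallKB835732$\netapi32.dll": b"build-SP4 " * 40,
    r"C:\WINNT\$NtServicePackUninstall$\netapi32.dll": b"build-SP3 " * 40,
}

# Constructed "clean peer": a machine that scans clean on signature 1.808 and
# carries the SP4 build in its uninstall folder and the hotfix build live.
CLEAN_PEER: Dict[str, bytes] = {
    "SP4": b"build-SP4 " * 40,
    "post-KB835732": b"build-after-KB835732 " * 40,
}

UNINSTALL_DIRS = ("$NtUninstallKB835732$", "$NtServicePackUninstall$")


def fingerprint(data: bytes) -> Tuple[int, str]:
    """Size plus SHA-256. Size alone proves nothing: SP3, SP4 and the
    hotfix builds legitimately differ in size, as the post observes."""
    return len(data), hashlib.sha256(data).hexdigest()


KNOWN_GOOD: Dict[str, Tuple[int, str]] = {
    label: fingerprint(body) for label, body in CLEAN_PEER.items()
}


def triage(files: Dict[str, bytes],
           known_good: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """Classify each copy against known-good (size, sha256) pairs.

    A copy matching any known-good build is fine wherever it sits. A copy that
    matches nothing is only an unverified older build if it lives in an
    uninstall folder; an unmatched live copy is the one worth escalating.
    """
    by_fp = {fp: label for label, fp in known_good.items()}
    verdicts: Dict[str, str] = {}
    for path, data in files.items():
        fp = fingerprint(data)
        if fp in by_fp:
            verdicts[path] = f"matches known-good {by_fp[fp]} build"
        elif any(d in path for d in UNINSTALL_DIRS):
            verdicts[path] = "unverified backup build: get a reference from a clean peer"
        else:
            verdicts[path] = "live copy unmatched: treat as suspect, compare with a clean peer"
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_FILES, KNOWN_GOOD).items():
        print(f"{path}: {verdict}")
```

Recording the reference pairs from a peer that scans clean on 1.808 separates "this file is a different build" from "this file is modified", which is the distinction the thread's disagreement turns on.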
     
  9. Talcum

    Talcum Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    3
    Location:
    In Your Mind
    Jan, I just got the virus yesterday and confirmed the file WAS INFECTED. I listed my cleaning procedure in this thread. I'm sure the virus was infecting the file, because I scanned it with NOD32 version 1.807 and got the positive, then scanned my personal system with NOD32 version 1.807 and it was NOT infected.
    Maybe others are getting a false positive, but I'm sure the systems I worked on yesterday WERE infected with Exploit.CAN.2003-0533 at netapi32.dll.

    PEACE
     
  10. Talcum

    Talcum Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    3
    Location:
    In Your Mind
    Re: "trojan Exploit.CAN.2003-0533" help!

    The virus is already discussed at the post location below, and there are TWO resolutions.
    The first is that you may have a false positive. Update to latest NOD32 databases and rescan. If the virus is NOT there, then you had a false positive.
    BUT, if you still have the virus after the updated scan, I have listed a step by step resolution to this issue on the thread listed below. My post is very long and detailed in the resolution.

    Good Luck.

    PEACE


    https://www.wilderssecurity.com/showthread.php?t=40633&page=2
     
  11. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Re: "trojan Exploit.CAN.2003-0533" help!

    as also discussed here:
    https://www.wilderssecurity.com/showthread.php?t=40678

    as well.

    ESET has confirmed it is a false positive. The latest update does not detect uninfected netapi32.dll as infected.

    One member is still convinced that he was indeed infected, but that is as yet unconfirmed. We'll see how that plays out.
     
  12. digiglitter

    digiglitter Guest

    Will give that process a burl talcum - here goes nuthin'!

    E
     