Is nod32krn.exe really a worm?

miller tim · #1 August 14th, 2006, 11:34 PM

I was just checking the running processes for anything unusual and came across several sites saying that nod32krn.exe is really a worm. Here's one http://www.castlecops.com/s7845-nod32krn_exe.html

Other sites say that it is just a normal nod32 process. Which is it?

NOD32 user · #2 August 14th, 2006, 11:42 PM

Th

Quote:

Originally Posted by miller tim

I was just checking the running processes for anything unusual and came across several sites saying that nod32krn.exe is really a worm. Here's one http://www.castlecops.com/s7845-nod32krn_exe.html

Other sites say that it is just a normal nod32 process. Which is it?

What you have linked to is a reference for startup items.

Quote:

Originally Posted by CastleCops StartupList Deep Dive

!! THIS IS A STARTUP PROGRAM AND NOT A TASK MANAGER PROCESS ITEM !!

nod32krn.exe is the 'NOD32 Kernel Service' but it should not appear in your startup items since it is a system service set to start automatically.

Cheers

miller tim · #3 August 14th, 2006, 11:44 PM

So it should NOT be listed in task manager?

Brian N · #4 August 14th, 2006, 11:44 PM

If you find nod32krn.exe in the Windows\system32 folder it probably is a worm.
If not, then I'm quite sure it's legit since it's part of NOD32

Quote:

Originally Posted by miller tim

So it should NOT be listed in task manager?

^ Only the "real" nod32krn process should be in the task manager...

miller tim · #5 August 14th, 2006, 11:47 PM

I just searched my computer and the only instance of the file is in C:\Program Files\ESET

But it is listed in task manager as a running process.

Brian N · #6 August 14th, 2006, 11:48 PM

Quote:

Originally Posted by miller tim

I just searched my computer and the only instance of the file is in C:\Program Files\ESET

But it is listed in task manager as a running process.

That's how it should be

miller tim · #7 August 14th, 2006, 11:50 PM

Is it that way on your computer? LOL, I'm paranoid.

Brian N · #8 August 14th, 2006, 11:51 PM

It's been like that for over a year now hehe.
nod32krn.exe and nod32kui.exe

miller tim · #9 August 14th, 2006, 11:53 PM

OK. Whew!!! Thanks for clearing that up.

NOD32 user · #10 August 14th, 2006, 11:53 PM

Quote:

Originally Posted by Brian N

That's how it should be

Exactly

If you have any doubts whatsoever you can test your nod32krn.exe and nod32kui.exe at VirusTotal. Your results should look something like this and this.

Cheers

miller tim · #11 August 14th, 2006, 11:56 PM

I didn't scan it at VirusTotal but I did scan it at Jotti's. It came back clean.

Thanks again.

NOD32 user · #12 August 14th, 2006, 11:59 PM

Quote:

Originally Posted by miller tim

I didn't scan it at VirusTotal but I did scan it at Jotti's. It came back clean.

Thanks again.

No worries

mrtwolman · #13 August 15th, 2006, 05:55 AM

It is a kind of social engeneering in action. Rbot.AAO copies itself to the Windows system32 folder as nod32krn.exe and creates entries in the registry to run itself on system startup. Just for case, check HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
for presence of "Nod32 Free antivirus" key.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search