found something that NOD and others cannot kill

Hi guys

not sure about the right palce and topic but i'd like to help

i got a computer for repair yesterday with a virus called Trojan-Clicker.Win32.Small.kj

First i tried to clean with latest NOD but no luck... it said i must restart to remove the C:\WINDOWS\SYST32.DLL ...etc but after a reboot the file was there.

I've tried Kaspersky and F-Secure too but same thing happened... so i decided to clean it manually. I've found some help on net about this virus but it described a whole different thing so i think this is an another (or a new) variant.

finally i cleaned it using a virtual computer to check registry changes / running processes after infection and a second operating system to clean the hard drive.

I have the required file to do the infection and i'd like to send it to NOD32 tech guys to check ... I prefer an upload to an FTP server or sending directly over ICQ/MSN....but not in e-mail. Let me know.

Regards

 

the submission means is either via threatsense - you can add any file to threatsense submission by adding the file to quarantine manually, then submitting it - or email to samples [AT] eset.com.

to my knowledge, those are you only methods of submission.

 

Whats the problem with email?
Put the Virus in a password protected rar/zip file, so there will be no problem for anybody.

 

Yeah probably this will the solution if nothing else works...

 

NOD32 let me down terrably last night. A message popped up saying Win32/TrojanDownloader.Busky.AM had been detected in "system32\win32.exe". However when I checked Task Manager as a precaution, ISHOST.exe and ISMINI.exe had bypassed NOD and opened. I tried closing the process, but nothing happened. I did a full scan, and tried manually scanning the files, but NOD didn't detect anything!

Busky.AM is known as Spyware apparently and can be detected by Lavasoft's Ad-aware.

The end result to resolve the problem was to reinstall Windows from fresh as the virus had multiplied and mutated that much that nothing would work, and NOD32 was acting as though everything was normal!!!

 

perhaps NOD had no proper definition for it. Did you send them the sample?

 

No, I pulled the plug on my network to prevent it from spreading throughout the network.

 

you could have isolate it in a password-protected archive and send it for further analyse.

 

Or submit it via www.virustotal.com

 

This dll might have had a Run registry key making it start every time you boot . ESET has an excellent tool called UnDll - the DLL removal tool which you can use . You can aslo send the particular file to ESET labs ot tech support , scan in Safe Mode and many many other options

support@eset.com or samples@eset.com

 

Hi

Actually it was an EXE file hidden from the file system.... (even with enabled "show hidden files" i was not able to see it, only in process explorer as a child for explorer.exe) so the virus was able to hide itself after starting op system... i'm not sure about the DLL and the NOD32 alarm... it was not the virus actually so i think it was a dummy file to make a false alarm or something.

I've removed the file using WinPE, then infected a virtual computer with this EXE file so i was able to trace the registry changes.

NOD32 was not able to detect any infections in the EXE file.. i've just submitted it in a ZIP file.

Regars
Mice

 

Did you actually submit it to samples @ eset.com?