Is nod32krn.exe really a worm?

Discussion in 'NOD32 version 2 Forum' started by miller tim, Aug 14, 2006.

Thread Status:
Not open for further replies.
  1. miller tim
    miller tim Registered Member

    I was just checking the running processes for anything unusual and came across several sites saying that nod32krn.exe is really a worm. Here's one http://www.castlecops.com/s7845-nod32krn_exe.html

    Other sites say that it is just a normal nod32 process. Which is it?
  2. NOD32 user
    NOD32 user Registered Member

    What you have linked to is a reference for startup items.
    nod32krn.exe is the 'NOD32 Kernel Service' but it should not appear in your startup items since it is a system service set to start automatically.

    Cheers :)
  3. miller tim
    miller tim Registered Member

    So it should NOT be listed in task manager?
  4. Brian N
    Brian N Registered Member

    If you find nod32krn.exe in the Windows\system32 folder it probably is a worm.
    If not, then I'm quite sure it's legit since it's part of NOD32 :)

    ^ Only the "real" nod32krn process should be in the task manager...
  5. miller tim
    miller tim Registered Member

    I just searched my computer and the only instance of the file is in C:\Program Files\ESET

    But it is listed in task manager as a running process.
  6. Brian N
    Brian N Registered Member

    That's how it should be :)
  7. miller tim
    miller tim Registered Member

    Is it that way on your computer? LOL, I'm paranoid.
  8. Brian N
    Brian N Registered Member

    It's been like that for over a year now hehe.
    nod32krn.exe and nod32kui.exe
  9. miller tim
    miller tim Registered Member

    OK. Whew!!! Thanks for clearing that up.
  10. NOD32 user
    NOD32 user Registered Member

    Exactly :)

    If you have any doubts whatsoever you can test your nod32krn.exe and nod32kui.exe at VirusTotal. Your results should look something like this and this.

    Cheers :)
  11. miller tim
    miller tim Registered Member

    I didn't scan it at VirusTotal but I did scan it at Jotti's. It came back clean. :)

    Thanks again.
  12. NOD32 user
    NOD32 user Registered Member

    No worries :)
  13. mrtwolman
    mrtwolman Eset Staff Account

    It is a kind of social engineering in action. Rbot.AAO copies itself to the Windows system32 folder as nod32krn.exe and creates entries in the registry to run itself on system startup. Just in case, check HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ for the presence of a "Nod32 Free antivirus" key.
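
The checks suggested across this thread (image path of the running process, a copy in system32, the Run entry, and the service registration), gathered into one read-only PowerShell script. This is an added example, not code from any poster or from ESET; the variable names and the `New-Finding` helper are illustrative, and the Windows directory is taken from `%WINDIR%`.

```powershell
# Added example: read-only triage for a look-alike nod32krn.exe.
$name     = 'nod32krn.exe'
$system32 = Join-Path $env:WINDIR 'System32'
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'Nod32 Free antivirus'   # Run entry named in the thread

function New-Finding($Check, $Item, $Result) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Result = $Result }
}

$findings = @(
    # 1. Running copies: judge by image path, not by process name.
    Get-CimInstance Win32_Process -Filter "Name = '$name'" | ForEach-Object {
        $p = $_.ExecutablePath
        $r = 'outside System32'
        if (-not $p) { $r = 'path unavailable, re-run elevated' }
        elseif ($p -like "$system32\*") { $r = 'SUSPICIOUS: image is in System32' }
        New-Finding 'Process' "PID $($_.ProcessId) $p" $r
    }

    # 2. A copy sitting in System32, whether or not it is running.
    $f = Join-Path $system32 $name
    if (Test-Path -LiteralPath $f) {
        New-Finding 'File' $f 'SUSPICIOUS: copy present in System32'
    }

    # 3. Run key: the named entry, or any entry that launches nod32krn.exe
    #    (the thread notes the real one starts as a service, not from startup items).
    $key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($v in $key.GetValueNames()) {
            $data = [string]$key.GetValue($v)
            if ($v -eq $runValue -or $data -like "*$name*") {
                New-Finding 'Run key' "$v = $data" 'SUSPICIOUS: startup entry'
            }
        }
    }

    # 4. Service registration: shown for comparison with the paths above.
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$name*" } |
        ForEach-Object {
            $r = 'registered service'
            if ($_.PathName -like "*$system32\*") { $r = 'SUSPICIOUS: service image in System32' }
            New-Finding 'Service' "$($_.Name) [$($_.StartMode)] $($_.PathName)" $r
        }
)

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { "No $name process, file, Run entry or service found." }
```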