Is nod32krn.exe really a worm?

Discussion in 'NOD32 version 2 Forum' started by miller tim, Aug 14, 2006.

Thread Status:
Not open for further replies.
  1. miller tim

    miller tim Registered Member

    Joined:
    Aug 14, 2006
    Posts:
    6
    I was just checking the running processes for anything unusual and came across several sites saying that nod32krn.exe is really a worm. Here's one http://www.castlecops.com/s7845-nod32krn_exe.html

    Other sites say that it is just a normal nod32 process. Which is it?
     
  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    What you have linked to is a reference for startup items.
    nod32krn.exe is the 'NOD32 Kernel Service' but it should not appear in your startup items since it is a system service set to start automatically.

    Cheers :)
     
  3. miller tim

    miller tim Registered Member

    Joined:
    Aug 14, 2006
    Posts:
    6
    So it should NOT be listed in task manager?
     
  4. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    If you find nod32krn.exe in the Windows\system32 folder it probably is a worm.
    If not, then I'm quite sure it's legit since it's part of NOD32 :)

    ^ Only the "real" nod32krn process should be in the task manager...
     
  5. miller tim

    miller tim Registered Member

    Joined:
    Aug 14, 2006
    Posts:
    6
    I just searched my computer and the only instance of the file is in C:\Program Files\ESET

    But it is listed in task manager as a running process.
     
  6. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    That's how it should be :)
     
  7. miller tim

    miller tim Registered Member

    Joined:
    Aug 14, 2006
    Posts:
    6
    Is it that way on your computer? LOL, I'm paranoid.
     
  8. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    It's been like that for over a year now hehe.
    nod32krn.exe and nod32kui.exe
     
  9. miller tim

    miller tim Registered Member

    Joined:
    Aug 14, 2006
    Posts:
    6
    OK. Whew!!! Thanks for clearing that up.
     
  10. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Exactly :)

    If you have any doubts whatsoever you can test your nod32krn.exe and nod32kui.exe at VirusTotal. Your results should look something like this and this.

    Cheers :)
     
  11. miller tim

    miller tim Registered Member

    Joined:
    Aug 14, 2006
    Posts:
    6
    I didn't scan it at VirusTotal but I did scan it at Jotti's. It came back clean. :)

    Thanks again.
     
  12. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    No worries :)
     
  13. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    It is a kind of social engineering in action. Rbot.AAO copies itself to the Windows system32 folder as nod32krn.exe and creates entries in the registry to run itself on system startup. Just in case, check HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    for the presence of the "Nod32 Free antivirus" key.
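
The checks suggested across this thread (file location, Run entry, path of the running process and service), gathered into one PowerShell script. This is an added example, not part of any post; the expected install folder is the one reported in the thread, and the variable names are illustrative.

```powershell
# Added example. File name, folders, Run key and entry name are the ones quoted
# in the thread; treating C:\Program Files\ESET as the only legitimate location
# is an assumption based on the posts above.
$fileName     = 'nod32krn.exe'
$expectedDir  = (Join-Path $env:ProgramFiles 'ESET') + '\'
$suspectPath  = Join-Path $env:SystemRoot "System32\$fileName"
$runKeyPath   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runEntryName = 'Nod32 Free antivirus'
$findings     = @()

# 1. A copy in System32 is where the thread says the Rbot.AAO copy is placed.
if (Test-Path -LiteralPath $suspectPath) {
    $hash = (Get-FileHash -LiteralPath $suspectPath -Algorithm SHA256).Hash
    $findings += "File in System32: $suspectPath (SHA256 $hash)"
}

# 2. Run key: flag the quoted entry name, or any entry that launches the file.
$runKey = Get-Item -LiteralPath $runKeyPath -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $value = [string]$runKey.GetValue($name)
        if ($name -eq $runEntryName -or $value -like "*$fileName*") {
            $findings += "Run entry: '$name' = $value"
        }
    }
}

# 3. Running processes with this image name must live under the ESET folder.
Get-CimInstance Win32_Process -Filter "Name = '$fileName'" | ForEach-Object {
    if (-not $_.ExecutablePath) {
        $findings += "PID $($_.ProcessId): path not readable, rerun elevated"
    } elseif (-not $_.ExecutablePath.StartsWith($expectedDir, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += "PID $($_.ProcessId) runs from $($_.ExecutablePath)"
    }
}

# 4. Any service whose binary is this file should also point into the ESET folder.
Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$fileName*" } |
    ForEach-Object {
        if ($_.PathName -notlike "*$expectedDir*") {
            $findings += "Service '$($_.Name)' points to $($_.PathName)"
        }
    }

if ($findings.Count -eq 0) {
    'None of the indicators described in the thread were found.'
} else {
    $findings
}
```

The SHA256 printed for a System32 copy can be used to look the file up on a multi-engine scanning service without guessing from the file name alone.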
     