NOD32 & a new USB trojan

Discussion in 'ESET NOD32 Antivirus' started by datadata, Nov 15, 2011.

Thread Status:
Not open for further replies.
  1. datadata

    datadata Registered Member

    Oct 14, 2007
    Hi all

    I used a USB that a month ago was used by a shop; I had been keeping it on a shelf for all that time. Yesterday, once I opened it, I found the folder that had my pictures (no problem here) and 3 files with the exe extension, and they have a folder icon to fool people who have extensions hidden, as it seems to me. I saw a warning message, but I noticed it was from my firewall Comodo (not my antivirus) saying it is a bad file; it is the first time I saw Comodo react in this manner, it's always the same firewall box of allow and don't allow (you know...).

    I have windows 7 (up to date) , Comodo 5.8.213334.2131, RUbotted beta,
    nod32 antivirus

    NOD32 info in details:
    Virus signature database: 6629 (20111114)
    Update module: 1037 (20110921)
    Antivirus and antispyware scanner module: 1329 (20111031)
    Advanced heuristics module: 1118 (20110419)
    Archive support module: 1136 (20110818)
    Cleaner module: 1051 (20110420)
    Anti-Stealth support module: 1026 (20110628)
    ESET SysInspector module: 1220 (20110517)
    Self-defense support module: 1018 (20100812)
    Real-time file system protection module: 1006 (20110921)

    (this data is as of now, not yesterday)

    I have two questions...

    I deleted those files, as I think Comodo said it couldn't do that, but I saw other files: backup.exe & update.exe on drive D (I have C, D, and portable F (connected)); at this point I panicked.

    (1) How did these files get copied to drive D while I have all Windows autoruns disabled? And I didn't execute the USB files o_O?

    (2) And the basic question: why didn't NOD32 catch them since they are old? The USB has been offline for a month, so these files are at least 1 month old. I also used and almost all results said it is a Trojan, and NOD32 had "-" as result (meaning nothing found); also Panda had no results, but every other antivirus listed it as a Trojan.

    The name of the Trojan as per kaspersky is:

    HEUR.Trojan.Win32.Generic, I think, and I couldn't find any other traces.

    Please help on these two issues o_O

    Extra question: I scanned using Kaspersky's removal tool too, all settings on high, and using Symantec online, SUPERAntiSpyware, and sting; do I need to do something else?
  2. Cudni

    Cudni Global Moderator

    May 24, 2009
    It could be malware but equally a false positive. With the files gone we'll never know.
  3. datadata

    datadata Registered Member

    Oct 14, 2007
    Thanks for the input, Cudni.

    One file has already been submitted to ESET, although I doubt that this is what ESET was missing to decide it was malware; it is possible but unlikely. I tend to believe that they have decided that it is a false positive.

    I respect companies that only trust their own judgment, but you have to be extremely sure when all other companies say otherwise.

    Whether ESET tags it as malware or not won't change my mind in this particular case: a couple of stealth files on a USB drive with an .exe extension and an icon resembling a folder, copying themselves to my other drives without invitation. With all due respect, and I am sure I know nothing compared to you, I don't need someone to tell me whether these are malware or not; I will delete them whatever they are.

    I always taught my friends to look for files with such characteristics when opening a USB drive, to always show hidden and protected files and their extensions, and to disable autorun for CDs and USBs. They have always been victims of viruses from USB drives, and I think this is the first time something slipped onto my PC that way, but I was more puzzled by not seeing an ini file and by how it got around the disabled autorun.

    You could at least have answered how a possibly non-malware file was able to copy itself to my PC from a USB drive, bypassing autorun and without being executed by me :p. I would be thankful!
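The decoy pattern described in the first post (executables carrying a folder's name so they pass as folders once extensions are hidden, hidden/system attributes, an autorun.inf at the drive root) is the kind of thing the advice in the last post, to show hidden files and extensions before trusting a USB drive, is meant to catch. The script below is an added example, not code from this thread, from ESET or from Comodo: it audits a drive root with exactly those heuristics. The function names (`audit_drive_root`, `build_sample_drive`, `audit_sample`) and the sample file layout are constructed for the example; when run without a path it builds that layout in a temporary directory and audits it, so it works offline on any platform.

```python
"""Audit a removable drive's root for the USB decoy pattern discussed above:
executables named after a sibling folder, double extensions, hidden/system
attributes on executables, and an autorun.inf at the root.
Added example; the sample layout below is constructed, not from a real drive."""
import sys
import tempfile
from pathlib import Path

# Extensions Windows will execute on double-click (heuristic list, not exhaustive).
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}

# Windows attribute bits (values match stat.FILE_ATTRIBUTE_HIDDEN / _SYSTEM);
# os.stat only exposes st_file_attributes on Windows, so elsewhere we see 0.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# Constructed sample drive: a Photos folder, a decoy Photos.exe beside it,
# a double-extension file, a plain executable, a text file and an autorun.inf.
SAMPLE_LAYOUT = {
    "Photos/": None,
    "Photos.exe": b"MZ decoy",
    "report.pdf.exe": b"MZ decoy",
    "backup.exe": b"MZ plain",
    "notes.txt": b"plain text",
    "autorun.inf": b"[autorun]\r\n",
}


def windows_attrs(path):
    """Return the Windows attribute bits for path, or 0 on other platforms."""
    return getattr(path.stat(), "st_file_attributes", 0)


def audit_drive_root(root):
    """Return a list of (file name, reason) findings for the drive root."""
    root = Path(root)
    findings = []
    entries = sorted(root.iterdir())  # sorted so results are deterministic
    dir_names = {e.name.lower() for e in entries if e.is_dir()}
    for entry in entries:
        if entry.name.lower() == "autorun.inf":
            findings.append((entry.name, "autorun.inf present at drive root"))
            continue
        if not entry.is_file():
            continue
        suffixes = [s.lower() for s in entry.suffixes]
        if not suffixes or suffixes[-1] not in EXEC_SUFFIXES:
            continue
        # Folder decoy: "Photos.exe" next to a "Photos" directory looks like a
        # second folder when extensions are hidden.
        if entry.stem.lower() in dir_names:
            findings.append((entry.name, f"executable named after folder '{entry.stem}'"))
        # Double extension: "report.pdf.exe" shows as "report.pdf" with extensions hidden.
        if len(suffixes) >= 2:
            findings.append((entry.name, "double extension hides executable type"))
        # Hidden/system executables are invisible with default Explorer settings.
        if windows_attrs(entry) & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM):
            findings.append((entry.name, "hidden/system attribute on executable"))
    return findings


def build_sample_drive(dest):
    """Create the constructed SAMPLE_LAYOUT under dest and return its path."""
    dest = Path(dest)
    for name, data in SAMPLE_LAYOUT.items():
        target = dest / name.rstrip("/")
        if name.endswith("/"):
            target.mkdir(parents=True, exist_ok=True)
        else:
            target.write_bytes(data)
    return dest


def audit_sample():
    """Build the sample layout in a temp dir and audit it (used when no path is given)."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_drive_root(build_sample_drive(tmp))


def main(argv):
    findings = audit_drive_root(argv[1]) if len(argv) > 1 else audit_sample()
    for name, reason in findings:
        print(f"{name}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a Windows machine the script can be pointed at a mounted stick (for example `python audit_usb.py E:\`), where the hidden/system check becomes meaningful; it exits non-zero when anything is flagged so it can sit in a script that runs before the drive is opened. On the constructed layout it flags `Photos.exe`, `report.pdf.exe` and `autorun.inf` but not `backup.exe`: a plainly named executable with no decoy traits gives these heuristics nothing to go on, which is why the thread's remaining steps, a signature scan and submitting the sample to the vendor, still matter.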