V U L N E R A B I L I T Y

Hi all, especially NOD32 developers !

Yesterday I downloaded a .rar archive with several files in it, I scanned it with NOD32 (default settings) - 0 viruses, no alerts, then I unpacked the archive into a folder and scanned the folder and then scanned all files in it - 0 viruses or threats.

I double clicked on the file cube-desktop-1.3.2-.v.1.0.exe and the effect of launching the file was unnoticeable BUT that in few seconds I got the standard red Windows XP security center allert in tray "You have got security problem". I clicked on the Security Center tray allert, and Internet Explorer started to an unknown URL address which got blocked with the ESET security message inside the browser.

I closed the browser, but the same Security Center alert appeared again, I did not click it, and in some 20 seconds the browser started again to an unknown URL address which got blocked with the ESET security message inside the browser.

The REAL-TIME monitor was always on.

I rebooted the system - the problem stayed. It took me an hour to fully scan the system, but my NOD32 did not detect any threats ! And the problem stayed !


I ran msconfig, and unchecked the malicious processes:
http://i371.photobucket.com/albums/oo156/allthemiscellaneousstuff/sshot-3d.jpg


4C2, which starts and automatically launches C.exe

Now all looks fine, the problem's gone, but I've failed to find and delete the two malicious files with NOD32 or windows search !

I own 1 year NOD32 license and I do the NOD32 automatic updates every day.

I like NOD32 and hope proper update will be released as soon as possible - I still have to get rid of the infected files.

Yes, not less interesting is that this morning the suspicious files got submitted to the ESET server, but my NOD 32 AV 3.0.6 does not even see them dangerous ! How come ?
http://i371.photobucket.com/albums/oo156/allthemiscellaneousstuff/sshot-2.jpg


Ok, I am linking to the infected file below, for the ESET devs ONLY !!!!
Attention ! The link below is a VIRUS, for analysis only !

INFECTED FILE here. Link removed, TOS violation.

Edit:

Thank you for clarifying, Marcos! I wonder why the does not work here? When posting, I did have the img code on.

 

The rogue AV programs as well as their downloaders are difficult to detect for any antivirus programs due to their ability to quickly react on detection by AV programs. We will add detection for it, but be aware when running unknown programs, especially cracks which seems to be your case.

 

The Vundu/Smitfraud (ZLob) trojans are being aggressively released and updated by the malware writers. They are releasing several new variants a day to stay ahead of the antivirus vendors.

For distributing these trojans, not only are they targeting typical methods such as infecting website, media codecs, e-mail, etc. But other sources have been very common. Those "free screensavers", also "skins" for your operating system (such as you found ). Also...when you torrent or use other P2P sources for "software"....the malware distributers have been using these methods to distribute their malware very heavily. That cracked software package, or operating system, or music file, or movie..that you download....well..it has a special surprise injected into it. The past several months...I've noticed a rise in machines infected by playing a song that they downloaded from some P2P/torrent source....that songfile has a nice little WMP exploit bundled with it.

 

Well, you are right, but I think now, ESET (and other AV tenders) have to study and enhance their antivirus with a new kind of heuristic to detect such threats/rogues. EAV consumers are becoming more and more vulnerable to what is becoming most current infection !

Regards

 

Thanks all who have and who will reply, your info is important to me !

I must not launch any unknown files and I must be careful with the downloads. Having even such powerful security software as NOD32 does not warrant forgetting to stay alert before threats, - I understand.

Now my system looks clean, but I did not find the file 4C2 (or whatever its real name is). From what I see in msconfig/startup, this 4C2 is somewhere in Documents and settings, and "somewhere" is the key word, there's a good gigabyte of space with a few hidden folders and subfolders.

So, if I can't spot anything suspicious, should I just quit the idea of finding the infected file ?

Sharing experience, ideas, info is welcomed !

 

Hi,

You might want to try running something that detects rootkits.

Rootkits make it possible for you not to find files, because there are 2 ways in which the filesystem files are rendered.

Not sure (don't recall) what nod32's support for detecting rootkits is.

There are some well-established rootkit detectors out there...don't just go downloading any old one. Do your research.

 

Ok, my antivirus definitions signature is 3444. I've scanned the C:\Documents and settings folder again, this time it took me 6 minutes to sccesfully detect and clean 4 infected objects. I felt much better now, for even an idea itself of having a passive virus on my HDD had been constantly keeping me worried.

http://i371.photobucket.com/albums/oo156/allthemiscellaneousstuff/sshot-2-4.jpg

``````````

However, if I open my msconfig and check certain startup objects (e.g. video206.cfg.exe, 4C2, etc.), just to check, the problem pops up again on system reboot. Until I uncheck the infected files again !

http://i371.photobucket.com/albums/oo156/allthemiscellaneousstuff/sshot-4-2.jpg

``````

http://i371.photobucket.com/albums/oo156/allthemiscellaneousstuff/sshot-3-6.jpg

If I scan my entire disk C, I get 1 or more infected objects, NOD detects and cleans or erases them, they are located in temp folders and they are created every time a molicious file from C:/Doc & settings is started (I control the startup behavior through msconfig, manually).

```````


There is a couple of good wikipedia articles cncerning rogue infections, for beginners like me, this one and this one .

To add support for real-time detection of rogue infections is will be perfect, hopefully soon Eset will release AV module update. At least as an optional feature, something like "Enhanced threat detection". Even when I am the only user of a notebook I'll buy, it will be still dangerous to browse the web.


``````````

By the way, there's a Russian Language translation error (to see it click on the picture below):

http://i371.photobucket.com/albums/oo156/allthemiscellaneousstuff/sshot-2-4.jpg

the message appears "Сканирование завершено за 6 минут а 27 секунд."

and it should be spelled as "Сканирование завершено за 6 минут и 27 секунд." Wrong conjunction !

On the new threat, I realize it is non-the-less my problem the computer I use has got infected, but I simply look forwad to AV NOD32 becoming better, be it signatures or an AV module.

I gave a link to the likely infected file in this post above, and I beleive I have 1 more infected exe, which is not detected by NOD and which I've found on my PC and then archived it in case ESET would like it. Again, the virus works this way: it is an .exe file, maybe an installer, it writes itself to reg and copies to a location inside c: Docs & Set-ngs, on startup the malicious file starts and creates another file in a TEMP folder, which causes the security center pop-up "You got 1 security problem" - clicking on the pop-up leads to a malicious site.

 

Would you please share in your experience some good ones that are having high success rate in detecting current-generation rootkits? I am a little out of date with these, when I was last around, it was RootkitRevealer.

 

You don't ask that, maybe you'll like www.comodo.com.

 

Edit:

although there many people including myself who prefer NOD32.

 

Success !

I have upgraded virus definitions to 3450 and scanned the whole system, it detected 5 infected files, all of them were located in C:\Doc & Set\Local Settings.

Scanned:

http://i371.photobucket.com/albums/oo156/allthemiscellaneousstuff/sshot-5-1.jpg
(please note the small grammar mistake again, for russian versions to come - "Сканирование завершено за x минут а (should be и !) x секунд")

Modified trojan:

http://i371.photobucket.com/albums/oo156/allthemiscellaneousstuff/sshot-6-2.jpg

Modified trojan:

http://i371.photobucket.com/albums/oo156/allthemiscellaneousstuff/sshot-7-2.jpg

Modified trojan:

http://i371.photobucket.com/albums/oo156/allthemiscellaneousstuff/sshot-8.jpg

All looks good now. The unchecked malicious files are still shown up in msconfig (reg entries), but who cares as long as the infected files are gone !

I did not keep the original virus, but hope NOD does detect it.

I'll be scanning my system regularly.

I feel much better now, thanks.