False Positive? BAT/DelTree trojan

Discussion in 'NOD32 version 2 Forum' started by smith2006, Nov 16, 2006.

Thread Status:
Not open for further replies.
  1. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    760
    I am currently using NOD32 V2.7.12 RC with Blackspear's extra settings.

    I came across this alert which was likely to be a false positive (it is definitely not a rogue site) & it didn't appear all the time when accessing this web page (I tried about 6 or 7 times & got about 4 alerts).

    Any comment?

    * changed "http" to "hxxp"
     
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    samples(at)eset.com
     
  3. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    smith, I've tried this webpage both with Firefox and IE and I got no warning from NOD32. o_O Do you have the latest definitions version: 1868 (20061115) ?
     
  4. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    760
    Thanks for the reply.

    Yes, I have the latest version of signatures.

    In fact someone else was also having this problem.

    The first time I accessed the web page, everything was fine. However I was not that lucky in my subsequent attempts.

    Maybe you want to try a few more times. :D
     
  5. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    760
    Thank you for that.

    I will try writing to Eset.

    Note: There is nothing in the Quarantine, only entries in the event log
     
    Last edited: Nov 16, 2006
  6. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I don't get anything like that here...

    If you look in the NOD32 Quarantine (and you're confident you are able to do so safely) you should be able to see an entry for hxxp://forums.hardwarezone.com/showthread.php?t=1457112 that you can restore to an alternate location using 'restore to' from the right click menu.

    edit: just read your post - you may wish to check your IMON settings against these

    If you are happy to then let me know and I'll PM you an email address and take a look at it.

    Cheers :)
     
  7. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    760
    There is no entry in the Quarantine as I am using Blackspear's extra settings (the option "When a threat from the Internet is detected, Automatically deny download of file" was checked).

    This problem was posted by someone & I happily replied "no problem" to him after first time checking. Unfortunately I wasn't that lucky after the next few attempts. :(

    See here:
    http://forums.hardwarezone.com/showthread.php?t=1457218
     
  8. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Right you are - I don't get anything in quarantine either unless I select display warning and choose quarantine when prompted but I still get no alert on that page...

    Cheers :)
     
  9. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    760
    Thanks for your help & I appreciate it. :)
     
  10. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    You're welcome :)

    Just because I don't get an alert does not make it a FP, since it could be in a linked object that is regionalised, for example a contextual ad or banner or similar that does not get inserted into the page because of my region but gets triggered in yours... That's why I was hoping you would be able to forward it from your quarantine.

    Cheers :)
     
  11. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    760
    The strange thing is now I am no longer getting this alert (I tried 7 or 8 times just now). o_O

    Before I started my thread, I still had it frequently.
     
  12. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    smith, I suggest you also scan your PC with NOD32 to see if it's clean or not.
     
  13. CyberMew

    CyberMew Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    128
    http://img296.imageshack.us/img296/2674/stillhavezd6.jpg

    All max settings (with Blackspear's settings) and computer is clean (unless NOD32 missed something), I know what I am doing so please do not say it's on my end.

    It will not detect it when you turn off IMON (unticked) OR set IE to compatibility mode.
     
  14. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    760
    Just an update, I have managed to quarantine the files (after disabling IMON) & sent them to Eset. :D

    Time Module Event User
    11/16/2006 22:04:00 PM Kernel The file 'C:\Program Files\ESET\infected\V5QAXZBA.NQF' has been sent to Eset's labs for analysis.

    11/16/2006 22:03:32 PM Kernel The file 'C:\Program Files\ESET\infected\V5QAXZBA.NQI' has been sent to Eset's labs for analysis.
     
  15. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    760
    Thanks for the suggestion. :)
     
  16. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    760
    It can still be detected with IMON disabled, see my earlier post.

    It is likely to be a false positive.

    Let's wait for a reply from Eset.
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    My IMON doesn't give a peep on that website. How did you manage to make IMON detect it?
     
  18. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    760
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The question is whether they all are using the most current version 1689.
     
  20. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,741
    Location:
    New York City
    I'm running Version 2.70.12RC with sig 1869 (20061116). I clicked the link ie7 vs ie6 many times without any problems. I'm using Blackspear's full settings.
    I'm also using BoClean as a backup. No alarm was given.
     
  21. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    760
    Marcos,

    I was running version of signatures: 1868 (the latest then, I have version of signatures: 1869 now) when this problem occurred (I know at least another user got this problem with the latest signatures then).

    By the way, has Eset received & analyzed the files V5QAXZBA.NQF & V5QAXZBA.NQI? Anything abnormal?

    Cheers
    Smith
     
  22. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    760
  23. lamaslany

    lamaslany Registered Member

    Joined:
    Feb 24, 2006
    Posts:
    5
    It could be that the page contains a rotating ad and it is actually the ad that is infected. This would account for the sporadic occurrences...
     