found something that NOD and others cannot kill

Discussion in 'NOD32 version 2 Forum' started by Mice007, Sep 18, 2006.

Thread Status:
Not open for further replies.
  1. Mice007

    Mice007 Registered Member

    Joined:
    Sep 18, 2006
    Posts:
    8
    Hi guys

    Not sure about the right place and topic, but I'd like to help.

    I got a computer for repair yesterday with a virus called Trojan-Clicker.Win32.Small.kj.

    First I tried to clean it with the latest NOD, but no luck... it said I must restart to remove C:\WINDOWS\SYST32.DLL etc., but after a reboot the file was there.

    I've tried Kaspersky and F-Secure too, but the same thing happened... so I decided to clean it manually. I found some help on the net about this virus, but it described a whole different thing, so I think this is another (or a new) variant.

    Finally I cleaned it using a virtual computer to check registry changes / running processes after infection, and a second operating system to clean the hard drive.

    I have the file required to do the infection and I'd like to send it to the NOD32 tech guys to check... I prefer an upload to an FTP server or sending directly over ICQ/MSN... but not by e-mail. Let me know.

    Regards
     
  2. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    The submission means is either via ThreatSense - you can add any file to the ThreatSense submission by adding the file to quarantine manually, then submitting it - or e-mail to samples [AT] eset.com.

    To my knowledge, those are your only methods of submission.
     
  3. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    What's the problem with e-mail?
    Put the virus in a password-protected rar/zip file, so there will be no problem for anybody.
     
  4. Mice007

    Mice007 Registered Member

    Joined:
    Sep 18, 2006
    Posts:
    8
    Yeah, probably this will be the solution if nothing else works... :)
     
  5. EvilDave UK

    EvilDave UK Registered Member

    Joined:
    Dec 20, 2005
    Posts:
    275
    Location:
    United Kingdom
    NOD32 let me down terribly last night. A message popped up saying Win32/TrojanDownloader.Busky.AM had been detected in "system32\win32.exe". However, when I checked Task Manager as a precaution, ISHOST.exe and ISMINI.exe had bypassed NOD and opened. I tried closing the process, but nothing happened. I did a full scan and tried manually scanning the files, but NOD didn't detect anything!

    Busky.AM is known as spyware apparently and can be detected by Lavasoft's Ad-Aware.

    The end result to resolve the problem was to reinstall Windows from fresh, as the virus had multiplied and mutated so much that nothing would work, and NOD32 was acting as though everything was normal!!!
     
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Perhaps NOD had no proper definition for it. Did you send them the sample?
     
  7. EvilDave UK

    EvilDave UK Registered Member

    Joined:
    Dec 20, 2005
    Posts:
    275
    Location:
    United Kingdom
    No, I pulled the plug on my network to prevent it from spreading throughout the network.
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    You could have isolated it in a password-protected archive and sent it for further analysis.
     
  9. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
  10. ASpace

    ASpace Guest


    This DLL might have had a Run registry key making it start every time you boot. ESET has an excellent tool called UnDll - the DLL removal tool - which you can use. You can also send the particular file to ESET labs or tech support, scan in Safe Mode, and many, many other options.

    support@eset.com or samples@eset.com
    :thumb:
     
  11. Mice007

    Mice007 Registered Member

    Joined:
    Sep 18, 2006
    Posts:
    8
    Hi

    Actually it was an EXE file hidden from the file system... (even with "show hidden files" enabled I was not able to see it, only in Process Explorer as a child of explorer.exe), so the virus was able to hide itself after starting the operating system... I'm not sure about the DLL and the NOD32 alarm... it was not the virus actually, so I think it was a dummy file to make a false alarm or something.

    I removed the file using WinPE, then infected a virtual computer with this EXE file so I was able to trace the registry changes.

    NOD32 was not able to detect any infection in the EXE file... I've just submitted it in a ZIP file.

    Regards
    Mice
     
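The procedure Mice007 describes above (snapshot the registry in a throwaway VM, run the sample, snapshot again, look at what changed) and ASpace's point that a Run key is the usual way such a file gets restarted at boot are easier to apply with a small script than by eye. The following is an added example, not code from the thread or from ESET: it parses two `reg export` files taken before and after running the sample and flags the changes that land under the common autostart locations (Run/RunOnce, Winlogon Shell/Userinit, AppInit_DLLs, services, BHOs). The before/after content, the value name `sample_loader` and every path in it are constructed for the demo and are not taken from the infected machine in the thread.

```python
"""Diff two Windows .reg exports and flag autostart changes (added example).

Assumed workflow (not from the thread): in a clean VM run e.g.
    reg export HKLM before_hklm.reg   and   reg export HKCU before_hkcu.reg
then execute the sample, export again, and feed both files to triage().
The BEFORE/AFTER texts below are constructed sample data for the demo.
"""
import re
import sys
from typing import Dict, List, Tuple

# Heuristic list of autostart locations, matched as lowercase substrings of
# the key path. It is deliberately broad (e.g. "\currentversion\run" also
# matches RunOnce and RunServices); a reviewer still reads every hit.
AUTOSTART_MARKERS = (
    r"\currentversion\run",
    r"\windows nt\currentversion\winlogon",       # Shell, Userinit, Notify
    r"\windows nt\currentversion\windows",        # AppInit_DLLs
    r"\currentcontrolset\services",               # service ImagePath
    r"\shellserviceobjectdelayload",
    r"\explorer\browser helper objects",
)

# "name"=data  or  @=data  (default value); data is kept as raw .reg text.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text: str) -> Dict[Tuple[str, str], str]:
    """Parse a .reg export into {(key_path, value_name): raw_data}."""
    entries: Dict[Tuple[str, str], str] = {}
    key = None
    buf = None                       # pending hex(...) continuation line
    for raw in text.splitlines():
        line = raw.strip()
        if buf is not None:          # join "...,\" continuation lines
            line = buf + line
            buf = None
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):  # [-HKEY...] deletes a key; no values follow
                key = None
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        entries[(key, name)] = m.group(3)
    return entries


def is_autostart(key_path: str) -> bool:
    k = key_path.lower()
    return any(marker in k for marker in AUTOSTART_MARKERS)


def triage(before_text: str, after_text: str) -> List[dict]:
    """Return every value that differs between the two exports, tagged with
    whether it lives under an autostart location."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    changes = []
    for key, name in sorted(set(before) | set(after)):
        b, a = before.get((key, name)), after.get((key, name))
        if b == a:
            continue
        kind = "added" if b is None else "removed" if a is None else "changed"
        changes.append({"kind": kind, "key": key, "name": name,
                        "before": b, "after": a, "autostart": is_autostart(key)})
    return changes


# Constructed sample exports (not real data from the thread).
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOD32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOD32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"sample_loader"="C:\\WINDOWS\\sample_loader.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\sample_loader.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\sample_hook.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"""

if __name__ == "__main__":
    # Usage: python regdiff.py before.reg after.reg   (no args -> built-in demo)
    if len(sys.argv) == 3:
        b, a = (open(p, encoding="utf-16", errors="replace").read() for p in sys.argv[1:])
    else:
        b, a = BEFORE, AFTER
    for c in triage(b, a):
        flag = "AUTOSTART" if c["autostart"] else "         "
        print(f"{flag} {c['kind']:8} {c['key']}\\{c['name']}: {c['before']} -> {c['after']}")
```

Real `reg export` files are UTF-16 with a BOM, which is why the command-line path opens them with `encoding="utf-16"`; the built-in demo strings are plain. In the demo the three autostart hits (a new Run value, a modified Winlogon Shell and a new AppInit_DLLs entry) are what to pull out for submission, while the two Explorer\Advanced changes are not persistence but are worth noting because they are exactly the kind of change that makes a dropped file invisible even with "show hidden files" turned on.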
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Did you actually submit it to samples @ eset.com?
     