FP with Access accounting

Discussion in 'NOD32 version 2 Forum' started by Biscuit, Dec 23, 2008.

Thread Status:
Not open for further replies.
  1. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    aumonitor.exe

    FP as Win32/AutoRunAgent.ET worm

    This is a component of Access accounting software which checks online for updates.

    FWIW I have the process disabled by Winpatrol.
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Zip the file up with the password "infected" and send it to samples("at")eset.com with the subject "False Positive"
     
  3. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Which version of the virus signature database detects the Win32/AutoRunAgent.ET worm in the AUMONITOR.EXE file?

    Is that part of a software package from Access Accounting Ltd. in the UK or another company? If the former, can you provide more information, such as the product and version the file is from? That will be helpful if the developer needs to be contacted in case more information is needed to resolve the issue.

    Regards,

    Aryeh Goretsky
     
  4. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Thanks for your reply.

    It is an auto-update function of the Payroll module of accounting software by Access Accounting as in your link.

    On the 24th Dec Nod32 also detected AccessUpdate.exe as the same worm.

    Time Module Object Name Threat Action User Information
    23/12/2008 19:46:57 pm AMON file C:\Program Files\Access Applications\Payroll\Access Update\AccessUpdate.exe Win32/AutoRun.Agent.ET worm domain\user Event occurred at an attempt to access the file by the application: C:\Windows\Explorer.EXE.

    As this is a Payroll component for business in the UK, it is essential that their payroll software remains up to date. I suggest that Eset request that Access Accouting contact all their users urgently to ensure that their payroll software is updating correctly. Failure to run a payroll correctly in the UK can cost a company thousands of pounds in fines.

    Nod32 has actually deleted my 2 access payroll files despite my attempts to stop it. Regular users I'm sure will certainly find their important files deleted.
     
  5. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    I'm not sure I can get these files out of my system at the moment. I would need to shut down security on my desktop & server - which doesn't really appeal.
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Simply right click the eye in the taskbar > disable antivirus and antispyware protection. Restore the files from quarantine, email them, enable anti virus.
     
  7. ASpace

    ASpace Guest

    According to his signature , he still uses v2
     
  8. ASpace

    ASpace Guest

    Nothing bad will happen if you do nothing but simply disable AMON , restore files from Quarantine and right click them to RAR/ZIP them with a password . It takes just 10 seconds .

    You then re-enable your protection and email the password-protected archive.
     
  9. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    I'm using v2, as would most business server users (especially SBS). i.e. users likely to be running Access Accounting software.

    As well as shutting down EMON & AMON in my local Nod32, I would also have to shut down Nod32 on my server as it would no doubt strip the FP as it goes out of Exchange. As I mentioned - that doesn't appeal, it just needs a quick call from Eset to Access to sort this out.

    I no longer run Access Payroll on my system - although the software is there in case I need to refer to any old data. I'm simply trying to give Eset a heads-up.
     
  10. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Sorry, I forgot to answer that. According to my logs, the database version was v3713 for the first FP. The second FP was being detected constantly since 23-Dec.
     
  11. ASpace

    ASpace Guest

    When there is a need , there is a way !

    You don't have a web-based email ? Or you can't create an account in 30 seconds ? Or your Exchange will strip an encrypted password protected archive ? Or you also can't upload the password-protected archive to a web service like rapidshare and send ESET just the link to the files ?

    As I said when there is a need , there is a way . It seems there is no need here because if you really wanted it , you would have done something . And definitely there are many things which can be done . If I were you I wouldn't rely on someone else to do what I can do . But it's your own choice . A choice that I can't understand .

    Enjoy the holidays!
     
    Last edited by a moderator: Dec 27, 2008
  12. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    I was simply trying to give Eset a heads-up so that don't get sued. I don't use Access software any more & have no requirement for the auto update software. All Eset need to do is to call Access - it takes 10 secs to pick up the phone.
     
  13. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Please send a copy of the AUMONITOR.EXE in a .ZIP or .RAR file protected with a password of "infected" to samples@eset.sk. Be sure to include the words "FALSE POSITIVE" in the Subject: field and include a link to this message thread.

    Regards,

    Aryeh Goretsky
     
Thread Status:
Not open for further replies.