Infection - Can NOD32 stop it?

Discussion in 'ESET NOD32 Antivirus' started by jedi_m, Jul 26, 2009.

Thread Status:
Not open for further replies.
  1. jedi_m

    jedi_m Registered Member

    Joined:
    Jan 28, 2008
    Posts:
    93
    Location:
    Toronto, Canada
    I was looking for last night's boxing results and I found this webpage (see jpeg). As soon as I opened it, I got a message that my computer is at risk and I need to scan, etc. My NOD32 4.0.437.000 (20090726) with default settings, was quiet. I didn't want to take any chances and I terminated the Internet Explorer task through Task Manager. I am not infected. Then I was curious and I started my Virtual Machines one by one to try that webpage again.
    One machine XP Pro SP3 with Microsoft Security Essentials, gave me warnings and blocked the access to the webpage right away.
    The other one with Avira free, didn't do anything, was quiet like NOD32.
    I don't want to push it too far and see what could happen on my main machine where I have NOD32 installed and I was curious if somebody has NOD32 on a Virtual Machine and wants to test it.
    Here is the jpeg attachment with the url:
     


  2. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    Accessed the web page (in FF using GeSWall with NOD32, 4.0.437 with latest updates) and it gave me a fake Windows Explorer image saying my computer was infected, etc. NOD32 never made a peep. I also scanned the link with the Dr. Web anti-virus link checker and it said Clean.
     
  3. skism

    skism Registered Member

    Joined:
    May 7, 2009
    Posts:
    10
    I scanned the website with NoVirusThanks and it seems most don't recognise it..

    ~scan results removed per Site Policy....Bubba~
     
    Last edited by a moderator: Jul 26, 2009
  4. jedi_m

    jedi_m Registered Member

    Joined:
    Jan 28, 2008
    Posts:
    93
    Location:
    Toronto, Canada
    So, if NOD32 is OK with this, I can go ahead further into this page and stay safe?
    What will happen if I click "clean my PC" on that fake antivirus/antispyware page? At some point NOD should start to "scream". Will it be too late? Anyway, it should be interesting to do a full test of NOD32.
    If nobody wants to try it, then Monday after work I will install a trial NOD32 on one of my Virtual Machines and I'll see how it works.
    Jedi_m
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Links dead for me.
     
  6. jedi_m

    jedi_m Registered Member

    Joined:
    Jan 28, 2008
    Posts:
    93
    Location:
    Toronto, Canada
    Hey funkydude, I just checked again and "the evil" is still there
    http://.... last row from highlighted url.
    I can see that you are using Microsoft Security Essentials and on my test on Virtual PC, as soon as I click the link, MSE jumps with warnings, guns and whistles. Very fast, I was impressed.
     
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Simply to have you Run or Save the install file for PersonalAV

    fakealert-personalav_scr1.jpg

    Nod doesn't get excited, it just slaps it around a few times if you have the hook deep enough in your cheek and attempt to install the fakeware :cool:

    PAV.JPG
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Should hope so, one of the best against rogues.

    I still don't understand what link, the wesley one appears not to work, going to the root page will give a genuine page.
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    If one places the above wesley URL ("last row from highlighted url") in the address bar of the browser, it's true it will not show a page but a 500 error. If however one places the same link in Google for instance, it will then re-direct to one of the many ?-virus-scannerv?.com sites.
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    thanks Bubba, mine worked.
     
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Thanks for the subtle hint, guess I'm half asleep :)

    To clarify, no one detects the file itself, MSE does detect the page before you can download the file, though. Sent the file for analysis.

    mse.jpg


    I stupidly did that un-sandboxed (again I guess I'm half asleep) so it's a good thing it was detected.
     
  12. jedi_m

    jedi_m Registered Member

    Joined:
    Jan 28, 2008
    Posts:
    93
    Location:
    Toronto, Canada
    Thank you all and especially Bubba.
    It's nice to get feedback from everybody and when a moderator answers, the confidence level (in this case for NOD32) goes up.
     
    Last edited: Jul 26, 2009
  13. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Detected by 5 AVs now (previously 0) including MS and NOD32, so you're perfectly safe. :thumb:
     