Interesting scan results

Discussion in 'NOD32 version 2 Forum' started by lynchknot, Nov 1, 2004.

Thread Status:
Not open for further replies.
  1. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    This post was edited: [image and URL to site that contained trojan] removed as per the TOS, which states that no links to sites that contain malware can be posted.
    bigc
    This file will activate the NOD32 popup: http://



    I downloaded the file and ran it through http://virusscan.jotti.dhs.org/ as a zip file:
    I then unzipped the file and ran each file:

    One thing I find strange is the fact that NOD32 indicated that, on my desktop, IDeath.exe is the infected file, but when run at Jotti by itself (exe) it finds nothing, while running it as a zip file it finds the trojan. Another concern was the fact that there was a long delay. The download manager appeared before the warning. I could initiate the download prior to the popup warning.
     
    Last edited: Nov 2, 2004
  2. lynchknot

    lynchknot Registered Member

    Last edited: Nov 1, 2004
  3. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    That is possible. Post the screen shot again and we will let an admin look at it later. If I did delete the image when I shouldn't have, I apologize. But I don't see much difference between the addy you had posted and the addy in the screen shot, as they were the same.

    bigc
     
  4. lynchknot

    lynchknot Registered Member

    The SS had the URL, so someone might copy it.
     
    Last edited: Nov 2, 2004
  5. bigc73542

    bigc73542 Retired Moderator

    Dumber things have happened. I don't think a Wilders regular would do that, but there are some pretty young newbies out there.

    bigc

    I do apologize for the trouble.
     
  6. lynchknot

    lynchknot Registered Member

    No trouble :D I was hoping for verification, to benefit the community.
     
    Last edited: Nov 2, 2004
  7. bigc73542

    bigc73542 Retired Moderator

    I do want to thank you for your understanding and cooperation.

    bigc
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    1st Image – This screen shot shows IMON in action.
     

    Attached Files:

  9. Blackspear

    Blackspear Global Moderator

    2nd Image – This screen shot shows a right-click scan with NOD32 and it being detected.
     

    Attached Files:

  10. Blackspear

    Blackspear Global Moderator


    Attached Files:

  11. Blackspear

    Blackspear Global Moderator

    4th Image – This screen shot shows AMON springing into action when I try to unzip the file.
     

    Attached Files:

  12. Blackspear

    Blackspear Global Moderator


    Attached Files:

  13. Blackspear

    Blackspear Global Moderator

    I don't run a download manager; however, the minute that I clicked on the link, IMON sprang into action...

    Cheers :D
     
  14. lynchknot

    lynchknot Registered Member

    Now unzip it and scan the exe at Jotti.


    Context scan of the exe, but it found the trojan in the other exe (IDeath). If you notice my first post, it is gunB0t.exe that they show the trojan in, and IDeath.exe shows clean. Is the Jotti site flawed? It appears so.
    Now do you see what I am saying?
    IMON on my PC was slow to open. The Firefox downloader opened before IMON. However, the first time, Firefox downloaded an incomplete file. The zip could not be opened. I tried several times and Firefox would not download it properly unless I waited for IMON, then clicked to ignore it.

    http://img9.exs.cx/img9/7451/z110.jpg
     
    Last edited: Nov 2, 2004
  15. Blackspear

    Blackspear Global Moderator

    6th Image confirms your findings: scanning the IDeath.exe file by itself (after AMON going berserk) at http://virusscan.jotti.dhs.org/ shows that no anti-virus program picks up the file. As to why, I do not know.
     

    Attached Files:

  16. Blackspear

    Blackspear Global Moderator


    Attached Files:

  17. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    IMON doesn't let me d/l it.

    Time Module Object Name Virus Action User Info
    11/1/2004 22:25:41 PM IMON archive ~~link snip~~ Win32/Spy.SCKeyLog.O trojan connection terminated
     
    Last edited by a moderator: Nov 2, 2004
  18. lynchknot

    lynchknot Registered Member

    Hehe, for kicks scan the one that is supposed to be clean. Oops, you already did. :D Thank you Blackspear for confirming. Perhaps I will notify the Jotti site.

    Flyrfan, please be careful. This is a potentially dangerous file. I don't know your experience, so I apologize if you know what you are doing.

    This is what can occur if you run the exe:

     
  19. Blackspear

    Blackspear Global Moderator

    It's nothing to do with Jotti, as you can right-click on the individual file and have the same results...

    I'll send off an email to Eset to see what the difference is...

    Cheers :D
     
  20. flyrfan111

    flyrfan111 Registered Member

    Scans clean.
     
  21. lynchknot

    lynchknot Registered Member

    Results are not the same. Jotti does not see a trojan with NOD32 unless it's in a zip file. NOD32 on demand will see IDeath.exe as the infected file. Jotti, using other scanners, sees the other file as the infected one.
     
  22. Blackspear

    Blackspear Global Moderator

    Agreed; however, nor does any other anti-virus.

    Cheers :D
     
  23. lynchknot

    lynchknot Registered Member

    Your screenshot does indeed show the infected file (by exe scan - 7th image), but not with NOD.
    Same results as mine.
    flyrfan, it's scanning clean because the file is corrupt. It did not download completely.
     
  24. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I can only assume that either Jotti's site is compromised or the .exe was damaged on upload somehow.

    If you use VirusTotal then you get this:

    Results of a file scan
    This is the report of the scanning done over "IDeath.exe" file that VirusTotal processed on 11/02/2004 at 09:40:10.

    Antivirus     Version          Update      Result
    BitDefender   7.0              11.01.2004  Win32.Repor.A
    ClamWin       devel-20041018   11.02.2004  -
    eTrust-Iris   7.1.194.0        11.01.2004  -
    F-Prot        3.15b            11.02.2004  security risk named W32/SCkeylogger.D@pws
    Kaspersky     4.0.2.24         11.02.2004  TrojanSpy.Win32.SCKeylog.o
    NOD32v2       1.914            11.01.2004  Win32/Spy.SCKeyLog.O
    Norman        5.70.10          10.29.2004  W32/SCKeylog.E
    Panda         7.02.00          11.01.2004  Trj/Rovaf.A
    Sybari        7.5.1314         11.02.2004  Keylog-SClog
    Symantec      8.0              11.01.2004  -

    And with the other file:

    Results of a file scan
    This is the report of the scanning done over "gunB0t.exe" file that VirusTotal processed on 11/02/2004 at 09:43:13.

    Antivirus     Version          Update      Result
    BitDefender   7.0              11.01.2004  Backdoor.Singu.V
    ClamWin       devel-20041018   11.02.2004  Trojan.Singu-1
    eTrust-Iris   7.1.194.0        11.01.2004  -
    F-Prot        3.15b            11.02.2004  security risk named W32/Singu.AA@bd
    Kaspersky     4.0.2.24         11.02.2004  Backdoor.Win32.Singu.v
    NOD32v2       1.914            11.01.2004  -
    Norman        5.70.10          10.29.2004  -
    Panda         7.02.00          11.01.2004  -
    Sybari        7.5.1314         11.02.2004  Backdoor.Win32.Singu.v
    Symantec      8.0              11.01.2004  -

    A completely different set of results.
     
  25. dvk01

    dvk01 Global Moderator

    The only quick answer I can think of is that ESET have somehow only issued detections for the zip and not the .exe file by mistake.

    As I understand it, the exe inside a zip file will have a slightly different signature to an exe file on its own due to the compression, and if by mistake only the compressed version is noticed due to file size, then that would be the answer.
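Two claims in this thread can be checked mechanically: dvk01's suggestion (above) that a detection written against the compressed bytes of a file can miss the same file once it is unpacked, and lynchknot's point in post 23 that an incomplete download "scans clean" because the scanner never sees a valid file. The Python below is an added example, not code from the thread, from ESET, Jotti or VirusTotal. It builds an in-memory zip around a constructed stand-in file that contains a hypothetical marker byte string (no real malware and no real signature), compares a naive scanner that only looks at the raw archive bytes with one that unpacks each member, shows that the member's hash is the same however it is packaged, and reports a truncated or CRC-corrupted archive as unscannable rather than clean.

```python
"""
Added example (not from the original thread): why a byte signature that fires
on one packaging of a file can miss another, and why a truncated download
must be reported as "unscannable", not "clean".

Everything here is constructed: the member file is filler bytes around a
hypothetical marker string, and the "scanner" is a plain substring search.
"""
import hashlib
import io
import zipfile
import zlib

# Hypothetical marker standing in for the bytes a real signature would match.
MARKER = b"CONSTRUCTED-KEYLOGGER-MARKER"
MEMBER_NAME = "IDeath.exe"   # name only; the content is filler, not the real file


def build_member() -> bytes:
    """Constructed stand-in for an executable: DOS stub prefix, filler, marker."""
    return b"MZ" + b"\x00" * 200 + MARKER + b"\x00" * 200


def build_zip(member: bytes, compressed: bool = True) -> bytes:
    """Pack `member` into an in-memory zip, deflated (default) or stored."""
    method = zipfile.ZIP_DEFLATED if compressed else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(MEMBER_NAME, member)
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def container_scan(archive: bytes, pattern: bytes = MARKER) -> bool:
    """Naive scanner: looks for the pattern in the raw archive bytes only.
    This is the behaviour that makes a verdict depend on packaging:
    deflate re-encodes the literal bytes, so the pattern is not there."""
    return pattern in archive


def member_scan(archive: bytes, pattern: bytes = MARKER) -> dict:
    """Unpack every member and scan the decompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {name: pattern in zf.read(name) for name in zf.namelist()}


def hashes(archive: bytes) -> dict:
    """SHA-256 of the container and of each decompressed member."""
    out = {"<archive>": sha256(archive)}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            out[name] = sha256(zf.read(name))
    return out


def zip_integrity(archive: bytes) -> str:
    """
    'ok'        central directory parses and every member passes its CRC-32
    'corrupt'   a member fails its CRC or fails to inflate
    'truncated' no end-of-central-directory record (a cut-off download)
    A scanner that says "clean" for the last two cases has scanned nothing.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            bad = zf.testzip()          # first member with a bad CRC, or None
    except zipfile.BadZipFile:
        return "truncated"
    except zlib.error:
        return "corrupt"
    return "corrupt" if bad else "ok"


def corrupt_stored_copy(member: bytes) -> bytes:
    """Stored archive with one data byte flipped: headers intact, CRC wrong."""
    stored = bytearray(build_zip(member, compressed=False))
    idx = stored.index(member)          # stored data appears verbatim
    stored[idx + 100] ^= 0xFF           # flip a filler byte inside the member
    return bytes(stored)


def main() -> None:
    member = build_member()
    deflated = build_zip(member, compressed=True)
    stored = build_zip(member, compressed=False)

    print("container scan, deflated :", container_scan(deflated))
    print("container scan, stored   :", container_scan(stored))
    print("member scan, deflated    :", member_scan(deflated))
    print("member hash equal?       :",
          hashes(deflated)[MEMBER_NAME] == hashes(stored)[MEMBER_NAME])
    print("integrity, intact        :", zip_integrity(deflated))
    print("integrity, half download :", zip_integrity(deflated[: len(deflated) // 2]))
    print("integrity, flipped byte  :", zip_integrity(corrupt_stored_copy(member)))


if __name__ == "__main__":
    main()
```

The practical rule this illustrates: hash and scan the extracted member, not the container, when comparing verdicts across services, and treat any archive that fails `zip_integrity` as "not scanned" rather than "clean", which is exactly the trap flyrfan's incomplete download fell into.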
     