is this even possible?

Discussion in 'NOD32 version 2 Forum' started by whitey1200, Oct 17, 2007.

Thread Status:
Not open for further replies.
  1. whitey1200

    whitey1200 Registered Member

    Joined:
    Oct 17, 2007
    Posts:
    9
    a client sent me this link today. it's to a yahoo message board. when i click on the link i get a "Skowor.A" warning from NOD32, but it's obviously just a web URL. If you "quarantine" the virus and then try to restore, there's no file there. it seems like it has to be some kind of false positive.

    can anyone else confirm that this is happening w/ NOD32?

    hXXp://messages.yahoo.com/Cultures_%26_Community/Issues_and_Causes/Current_Events/World%255FNews/threadview?m=ts&bn=7088119-israelipalestinianconflict&tid=1315057&mid=1315154&tof=4&frt=2
     
    Last edited by a moderator: Oct 17, 2007
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I receive the same warning where IMON shuts down the link on trying to access it:

    17/10/2007 15:51:00 PM - IMON - Internet monitor Threat Alert triggered on BLACKSPEAR: hXXp://messages.yahoo.com/Cultures_&_Community/Issues_and_Causes/Current_Events/World%5FNews/threadview?m=ts&bn=7088119-israelipalestinianconflict&tid=1315057&mid=1315154&tof=4&frt=2 > GZ > file.htm is infected with Win32/Skowor.A worm.

    Will need to wait for Marcos or someone else to advise further.

    Cheers :D
     
  3. whitey1200

    whitey1200 Registered Member

    Joined:
    Oct 17, 2007
    Posts:
    9
    Thanks for the confirmation, Blackspear. I've never seen anything quite like this before.
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You are welcome.


    I have, this is normal action for NOD32 with an infected site.

    Cheers :D
     
  5. whitey1200

    whitey1200 Registered Member

    Joined:
    Oct 17, 2007
    Posts:
    9
    Oh yes, I have seen the warning from actual infected sites before, too. I know it *is* normal for an infected site, but the site is *not* infected, as you can see from this link to the message board....

    http://messages.yahoo.com/Cultures_...gesview?bn=7088119-israelipalestinianconflict

    Also, it's a Yahoo message board. I'm fairly certain Yahoo doesn't allow infected pages to exist on its servers. It's only that particular thread that generates the warning, not the entire site.

    Furthermore, visiting the "infected" link with NOD32 disabled, then scanning with the on-demand scanner shows no sign of infection. No warnings from Kaspersky, Symantec, AVG or McAfee, either. I've tested this as many ways as I can think of and from all results there is no actual virus.
     
    Last edited: Oct 17, 2007
  6. ASpace

    ASpace Guest

    Not true. Moreover, Yahoo uses Symantec to scan what they scan, and just one vendor cannot guarantee 100% success.


    Hey, this doesn't guarantee that these vendors are OK and that NOD32 flags a false positive. There are many cases where NOD32 is the only one to detect a threat and many other "big names" report nothing. No AV is perfect, and that's why one may need a confirmation from a specialist. I have once before visited a trusted site on which IMON popped up about a probable threat. None of the "big names" reported a threat, but it later turned out to be real malware which NOD32's heuristics detected.

    One more thing - I don't know if it is that important, but the board message has been removed ;)
     
  7. whitey1200

    whitey1200 Registered Member

    Joined:
    Oct 17, 2007
    Posts:
    9
    Thanks for the reply, HiTech Boy.

    yes, it appears that that post has been deleted, but the thread still exists and still gives the same warning.

    hXXp://messages.yahoo.com/Cultures_...nconflict&tid=1315057&mid=1315086&tof=6&frt=2

    I know the lack of warning from other vendors doesn't guarantee anything, but as I noted, visiting the alleged infected site with NOD32 disabled, then scanning the system with NOD32 on demand scanner detects no infection. A manual search for the virus file also is negative. Also this is a well-known virus and I know for a fact that the other AVs I mentioned *do* detect it. The "file" that is reported as quarantined isn't even a file name, it's a URL, and attempting to "restore" it to a temp folder doesn't restore any file. Also the size of the file being reported as detected differs with each message in that thread. It's just not behaving like an actual threat.

    Anyway, I have escalated this to ESET development at samples@eset.com

    In the meantime if anyone can duplicate or negate my test results I'd appreciate the input.

    Thanks
     
  8. TravisO

    TravisO Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    15
    As of 5:26pm EST on 10/17/07 the url doesn't cause any problems in NOD32 3.0 RC1.
     
  9. whitey1200

    whitey1200 Registered Member

    Joined:
    Oct 17, 2007
    Posts:
    9

    Thanks Travis. That makes it appear even more likely that it's a false positive, as I'm still getting the warning with V. 2.70.39

    Hey I know a Travis from another tech forum... you aren't associated with an anti-malware product called "ImmuneEngine" by any chance, are you?

    Edit: Just tried 3.0 RC1 in a virtual machine and getting the same virus warning as with 2.7. "Skowor.A" virus.
     
    Last edited: Oct 17, 2007
  10. deanmartin

    deanmartin Registered Member

    Joined:
    Sep 6, 2007
    Posts:
    231
    Location:
    USA/KY
    Warning here too, with Nod32 2.7
     
  11. whitey1200

    whitey1200 Registered Member

    Joined:
    Oct 17, 2007
    Posts:
    9

    Thanks dean. I've attached the file that's giving the warning. It's just a plain HTML file (I changed the extension to "txt") with no malicious code, but it surely triggers a virus warning from NOD32.
     
  12. ctrlaltdelete

    ctrlaltdelete Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    318
    Location:
    NL
    Clicking the attachment triggers NOD32 v3 RC1 here.

    worm.png
     
  13. whitey1200

    whitey1200 Registered Member

    Joined:
    Oct 17, 2007
    Posts:
    9
    Yeah... see what I mean. I assure you it's NOT infected, however.

    OK, I zipped it w/ password protection and added "txt" extension.... password is "infected".

    I'd appreciate if any NOD32 guru on here could tell me why this is flagged as a virus.
     
    Last edited: Oct 18, 2007
  14. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Good question.

    The thing about this thread that caught my attention was that it appears to be a specific detection and not a generic one.

    There are two lines of style code in the document head that trigger the detection. If I remove either
    Code:
    #cal1 { width: 100%;}
    or
    Code:
    #cal2 { width: 100%;}
    or the
    Code:
    <style></style>
    tags that surround them or other parts of the document head then the detection goes away...

    Cheers :)
     
  15. whitey1200

    whitey1200 Registered Member

    Joined:
    Oct 17, 2007
    Posts:
    9
    Thanks for the input, NOD32user. I appreciate you taking the time to look at this.

    The odd thing is only that one thread triggers the warning. Each post on that board contains those lines and none of the others trigger the alert. Also each post in the "infected" thread has a different message contents, so it couldn't be that either. The only thing that's common to the "infected" thread is the thread ID in the <a href=..." > links. (see attachment of post that doesn't trigger an alert). Since the part you removed is common to the "non-infected" posts, NOD32 must be doing some type of hash on the file and coming up with a positive match. If a guru here could explain how NOD32 does it's detection might shed a little light on this.
     
  16. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hi whitey1200,

    I don't really consider myself a guru but you are right - only 1 thread I can see and the attached archive protected with the password 'infected' contains just the headers from one of the pages in question.

    Cheers :)
     
  17. whitey1200

    whitey1200 Registered Member

    Joined:
    Oct 17, 2007
    Posts:
    9
    Thanks NOD32 user! That narrows it down a bit. I'm trolling for this virus with Kazaa on a virtual machine so I can take a look at it and compare (it's a PowerShell script that supposedly spreads through Kazaa, so it would also just be a text file), but a search of all the files it supposedly drops in the shared folder doesn't turn up anything. It figures that when you WANT a virus you can't get one. lol.


    Although this isn't really a problem, curiosity has gotten the better of me and I'd really like to know why this is being detected. Thanks again for your input! :)
     