Koobface not being detected by NOD32

Discussion in 'NOD32 version 2 Forum' started by garykyle, May 8, 2009.

Thread Status:
Not open for further replies.
  1. garykyle

    garykyle Registered Member

    Joined:
    Aug 16, 2006
    Posts:
    18
    We are running NOD32 2.70.32 on our network with the latest definitions. Yesterday, it raised a threat alert on one of the PCs, identifying koobface.fx.

    We cleaned it up and rescanned and all was fine. C:\Windows\ld08.exe was removed, as was a startup registry entry that launched it.

    However, first thing today it was inexplicably back - IMON noticed C:\Windows\ld08.exe trying to connect to the internet. The user clicked to Terminate the threat but he then noticed ld08.exe was still there on the drive.

    We then ran a full scan in NOD32, and it failed to notice that koobface.fx is still there.

    Questions:

    1) Why does NOD32 not detect this threat before it manages to install itself?
    2) Does 'Terminate' just block the connection without removing the threat?
    3) How did it come back after cleaning?
    4) How did NOD32 fail to detect it after terminating the IMON warning, when the files and registry entry were still there?
     
    Last edited: May 8, 2009
  2. garykyle

    garykyle Registered Member

    Joined:
    Aug 16, 2006
    Posts:
    18
    OK, been looking at this further - I can delete the files, registry keys and restart the computer. On restarting the computer without the network cable connected, the PC is clean.

    The moment the network cable is plugged in, ld08.exe and the registry entry appear. IMON then appears. On clicking Terminate, two more exes appear in C:\Windows\ called sd_12345678.exe where the number part appears to be random.

    So it seems that not only is NOD32 not blocking Koobface from installing itself, the Terminate option of IMON doesn't seem to work either as two other exes appear after supposedly terminating it.

    Here's the threat log. I've edited the paths to the exes to prevent anyone accidentally downloading:

    ~Links removed. Submit any possible malware to ESET.~
     
    Last edited by a moderator: May 8, 2009
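The reinfection pattern described in the post above (clean after an offline reboot, ld08.exe plus randomly numbered sd_ droppers back as soon as the cable is connected) is the kind of thing worth checking with a script rather than by eye, because the sd_ names change every time. The following is an added triage example, not code from the thread or from ESET. It assumes the sd_ droppers always carry exactly eight digits as in the poster's sd_12345678.exe example, and every file name, file content, hash and Run-key value name it uses is constructed for the demo, not taken from a real infection.

```python
"""Triage helper for the reinfection pattern described in the post above."""
import hashlib
import os
import re
import tempfile

# Indicators taken from the thread: ld08.exe in the Windows directory and
# sd_<digits>.exe droppers appearing next to it. Eight digits is an
# assumption based on the poster's sd_12345678.exe example.
LD08_NAME = "ld08.exe"
SD_DROPPER = re.compile(r"^sd_\d{8}\.exe$", re.IGNORECASE)
# First ".exe" token in a Run-key command line (the path is often quoted and
# may be followed by arguments).
EXE_IN_COMMAND = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)


def is_suspicious_name(filename):
    """True for the exact ld08.exe name or any sd_NNNNNNNN.exe variant."""
    return filename.lower() == LD08_NAME or SD_DROPPER.match(filename) is not None


def sha256_file(path):
    """SHA-256 of a file, so two scans can tell 'same binary again' from 'new binary'."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_windows_dir(windir):
    """Return {filename: sha256} for files in windir whose names match the indicators."""
    hits = {}
    for name in sorted(os.listdir(windir)):
        full = os.path.join(windir, name)
        if os.path.isfile(full) and is_suspicious_name(name):
            hits[name] = sha256_file(full)
    return hits


def suspicious_run_entries(run_values):
    """run_values maps Run-key value names to their command strings.
    Returns {value_name: executable} for entries that launch a suspicious exe."""
    flagged = {}
    for value_name, command in run_values.items():
        m = EXE_IN_COMMAND.search(command)
        if m and is_suspicious_name(m.group(1)):
            flagged[value_name] = m.group(1)
    return flagged


def diff_scans(before, after):
    """Files present after the network was reconnected that were absent after
    the clean offline reboot, plus files whose hash changed in between."""
    new = {n: h for n, h in after.items() if n not in before}
    changed = {n: h for n, h in after.items() if n in before and before[n] != h}
    return {"new": new, "changed": changed}


def demo():
    """Constructed scenario: only a benign file after the offline reboot, then
    ld08.exe and two sd_ droppers show up once the cable is plugged in."""
    with tempfile.TemporaryDirectory() as windir:
        with open(os.path.join(windir, "notepad.exe"), "wb") as f:
            f.write(b"benign placeholder")  # constructed, should never be flagged
        before = scan_windows_dir(windir)
        # Constructed stand-ins for the dropped files; contents are not real malware.
        dropped = [
            ("ld08.exe", b"MZ-ld08-placeholder"),
            ("sd_48213790.exe", b"MZ-sd-a-placeholder"),
            ("sd_00917342.exe", b"MZ-sd-b-placeholder"),
        ]
        for name, content in dropped:
            with open(os.path.join(windir, name), "wb") as f:
                f.write(content)
        after = scan_windows_dir(windir)
        # Constructed Run-key values; the real value name is not given in the thread.
        run_values = {
            "ld08": r'"C:\Windows\ld08.exe"',
            "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        }
        return {
            "before": before,
            "after": after,
            "diff": diff_scans(before, after),
            "run": suspicious_run_entries(run_values),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real box you would point scan_windows_dir at the actual Windows directory and feed suspicious_run_entries the values read from HKLM and HKCU ...\CurrentVersion\Run; running the scan once after the offline reboot and again after reconnecting, then calling diff_scans on the two results, tells you whether the same binary is being re-delivered (same hash) or a fresh build arrives each time, which matters when deciding what to submit to the vendor.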
  3. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    You may wish to install a copy of ESET NOD32 Antivirus v4.0 on an uninfected computer and use it to create an ESET SysRescue disk. Once you have made that CD/DVD/USB flash drive, boot the reinfecting computer from it and see if it is able to remove all instances of the malware from the computer.

    Regards,

    Aryeh Goretsky
     