Latest NOD32 + 4NT = reboot of machine

Discussion in 'NOD32 version 2 Forum' started by itteam, Jul 12, 2007.

Thread Status:
Not open for further replies.
  1. itteam

    itteam Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    6
    Hi all

    My fellow sysadmins and I have just spent a few hours chasing what we thought was a zero-day virus around our corporate network. We now believe it to be a bug in the latest version of NOD32.

    Whenever any of our machines that has the current version of NOD32 installed attempts to access any directory that contains JPSoftware's 4NT executables, the machine will either hard reset immediately or get a BSOD. We're not sure which exact file is causing the issue - we've now just excluded AMON from scanning that directory entirely. The version of 4NT is pretty old (v3 or v4), but it also seems to occur on some machines running the latest v8.02.

    This only occurs on machines which updated their NOD32 today. If an older version of NOD32 is installed, the machine can browse the folder just fine.

    My NOD32 info is below. I've also RAR'd up the Windows minidump info that the crash causes and can mail that if required.

    For now we're excluding the directory under AMON and will look to upgrade all users if v8.02 proves to solve the issue (some people with 8.02 have no problems, others do).

    Thanks

    Andrew

    Code:
    NOD32 antivirus system information
    Virus signature database version:	2394 (20070711)
    Dated:	Wednesday, 11 July 2007
    Virus signature database build:	10304
    
    Information on other scanner support parts
    Advanced heuristics module version:	1.063 (20070710)
    Advanced heuristics module build:	1161
    Internet filter version:	1.002 (20040708)
    Internet filter build:	1013
    Archive support module version:	1.053 (20070524)
    Archive support module build version:	1189
    
    Information about installed components
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base
    Version:	2.70.32
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Internet support
    Version:	2.70.32
    NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component
    Version:	2.70.32
    
    Operating system information
    Platform:	Microsoft Windows XP
    Version:	5.1.2600 Service Pack 2
    Version of common control components:	5.82.2900
    RAM:	2047 MB
    Processor:	Intel(R) Core(TM)2 CPU          6600  @ 2.40GHz (2400 MHz)
    
     
  2. TJP

    TJP Registered Member

    Joined:
    May 6, 2006
    Posts:
    120
    Hi itteam,

    I'm not an Eset representative, but I note you are using Nod32 version 2.70.32.

    Have you tried the latest Nod32 version? Version 2.70.39 can be downloaded from here

    It might be worth trying the latest version while you wait for one of the Eset support team to respond to your query.

    Cheers.
     
  3. GhostMan

    GhostMan Eset Staff Account

    Joined:
    Jun 8, 2007
    Posts:
    99
    Location:
    Bratislava
    Hi

    Maybe if we can replicate this problem in our environment, we will see what's going on. Please, could you provide us with a sample of the mentioned executables? Send it to support@eset.com together with a link to Wilders.

    Cheers.
     
  4. itteam

    itteam Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    6
    I've sent off all the 4NT directory and info we've collected. I'm also doing some further investigation on my laptop from home. It hasn't been connected to the network here for several weeks so should be completely clean.

    I'll post back with results.

    Andrew
     
  5. Najmi

    Najmi Registered Member

    Joined:
    Mar 24, 2007
    Posts:
    36
    Hi It

    Try with the latest definition version 2396 and let us know the results.
     
  6. itteam

    itteam Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    6
    Ok, some further testing...

    I've updated my NOD32 to 2396. If I scan the RAR'd up directory on my machine it's fine. If I scan a directory over the network I get a hard reset.

    If I disable AMON, I can also still crash other machines by browsing to their 4NT directory over the network (e.g. if it's shared). In such a case, the only thing that happens is that the network share/machine disappears from the network as the machine hard resets.

    Interestingly, I've booted my laptop with BackTrack (used to be Auditor), the Linux security boot CD. I can use Konqueror to browse the same machines that I can cause resets on without causing a reset.

    No... wait... now the machines don't reset when I browse them. Perhaps they've updated to the new definition now.

    I'll try enabling AMON and browsing the network share that's caused issues.

    Andrew
     
  7. itteam

    itteam Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    6
    The only other thing I've just noticed, when I browse one of the machines with the 4NT directory that displayed the error, I see an event in my security software:

    Time, 13/07/2007 7:50:00 AM,
    Event, SMB_Malformed,
    Machine, KERRYH,
    Parameter(s),
    Count, 3

    Unfortunately there are no further details in the logs. I have got full "evidence logging" enabled though, so perhaps there is something more there.

    Andrew
     
  8. itteam

    itteam Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    6
    And now I just noticed this... I'm starting to get worried again... there's nothing major, but all this activity together is suspect.

    Time, 13/07/2007 7:57:10 AM,
    Event, MSRPC_Share_Enum_Sweep,
    Intruder, 192.168.1.115
    Parameter(s), count=5<>victim=192.168.1.25
    Count, 1

    Time, 13/07/2007 7:57:10 AM,
    Event, MSRPC_Share_Enum_Sweep,
    Intruder, 192.168.1.115
    Parameter(s), count=5<>victim=192.168.1.217


    192.168.1.115 is my machine
    The other two IPs are the two machines I have been browsing. They have also been exhibiting the reboot problem.

    A
     
  9. itteam

    itteam Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    6
    More... I've turned off AMON and am still able to browse the machines (two IPs above) without either those machines or my machine rebooting.

    When I browse to the fileserver that hosts the installer files for 4NT, I get another lot of RPC Share Enum Sweeps and SMB malformed packets. That file server is running an old version of Red Hat with Samba on it. Now admittedly, Samba is a bit old, but, well, anyway, here are the log details:

    Code:
    Time, Event, Intruder, Parameter(s), Count
    13/07/2007 8:21:41 AM, MSRPC_Share_Dump, 192.168.1.115, server=\\Sapphire, 7
    
    13/07/2007 8:21:41 AM, MSRPC_Share_Enum_Sweep, 192.168.1.115, count=5<>victim=192.168.1.218, 1
    
    13/07/2007 8:21:41 AM, MSRPC_Share_Enum_Sweep, AE, count=5-6|8<>victim=192.168.1.17|192.168.1.25, 3
    
    13/07/2007 8:21:40 AM, SMB_Malformed, 192.168.1.218, , 3
    Sapphire is the Linux server
    192.168.1.17 is Sapphire's IP


    ADD:

    Again, it's a bit suspect. Nothing with major alarm bells but just weird. I waited about 15 minutes without Windows Explorer open. I then browsed to sapphire's 4NT directory. After hitting refresh a few times, I got this in the logs:

    Time, Event, Intruder, Parameter(s), Count
    13/07/2007 8:36:16 AM, MSRPC_Share_Enum_Sweep, AE, count=5|7<>victim=192.168.1.218, 3
    13/07/2007 8:36:16 AM, MSRPC_Share_Dump, AE, server=\\Sapphire, 17

    A
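The IDS lines quoted in this thread use a "Time, Event, Intruder, Parameter(s), Count" layout with `<>`-separated parameters and `|`-separated lists. The following is an added example (not from the thread or from ESET) that parses that layout and separates share-enumeration events originating from a known admin workstation (here assumed to be 192.168.1.115, as the poster states) from events with no attributable source, so an analyst can tell routine share browsing from something that needs a closer look.

```python
from collections import defaultdict

# Constructed sample: the event lines as posted in the thread, header included.
SAMPLE_LOG = r"""Time, Event, Intruder, Parameter(s), Count
13/07/2007 8:21:41 AM, MSRPC_Share_Dump, 192.168.1.115, server=\\Sapphire, 7
13/07/2007 8:21:41 AM, MSRPC_Share_Enum_Sweep, 192.168.1.115, count=5<>victim=192.168.1.218, 1
13/07/2007 8:21:41 AM, MSRPC_Share_Enum_Sweep, AE, count=5-6|8<>victim=192.168.1.17|192.168.1.25, 3
13/07/2007 8:21:40 AM, SMB_Malformed, 192.168.1.218, , 3
"""


def parse_params(raw):
    """Turn 'count=5-6|8<>victim=a|b' into {'count': ['5-6', '8'], 'victim': ['a', 'b']}."""
    params = {}
    for field in filter(None, raw.split("<>")):
        key, _, value = field.partition("=")
        params[key.strip()] = value.split("|") if value else []
    return params


def parse_events(text):
    """Parse the five-column IDS export; header and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",", 4)]
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        time, event, intruder, params, count = parts
        events.append({"time": time, "event": event, "intruder": intruder,
                       "params": parse_params(params), "count": int(count)})
    return events


def triage(events, admin_hosts):
    """Split MSRPC share events into admin browsing vs. unattributed sources;
    tally SMB_Malformed counts per reporting host (the hosts that may crash)."""
    report = {"admin_browsing": defaultdict(set), "unattributed": [],
              "malformed_from": defaultdict(int)}
    for ev in events:
        if ev["event"] == "SMB_Malformed":
            report["malformed_from"][ev["intruder"]] += ev["count"]
        elif ev["event"].startswith("MSRPC_Share"):
            targets = ev["params"].get("victim") or ev["params"].get("server", [])
            if ev["intruder"] in admin_hosts:
                report["admin_browsing"][ev["intruder"]].update(targets)
            else:
                report["unattributed"].append((ev["time"], ev["event"], ev["intruder"], targets))
    return report
```

Run `triage(parse_events(SAMPLE_LOG), {"192.168.1.115"})` to see the admin host's browsing targets listed separately from the one sweep whose source the IDS could not resolve.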
     