Mebroot removal/cleaning - infection Dutch news site nu.nl

Discussion in 'ESET NOD32 Antivirus' started by FanJ, Mar 19, 2012.

Thread Status:
Not open for further replies.
  1. FanJ (Updates Team; joined Feb 9, 2002; 2,564 posts)
    On Wednesday 14 March 2012 the Dutch news site nu.nl was infected with a complicated infection discovered by SurfRight and Fox-IT.
    See Dutch news site nu[dot]nl infected [14 March 2012] and Fox-IT weblog

    (I have been in contact in private with some of the kind Eset folks about it.)

    The SmokeLoader Trojan was added as Win32/Kryptik.ACPZ in defs 6969.

    It wasn't clear to me whether the Mebroot bootkit can be detected and cleaned by the Eset standalone Mebroot cleaner.
    See http://kb.eset.com/esetkb/index?page=content&id=SOLN2372
    That standalone Mebroot cleaner tool is from 28 Sept 2010.
    See also https://www.wilderssecurity.com/showpost.php?p=2031233&postcount=19

    edited to add:
    Could Eset inform us please whether NOD32 and/or the standalone Mebroot cleaner tool can detect and clean this particular infection?
    I am aware that Eset might need a sample, maybe from Fox-IT or from SurfRight (see again here).
     
    Last edited: Mar 19, 2012
  2. FanJ (Updates Team; joined Feb 9, 2002; 2,564 posts)
  3. siljaline (Former Poster; joined Jun 29, 2003; 6,619 posts)
    Dutch Users Served SINOWAL for Lunch

     
  4. FanJ (Updates Team; joined Feb 9, 2002; 2,564 posts)
    Thanks siljaline ;)

    It's still not clear to me whether Eset is now able to detect and clean all of the malware that came with this particular nu.nl infection, either by NOD32 itself or by the standalone Mebroot cleaner. For cleaning the MBR infection the standalone cleaner is most probably needed, but the question is: is the Mebroot standalone cleaner from 28 Sept 2010 actually capable of cleaning this variant? Or is another standalone cleaner from Eset needed?
     
    Last edited: Mar 24, 2012
  5. siljaline (Former Poster; joined Jun 29, 2003; 6,619 posts)
    Hi Fanj :)

    You're most welcome.

    ESET would have to respond directly to your query since I am unaware if this variant is detected by stand-alone removers or ThreatSense signatures at this time.

    The tool is available here

    A search query of Win32/Mebroot yields: Win32/Mebroot. Short answer: ESET signature files should automatically detect all aliases/variants that are known at this time.

    Regards,
     
    Last edited: Mar 24, 2012