Mydoom,Zindos,Doomjuice infection?

Discussion in 'NOD32 version 2 Forum' started by flyrfan111, Oct 16, 2004.

Thread Status:
Not open for further replies.
  1. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    I woke this morning to be greeted by windows autoupdate informing me that I had an update for KB836528 to be installed. This update is only offered if windows update detects an infection. My question is why didn't NOD detect this and how did I get infected? here is the link to the KB article and here are my log entries from this morning;

    http://support.microsoft.com/default.aspx?kbid=836528

    Event Type: Information
    Event Source: Windows Update Agent
    Event Category: Installation
    Event ID: 17
    Date: 10/16/2004
    Time: 4:52:35 AM
    User: N/A
    Computer: XXXX-XXXXXXXXXXXXX
    Description:
    Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions:
    - Mydoom, Zindos, and Doomjuice Worm Removal Tool (KB83652:cool:

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    And my NOD info;

    NOD32 Antivirus System information
    Virus signature database version: 1.896 (20041015)
    Dated: Friday, October 15, 2004
    Virus signature database build: 4918

    Information on other scanner support parts
    Advanced heuristics module version: 1.010 (20040902)
    Advanced heuristics module build: 1061
    Internet filter version: 1.002 (2004070:cool:
    Internet filter build: 1013
    Archive support module version: 1.021 (20040917)
    Archive support module build version: 1101

    Information on installed components
    NOD32 for Windows NT/2000/XP/2003 - EMON
    Version: 2.0.0
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.12.2
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.12.2
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.12.2

    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 2
    Version of common control components: 5.82.2900
    RAM: 512 MB
    Processor: x86 Family 6 Model 5 Stepping 2 (448 MHz)
    What gives? How did I get infected? is this a false positive from WindowsUpdate? the article says it looks for registry entries. I am confused by all of this. And no NOD never alerted or even found supicious files or anything. Any advice?
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,798
    Location:
    Texas
    If it were me, I would scan with anti-trojan program too. Just for a second opinion. A lot of them know mydoom.

    There are many variations of mydoom as you know.

    There are online scans you can do also.
     
    Last edited: Oct 16, 2004
  3. manOFpeace

    manOFpeace Registered Member

    Joined:
    Feb 1, 2003
    Posts:
    716
    Location:
    Ireland
    flyrfan111, I took the tool anyway, easily carried. Not infected. :)
     
  4. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Yes I took the tool also when I installed SP2, my question is, Windows update is only supposed to automatically download it if you are infected, I have a fully patched system, an updated NOD installation and a firewall(Sygate Pro), how did I get infected in the first place? NOD should have picked it up, Sygate has it in it's IDS signatures, so it should have picked it up also. How did I get it in the 1st place? Is this a FP from windows update? Unfortunately the tool doesn't tell you what it is hitting on so sending the file(s) to Eset is not possible. The KB article claims that it looks for registry entries, but doesn't specify what in particular it scans for.
     
  5. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Did you receive any of this information?

    "6. It displays a Windows message box that describes the outcome of the detection or removal. You may receive any one of the following messages: • No infection detected – Mydoom variants A, B, E, F, G, J, L, or O, Doomjuice variants A and B, and Zindos.A were not detected on this computer.
    • Successfully removed Mydoom. variant-letter – The variant of Mydoom worm was removed, and you do not have to do anything else. The variant-letter could be A, B, E, F, G, J, L, or O.
    • Successfully removed Zindos.A – Zindos.A was removed, and you do not have to do anything else.
    • Successfully removed Doomjuice.A - Doomjuice.A was removed, and you do not have to do anything else.
    • Successfully removed Doomjuice.B - Doomjuice.B was removed, and you do not have to do anything else.
    • This tool must be run by an administrator – To run the tool, you must log off and log back on using an account with administrator credentials.
    • Fatal error, please review log file – Review the log file for errors, and then contact Microsoft Product Support Services (PSS) if you must.
    • Mydoom. variant-letter was detected, but could not be removed – Try to reexecute the tool, and check the log file for errors.
    • Mydoom.B was detected, but could not be removed – Try to reexecute the tool, and check the log file for errors.
    • Doomjuice.A was detected, but could not be removed – Try to reexecute the tool, and check the log file for errors.
    • Doomjuice.B was detected, but could not be removed – Try to reexecute the tool, and check the log file for errors.
    • Incorrect Windows version (Win32s) – This tool is not supported in Windows 3.1 with Win32s. "

    Or can you view the log file?


    "The Mydoom Worm Removal Tool creates a log file that is named Doomcln.log in the %WINDIR%\debug folder in Windows Server 2003, Windows XP, and Windows 2000. The log file is created in the %WINDIR% folder in Windows 98, Windows 98 Second Edition, and Windows Millennium Edition."
     
  6. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Yes and it gets even more strange. According to the log from doomcln which I will post below No infection was found. Autoupdate is only supposed to download it if you are infected correct? What set autoupdate to download it then? I installed the tool from the options when I installed SP2. I guess it was an false positive from wondows updating automatically. That's all I can figure. I can't see how any of them could have gotten through an updated system, updated AV and a current firewall with updated IDS sigs.

    Microsoft MyDoom removal tool (build 1.227) started on Sat Oct 16 11:15:09 2004
    Checking 41 processes.
    Checking startup registry keys for current user.
    Checking keys for 7 other users
    Deleted registry key 80000002:Software\Microsoft\Windows\CurrentVersion\Shell
    Checking known MyDoom filenames.
    **** No MyDoom infection found ****
    Microsoft MyDoom removal tool stopped on Sat Oct 16 11:15:11 2004

    Thanks for all the replies, sorry for wasting everyone's time. Especially thanks to Stan999, if I knew where the log was I wouldn't have had to start this thread. Just another MS goof I suppose.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    Wasn't your computer infected with one of those worms in the past? Per what MS states on their website, the tool is downloaded also in case worm leftovers are detected in the registry. Another possibility is that the updater offered you the tool in error despite having no symptoms of infection.
     
  8. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    No Marcos, I haven't had one of those. You are probably remembering the False Positive I had with Panda, Trj/Qhost.gen I think it was. They were detecting that Spybot modified my hosts file. That wasn't a virus or a worm though.
     
Thread Status:
Not open for further replies.