netd32.exe & cmd32.exe worms not detected by NOD32

Discussion in 'NOD32 version 2 Forum' started by angelo_lopes, Mar 11, 2004.

Thread Status:
Not open for further replies.
  1. angelo_lopes

    angelo_lopes Registered Member

    Joined:
    Mar 6, 2004
    Posts:
    145
    Location:
    Porto, Portugal
    Hi all

    Two days ago I installed Kerio Personal Firewall. Today, it detected netd32.exe
    trying to access from 0.0.0.0:port xxx to 66.98.167.168:port yyyy.
    (I forgot the port numbers and KPF wasn't yet configured to log)
    Searching HKLM/Software/Microsoft/Windows/CurrentVersion/Run
    and RunServices, I didn't find netd32.exe (!!!), but I found cmd32.exe,
    also reported over the web as a worm.
    I scanned both files with NOD32 (version 1661), viruses found 0.

    How come? :mad:
    TIA,
     
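As an added example (not from the thread or from any of the posters), this script shows the autostart check the first post describes, run offline over a constructed regedit export of the Run and RunServices keys: it flags an entry whose image file no longer exists on disk (the cmd32.exe case, where only the registry value remained) and an entry whose file name matches one the thread reports as never being part of the OS. The export text, the file list and the SoundMgr entry are constructed sample data; only the netd32.exe and cmd32.exe names and the key paths come from the thread. Paths are compared case-insensitively, as Windows does.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a regedit-style export of the two autostart keys the post
# searched. The SoundMgr entry and the paths are made up for this example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMgr"="C:\\Program Files\\SoundMgr\\soundmgr.exe /background"
"cmd32"="cmd32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"netd32"="C:\\WINDOWS\\SYSTEM32\\netd32.exe"
"""

# Constructed stand-in for the file system: lowercase paths of files that exist.
# cmd32.exe is deliberately absent, mirroring the thread (registry entry left
# behind, file already gone).
SAMPLE_FILES_PRESENT = {
    r"c:\program files\soundmgr\soundmgr.exe",
    r"c:\windows\system32\netd32.exe",
}

# File names the thread reports as never legitimately part of the OS.
SUSPECT_NAMES = {"netd32.exe", "cmd32.exe"}

# Directories a bare file name in a Run value would be resolved against (assumed).
SYSTEM_DIRS = [r"C:\WINDOWS\SYSTEM32", r"C:\WINDOWS"]

AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)

# Matches a REG_SZ value line of a .reg export: "name"="data"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return (key, value_name, command) tuples found under the autostart keys."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key not in AUTOSTART_KEYS:
            continue
        m = VALUE_RE.match(line)
        if m:
            # .reg exports escape backslashes inside string data as \\
            entries.append((current_key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def image_path(command):
    """Extract the executable path from a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    # Unquoted: take everything up to the first .exe so paths with spaces survive
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def resolve(path, files_present, system_dirs=SYSTEM_DIRS):
    """Resolve a bare name against the system dirs; return the path if present, else None."""
    candidates = [path] if "\\" in path else [d + "\\" + path for d in system_dirs]
    for c in candidates:
        if c.lower() in files_present:
            return c.lower()
    return None


def triage(reg_text, files_present):
    """Flag autostart entries that are orphaned or carry a known non-OS file name."""
    findings = []
    for key, name, command in parse_reg_export(reg_text):
        path = image_path(command)
        base = PureWindowsPath(path).name.lower()
        reasons = []
        if base in SUSPECT_NAMES:
            reasons.append("name matches a known non-OS executable")
        if resolve(path, files_present) is None:
            reasons.append("image file not found on disk (orphaned autostart entry)")
        if reasons:
            findings.append({"key": key.rsplit("\\", 1)[1], "value": name,
                             "image": base, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG_EXPORT, SAMPLE_FILES_PRESENT):
        print(f"{f['key']}\\{f['value']} -> {f['image']}: {'; '.join(f['reasons'])}")
```

On a live machine the export comes from `reg export` of each key; the script then needs only the real file list in place of the constructed set. An orphaned entry with no file behind it is worth recording before cleanup, since it is often the only trace left of what ran at startup.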
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    angelo,

    Hard to say without the files. Please submit them to Eset for further investigation.

    regards.

    paul
     
  3. angelo_lopes

    angelo_lopes Registered Member

    Joined:
    Mar 6, 2004
    Posts:
    145
    Location:
    Porto, Portugal
    thanks for your reply, Paul. I'll do what you say.
    cmd32.exe is not there, only the registry entry.
    netd32.exe is ready for sending. Can you please be
    so kind as to give me ESET's e-mail address for
    sending files for analysis?

    Meanwhile I've been making some further investigations
    and found both files always related to viruses and _never_
    being part of the OS.

    Best regards,
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    angelo,

    you can submit the file(s) to samples@eset.com .

    regards.

    paul
     
  5. angelo_lopes

    angelo_lopes Registered Member

    Joined:
    Mar 6, 2004
    Posts:
    145
    Location:
    Porto, Portugal
    I did it just now with a copy to my work e-mail, and immediately received this (both e-mail addresses faked here):

    Kaspersky Anti-Virus reports a problem: you sent a message with a virus !
    In the following message:
    ----------------------
    From:angblahelo@blahblah.com
    To:a.lopes@blahxyz.pt
    Sent on:15/03/04 00:07:08

    netd32.exe(application/octet-stream)   infected   Backdoor.IRCBot.gen

    ----------------------

     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Angelo,

    That makes sense in case you are running KAV as well. Disable KAV when sending such an email.

    On a side note: having more than one resident antivirus running might easily conflict. Better to run just one resident, and the other(s) on demand.

    regards,

    paul
     
  7. angelo_lopes

    angelo_lopes Registered Member

    Joined:
    Mar 6, 2004
    Posts:
    145
    Location:
    Porto, Portugal
    No Paul. Sorry that English is not my mother language, maybe I didn't make myself clear. :)
    Before I install NOD32 on any computer, I _always_ uninstall any other AV software.

    I sent the file to samples@eset.com from home, with a copy to my e-mail address on my firm as I wrote.
    Here on my firm (I am working now :D) I have a firewall running Linux. I have qmail to relay mail to our Lotus Domino Server. The firewall has KAV installed, and it was KAV that detected the virus. Do you understand?
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Angelo,

    Thanks for the explanation. Yes, I do understand ;)

    regards.

    paul
     
  9. angelo_lopes

    angelo_lopes Registered Member

    Joined:
    Mar 6, 2004
    Posts:
    145
    Location:
    Porto, Portugal
    If you agree I'll post here ESET's reply ...should they answer me.
    They usually don't, but this is a matter for another post, which I'll post here one day when I have time.
    I think I am on your "wave" Paul, fighting to show the world there is a better AV product.
    Not a supermarket AV like Norton and McAfee, and not bloatware like KAV.
    Regards,
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Sure; be our guest.

    I'm just an admin over on this board - not an Eset employee ;).

    Well, in my opinion everyone should go for the AV s/he feels most comfortable with. Personally, I do prefer NOD32 without any doubt. And since we are not into software bashing on this board, please let's refrain from negative comments on other AVs ;)

    regards.

    paul
     
  11. angelo_lopes

    angelo_lopes Registered Member

    Joined:
    Mar 6, 2004
    Posts:
    145
    Location:
    Porto, Portugal
    You're right, and I like to read your words.
    Regarding the "others", better is not to have to say sorry,
    but they owe me too much time far from my family, my friends,
    my hobbies. I know you understand. ;)
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    bashing post from nameless removed.

    paul
     
  13. angelo_lopes

    angelo_lopes Registered Member

    Joined:
    Mar 6, 2004
    Posts:
    145
    Location:
    Porto, Portugal
    Re: netd32.exe & cmd32.exe worms not detected by NOD32

    Paul
    March 15, 2004 I sent the file netd32.exe to samples@eset.com.
    One month later I didn't get one single word from them.
    Don't you think I am really patient? You offered to "jump in" in case of necessity. I think it's, unfortunately, necessary. :(
     
  14. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Re: netd32.exe & cmd32.exe worms not detected by NOD32

    Does NOD32 detect this worm now? If it does, that's all you need really.

    On a side note: keep in mind that many AV companies employ a robotic submission system where a machine answers you and not a live person. Interaction is not possible at all. IMHO I find this useless as well. ;)

    Technodrome
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: netd32.exe & cmd32.exe worms not detected by NOD32

    When submitting a sample to Eset, it's recommended that you zip it and protect it with a simple password (don't forget to include the password in the email so that we can unzip it here ;-).
     
  16. angelo_lopes

    angelo_lopes Registered Member

    Joined:
    Mar 6, 2004
    Posts:
    145
    Location:
    Porto, Portugal
    Re: netd32.exe & cmd32.exe worms not detected by NOD32

    eh eh eh. Oops, I'm sorry.
    I am going to zip, password protect, and resend the file to Eset.
    Hopefully they will answer me o_O

    Best Regards,
     