New virus but Nod doesn't find it.

Discussion in 'NOD32 version 2 Forum' started by guilijan, Jul 6, 2006.

Thread Status:
Not open for further replies.
  1. guilijan

    guilijan Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    206
    I've done a full online scan with Kaspersky and it found a virus, Trojan-Proxy.win32.Horst.bl, in C:\archivos de programa\ESET\Cache\FND0.NFI.
    After that I did a scan at http://virusscan.jotti.org/
    and:
    Dr. Web found Trojan.Spambot
    F-Prot found W32/Methodbod.gen
    BitDefender found Trojan.Proxy.Horst.Q
    Kaspersky found Trojan-Proxy.Win32.Horst.bl

    Look where the file is.

    I've sent the file to Eset but no answer yet.
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi guilijan, welcome to Wilders.

    This Trojan is detected by NOD32 as Win32/TrojanProxy.Horst.BF

    Please check your settings against those found in this thread and run a further scan.

    Cheers :D
     
  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    False positive from KAV?

    https://www.wilderssecurity.com/showthread.php?p=772989#post772989

     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  5. guilijan

    guilijan Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    206
    Hi, thanks for your answer, but Nod doesn't find it.
    I did a scan with it and it didn't find anything.
    Then, after the Kaspersky scan, when it found it, I did a file scan with http://virusscan.jotti.org/ and it says Nod didn't find anything, as I knew, but says that Kav, DrWeb, F-Prot and BitDefender found a trojan.
    So I did a new file scan with Nod (1.1647) and again it didn't find anything.
    I sent the file to Eset but no answer yet, so I don't know what to do with the file.

    False positive from Kav?
    And F-Prot?
    And DrWeb?
    And BitDefender?
     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    What is there for Nod to find, since it is already in Nod's cache from a previous Nod find? :doubt:
     
  7. guilijan

    guilijan Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    206
    Bubba, sorry but I don't understand you.
    Do I have a trojan or not?
    And most important, what to do with it?

    Oh, I remember that some days ago I used Kav 6.0.300, the latest version.
    So I set it not to start with WXP and installed Nod to see how it works, and it found this trojan in Windows System (as far as I can remember it was smss.exe or something like that). Of course I deleted it with Nod and uninstalled Kav, and now I'm using Nod.
    So can it be that the file in the cache is the one that I scanned and deleted?
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I suggest you visit the link I placed in my first post above and read the posts by Marcos concerning this where he states it is a False positive and also posts what you can do with it.
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No, you do NOT have a trojan at all.

    Nothing, there is nothing wrong with that file, see the link Bubba posted.

    Cheers :D
     
  10. guilijan

    guilijan Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    206
    Thanks for your advice.
    I will delete it.
    Sorry guys, but I speak Spanish and there are some words that I don't know how to say in English.
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No worries.

    Cheers :D
     
  12. ragnarok

    ragnarok Registered Member

    Joined:
    Jul 14, 2005
    Posts:
    36
    This type of file is, just as pointed out in the link given by Mr. Bubba, information about viruses/trojans/etc. that NOD32 has previously neutralized, so there is nothing to do there; they are false positives for the other antivirus products that detect them (you can check this in your virusscan Jotti link, they have already been reported as such).
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    NQI files only contain information about files detected by NOD32 that are stored in NOD32's quarantine.

    If an AV detects them, it's a serious FALSE POSITIVE as it does not contain anything malicious, just information about a particular file.

    NOD32 detects all variants of TP.Horst by ThreatSense without update.

    I'd suggest you check files at Virus Total (www.virustotal.com) which gives 100% correct results. Sometimes files uploaded to Jotti's scanner are shown as undetected though they actually are.
     
  14. Schouw

    Schouw AV Expert

    Joined:
    Jan 4, 2004
    Posts:
    29
    Location:
    Netherlands
    Both in this thread and in the thread that is referred to, the reports talk about NFI files, not NQI files, Marcos. :)

    NFI files are XORed (encrypted) (malware) samples from NOD's quarantine which KAV is able to unpack.

    So, those detections from KAV are definitely not false positives.
     
  15. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Your NOD32 previously detected this Trojan and put it into quarantine as an NFI file. No worries. ;) You could leave it there or delete it. NOD32 protects you anyway against it. :)
     
  16. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Any detection of an NFI or NQI file from the NOD32 quarantine is a false positive.

    If you do not want these files kept in the NOD32 quarantine you are free to delete them.

    A detection of an encrypted, unexecutable file is a serious false positive.

    Cheers :)
     
  17. Schouw

    Schouw AV Expert

    Joined:
    Jan 4, 2004
    Posts:
    29
    Location:
    Netherlands
    Of course not. NQI yes, but not NFI. NFI files are simply encrypted versions of files.
    But when you decrypt it, it's executable. ;)
    So it's not a false positive.

    test.nfi packed PE-Crypt.XorPE
    test.nfi infected Trojan-Proxy.Win32.Horst.bl

    Perhaps it's time that someone gives me an AV expert tag. :)
     
  18. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Of course it's executable when it's decrypted, but it's not, is it?
     
  19. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I have often wondered how people "get" that tag: do you have to ask for it? lol
     
  20. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Schouw is an AV expert, he works for Kaspersky ;)
     
  21. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    As long as the file is XOR'ed, this particular file is not executable via CreateProcess, the ShellExecute API or whatever. However, I do partly agree with Schouw that it's not really a completely false positive. The reason is that a lot of droppers use such XOR'ed files, meaning they carry a XOR'ed (malicious) file at the end of their own file (or somewhere else "inside"), drop it, decrypt it with the correct XOR key and execute it. Now, since XOR'ing is a well-known (older) X-Ray method, and because it goes reasonably faster than brute-forcing other algorithms (such as combined ROR/ROL/NEG/SUB/ADD/XOR etc.), some of the vendors have included it in "generic file processing". We did this too, for example; the reason is stated a few lines before. I mean, a simple XOR encryption is one of the oldest (and easiest) tricks to hide malware. Basically XOR'ing is enough to prevent execution by accident in quarantine, but it is not a reason to claim that other AV vendors have "false positives" on it.
     
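The X-Ray idea Inspector Clouseau describes, as an added example (not code from this thread, from NOD32 or from any vendor): a constructed PE-like image is XOR'ed with one byte, which is enough to destroy the MZ signature so the Windows loader will not run it, and a scanner recovers it by trying all 256 keys against known plaintext (the MZ/PE signatures and the DOS stub string). The sample image, the key 0x5A and the function names are constructed for this demo.

```python
import struct

# Known plaintext an X-Ray scan looks for once a candidate key has been applied.
DOS_STUB = b"This program cannot be run in DOS mode."

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR over the whole buffer; encryption and decryption are identical."""
    return bytes(b ^ key for b in data)

def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ signature, sane e_lfanew and a PE\\0\\0 header there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return (e_lfanew + 4 <= len(data)
            and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00")

def xray_single_byte_xor(blob: bytes):
    """Brute-force all 256 keys; return (key, plaintext) for the first PE image found, else None.
    Key 0 is the identity, so an already-plain PE is reported with key 0."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate) and DOS_STUB in candidate:
            return key, candidate
    return None

def make_sample_pe() -> bytes:
    """Constructed minimal PE-like image for the demo; it is not a real, runnable executable."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)      # e_lfanew: PE header at offset 0x80
    header[0x40:0x40 + len(DOS_STUB)] = DOS_STUB     # DOS stub text used as known plaintext
    return bytes(header) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18

if __name__ == "__main__":
    sample = make_sample_pe()
    quarantined = xor_bytes(sample, 0x5A)           # constructed key; products use their own
    print("quarantined copy looks like PE:", looks_like_pe(quarantined))   # False
    key, recovered = xray_single_byte_xor(quarantined)
    print("recovered key 0x%02X, matches original:" % key, recovered == sample)
```

The quarantined copy fails the PE check, so nothing will load it, yet a scanner that X-Rays single-byte XOR recovers the original in at most 256 attempts; that is why a detection on such a file is neither a plain false positive nor evidence of an active infection.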
  22. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Thanks for the clarification, Inspector. I'll take that on board.

    Would it be better then to say 'unnecessary positive', since detecting files encrypted and quarantined by an AV serves no real purpose in threat protection?
    Obviously if an AV checks for an XOR result it cannot be expected to take notice of whether a file is in a quarantine folder or not, since this would result in a security hole, but surely not every file is XOR-ed and the result re-tested....?

    My point is that it's confusing for people. Note the original poster's confusion, and hence the reason this thread was started, was because a file that in its present benign state was detected as a threat, causing that user to become worried they may have had an active threat on their PC, which in this instance was clearly not the case.
     
    Last edited: Jul 8, 2006
  23. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Ok....let's set aside the use of the words "false positive"....what should the thread starter get out of all this as it relates to Nod support?

    That NFI or NQI files contained in Nod's quarantine are prevented from execution, and to be aware that from time to time other AVs will report malware found in Nod's cache after they have been unpacked by other AVs during a scan.

    :doubt:
     
  24. guilijan

    guilijan Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    206
    Hi, it's me again.
    I think (in my poor English) that Nod and Kav are the best antivirus, at least for home users.
    I've used Kav for a long time, but when I tried Nod to see how it works (two or three weeks ago) it found a virus in Windows-System as I said before, smss or something like that.
    Of course I sent that file to Kav and they answered me in about five minutes saying that it was a virus (I don't remember the name, but trojan horse x x x x x).
    Then I decided to uninstall Kav and go ahead with Nod.
    But when I did the Kav online scan that led to this thread, Kav found a virus as I said.
    So I was going crazy.
    Thanks to the people that answered my post I feel good again.
    Perhaps Nod must answer more quickly, because I sent the file to Nod and today no answer, and I think they will never answer me.
    That is a point to Kav.
    Thanks to all who discussed this problem.

    You can see my questions in the Kav forum about my first problem:
    http://forum.kaspersky.com/index.php?showtopic=16080&hl=
     
  25. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    This has already been discussed earlier; Eset does not answer any emails regarding virus samples. If the sample is malware, it will be detected on a priority basis.

    Anyway, I agree with Inspector Clouseau on this, it's not really a false positive or false negative IMO.
     