NOD 32 VS Smitfraud?

Discussion in 'NOD32 version 2 Forum' started by TSP, Jul 7, 2007.

Thread Status:
Not open for further replies.
  1. TSP

    TSP Registered Member

    Joined:
    Jul 7, 2007
    Posts:
    2
    Just curious as to how effective NOD32 is against smitfraud-ebay whatever, which is a hybrid Trojan, malware, spyware, phishing etc. I figured Norton AV 2007 w/ Norton Firewall along w/ Ad-aware 2006 Pro should have been enough, but I guess not.

    I had a date with Smitfraud 3 weeks ago and found myself reformatting because the patches that claimed to remove it didn't, and I also found 1k racked up on my credit card (thanks for the great protection, Norton).

    So anyway, have there been tests done on this specific hybrid virus? And can NOD32 handle this nasty thing?

    Thanks,

    TSP

    P.S. I am using my 30 day trial.
     
    Last edited: Jul 7, 2007
  2. codpet

    codpet Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    28
    I have never heard of that threat - but I hope you don't run across W32.SpyBot.Worm. I know for a fact that NOD32 can't pick that one up.

    I spent hours cleaning up the mess on our network yesterday. Granted Norton Corp picked up the threat, it only did so with the latest definitions from that very day, and the worm was still screwing the Norton installation up.

    I haven't come across any product that can detect everything. Even though the threat was very apparent, it was still not detected by a few products I used to try and remove it.
     
  3. TSP

    TSP Registered Member

    Joined:
    Jul 7, 2007
    Posts:
    2
    Codpet, just hope smithfraud aka smitfraud does not get on your network. I do not want to even imagine what that thing could do on a network. It is not very common; however, after doing research on it I had found it to be one of the worst.
     
  4. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I've run across Smitfraud many times (on clients' PCs...not mine)...it's a very aggressive malware that constantly changes. Many variants of it...Spyfalcon, Spysheriff, etc. I've not seen any antivirus program that can remove it...I've always resorted to the special removal tools you can easily find for this infection at BleepingComputer, along with some other tools I commonly use such as the TCP/Winsock repair utility, manual cleaning, Spybot S&D, SuperAntispyware, etc. I've seen some variants of this bugger make it onto computers that have NOD32 installed also...regardless of settings.
     
  5. ASpace

    ASpace Guest


    And as with everything on this planet, even these tools aren't perfect. Once in December last year, I used all the tools + AutoRuns + scan with Spybot S&D and Ad-Aware and even after that NOD found six more files that belonged to the malware ;)
     
  6. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England

    6x that it didn't find in the beginning?
     
  7. jayps

    jayps Registered Member

    Joined:
    Jul 19, 2007
    Posts:
    5
    Hi All,

    On one of my PCs I had smitfraud-c, detected but not cleaned by Spybot S&D, but not detected at all by NOD32.
    Another incident was a bt848rom.dll - a variant of Win32/Spy Goldun.GU trojan which was starting all services, including NOD32. Detected but not cleaned by NOD32.

    Both incidents reported. No reply received.

    Today, another user called me to say that when he uses his USB at home, his McAfee detects that it is infected with a trojan. Upon checking the PC, it has the latest updates for NOD32; I did an in-depth scan and it found nothing. Further investigation showed the trojan is songs.exe, maybe a renamed my documents.exe, possible brontok variant? I manually deleted the file, edited registry etc. Submitted the file to Eset, hopefully I get a reply.
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi jayps, welcome to Wilders.

    Please read this thread on dealing with infected systems and file submission.

    Blackspear.
     
  9. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    But that thread says nothing about Brontok. A client of mine brought his NOD32-protected laptop over last weekend, because it was playing up. It turned out he had acquired Brontok recently, and it had got by NOD32's defences.

    I've seen Spybot Search and Destroy find instances of SmitFraud and freeze up trying to remove them. Repeated reboots and rescans eventually break SmitFraud into submission, but you have to be patient. S&D often appears stuck, when, in fact, it is busy cutting out crud from your forest.

    Perhaps, you ought to be thinking of making NOD32 less signature-dependent. I have never got infected by trojans or viruses while running MJ Registry Watcher - it always spots anything trying to set itself to auto-run. Couple that with an anti-rootkit program like Sophos' offering, and S&D, I run very clean systems wherever I go.
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It does, if your system is infected after running scans with NOD32, then run the tools mentioned and email support.

    Blackspear.

    PS. if you are still having update issues, send me a PM.
     
  11. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Ugh..I just had a new variant of Smitfraud sneak into a lappy that was running NOD last week. Smitty is a nasty one.
     
  12. jayps

    jayps Registered Member

    Joined:
    Jul 19, 2007
    Posts:
    5
    Thanks Blackspear.

    I actually sent the infected file via the web today and to my vendor via email. It is very strange that their NOD32 detected the malware while mine didn't.

    From vendor email:
    ***********************
    A virus (TROJ_VB.CBJ) was detected in the file (SONGS.rar/SONGS.exe). Action taken = remove
    ***********-***********
    __________ NOD32 2405 (20070718 ) Information __________

    This message was checked by NOD32 antivirus system.
    http://www.eset.com

    My NOD32 version across my clients:
    NOD32 antivirus system information
    Virus signature database version: 2406 (20070719)
    Dated: Thursday, July 19, 2007
    Virus signature database build: 10349

    Information on other scanner support parts
    Advanced heuristics module version: 1.064 (20070717)
    Advanced heuristics module build: 1163
    Internet filter version: 1.002 (20040708 )
    Internet filter build: 1013
    Archive support module version: 1.055 (20070712)
    Archive support module build version: 1192


    Then I saved the file to c:\temp\virus\ and made NOD32 scan the folder. I got this:
    Scan performed at: 07/19/2007 18:33:17 PM
    Date: 19.7.2007 Time: 18:33:29
    Anti-Stealth technology is enabled.
    Scanned disks, folders and files: c:\temp\virus\
    c:\temp\virus\SONGS.rar »RAR »SONGS.exe - is OK
    Number of scanned files: 1
    Number of threats found: 0
    Time of completion: 18:33:29 Total scanning time: 0 sec (00:00:00)



    I'll try to do what's posted in the link tomorrow.
     