Nod Captured A Trojan Today

Discussion in 'NOD32 version 2 Forum' started by Mr2cents, Feb 16, 2005.

Thread Status:
Not open for further replies.
  1. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    I've been trialing Nod32 for about 20 days. I always practice safe computing. However, I wanted to take Nod to the dark side of the web... just to see if I could catch a trojan, or virus, or malware :D After all, I'm thinking pretty seriously about purchasing Nod. So I wanted to see Nod in action in the real world, not on a test.

    So we start our journey... armed with Nod32 and BOClean. Okay bad boys... come out wherever you are :D It didn't take long to find one. I entered a website, then proceeded to click on a link. That's all it took, just one link. I got lucky... didn't even have to click on a second link. See screenshot.

    The full name of the trojan is: JS/TrojanDownloader.lstBAR.A trojan. I couldn't find any information on this trojan by Googling it. However, it tries to install a toolbar on Internet Explorer. I was running Mozilla Firefox. After quarantining the trojan... I see a sign that says... For IE users only. :D
     

    Attached Files: Nod1.jpg (27.5 KB)
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,724
    Location:
    Texas
  3. Big D1

    Big D1 Registered Member

    Joined:
    Aug 20, 2004
    Posts:
    68
    ronjor, agree with you 100%.

    Just last night, my son went to surf some kiddy game website, and IMON detected TrojanDownloader.Rameh.C trojan in a cab file from what appears to be right on the website's home page. Since I have two kids, and they both are very aware of the dangers of surfing, I have IMON set to automatically terminate the connection, so there were no files saved, and there was nothing to clean.
     
  4. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Imagine that...another hit out of the park for NOD :D
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Have you read through Extra Settings for Nod32 in regards to Eset's use of the word "Quarantine"? That thread also shows you how to tweak up Nod32 to the maximum.

    Hope this helps...

    Cheers :D
     
  6. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Hi Blackspear. Yes, I have Nod tweaked just like your tutorial says. When Nod caught the trojan, I just checked the quarantine box and terminated the connection :D
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    That's good, just wanted to check ;) :D


    And you do understand that Quarantine only makes an encrypted "copy" of the infection, it does NOT isolate the file.

    Cheers :D
     
  8. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    After Googling the file to see what this trojan does, I couldn't find any info, so I deleted the file. I rebooted and ran a virus scan... just to be sure it was gone. The scan came up clean. No infections found. I also ran Ad-Aware and Spybot and they found nothing. :D No, I didn't know that it didn't isolate the file :eek:
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    That's what I thought, and also wanted to make sure that you did understand this. I have highlighted the fact several times in Extra Settings for Nod32, but being human we all tend to fly past something at some point in time ;) :D

    Cheers :D
     
  10. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Thanks for the info Blackspear. I think I had better go back through the tutorial again. :D Just to be sure :eek:
     
  11. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    You guys are so right. I just checked the CyberTech Help Forum and got a trojan on the first page. IMON terminated him and after running a scan I am clean. However, one question: is there any way to remove the instance of the trojan in IMON without rebooting?
     
  12. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    I have a question. I've got Nod set up to clean first, and if cleaning isn't possible then to quarantine. When IMON detects a virus... see screenshot... do I just click "Terminate & Disconnect", or must I put a checkmark inside the quarantine box and then click "Terminate & Disconnect"?
     

    Attached Files: nod5.jpg (48.6 KB)
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,724
    Location:
    Texas
    Terminate the connection. Nothing makes it to your hard drive so there is nothing to quarantine.

    I would read through Blackspear's tutorial as well as the Nod support page so you are clear on these options.

    http://www.nod32.com/scriptless/support/nodfaq2.htm
     
    Last edited: Feb 16, 2005
  14. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Thanks for replying, ronjor. I've read through Blackspear's tutorial twice. This was the only thing that was confusing to me. I had previously been putting a check mark in the quarantine box, and then terminating the connection. Thanks for clearing this up for me. Thanks for the link to the FAQ on Eset's homepage. I haven't seen those before. :D
     
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,724
    Location:
    Texas
    I believe the quarantine function may be changed in upcoming versions.
    Maybe things will get better. :)
     
    Last edited: Feb 16, 2005
  16. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Actually the trojan I thought I had gotten at Cyber Tech Help forums was a false positive. I had just installed adblock (an extension) in Firefox and it caused a false positive every time I visited that forum. Since uninstalling adblock I no longer get the trojan.
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If the HTTP scanner in IMON detects a probable unknown virus via heuristics, the Copy to quarantine button (named Quarantine in the current version) is already ticked automatically.
     
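    The thread makes three separate points about what the IMON buttons actually do: Blackspear's note that "Quarantine" only writes an encrypted copy and does not isolate the file, ronjor's point that "Terminate & Disconnect" means nothing reaches the disk so there is nothing to quarantine, and Marcos's note that a heuristic detection pre-ticks the copy-to-quarantine box. The following is an added illustration written for this page, not ESET code and not NOD32's real file format or signature database: a toy HTTP-content filter and on-disk quarantine model. The signature string, the XOR "encoding" of the quarantined copy, the `.nqf` extension and the sample HTML are all constructed for the example.

```python
"""Toy model of the actions discussed in the thread: terminate vs. quarantine copy.
Added illustration for this page; not ESET/NOD32 code."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample signature (hypothetical detection name; not a real signature).
SIGNATURES = {
    b"installToolbar(": "JS/Example.ToolbarDownloader",
}


@dataclass
class Verdict:
    detection: Optional[str]
    action: str      # "pass" | "terminated" | "quarantined"
    delivered: int   # bytes of the response body that reached the browser/disk


def scan(payload: bytes) -> Optional[str]:
    """Plain substring signature match; returns the detection name or None."""
    for sig, name in SIGNATURES.items():
        if sig in payload:
            return name
    return None


def quarantine_copy(data: bytes, quarantine_dir: str, label: str) -> str:
    """Write an obfuscated COPY of the sample so it is inert on disk.
    XOR with a fixed key stands in for the product's encryption and is not
    cryptographic; the point is that this copies, it does not remove."""
    encoded = bytes(b ^ 0x5A for b in data)
    digest = hashlib.sha256(data).hexdigest()[:16]
    path = os.path.join(quarantine_dir, f"{label}-{digest}.nqf")  # hypothetical extension
    with open(path, "wb") as f:
        f.write(encoded)
    return path


def http_filter(body: bytes, quarantine_dir: Optional[str] = None) -> Verdict:
    """Model of an HTTP scanner sitting in front of the browser: on a match the
    connection is terminated and the body is never delivered. If quarantine_dir
    is given (the 'Quarantine' box ticked), an encoded copy is kept for analysis
    before the body is dropped; either way zero bytes reach the target."""
    name = scan(body)
    if name is None:
        return Verdict(None, "pass", len(body))
    if quarantine_dir is not None:
        quarantine_copy(body, quarantine_dir, name)
        return Verdict(name, "quarantined", 0)
    return Verdict(name, "terminated", 0)


def on_access_quarantine(path: str, quarantine_dir: str) -> Tuple[str, bool]:
    """Model of quarantining a file already on disk: an encoded copy is created,
    but the original is left exactly where it was (it is not isolated)."""
    with open(path, "rb") as f:
        data = f.read()
    name = scan(data) or "unknown"
    qpath = quarantine_copy(data, quarantine_dir, name)
    return qpath, os.path.exists(path)


def demo() -> dict:
    """Run the model on constructed input and return the observable outcomes."""
    tmp = tempfile.mkdtemp()
    qdir = os.path.join(tmp, "quarantine")
    os.makedirs(qdir)
    malicious = b"<html><script>installToolbar('ie-only');</script></html>"  # constructed
    benign = b"<html><body>hello</body></html>"                             # constructed
    results = {
        "benign": http_filter(benign),
        "terminated": http_filter(malicious),
        "terminated_with_copy": http_filter(malicious, qdir),
    }
    # A file that already made it to disk, then gets "quarantined".
    infected = os.path.join(tmp, "page.html")
    with open(infected, "wb") as f:
        f.write(malicious)
    qpath, still_there = on_access_quarantine(infected, qdir)
    results["disk_copy_exists"] = os.path.exists(qpath)
    results["original_still_present"] = still_there
    with open(qpath, "rb") as f:
        results["copy_inert"] = scan(f.read()) is None  # encoded copy no longer matches
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)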
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Very nice Marcos, thanks for this information...

    Cheers :D
     