Nod detection

Discussion in 'NOD32 version 2 Forum' started by ellison64, Jan 22, 2005.

Thread Status:
Not open for further replies.
  1. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    I just downloaded a programme called secretary organiser from here...

    ~ snip ~ please do not post links to Trojans ~ Blackspear

    It seems a reputable site however that file secratary.exe contains a trojan ..identified by tds3 as

    scan Control Dumped @ 12:47:19 22-01-05
    Positive identification: TrojanDropper.Win32.Small.nm
    File: c:\downloads\secretary.exe
    Boclean also halts detects it (after execution)and stops it...

    01/21/2005 20:47:52: C:\WINDOWS\SYSTEM\SRCHBAR.DLL
    Trojan horse was found in above file
    SEARCHBAR6 TROJAN STOPPED by BOCLEAN!
    Active trojan horse was shut down. System now safe.
    Trojan horse was removed, registry cleaned.

    What i cant understand is that none of nods "profiles" detects it even though they have full seetings enabled i.e scan all files run packers etc,deep heuristics.Yet when i execute the file nod does pop up with this...
    file
    C:\windows\system\~glh0002.tmp
    virus
    win32 trojandownloader .agent.y trojan
    How does nod detect after execution but not before if the settings are all teh same in all profiles?.
    tia
    ellison
     
    Last edited by a moderator: Jan 22, 2005
  2. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    sorry for the link blackspear.I wasnt sure whether to post it.However as the site is reputable , and many people are sure to download from the site , then isnt naming the file and the site, in the intrests of those that dont want to inadvertently get infected ?It seems odd to me to snip the site name (unless its some warez site of course)as it warns potential downloaders to the dangers.
    ellison
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,763
    Location:
    Texas
    Did you by chance notify that site of a possibly infected file?
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Just don't want the innocents wandering there and trying out their anti-viruses to see if it works or not.

    Can you please send an email to support@nod32.com with the link and also a link back to this thread.

    Let us know how you go...

    Cheers :D
     
  5. Atangel

    Atangel Registered Member

    Joined:
    Aug 29, 2004
    Posts:
    53
    It is an expectation thing, I think most AV catch viruses, but aren't great with trojan. Most anti-trojans are great with trojans, but aren't anything like any good with viruses...

    It's why I have both, and so do you (TDS)!

    But the other thing is that sometimes neither product will see the nasty until it runs, for whatver reason.... compressed, encrypted, etc. It isn't until it runs that it look familiar.
     
  6. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    ronjour...
    Im not exactly sure how to as i cant find any contact info.I have however posted in the forums there pointing out the trojan in the file.

    Blackspear...
    have done as you requested.

    Atangel...
    Yes its a good idea to have layered security.Possibly the detection after running is maybe a file of somesort being planted in system folder .

    ellison
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,763
    Location:
    Texas
    Great ellison64! Thanks for the feedback.
     
  8. oops

    oops Guest

    NOD doesn't unpack, on-demand scanner will detect
    it..If you open the file AMON will catch it.. Happened to me last week, that's why BOclean is on my machine..
     
Thread Status:
Not open for further replies.