nod doesn't catch NTOS trojan

Discussion in 'NOD32 version 2 Forum' started by mantra, Mar 16, 2008.

Thread Status:
Not open for further replies.
  1. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    Hi
    Yesterday I downloaded a program "Capture One" from a mirror.
    It's a 50 MB program.
    I clicked on the install, and after some time the setup told me "it's for 64 and not for 32bit".

    Well, this made me suspicious.
    I ran ThreatFire and re-installed the program.
    ThreatFire detected & blocked the files; I sent these files to VirusTotal and they are an exe, video.dll and audio.dll: they are the NTOS trojan.


    Well, I have the latest version of NOD32 2.7, latest build.


    Why doesn't it catch them?

    Thanks

    PS: can NOD32 run in safe mode, or does it have a command line to clean the files at boot, like Avast?
     
  2. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    It depends on two things: a) you might have a new variant that's not detected yet, and b) your settings might not allow detection (although I doubt it).
     
  3. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hi, submit those files in a password-protected archive (password will be "infected") to samples[at]eset[dot]sk for analysis.

    You can delete these files with Avenger. Run the exe file and write this:

    Code:
    Files to delete:
    full paths of files in successive lines
    * If files are located in the same folder, use "Folders to delete:"

    Click on "Execute", OK, the computer will be restarted.

    I don't recommend using Avenger and similar utilities for beginners! Better is using Avenger after applying some utility, e.g. UPM.

    You can use MoveOnBoot, too.
     
    Last edited: Mar 16, 2008
  4. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Hi mantra. I suggest you post a hijackthis log at a malware removal forum.

    thanatos
     
  5. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    The link of UPM is dead :thumbd:
     
  6. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hi thanatos, today's malware is getting better and better. My testing says that some samples can hide from HijackThis (and it wasn't a rootkit). ;)

    Why? It is a support forum.
     
  7. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    It's a shame that NOD32 did not detect it,
    but can I know if it encrypted my HDs? I have many HDs.
     
  8. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    Now the link is working.

    But is UPM a software or a forum?

    By the way, is the alternative to Avenger MoveOnBoot?
     
  9. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Last time, when I cleaned an infected PC with this sample, it was written in a few Registry values. But you can't delete the whole value, you can only repair it. ;)

    Software, sure; yes, MoveOnBoot can be an alternative.
     
  10. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Renaming hjt helps.

    Maybe it's a new variant of NTOS. Go to the following links to know more about the trojan.

    http://www.prevx.com/blog/31/Ransomware-Holding-Corporate-America-Ransom.html
    http://www.gamerswithjobs.com/node/37494?page=1

    thanatos
     
  11. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    Last edited: Mar 16, 2008
  12. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    You can try this removal tool by Prevx.

    Maybe the execution of NTOS was blocked by ThreatFire. However, I still insist you go to a malware removal forum.

    thanatos
     
    Last edited by a moderator: Mar 16, 2008
  13. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
  14. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    The trojan will encrypt your files and drives once it is executed. However, maybe ThreatFire blocked ntos.exe from running. Just to be sure whether you're infected or not, post an HJT log at a malware removal forum. Choose one forum from here.

    thanatos
     
  15. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
  16. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Mantra,

    You have an active thread on the topic here, please keep the discussion localized in this thread. The members already responding here clearly have the knowledge to answer the question posed, or you could perform a generalized Internet based search and obtain the same information.

    As for the current status of your machine, if you're guessing as you indicate, it's probably time to avail yourself of some of the excellent advice already offered and validate the state of your system via assistance rendered at a malware removal forum.

    Blue
     
  17. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    Sorry BlueZannetti,
    other operators advised me to open in another forum;
    I think that I did not understand the advice well.
     
  18. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    Thanks,
    I will do it,
    but which software can I run to be sure I haven't got it on my PC any more,
    and can I know if it did start to encrypt my files?
     
  19. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
  20. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Mantra,

    As always, understand in detail what is in front of you prior to performing any task. In part, that is why thanatos_theos has been insistent that you visit one of the malware removal forums presented in the list provided - once again, it is here.

    With respect to the specific malware that you appear to have been subject to, visit the links provided above. They are:
    • unRansom..Me! Prevx blog entry by Jacques Erasmus. This blog entry also has a technical analysis provided by Marco Giuliani (the pdf file containing that analysis is here - note this is a direct download link), read that as well since it provides some details which should allow you to assess whether you've been infected. As a caution, I do not know whether this information is dated, hence the guidance to consult with those involved in active malware removal. Their knowledge on this topic should be current.
    • Direct download link to the Prevx provided unransomme.exe. However, read and understand the blog entry before using this tool.
    The last thing is to set in motion a chain of events to address a situation that is incompletely characterized.

    Blue
     
  21. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    Thanks really to all,
    I really appreciate your help.
    This forum rocks! :thumb: :thumb: :thumb:

    well about

    I want to apologize, I did not understand well, English is not my language.
    By the way, thanks again!
     
  22. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Mantra,

    No problem. If something is not clear, just ask, although I do understand that if language itself is the issue - and that occurs in any diverse forum frequently - sometimes the need to ask is not obvious, which is why a bit of patience is also recommended for all.

    Also, my comments are not just for you, but for the reader at large. We've all run into situations (at times by our own hands) for which the cure was clearly worse than the problem that we were trying to address. We all need to be on guard against this particular issue, and it often is due to having incomplete understanding of the situation.

    Blue
     
  23. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    The first bytes of the encrypted files contain the string "GLAMOUR" followed by the encrypted data. The trojan then creates a read_me.txt file and drops it on all folders containing encrypted files.

    More info here.

    thanatos
     
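    The two indicators in the post above (a leading "GLAMOUR" string in each encrypted file and a read_me.txt dropped into every affected folder) are enough for a quick offline triage check of a drive. The script below is an added example, not code from this thread, from Prevx or from ESET; the function names (scan_tree, has_glamour_marker, build_sample_tree) are mine, and the sample directory tree it builds is constructed for the dry run rather than taken from a real infection.

```python
import os
import tempfile
from pathlib import Path

# Marker the post says sits at the start of every encrypted file.
GLAMOUR_MARKER = b"GLAMOUR"
# Ransom note the post says is dropped into each folder holding encrypted files.
RANSOM_NOTE_NAME = "read_me.txt"


def has_glamour_marker(path):
    """Return True if the file begins with the "GLAMOUR" marker string."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(GLAMOUR_MARKER)) == GLAMOUR_MARKER
    except OSError:
        # Locked or unreadable files are skipped rather than reported as hits.
        return False


def scan_tree(root):
    """Walk `root` and report marker-bearing files and note-drop folders.

    Returns a dict of sorted, slash-separated relative paths:
      "encrypted": files whose first bytes match the marker
      "notes":     folders that contain read_me.txt
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        for name in filenames:
            path = folder / name
            if name.lower() == RANSOM_NOTE_NAME:
                notes.append(str(folder.relative_to(root)).replace(os.sep, "/"))
            elif has_glamour_marker(path):
                encrypted.append(str(path.relative_to(root)).replace(os.sep, "/"))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def build_sample_tree():
    """Create a constructed directory tree (hypothetical, not real malware output)."""
    base = Path(tempfile.mkdtemp(prefix="glamour_scan_"))
    docs = base / "docs"
    docs.mkdir()
    # Constructed "encrypted" file: marker followed by arbitrary bytes.
    (docs / "report.doc").write_bytes(GLAMOUR_MARKER + b"\x8f\x12\x00ciphertext...")
    # Constructed ransom note next to it.
    (docs / RANSOM_NOTE_NAME).write_text("constructed ransom note placeholder\n")
    # An untouched file and a file shorter than the marker, both of which must not match.
    (base / "clean.txt").write_text("plain file, untouched\n")
    (base / "short").write_bytes(b"GLA")
    return base


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for kind, hits in scan_tree(sample_root).items():
        print(kind, hits)
```

    Point it at a real volume with scan_tree("D:/") once you have read the Prevx analysis linked above; a non-empty "encrypted" list is the answer to the "did it start to encrypt my files?" question, and the "notes" list tells you which folders to check first. The marker test is deliberately a prefix comparison only, so a legitimate file that merely contains the word somewhere inside is not flagged.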