Nod Just saved Me

Discussion in 'NOD32 version 2 Forum' started by jram, Nov 13, 2005.

Thread Status:
Not open for further replies.
  1. jram

    jram Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    3
  2. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    My guess is that the IMON portion of NOD32 saw that an adware file was downloading, so it interrupted the download. This accounts for the "site has no data" message. However, sometimes IMON can get overwhelmed, especially if the IMON --> Setup --> HTTP --> Client compatibility setting for Firefox is set to "Higher Compatibility". This is the default.

    Fortunately, AMON is still around to catch any files that slip through onto the hard drive. The location of this file is in the Firefox browser cache. Once the file was created, AMON got to it and put up a big stop sign before it could do anything.

    Just NOD32 doing its job. If you want to try "Higher efficiency" mode instead of "Higher compatibility", go to the location I mentioned above and double-click the red "Higher compatibility" text to change it.

    I myself run in "Higher compatibility" mode, so I do occasionally see the files that "slip through". However, I am comfortable enough with AMON that I trust it to catch what little does slip through. This is just my personal preference, though.
     
  3. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    You should be in no danger even if Firefox caches a malicious file. Firefox renames cached files so they cannot execute. The only way you would be in danger is if you purposely type about:cache into the location bar and press enter, then click 'list cache entries', then navigate to the file, save it and execute it.

    There is no support built into Firefox for vbs, activeX or other 'IE only' scripts so even if NOD had allowed the download of the file, all you would have needed to do to be rid of it would be to clear the Firefox cache.
     
  4. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Hi jram,

    Nod did you righteous!

    I'm a new Nod user and I opened Nod and was looking at Amon and discovered cookies.text file showing, and that's when it dawned on me it was scanning cookies also. It never occurred to me.

    I have been wondering why my other progies never find anything. I was questioning their reliability. Due to Nod being installed, that's the only assumption I can come to.

    Regards,
     
  5. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    The Win32 Sober Y worm which came in an email I got this afternoon was first captured today according to Virus Radar, yet I didn't see it in today's updates. How was it detected, heuristically or generic signature?

    PS The email was supposedly from the F.B.I.
     
    Last edited: Nov 21, 2005
  6. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Sober.Y is old in internet time. I have also seen a burst of them today at many sites.

    NOD32 - 1.1291 (20051118)
    Virus signature database updates:
    HTML/Exploit.Mht.BL, IRC/SdBot (2), Win32/Adware.SpySheriff, Win32/Agobot, Win32/Banito.AE, Win32/Bobax.AL, Win32/Brontok.S (2), Win32/Hupigon, Win32/IRCBot.PK (2), Win32/Modobot (2), Win32/Modobot.H (2), Win32/Mytob.MM, Win32/Mytob.MN, Win32/Mytob.MO, Win32/Optix.Pro.13, Win32/Rbot (7), Win32/Sealer.B (4), Win32/Small.FB (2), Win32/Sober.Y (2), Win32/Spy.007 Spy (2), Win32/Spy.Agent.CH, Win32/Spy.Banbra.DF, Win32/Spy.Banbra.DT (2), Win32/Spy.Bancos.JL (2), Win32/Spy.Bancos.U (5), Win32/Spy.Banker, Win32/Spy.Banker.NGV (2), Win32/Spy.Banker.NGW (2), Win32/Spy.Banker.VJ (2), Win32/Spy.Delf.LI (2), Win32/StartPage.ADH (8), Win32/StartPage.AFH (2), Win32/StartPage.AFJ (2), Win32/TrojanDownloader.Agent.BQ (5), Win32/TrojanDownloader.Banload.HU (2), Win32/TrojanDownloader.Banload.HV (2), Win32/TrojanDownloader.Banload.IA (2), Win32/TrojanDownloader.Banload.NAA (2), Win32/TrojanDownloader.Dadobra.FX, Win32/TrojanDownloader.IstBar, Win32/TrojanDownloader.Small.AOD (2), Win32/TrojanD
     
  7. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Thanks for the response. So how is it then that Virus Radar shows it as first captured 21/11/05?
     
    Last edited by a moderator: Nov 22, 2005
  8. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Most likely because that is the first time this particular server received it as Sober.Y. It could have been a variant of (i.e. 178. probably a variant of Win32/Sober ...) and then switched to the actual signature.

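The Hammer's question (why Sober.Y did not appear in the day's update list) and rumpstah's answer (it was probably first caught under the generic Win32/Sober family name and only later under its exact variant name) come down to reading the update listing and distinguishing an exact detection name from a family-level one. The following Python is an added example, not code from ESET or from anyone in this thread: it parses a listing in the "Name (n), Name, ..." shape quoted above into name/signature-count pairs and classifies a detection name as an exact hit, a family-only hit, or absent. The sample listing is a constructed excerpt in that format, and the rule that a trailing one-to-three-capital-letter component is the variant is an assumption about the naming scheme, not documented ESET behaviour.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the style of the update listing quoted in the thread
# (a short excerpt, not the full 1.1291 list); "(n)" = number of signatures added.
SAMPLE_UPDATE = (
    "HTML/Exploit.Mht.BL, IRC/SdBot (2), Win32/Adware.SpySheriff, "
    "Win32/Mytob.MM, Win32/Sober.Y (2), Win32/StartPage.ADH (8), "
    "Win32/TrojanDownloader.Banload.HU (2)"
)

# One entry: a detection name, optionally followed by " (count)".
ENTRY_RE = re.compile(r"^(?P<name>\S+)(?:\s*\((?P<count>\d+)\))?$")

# Assumed convention: a final component of 1-3 capital letters is the variant suffix.
VARIANT_RE = re.compile(r"^[A-Z]{1,3}$")


def parse_update(listing: str) -> Dict[str, int]:
    """Parse 'Name (n), Name, ...' into {detection_name: signature_count}.

    An entry without a parenthesised count is taken to add one signature.
    """
    entries: Dict[str, int] = {}
    for raw in listing.split(","):
        raw = raw.strip()
        if not raw:
            continue
        match = ENTRY_RE.match(raw)
        if match is None:
            raise ValueError(f"unrecognised update entry: {raw!r}")
        entries[match.group("name")] = int(match.group("count") or 1)
    return entries


def split_name(name: str) -> Tuple[str, str, Optional[str]]:
    """Split 'Platform/Family.Variant' into (platform, family, variant).

    'Win32/Sober.Y' -> ('Win32', 'Sober', 'Y')
    'Win32/TrojanDownloader.Banload.HU' -> ('Win32', 'TrojanDownloader.Banload', 'HU')
    'Win32/Adware.SpySheriff' -> ('Win32', 'Adware.SpySheriff', None)  # no variant suffix
    """
    platform, _, rest = name.partition("/")
    family, sep, last = rest.rpartition(".")
    if sep and VARIANT_RE.match(last):
        return platform, family, last
    return platform, rest, None


def classify_detection(name: str, update: Dict[str, int]) -> Optional[str]:
    """Return 'exact' if the name is in the update, 'family' if only the same
    platform/family is present (a generic detection, as rumpstah describes),
    or None if the family is absent altogether."""
    if name in update:
        return "exact"
    platform, family, _ = split_name(name)
    for entry in update:
        entry_platform, entry_family, _ = split_name(entry)
        if (entry_platform, entry_family) == (platform, family):
            return "family"
    return None


if __name__ == "__main__":
    update = parse_update(SAMPLE_UPDATE)
    for query in ("Win32/Sober.Y", "Win32/Sober.Z", "Win32/Netsky.Q"):
        print(f"{query}: {classify_detection(query, update)}")
```

Run against a real update listing, a result of "family" for a name like Win32/Sober.Z means the sample would be caught under the generic Sober signature even though no Sober.Z entry has been published yet, which is the situation rumpstah describes for the Virus Radar "first captured" date.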
     