NOD32/Eraser Issue

Discussion in 'NOD32 version 2 Forum' started by spy1, Jul 10, 2005.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Got this over-night (happened while computer was un-attended and doing a scheduled "Eraser" run of free disk space).

    Alert window said that the file had been quarantined, but when I searched the quarantine folder, it wasn't there.

    "In-depth" scan run immediately came up with no hits (clean).

    NOD's alerting on an Eraser v.5.7 "temp" file just about has to be a FP, right? Pete



    7/10/2005 8:39:06 AM - AMON - File system monitor Threat Alert triggered on NONE-WBYBJINPWT: C:\~ERAFSWD.TMP\HE545MVD.CSS is infected with VBS/Jesus virus.



    NOD32 antivirus system information
    Virus signature database version: 1.1164 (20050708)
    Dated: Friday, July 08, 2005
    Virus signature database build: 5857

    Information on other scanner support parts
    Advanced heuristics module version: 1.016 (20050616)
    Advanced heuristics module build: 1085
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1.032 (20050623)
    Archive support module build version: 1120

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.50.25
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.50.25
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.50.25

    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 2
    Version of common control components: 5.82.2900
    RAM: 1024 MB
    Processor: AMD Athlon(tm) Processor (1325 MHz)
     
  2. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Re: Jesus virus detection during Eraser run?

    I would send that file to support@eset.com and wait for answer from ESET.
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Jesus virus detection during Eraser run?

    That's a great idea, but the file doesn't exist anymore (the Eraser run was done by the time I got up this morning and Eraser deletes its own temp files at the end of the run).

    Just did a "Search" of all files and folders (including "Hidden" of course) for HE545MVD.CSS - nothing. Pete
     
  4. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Re: Jesus virus detection during Eraser run?

    My guess is that it is either a false positive or possibly maybe evidence of a long ago forgotten virus that you had removed from your computer (but traces were still lurking in the free space).
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Jesus virus detection during Eraser run?

    And my thought is that since it's just shown up after the latest update (not prior to that on any full scans), that it's a F/P of some kind. I'll just wait till tomorrow - maybe someone from eset will see the post then. Pete
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Jesus virus detection during Eraser run?

    Hello? Anyone from eSet around? Any thoughts on this? I noticed I did not get that alert anymore, even though I've been running Eraser nightly? Pete
     
  7. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Re: Jesus virus detection during Eraser run?

    Sounds like a one-time false positive to me (though I do not work for Eset).
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Jesus virus detection during Eraser run?

    Well, "one-time" might not be the best description. :D

    Meant to post it when it happened, but I've been a little busy lately:

    7/14/2005 8:01:07 AM - AMON - File system monitor Threat Alert triggered on NONE-WBYBJINPWT: C:\~ERAFSWD.TMP\TO7VZXG1.VBS is infected with probably a variant of HTML/Exploit.DragDrop trojan.

    Time: 7/14/2005 8:01:07 AM
    Module: AMON
    Object: file
    Name: C:\~ERAFSWD.TMP\TO7VZXG1.VBS
    Threat: probably a variant of HTML/Exploit.DragDrop trojan
    Action: quarantined - deleted
    User: NONE-WBYBJINPWT\spy1
    Information: Event occurred on a new file created by the application: C:\Program Files\Eraser\eraser.exe. The file was moved to quarantine. You may close this window.

    I'm a little confused by the "quarantined - deleted" thing (which I just now noticed happened during the other "hit", too: "Time Module Object Name Threat Action User Information
    7/10/2005 8:39:06 AM AMON file C:\~ERAFSWD.TMP\HE545MVD.CSS VBS/Jesus virus quarantined - deleted NONE-WBYBJINPWT\spy1 Event occurred on a new file created by the application: C:\Program Files\Eraser\eraser.exe. The file was moved to quarantine. You may close this window.").

    I had thought that it got deleted when Eraser cleaned up its temporary files after itself (and that may still be the case), but it also looks as though it could be NOD itself deleting these things. (I don't have NOD set to delete stuff it finds, at least to the best of my knowledge).

    I'm including a screenshot of the alert, which was still up on screen when I got up that morning. I don't know what's causing this, but according to the wording of the alerts, it's looking like a F/P that's being triggered by eraser.exe. Pete
     


  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Jesus virus detection during Eraser run?

    I find it very discouraging that no one from eset has attempted to address this - even after I sent a support email linking to this thread.
     
  10. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    Re: Jesus virus detection during Eraser run?

    I agree with you that Eset is very limited in giving answers here. They are great at giving stupid remarks every now and then here at Wilders and that's it. I see more interesting threads here without any Eset answers, while asked for. It's a shame.

    But G-Data for instance is quite the same. I know from my own experiences that the Kaspersky people are doing a much better job.
     
  11. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
    Re: Jesus virus detection during Eraser run?

    I'm really sorry spy1, but no email was received at support@eset.us.
    Sorry you feel that way. I personally don't set out to offer NOD32 users stupid remarks... at least not until the issue has been answered/solved. After that, sometimes a little levity doesn't hurt.

    We will try to replicate this issue and respond ASAP.

    Bandicoot.
     
  12. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
    Re: Jesus virus detection during Eraser run?

    I installed Eraser and couldn't find any issues. From your Threat Log details, the infiltration is being shown by NOD32 as a variant of HTML/Exploit.DragDrop which was added to the definitions on 19th April 2005. Did you find that an In-Depth Analysis did not flag this malware, prior to running Eraser?

    I don't think this is an FP from Eraser because NOD32 flagged the infiltration as a new file created by Eraser... probably as it unpacked or modified the file in some way, hence AMON stepped in. Although you requested NOD to quarantine the file, perhaps it couldn't because Eraser had already deleted it.

    Have you run an In-Depth Analysis since?

    Bandicoot.
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Jesus virus detection during Eraser run?

    Yes sir - I run "in-depth" scans daily, just about. (The "In-Depth" scans never found a problem). I haven't experienced the alert since my last post. Pete
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Jesus virus detection during Eraser run?

    Time: 11/4/2005 8:53:32 AM
    Module: AMON
    Object: file
    Name: C:\~ERAFSWD.TMP\1H813VAH.SHB
    Threat: IRC/Sitex trojan
    Action:
    User: NONE-WBYBJINPWT\spy1
    Information: Event occurred on a new file created by the application: C:\Program Files\Eraser\eraser.exe. The file has been deleted.


    Just to let you know that pesky little issue is still around (that's the first one I've seen since my last post, though).

    I notice it's identifying whatever it's finding as the IRC/Sitex trojan now though.

    Doesn't this stuff automatically get sent to Eset if the program's set up to do so? Pete
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: Jesus virus detection during Eraser run?

    There's no reason to submit the file once it has been identified by name.
     
  16. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Jesus virus detection during Eraser run?

    Okay, Marcos, then tell me this - are the alerts I'm getting legitimate, or a false positive?

    All Eraser is doing is gathering all the "free space" stuff into that temp file for over-writing and deletion - if there truly were an "attempted infection", then why didn't I get an alert when it actually occurred, rather than getting one while the Eraser run was taking place?

    It doesn't make any sense. Pete
     
  17. Haunting

    Haunting Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    7
    Re: Jesus virus detection during Eraser run?

    The exact same issue happened to me the other night. I cannot recall what the threat was named, but it did happen.

    The odd thing is, I have 3 hard drives in this system, it only happened on the drive that Windows was installed on.

    The other two drives, eraser ran with zero problems, and Nod32 didn't produce any alerts on those other 2 drives in wiping the free space.
     
  18. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
    Re: Jesus virus detection during Eraser run?

    Hi Spy1,

    This is a different trojan to the issue you had back in July, but it seems that Eraser has again modified a file, possibly de-compressing it, whilst slinging it in Eraser's temp folder, at which point AMON has cleared his throat and quietly said "I've found something sir".

    I'm not sure why one of NOD32's modules didn't alert you when this malware first arrived (I'm sure you keep NOD32 automatically up to date) but, assuming this trojan arrived via the internet, have you got IMON set to scan all files? (ie: extension names).

    Bandicoot.
     
  19. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Jesus virus detection during Eraser run?

    Hi, Bandicoot!

    Yes, IMON is set (and always has been) to "Scan all files" .

    I wondered whether Eraser "un-packed" something, too (I guess I'll have to ask them) - I had just assumed that it didn't do that since all it was working with was free space (IOW, things that had already been deleted - marked as available for over-writing).

    I've never heard of a deleted file that could be a threat under any circumstances, though - have you? Opens up a rather ugly can of worms, if possible.

    I suppose IMON could have missed it initially if it were un-able to un-pack it - it's just kind of a stretch to imagine Eraser being able to un-pack something that NOD32 can't.

    Thanks for your response. Pete

    * http://www.snugserver.com/phpbb2/viewtopic.php?t=1512
     
    Last edited: Nov 7, 2005
  20. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Jesus virus detection during Eraser run?

    I was just wondering - since I re-installed NOD32 per advice, have you been receiving any notifications about the Eraser temp files that get identified as various malware via the "ThreatSense" mechanism?

    Just got another one:

    1/21/2006 8:27:24 AM - AMON - File system monitor Threat Alert triggered on STEVEN-KDHP68D1: F:\~ERAFSWD.TMP\7AG1PA8F.HTT is infected with probably a variant of BAT/Bomgen.G virus.

    Pete
     
  21. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Re: Jesus virus detection during Eraser run?

    Well, that's very strange, spy! o_O

    How long have you been using NOD32? Perhaps your computer got infected before installing NOD.
    Or perhaps you may try to get a fresh copy of Eraser from their website and install it again.

    Sorry if I repeat something, because I haven't read all the replies. :)
     
  22. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Jesus virus detection during Eraser run?

    I did both those things subsequent to having done a low-level, multiple erasure and re-format of my computer at the end of last year.

    But thanks anyway. Pete
     
  23. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Jesus virus detection during Eraser run?

    1/28/2006 21:33:34 PM - AMON - File system monitor Threat Alert triggered on STEVEN-KDHP68D1: F:\~ERAFSWD.TMP\EXP4HU57.INI is infected with probably a variant of VBS/Zulu.G virus.
     
  24. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Time: 2/4/2006 9:23:42 AM
    Module: AMON
    Object: file
    Name: F:\~ERAFSWD.TMP\ACBAPFO7.EML
    Threat: probably a variant of VBS/Forgotten.A virus
    Action: quarantined - deleted
    User: STEVEN-KDHP68D1\spy1
    Information: Event occurred on a new file created by the application: F:\Program Files\Eraser\eraser.exe. The file was moved to quarantine. You may close this window.

    P.S - I've got some stuff in the "infected" file within the Eset folder - should I send it?
     
  25. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Jesus virus detection during Eraser run?

    2/4/2006 19:32:19 PM - AMON - File system monitor Threat Alert triggered on STEVEN-KDHP68D1: F:\~ERAFSWD.TMP\P7XCIOP9.VBS is infected with probably a variant of HTML/Exploit.Mht.AB trojan.

    This is just a little nuts, wouldn't you say?

    Different threats identified every time?

    Sure would be nice if someone from Eset would take a look at this problem.

    Pete
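
Added example (not part of any post in this thread, and not ESET or Eraser code): a short Python triage script that parses the AMON alert lines quoted in the posts above and summarises where the detections land and how many are heuristic ("probably a variant of") matches. The regular expression is inferred only from those quoted lines, and the field names `folder`, `file` and `heuristic` are this example's own.

```python
import ntpath
import re
from collections import Counter

# Pattern inferred from the alert lines quoted in the thread (an assumption,
# not a documented NOD32 log format).
ALERT_RE = re.compile(
    r"^(?P<time>\S+ \S+ [AP]M) - (?P<module>\w+) - .*?triggered on "
    r"(?P<host>[^:]+): (?P<path>[A-Za-z]:\\.+?) is infected with (?P<threat>.+)\.$"
)
HEURISTIC_PREFIX = "probably a variant of "

# Alert lines copied from the posts in this thread.
THREAD_ALERTS = [
    r"7/10/2005 8:39:06 AM - AMON - File system monitor Threat Alert triggered on NONE-WBYBJINPWT: C:\~ERAFSWD.TMP\HE545MVD.CSS is infected with VBS/Jesus virus.",
    r"7/14/2005 8:01:07 AM - AMON - File system monitor Threat Alert triggered on NONE-WBYBJINPWT: C:\~ERAFSWD.TMP\TO7VZXG1.VBS is infected with probably a variant of HTML/Exploit.DragDrop trojan.",
    r"1/21/2006 8:27:24 AM - AMON - File system monitor Threat Alert triggered on STEVEN-KDHP68D1: F:\~ERAFSWD.TMP\7AG1PA8F.HTT is infected with probably a variant of BAT/Bomgen.G virus.",
    r"1/28/2006 21:33:34 PM - AMON - File system monitor Threat Alert triggered on STEVEN-KDHP68D1: F:\~ERAFSWD.TMP\EXP4HU57.INI is infected with probably a variant of VBS/Zulu.G virus.",
    r"2/4/2006 19:32:19 PM - AMON - File system monitor Threat Alert triggered on STEVEN-KDHP68D1: F:\~ERAFSWD.TMP\P7XCIOP9.VBS is infected with probably a variant of HTML/Exploit.Mht.AB trojan.",
]


def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    threat = rec["threat"]
    rec["heuristic"] = threat.startswith(HEURISTIC_PREFIX)
    if rec["heuristic"]:
        threat = threat[len(HEURISTIC_PREFIX):]
    rec["threat"] = threat.rsplit(" ", 1)[0]  # drop trailing "virus"/"trojan"
    # ntpath splits Windows paths correctly on any host OS.
    rec["folder"] = ntpath.basename(ntpath.dirname(rec["path"]))
    rec["file"] = ntpath.basename(rec["path"])
    return rec


def summarize(lines):
    """Count alerts per folder, distinct file and threat names, heuristic hits."""
    recs = [r for r in map(parse_alert, lines) if r]
    return {
        "alerts": len(recs),
        "folders": Counter(r["folder"] for r in recs),
        "distinct_files": len({r["file"] for r in recs}),
        "distinct_threats": len({r["threat"] for r in recs}),
        "heuristic": sum(r["heuristic"] for r in recs),
    }


if __name__ == "__main__":
    print(summarize(THREAD_ALERTS))
```

Run over the five quoted alerts, every detection falls in the `~ERAFSWD.TMP` folder, each on a different file name and under a different threat name.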
     