NOD32 False positives here?

Discussion in 'NOD32 version 2 Forum' started by optigrab, Jul 10, 2004.

Thread Status:
Not open for further replies.
  1. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Friends,

    Left the apartment for a few minutes with the wife surfing and F-Prot DOS running a scheduled system scan. Wife called my mobile to say a virus had been found. When I returned home I discovered it wasn't F-Prot but NOD32 that had popped up. The alert looked fishy to me, so I chose Quarantine and Rename rather than Delete. Quarantine wouldn't work and rename balked a bit, but I think I managed to avoid hitting delete. Moving along, NOD32 immediately reported several more instances of this trojan, until I finally figured I'd stop hitting rename and simply reboot. After reboot I scanned both C:\WINNT and C:\I386 and NOD32 came up clean.

    Anyone have any idea what happened? Should I (can I) restore the files that were renamed?

    Many thanks, brothers and sisters.

    - Optigrab

    Time Module Object Name Virus Action User Info
    7/10/2004 11:21:07 AM AMON file C:\WINNT\ServicePackFiles\I386\NETAPI32.VVVVVVVDLL Exploit.CAN.2003-0533 trojan NT AUTHORITY\SYSTEM
    7/10/2004 11:20:57 AM AMON file C:\WINNT\$NtUninstallKB835732$\NETAPI32.VVVVVDLL Exploit.CAN.2003-0533 trojan NT AUTHORITY\SYSTEM
    7/10/2004C:\WINNT\ServicePackFiles\I386\NETAPI32.VVVVVVDLL Exploit.CAN.2003-0533 trojan renamed to C:\WINNT\ServicePackFiles\I386\NETAPI32.VVVVVVVDLL NT AUTHORITY\SYSTEM
    7/10/2004 11:20:51 AM AMON file C:\WINNT\$NtUninstallKB835732$\NETAPI32.VVVVDLL Exploit.CAN.2003-0533 trojan renamed to C:\WINNT\$NtUninstallKB835732$\NETAPI32.VVVVVDLL NT AUTHORITY\SYSTEM
    7/10/2004 11:20:47 AM AMON file C:\WINNT\ServicePackFiles\I386\NETAPI32.VVVVVDLL Exploit.CAN.2003-0533 trojan error occured while quarantining the object - - renamed to C:\WINNT\ServicePackFiles\I386\NETAPI32.VVVVVVDLL NT AUTHORITY\SYSTEM
    7/10/2004 11:20:42 AM AMON file C:\WINNT\$NtUninstallKB835732$\NETAPI32.VVVDLL Exploit.CAN.2003-0533 trojan renamed to C:\WINNT\$NtUninstallKB835732$\NETAPI32.VVVVDLL NT AUTHORITY\SYSTEM
    7/10/2004 11:20:40 AM AMON file C:\WINNT\ServicePackFiles\I386\NETAPI32.VVVVDLL Exploit.CAN.2003-0533 trojan renamed to C:\WINNT\ServicePackFiles\I386\NETAPI32.VVVVVDLL NT AUTHORITY\SYSTEM
    7/10/2004 11:20:39 AM AMON file C:\WINNT\$NtUninstallKB835732$\NETAPI32.VVDLL Exploit.CAN.2003-0533 trojan renamed to C:\WINNT\$NtUninstallKB835732$\NETAPI32.VVVDLL NT AUTHORITY\SYSTEM
    7/10/2004 11:20:34 AM AMON file C:\WINNT\ServicePackFiles\I386\NETAPI32.VVVDLL Exploit.CAN.2003-0533 trojan renamed to C:\WINNT\ServicePackFiles\I386\NETAPI32.VVVVDLL NT AUTHORITY\SYSTEM
    7/10/2004 11:20:31 AM AMON file C:\WINNT\$NtUninstallKB835732$\NETAPI32.VDLL Exploit.CAN.2003-0533 trojan renamed to C:\WINNT\$NtUninstallKB835732$\NETAPI32.VVDLL NT AUTHORITY\SYSTEM
    7/10/2004 11:20:29 AM AMON file C:\WINNT\ServicePackFiles\I386\NETAPI32.VVDLL Exploit.CAN.2003-0533 trojan renamed to C:\WINNT\ServicePackFiles\I386\NETAPI32.VVVDLL NT AUTHORITY\SYSTEM
    7/10/2004 11:20:25 AM AMON file C:\WINNT\$NtUninstallKB835732$\NETAPI32.DLL Exploit.CAN.2003-0533 trojan renamed to C:\WINNT\$NtUninstallKB835732$\NETAPI32.VDLL NT AUTHORITY\SYSTEM
    7/10/2004 11:20:23 AM AMON file C:\WINNT\ServicePackFiles\I386\NETAPI32.VDLL Exploit.CAN.2003-0533 trojan renamed to C:\WINNT\ServicePackFiles\I386\NETAPI32.VVDLL NT AUTHORITY\SYSTEM
    7/10/2004 11:20:09 AM AMON file C:\WINNT\$NtUninstallKB835732$\NETAPI32.DLL Exploit.CAN.2003-0533 trojan NT AUTHORITY\SYSTEM
    7/10/2004 11:20:06 AM AMON file C:\WINNT\$N46CE~1\NETAPI32.DLL Exploit.CAN.2003-0533 trojan
    7/10/2004 11:19:49 AM AMON file C:\WINNT\ServicePackFiles\I386\NETAPI32.DLL Exploit.CAN.2003-0533 trojan error while renaming - error while renaming - error while deleting NT AUTHORITY\SYSTEM
    7/10/2004 11:16:32 AM AMON file C:\WINNT\SERVIC~1\I386\NETAPI32.DLL Exploit.CAN.2003-0533 trojan error occured while quarantining the object - - renamed to C:\WINNT\SERVIC~1\I386\NETAPI32.VDLL
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas

    Info here
     
  3. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Thanks Ronjor, but neither the process nor the executable described in your link is found on my system. Also, I'm not certain why the trojan would be discovered in C:\WINNT\ServicePackFiles\I386\NETAPI32.

    :(
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    Me either. Sounds like a false positive. If the .dlls aren't there--?

    Sorry. I see what operating system you are using.
     
  5. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Well NETAPI32.DLL was there, that's what was renamed. Whether or not it contained a trojan is my question. Other references seem to indicate the Exploit CAN-2003-0349 is addressed by the same patch that addressed Sasser. But I am fully patched.

    I'm using W2K Pro, but I have a Ghost backup from last weekend, so I can restore the file or the whole partition if I like, I guess.
     
  6. Budman

    Budman Registered Member

    Joined:
    Dec 23, 2002
    Posts:
    24
    I have the same problem. Amon popped up 5 minutes after this morning's update. Unfortunately, I chose delete the first time it popped up. How can I keep NOD32 from deleting this valid file when I reboot? I'm convinced it's a false positive.

    Buddy
     
  7. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Sincere thanks Ronjor. Budman, interesting that it happened to you too. I'm going to restore the file(s) from my ghost image and see what happens. Thanks.
     
  8. Budman

    Budman Registered Member

    Joined:
    Dec 23, 2002
    Posts:
    24
    I'm running Win2K SP4 also. Here is the virus log when I was messing with it. I tried moving a copy to another directory as you can see. I excluded the copy in WINNT/SYSTEM32 after several pop ups.

    Time Module Object Name Virus Action User Info
    7/10/2004 11:45:42 AM AMON file D:\Documents and Settings\Administrator\Desktop\Temporary Folder\NETAPI32.DLL Exploit.CAN.2003-0533 trojan error occured while quarantining the object - - renamed to D:\Documents and Settings\Administrator\Desktop\Temporary Folder\NETAPI32.VDLL TOOKAY\Administrator
    7/10/2004 11:20:03 AM AMON file D:\Documents and Settings\Administrator\Desktop\Temporary Folder\NETAPI32.DLL Exploit.CAN.2003-0533 trojan TOOKAY\Administrator
    7/10/2004 11:19:33 AM AMON file D:\Documents and Settings\Administrator\Desktop\Temporary Folder\NETAPI32.DLL Exploit.CAN.2003-0533 trojan TOOKAY\Administrator
    7/10/2004 11:08:30 AM AMON file D:\WINNT\system32\NETAPI32.DLL Exploit.CAN.2003-0533 trojan renamed to D:\WINNT\system32\NETAPI32.V09DLL (after the next restart) TOOKAY\Administrator
    7/10/2004 11:06:46 AM AMON file D:\WINNT\system32\NETAPI32.DLL Exploit.CAN.2003-0533 trojan error occured while quarantining the object - - renamed to D:\WINNT\system32\NETAPI32.V08DLL (after the next restart) TOOKAY\Administrator
    7/10/2004 11:06:23 AM AMON file D:\WINNT\system32\NETAPI32.DLL Exploit.CAN.2003-0533 trojan error occured while quarantining the object - - renamed to D:\WINNT\system32\NETAPI32.V07DLL (after the next restart) TOOKAY\Administrator
    7/10/2004 11:04:54 AM AMON file D:\WINNT\SYSTEM32\NETAPI32.DLL Exploit.CAN.2003-0533 trojan renamed to D:\WINNT\SYSTEM32\NETAPI32.V06DLL (after the next restart) TOOKAY\Administrator
    7/10/2004 11:04:03 AM AMON file D:\WINNT\system32\NETAPI32.DLL Exploit.CAN.2003-0533 trojan renamed to D:\WINNT\system32\NETAPI32.V05DLL (after the next restart) TOOKAY\Administrator
    7/10/2004 11:03:22 AM AMON file D:\WINNT\system32\NETAPI32.DLL Exploit.CAN.2003-0533 trojan TOOKAY\Administrator
    7/10/2004 11:02:56 AM AMON file D:\WINNT\system32\NETAPI32.DLL Exploit.CAN.2003-0533 trojan renamed to D:\WINNT\system32\NETAPI32.V04DLL (after the next restart) TOOKAY\Administrator
    7/10/2004 11:02:47 AM AMON file D:\WINNT\system32\NETAPI32.DLL Exploit.CAN.2003-0533 trojan renamed to D:\WINNT\system32\NETAPI32.V03DLL (after the next restart) TOOKAY\Administrator
    7/10/2004 11:02:05 AM AMON file D:\WINNT\system32\NETAPI32.DLL Exploit.CAN.2003-0533 trojan renamed to D:\WINNT\system32\NETAPI32.V02DLL (after the next restart) TOOKAY\Administrator
    7/10/2004 10:59:51 AM AMON file D:\WINNT\System32\NETAPI32.DLL Exploit.CAN.2003-0533 trojan deleted (after the next restart) TOOKAY\Administrator
    7/10/2004 10:59:09 AM AMON file D:\WINNT\system32\NETAPI32.DLL Exploit.CAN.2003-0533 trojan renamed to D:\WINNT\system32\NETAPI32.V01DLL (after the next restart) TOOKAY\Administrator
    7/10/2004 10:58:38 AM AMON file D:\WINNT\system32\NETAPI32.DLL Exploit.CAN.2003-0533 trojan renamed to D:\WINNT\system32\NETAPI32.V00DLL (after the next restart) TOOKAY\Administrator
    7/10/2004 10:56:44 AM AMON file D:\WINNT\system32\NETAPI32.DLL Exploit.CAN.2003-0533 trojan renamed to D:\WINNT\system32\NETAPI32.VDLL (after the next restart) TOOKAY\Administrator


    Buddy
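    For anyone trying to answer optigrab's question about restoring the renamed files, the AMON log above already records every rename. The script below is an added example, not something from this thread or from ESET: it replays pasted log lines oldest-first, follows each original path through its chain of `.VDLL`, `.VVDLL`, ... names, and reports the current name plus whether a delete is still pending for the next restart. The line layout is assumed from the lines pasted here; the sample log is constructed.

    ```python
    import re

    # Constructed sample modeled on the AMON log lines pasted in this thread
    # (newest first, as NOD32 lists them); not taken from any real machine.
    SAMPLE_LOG = r"""
    7/10/2004 11:20:29 AM AMON file C:\WINNT\ServicePackFiles\I386\NETAPI32.VVDLL Exploit.CAN.2003-0533 trojan renamed to C:\WINNT\ServicePackFiles\I386\NETAPI32.VVVDLL NT AUTHORITY\SYSTEM
    7/10/2004 11:20:23 AM AMON file C:\WINNT\ServicePackFiles\I386\NETAPI32.VDLL Exploit.CAN.2003-0533 trojan renamed to C:\WINNT\ServicePackFiles\I386\NETAPI32.VVDLL NT AUTHORITY\SYSTEM
    7/10/2004 11:19:49 AM AMON file C:\WINNT\ServicePackFiles\I386\NETAPI32.DLL Exploit.CAN.2003-0533 trojan error while renaming - error while deleting NT AUTHORITY\SYSTEM
    7/10/2004 11:16:32 AM AMON file C:\WINNT\ServicePackFiles\I386\NETAPI32.DLL Exploit.CAN.2003-0533 trojan error occured while quarantining the object - - renamed to C:\WINNT\ServicePackFiles\I386\NETAPI32.VDLL
    7/10/2004 10:59:51 AM AMON file D:\WINNT\System32\NETAPI32.DLL Exploit.CAN.2003-0533 trojan deleted (after the next restart) TOOKAY\Administrator
    """

    # Assumed layout: "<date> <time> AM/PM AMON file <path> <signature> trojan <action/user>".
    # The path may contain spaces, so it is matched lazily up to the signature token.
    LINE_RE = re.compile(r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) AMON file (?P<path>.+?) "
                         r"(?P<sig>\S+) trojan ?(?P<rest>.*)$")

    def parse_amon_line(line):
        """Return a dict for one log line, or None if it does not fit the layout."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        path, rest = m["path"], m["rest"]
        folder = path.rpartition("\\")[0]
        # The rename target sits in the same folder; its file name has no spaces,
        # which separates it cleanly from the trailing user field.
        renamed = re.search(r"renamed to " + re.escape(folder + "\\") + r"(\S+)", rest)
        return {"ts": m["ts"], "path": path, "sig": m["sig"],
                "renamed_to": folder + "\\" + renamed.group(1) if renamed else None,
                "deleted": rest.startswith("deleted"),
                "pending_restart": "(after the next restart)" in rest}

    def rename_chains(log_text):
        """Map each original path to (current name or None if deleted, pending-restart flag)."""
        events = [e for e in map(parse_amon_line, log_text.splitlines()) if e]
        events.reverse()          # replay oldest first
        current = {}              # lower-cased current name -> original path
        result = {}
        for e in events:
            key = e["path"].lower()
            original = current.pop(key, e["path"])
            if e["renamed_to"]:
                current[e["renamed_to"].lower()] = original
                result[original] = (e["renamed_to"], e["pending_restart"])
            else:
                current[key] = original
                if e["deleted"]:
                    result[original] = (None, e["pending_restart"])
                else:
                    result.setdefault(original, (e["path"], False))
        return result

    if __name__ == "__main__":
        for orig, (now, pending) in rename_chains(SAMPLE_LOG).items():
            print(f"{orig} -> {now or 'DELETED'}{' (after next restart)' if pending else ''}")
    ```

    A current name that still exists on disk can simply be renamed back once the detection is confirmed as a false positive; a pending delete is the case Budman asks about and needs to be undone before the reboot that would carry it out.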
     
  9. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Well, I'm obviously not as bright as I thought :rolleyes:

    Just using Ghost to explore (not restore) my ghost image from 7/5/04 and NOD32 lit up like a Christmas tree. So I'll not be restoring anything yet.

    I also note that NOD32 doesn't seem to care much for renaming a file. Even though I've renamed the files it has complained about, it still alerts me, so the same file keeps getting renamed as long as I'm willing to keep hitting "rename". I'll have to see if this is because of my NOD32 settings.
     
  10. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    I also note that today's update contained a sig for Exploit.CAN.2003-0533, the culprit in this thread. Still I'm not smart enough to figure if this is a FP.
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    I have not had this alert using XP.
     
  12. Budman

    Budman Registered Member

    Joined:
    Dec 23, 2002
    Posts:
    24
    The other 2 things I seem to have in common are Outpost Pro and BoClean. o_O

    Buddy
     
  13. chrysty

    chrysty Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    2
    Hi,
    Maybe NOD just does not like netapi32.dll!
    It came up with two instances of it on my PC running win2K:
    D:\WINNT\$NtUninstallKB835732$
    and
    D:\WINNT\servicepack files\338\netapi32.dll
    I have moved them, but do not know what to do now, as I am unsure whether they are in fact nasties as NOD thinks.
    Any ideas?
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you doubt whether the file in question is a false positive or a real virus, please send it to samples@nod32.com for analysis.
     
  15. Budman

    Budman Registered Member

    Joined:
    Dec 23, 2002
    Posts:
    24
    Hi Marcos,

    I did try to send it in when this first happened but I'm unable to since the file appears to be locked. My email program doesn't seem to be able to send it. I then tried moving it but still cannot send it.

    Back to the first post I made, is NOD32 going to delete NETAPI32.DLL if I reboot? As you can see in the log I posted, I mistakenly chose to delete the (trojan?) before thinking this could be a valid or necessary file.

    Buddy
     
  16. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Hi all,

    Same here, on Win2000 SP4, see image.gif

    I have sent the file to samples@nod32.com.

    rgds,
    Martin
     


    Last edited: Jul 11, 2004
  17. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    To email the files you will have to turn off AMON in NOD32. AMON isn't going to let you do anything with that file no matter what you rename them to.

    I sent my two files in already (from very same folders). This is almost certainly a FP, but we'll wait for the word from ESET. (that's why we pay them) ;)
     
    Last edited: Jul 11, 2004
  18. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    I disabled AMON and yep, we'll just wait for what ESET has to report ;)

    rgds,
    Martin
     
  19. wayneh

    wayneh Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    1
    Hi folks.
    Boss rang me about three hours ago to say that NOD32 has corrupted all workstations at one of our sites that had not had the patches installed; they will not boot.
    I have been looking at it here at home and have completed the following tests three times to prove a point. Without NOD installed I can complete the SP4 install.

    1. Clean install of W2K Server, no patches, no apps. <<DEFAULT INSTALL>>
    2. Install NOD32 V2 and update to 807, restart.
    3. Test: all OK, as NETAPI32.dll is of a date 1999.
    4. Reset the NOD32 kernel service to a manual start so that NOD is not running on next restart, then restart the server. NOD not running, just installed.
    5. Install SP4. SP4 copies files to a drive location from CD, then starts installing files. When it gets to installing netapi32.dll it stalls and asks for confirmation that the netapi32 file is in the location that the SP copied it to. Browsed to the location and confirmed that the file is in that location; retry fails, cancel says that only some of the files were updated and that you may need to use the recovery disk to repair Windows.
    6. Restart Windows and it goes into a continuous loop of restarting; can not even get into safe mode.

    My boss is on site now working on how to fix it while I am working at home replicating the fault to send to ESET. Can someone else help as well?
    Thanks for your work.
     
  20. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Thanks. This added step and a bit of laziness has delayed me in sending in my sample, but I see from this and another thread that others have done so, so perhaps I needn't bother.
     
  21. shade91

    shade91 Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    26
    This is a false positive. NOD32 is NOT a stranger to false positives as it has happened in the past.
     
  22. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I wouldn't bother if I were you. Also turn AMON back on. Amon only needed to be turned off to access the files to email them.
     
  23. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada

    If AMON is running, it will block access to the file during install, and the install will fail. If you have set NOD32 to automatically delete infected files, you run the risk of deleting false positives. I recommend against this. I configure NOD32 to ask me what to do. While it is waiting for my decision, it blocks access to the file. Delete first, ask questions later will often cause more trouble than the virus/trojan itself. In general, submit the file and wait for a reply. Let AMON block access while you wait.

    If you believe Amon is not running and you still can't access the file, then uninstall NOD32 until the SP can be applied.

    For the record, I installed sp4 with Amon running with no problems on w2k advanced server.
     
  24. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I probably installed sp4 before the nod32 definition update that has the FP
     
  25. Budman

    Budman Registered Member

    Joined:
    Dec 23, 2002
    Posts:
    24
    Two questions.
    1. Did this last update fix the problem of the false alarm?
    2. Is there any way to keep NOD32 from deleting the file NETAPI32.DLL from the system32 folder since I made the stupid choice to click delete? It is marked for deletion after reboot at this time. You can see this in the logs from my previous post.

    BTW....Amon was jumping on this file every time my email (TheBat) or browser (Firefox) attempted any net traffic before I finally excluded the file.

    Buddy
     