NOD32 False alarm! Check if you want!

Discussion in 'NOD32 version 2 Forum' started by jg88swe, Jul 1, 2004.

Thread Status:
Not open for further replies.
  1. jg88swe

    jg88swe Guest

    hey, a while ago i noticed that NOD32 detected a false alert on the site Viruslist.com that Kaspersky has.

    I did send this to Samples@nod32.com but i guess it was ignored...
    Check if you want: it will detect that the site is infected with a BAT.Supid.A Trojan. And i don't think that's really true...

    http://www.viruslist.com/eng/viruslist.html?id=1251344
     
  2. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    dear jg88swe, why don't you join the forum? i'm sure it's a false alarm and i checked the page. this is what i found,

    format c: /autotest /q /u
    format d: /autotest /q /u

    these two lines should be the culprit. why don't you do a test. include those lines in a BAT file and see what NOD32 has to say about it.
     
  3. jg88swe

    jg88swe Guest

    What does

    format c: /autotest /q /u
    format d: /autotest /q /u

    do ?

    I've checked it and it's a Stupid.a trojan... Hmm yeah i'll join the forum ;)
     
  4. jg88swe

    jg88swe Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    181
    yeah!
     
  5. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    welcome to the forum jg88swe, that command does a stealth low level format. it's a classic command used in many BAT bugs.
     
  6. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Dear AMRX,

    this is a well-known issue. In this Kaspersky virus encyclopedia entry there is batch code which, if executed:

    1. prints two harmless lines of text
    Windows upgrading your system...
    Please wait

    2. formats the C: drive
    3. prints text "Please wait...!"
    4. formats the D: drive
    5. prints message "Your system was hacked by virus from Vyatka (situated in deep ass of Russia)"

    This code is a regular piece of destructive malware and this is the reason why it is detected.

    I rest my case.
     
  7. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    thanks for the explanation though its misdirected.
     
  8. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    That's an old quarrel between Kaspersky and ESET ;)

    Technically speaking it is a false positive; it is not a virus, just code which, copied and saved as a bat file, will be dangerous.
    ESET says it detects it for that reason (no need to publish virus code on a website). Eugene promised a long time ago he would remove it but never has done it.

    Regards,
     
  9. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Thanks for the clarification, I was going to ask how the text displayed could be dangerous!! You answered the question before I asked it, Thanks
     
  10. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Ooops. Sorry :ninja:
     
  11. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    ESET modified detection for this trojan.
     
  12. DiGi

    DiGi Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    114
    Location:
    in the middle of nowhere
    Izi: and now..? NOD doesn't detect that code... (1.806) :(
     
  13. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    dear DiGi, is it true? i'm using 1.805 i guess. i'll go home and check it out. i'm glad NOD32 fixed the MSA.DLL issue. the code is harmless in a webpage but when inside a BAT file it's trouble.
     
  14. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    If you add
    format c: /autotest /q /u
    format d: /autotest /q /u
    in a bat file, KAV recognizes this as a virus; NOD doesn't recognize it as a virus.

    Is a file with this (format c: /autotest /q /u; format d: /autotest /q /u) a virus or not?

    Bye
     
  15. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    dear izi, hard to say it's a virus as it won't replicate. but it does contain harmful code that formats your system. note that it's a legitimate command and people can use it. but BAT viruses usually carried those commands in those days. NOD32 isn't that good against BAT viruses as it follows a clean approach, perhaps like Symantec.
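
The thread's disagreement (same text, harmless on a web page, destructive in a BAT file) can be shown as a context-aware signature check. This is an added example, not code from any poster, ESET or Kaspersky; the function names, verdict labels and sample inputs are constructed for illustration.

```python
import re

# Content signature: the command line quoted in the thread, as a whole batch line.
SIGNATURE = re.compile(r"^[ \t]*@?format[ \t]+[a-z]:[ \t]+.*/autotest\b",
                       re.IGNORECASE | re.MULTILINE)
# Markers that the object is a rendered document rather than a script.
HTML_MARKER = re.compile(r"<!doctype\s+html|<html\b|<body\b|<pre\b", re.IGNORECASE)
SCRIPT_EXTENSIONS = (".bat", ".cmd")

# Constructed samples: the same two lines stored as a script and quoted in a page.
BAT_SAMPLE = "@echo off\nformat c: /autotest /q /u\nformat d: /autotest /q /u\n"
HTML_SAMPLE = ("<html><body><pre>\nformat c: /autotest /q /u\n"
               "format d: /autotest /q /u\n</pre></body></html>\n")
CLEAN_BAT = "@echo off\necho backup finished\n"


def context_of(filename: str, text: str) -> str:
    """Guess how the content is consumed: run by cmd.exe or rendered by a browser."""
    if filename.lower().endswith(SCRIPT_EXTENSIONS):
        return "script"
    if HTML_MARKER.search(text[:1024]):
        return "document"
    return "unknown"


def scan(filename: str, text: str) -> str:
    """Return 'malicious', 'quoted-sample', 'suspicious' or 'clean'."""
    if not SIGNATURE.search(text):
        return "clean"
    # Same bytes, different verdict: only an executable context is a direct threat.
    return {"script": "malicious",
            "document": "quoted-sample",
            "unknown": "suspicious"}[context_of(filename, text)]


if __name__ == "__main__":
    for name, body in [("stupid.bat", BAT_SAMPLE), ("viruslist.html", HTML_SAMPLE),
                       ("notes.txt", BAT_SAMPLE), ("cleanup.bat", CLEAN_BAT)]:
        print(f"{name:16} {scan(name, body)}")
```

A scanner that applies the signature without the context step reports the encyclopedia page and the BAT file identically, which is the false positive the thread opens with.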
     