NOD32 False alarm! Check if you want!

Discussion in 'NOD32 version 2 Forum' started by jg88swe, Jul 1, 2004.

Thread Status:
Not open for further replies.
  1. jg88swe

    jg88swe Guest

    Hey, a while ago I noticed that NOD32 detected a false alert on the site Viruslist.com that Kaspersky has.

    I did send this to Samples@nod32.com but I guess it was ignored...
    Check if you want: it will detect that the site is infected with a BAT.Supid.A Trojan. And I don't think that's really true...

    http://www.viruslist.com/eng/viruslist.html?id=1251344
     
  2. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    dear jg88swe, why don't you join the forum? i'm sure it's a false alarm and i checked the page. this is what i found:

    format c: /autotest /q /u
    format d: /autotest /q /u

    these two lines should be the culprit. why don't you do a test? include those lines in a BAT file and see what NOD32 has to say about it.
     
  3. jg88swe

    jg88swe Guest

    What does

    format c: /autotest /q /u
    format d: /autotest /q /u

    do?

    I've checked it and it's a Stupid.a trojan... Hmm yeah I'll join the forum ;)
     
  4. jg88swe

    jg88swe Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    181
    yeah!
     
  5. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    welcome to the forum jg88swe, that command does a stealth low level format. it's a classic command used in many BAT bugs.
     
  6. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Dear AMRX,

    this is a well-known issue. On this Kaspersky virus encyclopedia entry there is batch code which, if executed:

    1. prints two harmless lines of text
    Windows upgrading your system...
    Please wait

    2. formats the C: drive
    3. prints text "Please wait...!"
    4. formats the D: drive
    5. prints message "Your system was hacked by virus from Vyatka (situated in deep ass of Russia)"

    This code is a regular piece of destructive malware and this is the reason why it is detected.

    I rest my case.
     
  7. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    thanks for the explanation though it's misdirected.
     
  8. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    That's an old quarrel between Kaspersky and ESET ;)

    Technically speaking it is a false positive: it is not a virus, just the code, which copied and saved as a bat file will be dangerous.
    ESET says it detects it for that reason (no need to publish virus code on a website). Eugene promised a long time ago he would remove it but never has done it.

    Regards,
     
  9. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Thanks for the clarification, I was going to ask how the text displayed could be dangerous!! You answered the question before I asked it, Thanks
     
  10. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Ooops. Sorry :ninja:
     
  11. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    ESET modified the detection for this trojan.
     
  12. DiGi

    DiGi Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    114
    Location:
    in the middle of nowhere
    Izi: and now..? NOD doesn't detect that code... (1.806) :(
     
  13. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    dear DiGi, is it true? i'm using 1.805 i guess. i'll go home and check it out. i'm glad NOD32 fixed the MSA.DLL issue. the code is harmless in a webpage but when inside a BAT file it's trouble.
     
  14. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    If you add
    format c: /autotest /q /u
    format d: /autotest /q /u
    in a bat file, KAV recognizes this as a virus; NOD doesn't recognize it as a virus.

    Is a file with this (format c: /autotest /q /u; format d: /autotest /q /u) a virus or not?

    Bye
     
  15. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    dear izi, hard to say it's a virus as it won't replicate. but it does contain harmful code that formats your system. note that it's a legitimate command and people can use it. but BAT viruses usually carried those commands in those days. NOD32 isn't that good against BAT viruses as it follows a clean approach, perhaps like Symantec.
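
The distinction the thread keeps returning to (the same two lines are inert text on a web page but destructive inside a BAT file) can be written as a context-aware check. This is an added example, not code from any poster or from NOD32 or KAV; the function name, verdict labels and sample files are assumptions constructed for illustration.

```python
import re

# FORMAT in command position on a drive letter with /autotest (the lines quoted
# in the thread). /autotest makes FORMAT skip its confirmation prompt.
DESTRUCTIVE = re.compile(r"^\s*@?format(?:\.com)?\s+[a-z]:\s.*?/autotest\b", re.I)
TAG = re.compile(r"<[^>]+>")


def classify(name, text):
    """Return (verdict, matching_lines); the verdict labels are this example's own."""
    ext = name.lower().rsplit(".", 1)[-1]
    if ext in ("bat", "cmd"):
        # A command interpreter will run these lines. REM and ECHO lines fail
        # the match because FORMAT is not the first token on the line.
        hits = [ln.strip() for ln in text.splitlines() if DESTRUCTIVE.match(ln)]
        return ("destructive-script", hits) if hits else ("clean", [])
    # HTML or plain text: the lines are displayed, never executed by the viewer.
    visible = TAG.sub("\n", text)
    hits = [ln.strip() for ln in visible.splitlines() if DESTRUCTIVE.match(ln)]
    return ("quoted-only", hits) if hits else ("clean", [])


# Constructed samples; only the two format lines are taken from the thread.
SAMPLES = {
    "page.html": "<html><body><pre>@echo off\nformat c: /autotest /q /u\n"
                 "format d: /autotest /q /u</pre></body></html>",
    "upgrade.bat": "@echo off\necho Please wait\nformat c: /autotest /q /u\n"
                   "format d: /autotest /q /u\n",
    "notes.bat": "rem format c: /autotest /q /u\n"
                 "echo format d: /autotest /q /u\nformat a: /q\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        verdict, hits = classify(name, text)
        print(f"{name:12} {verdict:18} {hits}")
```

The check only looks at the first token of each line, so a command reached through CALL, IF or a pipe is outside what it covers.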
     