NOD32 infected

Discussion in 'NOD32 version 2 Forum' started by ralfs, May 19, 2007.

Thread Status:
Not open for further replies.
  1. ralfs

    ralfs Registered Member

    Joined:
    May 19, 2007
    Posts:
    3
    Hi all,

    I have a dedicated hosted server which I can use RDP to access it.
    This server runs IIS, MySQL and MS-DNS (secondary).

    Yesterday I logged on the server and I saw that the server has been infected with Win32/Parite.B.
    I enabled email notifications and got this (among with other files infected):
    18/5/2007 19:13:48 ?? - AMON - File system monitor Threat Alert triggered on XXXXXXXXXXX: C:\Program Files\Eset\nod32.exe is infected with Win32/Parite.B virus.
    18/5/2007 19:14:47 ?? - AMON - File system monitor Threat Alert triggered on XXXXXXXXXXX: C:\downloads\nentenst.exe is infected with Win32/Parite.B virus.

    Of course NOD32 reported that CRC is bad and AMON had stopped working.

NOD32 was running all the time with automatic updates and had the latest signatures. The server is Windows 2003 and had automatic updates with automatic installation and restart if needed.
    The server is publicly exposed and there is no firewall to protect it.

    The server had to be reformatted and setup from scratch as RDP access was dropped after a while (apparently it started infecting the windows system files as well) and my provider couldn't do much after they cleaned the virus in safe mode as in normal mode RDP would crash.

    What I suspect is that the virus was dropped because:
    http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx
wasn't installed on the server as it should have been; it was very recently released on Windows Update.

So, can a virus be dropped using the above-mentioned DNS exploit without AMON being able to "catch it"?
If yes, what can I do to avoid similar issues in the future, because I think that even a firewall wouldn't protect me in this case.
    If no, please check it :D
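The two AMON lines quoted above are the only forensic record the poster had before the rebuild, and the most telling fact in them is the first path: the scanner's own binary (nod32.exe) was reported infected, which is why the CRC check failed and AMON stopped. The following Python is an added example, not code from the post or from ESET; it parses AMON alert lines of exactly that format into records and triages them from a defender's point of view. The ESET install path, the third sample line and the `\WINDOWS\` system-directory check are assumptions chosen for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the first two lines mirror the AMON alerts quoted in the post
# (host kept as the poster's own XXXXXXXXXXX placeholder); the third line and the
# non-alert line are invented to exercise the parser.
SAMPLE_LOG = """\
18/5/2007 19:13:48 ?? - AMON - File system monitor Threat Alert triggered on XXXXXXXXXXX: C:\\Program Files\\Eset\\nod32.exe is infected with Win32/Parite.B virus.
18/5/2007 19:14:47 ?? - AMON - File system monitor Threat Alert triggered on XXXXXXXXXXX: C:\\downloads\\nentenst.exe is infected with Win32/Parite.B virus.
18/5/2007 19:20:05 ?? - AMON - File system monitor Threat Alert triggered on XXXXXXXXXXX: C:\\WINDOWS\\system32\\calc.exe is infected with Win32/Parite.B virus.
this line is not an AMON alert and is skipped
"""

# Matches the "<d/m/Y> <H:M:S> <user> - <module> - ... on <host>: <path> is infected with <threat> virus."
# shape shown in the post. Dates are day/month/year as in the quoted lines.
ALERT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ - (?P<module>\w+) - "
    r"File system monitor Threat Alert triggered on (?P<host>[^:]+): "
    r"(?P<path>.+?) is infected with (?P<threat>\S+) virus\.$"
)

# Assumed install directory of the scanner (the path in the post's first alert).
AV_INSTALL_DIR = "C:\\Program Files\\Eset\\"


@dataclass
class Alert:
    when: datetime
    module: str
    host: str
    path: str
    threat: str


def parse_amon_log(text: str) -> list[Alert]:
    """Turn raw notification lines into Alert records; non-matching lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
        alerts.append(Alert(when, m["module"], m["host"], m["path"], m["threat"]))
    return alerts


def triage(alerts: list[Alert], av_dir: str = AV_INSTALL_DIR) -> dict:
    """Summarise what the alerts imply about the host's state.

    av_self_hit: the scanner's own files were modified, so its on-access protection
                 and any 'clean' verdict it gives afterwards cannot be trusted.
    system_hit:  files under the Windows directory were hit, which explains why core
                 services (RDP in the post) later stopped working.
    """
    av_self_hit = [a.path for a in alerts if a.path.lower().startswith(av_dir.lower())]
    system_hit = [a.path for a in alerts if "\\windows\\" in a.path.lower()]
    threat_counts = Counter(a.threat for a in alerts)
    span = 0
    if alerts:
        times = sorted(a.when for a in alerts)
        span = int((times[-1] - times[0]).total_seconds())
    return {
        "av_self_hit": av_self_hit,
        "system_hit": system_hit,
        "threat_counts": dict(threat_counts),
        "span_seconds": span,
        # Once the scanner itself is infected, rebuilding from known-good media is the
        # only conclusion the logs support; cleaning in place is not verifiable.
        "rebuild_recommended": bool(av_self_hit),
    }


if __name__ == "__main__":
    parsed = parse_amon_log(SAMPLE_LOG)
    for a in parsed:
        print(a.when.isoformat(), a.host, a.path, a.threat)
    print(triage(parsed))
```

The triage deliberately reports the scanner-directory hit separately from everything else: a file-infector that reaches the AV's own executables before the AV detects it is exactly the situation in which the "CRC is bad" and "AMON stopped" messages appear, and from that point the host's own scan results are no longer evidence of anything.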
     
  2. ASpace

    ASpace Guest

    You should enable a firewall, but configure it well. Without a firewall, the server is like an open yard; nothing stops anybody.

    Check with an IT/network specialist how to configure the firewall on the server. Ensure NOD32 is set to automatic update and always running.

    W32/Parite.B is a very nasty infection.
     
  3. ralfs

    ralfs Registered Member

    Joined:
    May 19, 2007
    Posts:
    3
    Marcos: I apologize for editing this post in error, feel free to replace it with the original post.
     
    Last edited by a moderator: May 21, 2007
  4. ASpace

    ASpace Guest

    I am not an expert / firewall expert; you should talk to such a person who can really help.

    This is also a mystery for me; I also think AMON should have caught the virus earlier. Maybe someone else can give a more precise answer. Next time make sure AMON is configured better (for the server the default configuration is fine).
     
  5. ralfs

    ralfs Registered Member

    Joined:
    May 19, 2007
    Posts:
    3
    Is anyone from NOD32 team available to comment on this?
     
  6. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    I'm surprised an Eset moderator has not replied... You're probably best off emailing support[at]eset.com for a faster response/personal support, with a link to this thread in the email.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    There could be several reasons for that:
    1. outdated version of NOD32 at the time of infection
    2. AMON disabled at the time of infection
    3. detection for that Parite variant was added after the infection had taken place
     