NOD32 kernel is automatically terminated by Fujacks

Discussion in 'NOD32 version 2 Forum' started by melan, Apr 23, 2007.

Thread Status:
Not open for further replies.
  1. melan

    melan Registered Member

    Joined:
    Apr 23, 2007
    Posts:
    7
    I'm using ver 2.7 of NOD32. I have the latest virus updates as at 23/04/2007. Recently there was a virus on my USB media drive. NOD32 identified it as a variant of the Fujacks virus and notified me with the warning screen. After about 2 seconds it shuts down the Control Center automatically. Then I can only access NOD32 via the on-demand scanner. Then I have to manually scan and delete the spoclsv.exe file in the Windows/system32/drivers/ folder. After that, when the computer is restarted again, NOD32 works as usual.

    Anti stealth - is enabled
    Allow manual stop of AMON- is disabled.

    Why doesn't NOD32 resist this termination?

    I had a lot of faith in NOD32 as the best AV software....

    Please help.
     
  2. ASpace

    ASpace Guest

    Have no idea, but it seems that it was detected later... At least caught...

    If you have set NOD to place a copy of the crap in the Quarantine, you can navigate to the related encrypted files within Windows Explorer (C:\Program files\ESET\Infected) and send these two files (secure encrypted copy of the malicious file(s)) to ESET Support so that they have a look at it.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    I'm doubtful it actually terminated the kernel process (nod32krn.exe) responsible for blocking malware. By the way, it must have been detected by AMON on create and moved to quarantine to prevent it from being executed.
     
  4. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    "variant of Fujacks" - doesn't that mean it was a heuristic detection? If so, isn't it right that AMON doesn't prevent the execution of malware that is detected heuristically (only upon moving/creation)?

    Also, was it the virus on the USB media that was detected or the one "dropped" in Windows\system32\drivers folder? Or both?
     
  5. melan

    melan Registered Member

    Joined:
    Apr 23, 2007
    Posts:
    7
    The virus was on the USB media. When I accessed the USB drive it automatically transfers to the computer. AMON automatically detects it and shows the warning screen with information and relevant options to delete or not. But 2 seconds after the screen appears, NOD32 is automatically terminated by this virus. After that I can't launch the NOD32 Control Centre from nod32kui.exe. When I try that I get the following message: "Error Occurred during communication with NOD32 kernel service".

    I have to manually scan and delete the spoclsv.exe file in the Windows/system32/drivers/ folder or directly delete this file from this folder.

    This is not the Win32/Fujacks.K worm. It is identified by NOD32 as a variant of the Win32/Fujacks virus.

    I think this is a very critical problem with this software, in not properly resisting this malware.
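A defender-side check for the two symptoms melan describes (the NOD32 kernel process gone while the dropped file sits in the drivers folder), as an added example that is not from the thread or from ESET. The process name nod32krn.exe and the path Windows\system32\drivers\spoclsv.exe come from the thread; the function name, the verdict strings and the hash step are assumptions.

```powershell
# Added example (not ESET's code): report the state described in this thread.
# nod32krn.exe and spoclsv.exe under System32\drivers are taken from the
# thread; the function name and verdict wording are assumptions.
function Test-Nod32FujacksSymptoms {
    [CmdletBinding()]
    param(
        # NOD32 kernel process name, without extension (thread: nod32krn.exe)
        [string]$KernelProcess = 'nod32krn',
        # Dropped file named in the thread
        [string]$DropperPath = (Join-Path $env:SystemRoot 'System32\drivers\spoclsv.exe')
    )

    $kernelRunning  = [bool](Get-Process -Name $KernelProcess -ErrorAction SilentlyContinue)
    $dropperPresent = Test-Path -LiteralPath $DropperPath -PathType Leaf

    $result = [pscustomobject]@{
        KernelRunning  = $kernelRunning
        DropperPresent = $dropperPresent
        DropperPath    = $DropperPath
        DropperSha256  = $null
        Verdict        = 'OK: kernel running, no dropper on disk'
    }

    if ($dropperPresent) {
        # Hash the sample so it can be referenced when sending it to ESET,
        # as ASpace suggests above (Get-FileHash needs PowerShell 4+).
        $result.DropperSha256 = (Get-FileHash -LiteralPath $DropperPath -Algorithm SHA256).Hash
    }

    if (-not $kernelRunning -and $dropperPresent) {
        # Exactly the state melan reports: AV kernel gone, dropper present.
        $result.Verdict = 'Kernel not running and dropper present: treat as infected, run the on-demand scanner'
    } elseif (-not $kernelRunning) {
        $result.Verdict = 'Kernel not running: check the NOD32 kernel service'
    } elseif ($dropperPresent) {
        $result.Verdict = 'Dropper present while kernel runs: verify AMON quarantined it'
    }
    $result
}

Test-Nod32FujacksSymptoms | Format-List
```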
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    This will be addressed in v3. As a workaround, you can install ESS beta and enable advanced heuristics and runtime packers to be used on access. The only downside is that enabling these options might slow down accessing complexly runtime-packed files.
     
  7. melan

    melan Registered Member

    Joined:
    Apr 23, 2007
    Posts:
    7
    I found a solution for the prob. In AMON go to Setup, then the Actions tab and enable "Move newly created infected files to quarantine". This must be enabled to prevent this automatic termination. Otherwise this Fujacks can attack NOD32.
     
  8. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    My NOD32 install had the setting you described set on install. So users should be protected, me thinks...
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    It's always set by default, there's no reason to change it.
     
  10. melan

    melan Registered Member

    Joined:
    Apr 23, 2007
    Posts:
    7
    Then it should be my fault. Now I can prove to others that NOD32 can not be beaten. Anyway, thanks for your replies, guys. .... Best Regards....

    Melan
     
  11. melan

    melan Registered Member

    Joined:
    Apr 23, 2007
    Posts:
    7
    This virus is now identified as Win32/Fujacks.Q according to version 2226 on 28/04/2007.

    NOD32 - v.2226 (20070428)
    Virus signature database updates:
    Win32/Agent.E (3), Win32/Agent.G (4), Win32/Agobot, Win32/Bagle.IH (2), Win32/Bagle.II, Win32/Bagle.IJ (3), Win32/Bagle.IK (3), Win32/Delf.AZ (3), Win32/Delf.BA (2), Win32/Fujacks.AL, Win32/Fujacks.AQ (2), Win32/Fujacks.AR, Win32/Fujacks.AS (2), Win32/Fujacks.L (3), Win32/Fujacks.Q, Win32/Gnil.A (5), Win32/IRCBot.UG, Win32/IRCBot.VG, Win32/IRCBot.WV (2), Win32/Mytob.FJ, Win32/Nuwar.Gen, Win32/Small.NAV (2), Win32/Surubat.B, Win32/TrojanDownloader.Lopin, Win32/TrojanDownloader.Small.EFR, Win32/TrojanDownloader.Small.EOK, Win32/VB.NIG, Win32/VB.NKL, Win32/VB.NKM (2)
     