NOD32 not detecting mblast.exe

Discussion in 'NOD32 version 2 Forum' started by pepsi1, Aug 23, 2003.

Thread Status:
Not open for further replies.
  1. pepsi1

    pepsi1 Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    4
    Hi People,
    Was having some problems with internet access, contacted customer service at my provider. Turns out I was infected with the W32/Blaster worm.

    As infections go, it is relatively benign, but I was dismayed that NOD32 did not detect this worm.

    mblast.exe was one of my processes running when I pressed ctrl-alt-del and the mblast file was in \system32, so it was very easy for ME to see that the worm was active.

    Yet when I ran a NOD32 scan it did not detect it.

    I am running with a virus definition update from earlier this week.

    Any suggestions? When I do a scan, I have ALWAYS received a couple error messages about MBR records, but from reading the forum I think I see how to avoid these in the future, but otherwise scans seem to be normal and don't find anything.

    Thanks for any help.
     
  2. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    Comparing the SARC with the NOD32 update site, it sure looks like NOD32 has issued definitions for all of the worm versions.

    NOD32 - v.1.480 (20030812)
    Virus signature database updates:
    Win32/Lovsan.A, Win32/PSW.Pet.F

    From the update list here: http://www.nod32.com/support/info.htm#CurVersion

    On the 13th: Win32/Lovsan.A.unp
    On the 13th: Win32/Lovsan.C
    On the 18th: Win32/Lovsan.A:AsPack
    On the 19th: Win32/Lovsan.D

    http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

    http://www.symantec.com/avcenter/venc/data/w32.blaster.b.worm.html

    http://www.symantec.com/avcenter/venc/data/w32.blaster.c.worm.html
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    pepsi1,

    A couple of questions:

    • what does the update info state in regard to the database version?
    • do you have the IMON enabled?
    • please post a screen shot from the AMON after scanning

    As marti pointed out correctly, all Lovsan variants are covered and detected.

    regards.

    paul
     
  4. pepsi1

    pepsi1 Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    4
    Dear People,

    I really appreciate the effort. Database information is below. I have attached a screenshot of the NOD32 scan. At this point I had removed the mblast worm file (mblast.exe) but not the registry entry.

    I have purchased, and am running Version 2 on another computer and this morning it identified a blast virus as an attachment in an email. So that computer/NOD32 setup seems to be working fine.

    Any thoughts on why the worm was not identified would be appreciated.


    Mike M

    NOD32 system information
    Version:         1.474 (20030804)
    Installed on:      08/04/2003
    Virus database build:   3136
    Environment version:   1.047
    Last Update attempt:   08/14/03 16:18:01

    Operating system information
    Platform:   Windows XP
    Version:   5.1.2600
    Common controls version: 5.82.2600
    RAM:   255 MB

    Diagnostics information
    Base module build:   3084
     


  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    pepsi,

    Your screen shot shows (bottom left corner) that you last updated the database with the update from August 4th, 2003 - version 1.474. FYI: the latest update is version 1.491 from August 21st, 2003.

    I'll take it your question has been answered. Be sure to update or check for updates at least once a day.

    regards.

    paul
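
The diagnosis in this reply can be reproduced from the system information block posted above. The following is an added example, not code from the thread or from ESET: it parses that block and compares it with the release versions and dates quoted in the thread, assuming the field layout shown in the post and that versions compare as numeric pairs.

```python
import re
from datetime import date, datetime

# System information block as posted in the thread (spacing normalised).
SYSTEM_INFO = """\
NOD32 system information
Version: 1.474 (20030804)
Installed on: 08/04/2003
Virus database build: 3136
Environment version: 1.047
Last Update attempt: 08/14/03 16:18:01
"""

# Releases named in the thread: (version, release date).
FIRST_LOVSAN = ((1, 480), date(2003, 8, 12))  # first Win32/Lovsan.A signatures
LATEST = ((1, 491), date(2003, 8, 21))        # latest per the administrator


def parse_system_info(text):
    """Extract the signature version, its date and the last update attempt."""
    ver = re.search(r"^[ \t]*Version:\s*(\d+)\.(\d+)\s*\((\d{8})\)", text, re.M)
    att = re.search(r"^[ \t]*Last Update attempt:\s*(\d{2}/\d{2}/\d{2})", text, re.M)
    if not ver or not att:
        raise ValueError("expected Version and Last Update attempt fields")
    return {
        "version": (int(ver.group(1)), int(ver.group(2))),
        "db_date": datetime.strptime(ver.group(3), "%Y%m%d").date(),
        "last_attempt": datetime.strptime(att.group(1), "%m/%d/%y").date(),
    }


def assess(info, today):
    """Compare the installed database with the releases named in the thread."""
    lovsan_version, lovsan_date = FIRST_LOVSAN
    return {
        "covers_lovsan": info["version"] >= lovsan_version,
        "is_latest": info["version"] >= LATEST[0],
        "db_age_days": (today - info["db_date"]).days,
        # An attempt made on or after the Lovsan release that left an older
        # database in place suggests the attempt did not install an update.
        "stalled_update": info["last_attempt"] >= lovsan_date
        and info["version"] < lovsan_version,
    }


if __name__ == "__main__":
    # today = the date the thread was started
    print(assess(parse_system_info(SYSTEM_INFO), date(2003, 8, 23)))
```

The last field is the one worth alerting on: a recent "Last Update attempt" timestamp says nothing about which database is actually installed.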
     
  6. pepsi1

    pepsi1 Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    4
    Dear Paul,

    I appreciate the response. I will assume then that the software was performing correctly, but my failure to update the database led to my demise.

    Thanks, Mike M
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    My pleasure, Mike ;)

    That's indeed the correct assumption. You might consider configuring the software to look for/install updates at intervals chosen by yourself.

    Take good care and regards,

    paul
     
  8. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Also, I recommend that you install version 2 instead. Just download it using your current username and password, uninstall the old version, reboot, and install the new version.

    You should also leave the scheduled updates at their default settings/interval, and just make sure after a day or two that you got the latest updates.

    Best regards,
    Anders
     
  9. pepsi1

    pepsi1 Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    4
    Dear Anders and Paul,

    Thanks for your help. I think it's all sorted now. I downloaded version 2 last night after I saw how well it worked on another computer we have.

    So now it is happily updating and hopefully I should be safer.

    Bye, Mike M
     
  10. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    msblaster (or lovsan) is not an email borne worm.

    If you were infected that means that a) you didn't have your PC patched with the MS critical update that was available in July and b) you had ports open on the internet and either weren't running a firewall or if you had a firewall it was misconfigured. Such open and vulnerable machines could be infected within 30 seconds of going online. This particular worm wasn't particularly destructive to the infected host, but the next one could be. If you're not running a firewall of some sort get one. There are good free ones available. Even a properly configured NAT router that filters incoming ports should help.

    Don't rely just on your AV to protect you (especially from worms and trojans that take advantage of open ports on the internet) and an AV certainly can't offer its best protection against the newest threats if it isn't regularly updated.

    NOD version 2 has an automatic update feature which is extremely convenient. I set mine so it checks for updates every three hours (I think the default is every hour). It downloads and installs the update without any fuss. The auto updater works so well it's the first time I've ever allowed any application to auto update itself. ESET's made it as easy as it can be to maintain an updated AV so might as well take advantage of it.
     
  11. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    >NOD version 2 has an automatic update feature which is extremely convenient.

    Yes. The auto update feature is great. However, some of us like to have a bit more control. I really like that I can have it set to look every hour and then to ask me before updating when it finds an update. I agree that the auto update is very fast and doesn't cause problems. I especially like that Eset corrected the problem in version 1 and version 2 beta where the mouse would become unusable during the update. Even though the update is fast, I still didn't like that my mouse wouldn't work. Now though, the mouse continues to work and the update is fast.
     