Not-A-Virus.Tool.Reboot

Discussion in 'NOD32 version 2 Forum' started by 4now, Jul 8, 2005.

Thread Status:
Not open for further replies.
  1. 4now

    4now Registered Member

    Joined:
    Oct 9, 2004
    Posts:
    89
    I was surprised to get a blue screen while surfing with Opera, yesterday evening. Never had a blue screen before. I decided to do scans today and Ewido caught C:\windows\_MSRSTRT.EXE, Not-A-Virus.Tool.Reboot

    Is this anything serious, or related to the BS? Is it a trojan or a virus? Should it have passed by Nod?

    thanks
     
  2. Ailric

    Ailric Guest

  3. hadi

    hadi Guest

  4. 4now

    4now Registered Member

    Joined:
    Oct 9, 2004
    Posts:
    89
    Ewido has it in quarantine -- I don't think I should release it?

    I'm certain I haven't used any such utility program - especially since my last Ewido scan
     
  5. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    I suggest you send it to analysis. Better safe than sorry ;)
     
  6. 4now

    4now Registered Member

    Joined:
    Oct 9, 2004
    Posts:
    89
    you mean send it to Nod

    should I release it? presently in quarantine with an .ess extension.


    scans of the .ess files came up with negatives from Kaspersky and possible from jotti
     
  7. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    If NOD is your AV, then yes, send it to Eset.
    It could be something or it could be harmless.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please read the threat name more carefully: NOT-A-VIRUS.Tool.Reboot. NOD32 used to detect it in the past, but then we decided not to detect it because such tools are used by various programs and are used to reboot the machine (e.g. after installation of a particular program).
     
  9. 4now

    4now Registered Member

    Joined:
    Oct 9, 2004
    Posts:
    89
    like a virus writer wouldn't use such a name
     
  10. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    You do have a point 4Now, name a new virii after a 'previously' detected malware, success guaranteed.
     
  11. 4now

    4now Registered Member

    Joined:
    Oct 9, 2004
    Posts:
    89
    well I think that I have submitted the .exe version

    I went to Control Panel/Quarantine/add

    on 'submit' it asks for file destination again - so I pointed to the original file - instead of searching for the Nod 32 quarantine folder, because I'm not sure why it would be asking for directions (to a known location?).

    Did I manage to pass the test?
     
  12. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    You can go into the quarantine menu in NOD32, click add and select the file.
    Now it should be in the list - just right-click and select 'submit for analysis'.

    http://img11.imageshack.us/img11/4797/add6tq.jpg
     
  13. 4now

    4now Registered Member

    Joined:
    Oct 9, 2004
    Posts:
    89
    when you hit 'submit for analysis' it asks for 'file' and '...' <choose path>

    what goes in there?
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Navigate to where the infected/suspicious file is located on your system, and click on it.

    Cheers :D
     
  15. 4now

    4now Registered Member

    Joined:
    Oct 9, 2004
    Posts:
    89
    ok - that's what I did. Thanks Blackspear
     
  16. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    When it's in the quarantine, NOD already has a copy of the file stored in the quarantine folder (encrypted of course).
    This is how it should look when you right-click on the file in the list and select 'submit ...':
    http://img199.imageshack.us/img199/3969/sublit6pb.jpg
     
  17. 4now

    4now Registered Member

    Joined:
    Oct 9, 2004
    Posts:
    89
    a different way

    thanks
     
  18. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I am of the belief that NOD32 would normally be unfooled and detect the threat anyway via AH. :)
     
  19. beng

    beng Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    38
    Location:
    Melbourne/Australia
    I think we have missed the point here though, why is/was the file created in the first place?
    Regardless of whether it should be detected as a Virus etc.......
    4Now stated that no utilities had been run...
    It's obviously too late now, but if ever I find this sort of suspicious file, I usually check the date/time (yes I know that can be faked) and then look for a legitimate folder/file etc that was created at the same time.
    ie if a folder like /program files/mynewwhizbangapplication was created at exactly the same time, then I don't feel so wary.

    Cheers Ben.
     
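The timestamp check beng describes (find what else appeared on disk at the same moment as the suspicious file) can be automated. The script below is an added example for this thread, not beng's code or any tool mentioned here: it walks one or more directory trees and lists every file or folder whose timestamp falls within a window of the suspect's. The `build_sample_tree()` helper constructs a throwaway directory with made-up timestamps (a fake `windows/_MSRSTRT.EXE` plus a `MyNewApp` folder created 40 seconds later) so the example runs offline; nothing in it comes from a real system.

```python
import os
import shutil
import tempfile
import time
from datetime import datetime
from pathlib import Path


def file_timestamp(path):
    """Timestamp used for correlation: last-modification time.

    On Windows, os.stat(path).st_ctime is the NTFS creation time and is the
    better choice there; st_mtime is used here so the constructed sample
    behaves the same on every platform. Either can be faked, as beng notes,
    so a match is supporting evidence, not proof of legitimacy.
    """
    return os.stat(path).st_mtime


def files_created_near(suspect, roots, window_seconds=300):
    """Return (path, datetime) pairs for every file or folder under `roots`
    whose timestamp lies within `window_seconds` of the suspect file's,
    closest first, excluding the suspect itself."""
    suspect = Path(suspect).resolve()
    anchor = file_timestamp(suspect)
    matches = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                p = Path(dirpath) / name
                if p.resolve() == suspect:
                    continue
                try:
                    ts = file_timestamp(p)
                except OSError:  # entry vanished or is unreadable; skip it
                    continue
                if abs(ts - anchor) <= window_seconds:
                    matches.append((p, datetime.fromtimestamp(ts)))
    matches.sort(key=lambda m: abs(m[1].timestamp() - anchor))
    return matches


def build_sample_tree():
    """Constructed sample tree with invented timestamps (not a real system).
    Returns (root, suspect_path)."""
    root = Path(tempfile.mkdtemp(prefix="reboot_demo_"))
    now = time.time()
    hour_ago = now - 3600
    files = [
        ("windows/_MSRSTRT.EXE", hour_ago),                  # the suspect
        ("Program Files/MyNewApp/app.exe", hour_ago + 40),   # installed 40 s later
        ("Program Files/MyNewApp/readme.txt", hour_ago + 45),
        ("Program Files/OldApp/old.dll", now - 86400 * 30),  # a month earlier
        ("windows/notepad.exe", now - 86400 * 400),          # long-standing
    ]
    for rel, ts in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
        os.utime(p, (ts, ts))
    # Directory timestamps are set after their contents exist, deepest first,
    # so that creating the files does not bump them again.
    dirs = [
        ("Program Files/MyNewApp", hour_ago + 40),
        ("Program Files/OldApp", now - 86400 * 30),
        ("Program Files", now - 86400 * 400),
        ("windows", now - 86400 * 400),
    ]
    for rel, ts in dirs:
        os.utime(root / rel, (ts, ts))
    return root, root / "windows" / "_MSRSTRT.EXE"


def demo(window_seconds=300):
    """Build the sample tree, run the correlation, clean up, and return the
    matching paths relative to the sample root (POSIX style)."""
    root, suspect = build_sample_tree()
    try:
        hits = files_created_near(suspect, [root], window_seconds)
        return [p.relative_to(root).as_posix() for p, _ in hits]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel in demo():
        print(rel)
```

On a real machine you would call `files_created_near(r"C:\windows\_MSRSTRT.EXE", [r"C:\Program Files", r"C:\windows"])` and read the result the way beng suggests: a freshly installed application folder landing in the same minute is reassuring, while a lone executable with nothing else created around it deserves the submission for analysis the thread recommends.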
  20. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    But the new virus will have different behaviour...and then heuristics will catch it. :)
     
  21. 4now

    4now Registered Member

    Joined:
    Oct 9, 2004
    Posts:
    89
    that's a good idea beng. I will remember next time.

    I haven't had any word from eset, so there's really no way to know that it was positive yet. Only the submission to the jotti site came with positives. One from its Kaspersky engine, but strangely the Kaspersky site revealed a negative.

    I just find it strange that I had a blue screen while browsing of all things. I've never had anything like this on my stable system. And I had just done scans a few days ago -- Ewido usually never finds anything.

    It could be just a coincidence. It seems that Ewido has just upgraded to 3.5 from 3.0 in its last update - so perhaps it's more sensitive.
     
  22. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    But still, better safe than sorry.
     
  23. hadi

    hadi Guest

    why don't you Google it. It might turn out to be a "normal" file for a certain app
     
  24. beng

    beng Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    38
    Location:
    Melbourne/Australia
    G'day Hadi,
    Great point.. however Ailric and Marcos beat you to the answer <grin>.
     
  25. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Should it have passed Ewido's realtime guard?
     