Olmarik Trojan - How to guard against it?

Discussion in 'ESET NOD32 Antivirus' started by petef, Nov 28, 2010.

Thread Status:
Not open for further replies.
  1. petef

    petef Registered Member

    Joined:
    May 30, 2008
    Posts:
    38
    Location:
    USA, NJ
    I operate a computer service business and during the past few weeks several of my customers already running NOD32 became infected with the Olmarik.ADA Trojan which infected their MBR on the physical disk.

    After researching Olmarik here at Wilder's I originally tried various suggested cleaning tools but none worked. I was SUCCESSFUL at removing Olmarik by booting to an "Ultimate Windows Boot CD", using Recovery Console to first do a chkdsk /r /p followed by FIXMBR and FIXBOOT. Since then, this is how I remove Olmarik MBR infections AFTER running the NOD32 scan on the infected hard drive from a clean computer.

    Ok, the above info is just for anyone else interested. My main reason for posting is to find out what measures can be taken with NOD32 to guard against this nasty virus disabling NOD32. Or... what additional measures have proven effective for keeping this Olmarik virus from disabling NOD32.

    For example, is SuperAntiSpyware pay version effective as a second layer of protection to keep NOD32 from being disabled?

    BTW: This is the first time in many years where after installing NOD32 on my customers' computers that they are coming back infected. So I do have a lot of faith in NOD32. I just need to know how to fortify to keep this from happening.


    ---pete---
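As an added example, not from this thread or from ESET: a small Python check that parses a raw 512-byte MBR, verifies the 0x55AA boot signature and partition table, and compares a SHA-256 of the boot-code bytes against a baseline recorded from the same disk when it was known clean, so a changed boot sector can be spotted before resorting to FIXMBR. The device path, baseline value and sample sector are assumptions; the sector should be read from a clean boot environment, in line with the thread's advice to scan the disk from a clean computer, since an active rootkit can hide its changes from the infected OS.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # boot code occupies bytes 0..445
PART_TABLE_OFF = 446          # four 16-byte partition entries follow it
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR
# Partition entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
PART_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot-code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(PART_ENTRY_FMT, entry)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def bootcode_matches(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot-code hash equals the baseline taken from a known-clean disk."""
    return parse_mbr(sector)["bootcode_sha256"] == baseline_sha256


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 of a raw device (assumed path, e.g. r"\\\\.\\PhysicalDrive0" on
    Windows or /dev/sda on Linux; needs administrative rights). Only trustworthy
    when run from a clean boot environment, not from the suspect OS itself."""
    with open(device_path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one bootable NTFS partition
    starting at LBA 2048, unused remaining slots, valid signature."""
    code = bootcode.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack(PART_ENTRY_FMT, 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * 48
    return code + table + BOOT_SIGNATURE
```

A boot-code hash that differs from the baseline while the partition table is unchanged is exactly the pattern an MBR rootkit leaves, and is the cue to scan from clean media and rewrite the boot sector.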
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    What do you do to protect yourself against malware? How much time or will do you have to transfer that knowledge onto your customers (assuming they equally have time or are willing to learn)?
     
  3. petef

    petef Registered Member

    Joined:
    May 30, 2008
    Posts:
    38
    Location:
    USA, NJ
    I FULLY understand what you are saying; however, that kind of thinking is more idealistic and theoretical than practical. Practically speaking, the average person that comes to me for help is not able to fully understand or even remember all that needs to be known about security, or even control all the family members that use the computer, and this is why we must rely upon software to protect against attack. I'm not looking for 100% perfection in security because I know that is not possible.

    Ok, with all that said, in recent weeks our trusty NOD32 has proven to be vulnerable, specifically to this Olmarik virus, so all I'm asking is whether there are any specific tweaks that can be done to NOD32 or any additional software that can be used so that Olmarik can't disable (or has less of a chance to disable) or otherwise defeat NOD32.

    Thank you :)

    ---pete---
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    On the contrary, my thinking is precisely practical. There are no tweaks apart from keeping the AV current and active, keeping the OS updated, and encouraging people to do the minimum to protect themselves. Especially average people. It must be easier to recommend additional software than to follow everyday common sense and easy security practice.
     
  5. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited: Dec 1, 2010
  6. petef

    petef Registered Member

    Joined:
    May 30, 2008
    Posts:
    38
    Location:
    USA, NJ
    Yeah, I hear you. I don't even come in contact with any malware, so as Cudni suggests it's largely about the user and how they operate on the Internet. The real question to ask yourself is how many times did a particular anti-virus actually stop a virus in its tracks and quarantine it.

    When I go to service a customer on a non-virus related issue I'll sometimes check the logs of their anti-virus program to see if it's been catching anything. If it has, I'll point it out to them to show them how effective their anti-virus app has been at protecting them. Usually, if something gets past NOD32 I can clean it out easily if they call me right away, but this Olmarik thing is real bad, hard to get out, and renders NOD32 defenseless.

    I don't think that adding a password to NOD32 would help, because one time I found all the files in the NOD32 program folder to be deleted. Other times, NOD32 won't start up and it's generally disabled. I'm thinking that having SuperAntiSpyware pay version running as a second layer of protection may help.

    ---pete---
     
  7. madquest

    madquest Registered Member

    Joined:
    Dec 15, 2010
    Posts:
    1
    The Eset removal utility for Olmarik is unable to clean the rootkit.
     
  8. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Did you contact support about it? They can advise you further on how to possibly detect it if it is an unknown variant, and then remove it.
     
  9. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Did you use the correct removal tool, and are you sure the rootkit was Olmarik?

     
  10. get_it

    get_it Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    99
    Sorry, I don't mean to hijack the thread, quick noob question here...

    Am I correct in assuming that the "stand-alone" removal tools are not included in the ESET AV or SS suites? (hence the name stand-alone)

    My second question would be if not, then why? Wouldn't incorporating them be beneficial to both ESET suites i.e. improve cleaning of malware?

    Regards
     
  11. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Are we talking about business customers in a more managed environment, or just home users that you are supporting?
     
  12. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    I had one of these last week - the reason it got onto the machine was that the client was using version 3.0, I think - not the latest v4.2.

    The MBR rootkit I removed using mbr.exe after confirming its presence with gmer. v4.2 found the other portions and cleaned them, but v3.0 had missed them.
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    New variants of Olmarik are often detected by ESET proactively, or detection is added very quickly (personally I've seen variants detected only by ESET, or variants where ESET was one of 3-4 AVs to detect them).
    In order for recent Olmariks (tdl4) to be detected when already active, an update of the Anti-Stealth module is required. We assume this could be ready some time soon. For cleaning systems infected with Olmarik, you can use the ESET stand-alone Olmarik cleaners (one for tdl2/3 variants and a new one for tdl4 variants) that are downloadable from here. Note that after running the Olmarik TDL4 cleaner, it's necessary to restart the computer and run a full system scan for the cleaning to complete.
     