Question about a NOD32 detection last week

Discussion in 'ESET NOD32 Antivirus' started by chromebuster, May 27, 2010.

Thread Status:
Not open for further replies.
  1. chromebuster

    chromebuster Registered Member

    Joined:
    May 27, 2010
    Posts:
    18
    Hi Folks,
    I had one question. Last week, or was it two weeks ago now? Well, I really don't remember, but I do know that NOD32 detected a file in my Windows folder called fzytua.exe, and it detected it as Trojan Win32/Kryptik.EEI, and luckily, it was able to be deleted. But the bad thing is, when I clicked on the file and received a notification from WinPatrol that it was an automatic startup program, I allowed it despite the randomly named process. My question is, what exactly is Kryptik.EEI, and do any of the following files belong to it: Fzytua.exe, fhf.exe, or Fhg.exe? The latter were found in my temp folder, and the first was in my Windows folder. I was able to manually delete those in my temp folder, but your product found the first in my Windows folder. The program was trying to download and update something that it automatically downloaded, and then ads were popping up all over the place. Things are looking great thanks to you folks, but I'm just curious what I was up against then. In other words, what is Kryptik.EEI, and does it have anything to do with any of the TDSS variants? Thanks.

    Chromebuster
     
    Last edited: May 27, 2010
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Since Kryptik is a generic heuristic detection, it can be anything.
     
  3. chromebuster

    chromebuster Registered Member

    Joined:
    May 27, 2010
    Posts:
    18
    Thanks. But the interesting thing is that when I used a secondary scanner (Malwarebytes), it found two registry entries, each belonging to Trojan.FakeAlert. So, as you said that it could have been anything, could it be possible that some Kryptik variants download rogue scanners, and that is what the darn thing was updating? And the other thing I don't get is how the heuristic engine didn't see the file right when I clicked it. Nor did the web access protection monitor come up and ask me what I wanted to do with it. Could that have been due to the simple fact that I was using Firefox at the time? Isn't it right that you guys do not monitor web access in Firefox? What throws me even more is that the trojan didn't mind being deleted! Some malware authors really are quite dumb, aren't they? LOL. I was able to take out those two temp files in a flash. Well anyway, thanks for the input.

    Chromebuster
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Rogue programs are often detected as variants of Kryptik.

    Surely the file was supposed to be detected and blocked by web protection. The only reason why it wasn't that occurs to me is that detection was added shortly after you got infected. However, if the file was actually registered in the registry to start with Windows, the startup scan run after the update must have revealed it. I assume that those two registry keys were not found in the Run keys that are checked by the startup scanner.
     
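    The Run keys Marcos refers to can be checked by hand. The script below is an added example for this thread, not an ESET tool or anything from the product: it enumerates the HKLM and HKCU Run/RunOnce autostart keys, resolves each command line to its executable, flags entries whose binary sits directly in %windir% or a Temp folder (the locations named in this thread; the flagging rule is an assumption, tune it to your environment), and prints a SHA-256 so a sample can be looked up or submitted to the vendor.

```powershell
# Added triage example (not ESET code): list Run/RunOnce autostart entries
# and flag executables living in unusual folders such as %windir% root or Temp.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed flagging rule: an autostart binary dropped directly into one of
# these folders (not a subfolder such as System32) is worth a closer look.
$suspectDirs = @($env:windir, $env:TEMP, "$env:LOCALAPPDATA\Temp") |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-ExeFromCommand {
    param([string]$Command)
    # Return the executable path from a Run-key command line, with
    # environment variables expanded and any trailing arguments removed.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) { return ($cmd -split '"')[1] }
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the bookkeeping properties PowerShell adds to the item object
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $exe = Get-ExeFromCommand -Command ([string]$p.Value)
        $dir = ''
        if ($exe) {
            $d = [System.IO.Path]::GetDirectoryName($exe)
            if ($d) { $dir = $d.TrimEnd('\').ToLowerInvariant() }
        }
        $hash = 'missing'
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Exe     = $exe
            Suspect = ($suspectDirs -contains $dir)
            SHA256  = $hash
        }
    }
}

# Suspect entries first; a "missing" hash means the file is already gone.
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

    Run it from an elevated PowerShell session so the HKLM keys are readable. A flagged entry is only a lead, not a verdict: confirm the hash against a reputation service or submit the file before removing anything, and remember that Run keys are one persistence location among several (services, scheduled tasks and startup folders are not covered here).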
  5. chromebuster

    chromebuster Registered Member

    Joined:
    May 27, 2010
    Posts:
    18
    You know, surprisingly, I never thought to check that. But as far as I know, I got no popups from NOD32 regarding any registry entries. Is there a way to show the startup scan log? If so, I'll show it and check. Now that you mentioned it, I am curious myself. And upon looking at the updates, I think the particular variant was added prior to the date of infection (May 8, found in the scan on May 9). I can't remember the version of the database though. I can certainly check if you want me to. And interestingly enough, my friend tells me that the author of the malware was able to be sneaky by hiding it underneath the installer, and that's why you folks didn't see it until it actually got through. I can imagine that happens.

    Chromebuster
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    1. Files scanned during startup scans as well as files scanned by real-time protection are not logged unless a threat is found.

    2. It's impossible to tell when the detection for your variant was added without getting the file and scanning it with older signature db versions.

    3. Any file that is written to the disk is scanned with advanced heuristics and runtime archives, so it would have been caught upon saving to the disk at least. Still, the only explanation that occurs to me is that the detection was added after you got infected, assuming that you kept EAV up to date and have never disabled protection modules.
     
  7. chromebuster

    chromebuster Registered Member

    Joined:
    May 27, 2010
    Posts:
    18
    I can tell you that I never disabled any part of the protection engine. But just so that this doesn't happen again, should I add Firefox as a browser so that it will be monitored by web access protection? I didn't do that. And just for the future, what is the best way for me to find resources on malware that is detected using generic names? Let me know. Thanks.

    Chromebuster
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The HTTP communication on standard ports is checked automatically regardless of whether an application is set as a web browser.
     