Several Unknown Viruses NOT picked up

Discussion in 'NOD32 version 2 Forum' started by Blackspear, May 15, 2004.

Thread Status:
Not open for further replies.
  1. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have been sent these three viruses in the last hour at my Hotmail account; neither the McAfee scanner at Hotmail nor AMON on my system picked up these viruses. I downloaded them through my POP3 account and saved the files to demonstrate how AMON works to a client.

    In the virus logs the following is mentioned, though AMON did not pop up with its usual RED window; nothing happened until I ran a scan, and only 1 virus was picked up and deleted.

    NOD32 LOGS in Control Centre (one entry; the User and Info columns were empty):

    Time: 15/05/2004 16:28:04 PM
    Module: AMON
    Object: file
    Name: C:\Documents and Settings\PC User\Local Settings\Temporary Internet Files\Content.IE5\3A47VHG5\all_launch_reg[1].htm
    Virus: probably modified trojan JS/NoClose.L
    Action: error while cleaning - operation unavailable for this type of object

    I have sent the three different viruses to samples@nod32.com

    Cheers :D
     

    Attached Files:

    Last edited: May 15, 2004
  2. Blackspear

    This is a picture of a Nod scan, showing the same files as locked...

    Cheers :D
     

    Attached Files:

  3. Blackspear

    How they arrive by email... Each arrived separately.

    Cheers :D
     

    Attached Files:

  4. Blackspear

    This is the Spybot Search and Destroy 1.3 LOG info:

    15/05/2004 4:17:20 PM Denied value "discdirhost" (new data: "C:\WINDOWS\System32\diagrundisc.exe") added in System Startup user entry!
    15/05/2004 4:17:23 PM Denied value "windirsmss32" (new data: "C:\WINDOWS\System32\diagrundisc.exe") added in System Startup global entry!
    15/05/2004 11:46:10 PM Denied value "servicesmss32" (new data: "C:\WINDOWS\System32\runsmss32.exe") added in System Startup user entry!
    15/05/2004 11:46:15 PM Denied value "smss32" (new data: "C:\WINDOWS\System32\runsmss32.exe") added in System Startup global entry!

    Cheers :D
     
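The Spybot S&D log above is itself a usable detection source: each line records an attempt to register an executable under a startup Run key, and the worm registers the same binary twice, once in the per-user scope and once in the global (all-users) scope. The following parser is an added example, not code from the original post or from Spybot; it turns lines in that format into per-executable findings and flags any startup binary that is not on a small allowlist. The allowlist, the extra "ctfmon.exe" sample line and the mapping of "user"/"global" to the HKCU/HKLM Run keys are assumptions made for the example.

```python
import re
from collections import OrderedDict

# Constructed sample in the Spybot S&D 1.3 resident-scanner log format quoted in the post.
# The first four lines are the ones from the post; the last one is an added benign line
# so the allowlist path is exercised (its exact wording is an assumption).
SAMPLE_LOG = r'''
15/05/2004 4:17:20 PM Denied value "discdirhost" (new data: "C:\WINDOWS\System32\diagrundisc.exe") added in System Startup user entry!
15/05/2004 4:17:23 PM Denied value "windirsmss32" (new data: "C:\WINDOWS\System32\diagrundisc.exe") added in System Startup global entry!
15/05/2004 11:46:10 PM Denied value "servicesmss32" (new data: "C:\WINDOWS\System32\runsmss32.exe") added in System Startup user entry!
15/05/2004 11:46:15 PM Denied value "smss32" (new data: "C:\WINDOWS\System32\runsmss32.exe") added in System Startup global entry!
15/05/2004 11:50:00 PM Denied value "ctfmon.exe" (new data: "C:\WINDOWS\System32\ctfmon.exe") added in System Startup user entry!
'''

# One regex for the whole line; named groups give us the fields we care about.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<action>\w+) value "(?P<name>[^"]+)" \(new data: "(?P<data>[^"]*)"\) '
    r'added in System Startup (?P<scope>user|global) entry!$'
)

# Assumed mapping of Spybot's scope wording to the registry keys it watches.
SCOPE_TO_KEY = {
    "user": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "global": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}

# Hypothetical allowlist of startup binaries that are expected on this machine.
KNOWN_GOOD = {r"c:\windows\system32\ctfmon.exe"}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not a startup-entry line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_persistence(log_text, known_good=KNOWN_GOOD):
    """Group startup-entry lines by executable path and flag the ones not on the allowlist.

    Each finding records every value name and scope the binary was registered under, so a
    binary that appears in both the user and the global Run key stands out as a likely worm.
    """
    by_path = OrderedDict()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["data"]
        entry = by_path.setdefault(path, {
            "path": path, "value_names": [], "scopes": [], "registry_keys": [], "actions": [],
        })
        entry["value_names"].append(rec["name"])
        entry["scopes"].append(rec["scope"])
        entry["registry_keys"].append(SCOPE_TO_KEY[rec["scope"]])
        entry["actions"].append(rec["action"])

    findings = []
    for entry in by_path.values():
        if entry["path"].lower() in known_good:
            continue
        entry["both_scopes"] = {"user", "global"} <= set(entry["scopes"])
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_LOG):
        print(f["path"], "values:", f["value_names"], "scopes:", f["scopes"],
              "user+global:", f["both_scopes"])
```

Note that Spybot only logs the attempt it blocked; a binary that the resident scanner did not see (or that the user allowed) will not appear, so this is a complement to an on-access scanner log, not a replacement for one.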
  5. Blackspear

    Latest arrival that installed and attempted to alter the registry which Spybot S & D 1.3 warned me of...

    Cheers :D
     

    Attached Files:

  6. Schouw

    Schouw AV Expert

    Joined:
    Jan 4, 2004
    Posts:
    29
    Location:
    Netherlands
  7. Blackspear

    They are now detected by Nod with the update that arrived this morning 1.761

    ALL are Sober.G in various forms; it is coming in thick and fast. I don't usually receive many viruses at all through my Hotmail account, but more have arrived since last night. From the size of each file (69k) it was/is obvious that each email is a virus, let alone the extensions (.PIF, .SCR and .BAT) that give it away.

    I do wonder why, though: AMON shows a log of 2 instances where it tried to deal with the worm in 1 of its forms; HOWEVER, I was sitting in front of the computer trying to show that AMON pounces on a detection and immediately throws up a glaring red notice... THIS DID NOT HAPPEN. AMON's warning was NOT there; nothing happened except that Spybot S & D's (v1.3) resident scanner detected registry changes and warned me about them. I only found out through a system scan with NOD that yes indeed I had been infected.

    Cheers :D
     

    Attached Files:

    Last edited: May 15, 2004
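The post above makes the practical point that the attachments gave themselves away before any signature existed: an executable extension (.PIF, .SCR, .BAT) and a fixed size of about 69k. The triage function below is an added example, not code from the original post or from any product it names; it walks the attachments of a raw email with Python's standard `email` module and flags the same indicators, plus a double extension and an `MZ` header hiding behind a non-.exe name. The message it builds is constructed for the example, the extension list and the 60,000 to 80,000 byte size band are assumptions, and nothing here is the actual worm.

```python
import email
from email.message import EmailMessage
from email.policy import default
from pathlib import PurePath

# Extensions Windows will execute directly when double-clicked (assumed list for the example).
DANGEROUS_EXTENSIONS = {".pif", ".scr", ".bat", ".exe", ".com", ".cmd", ".vbs", ".js"}

# Loose band around the "69k" the post reports for every copy (assumption, tune per campaign).
SIZE_BAND = (60_000, 80_000)


def build_sample(filename, payload):
    """Construct a minimal multipart message carrying one attachment (sample input for the example)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: Document"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return bytes(msg)


def triage(raw_message, size_band=SIZE_BAND):
    """Return one finding per attachment with the reasons it looks like an executable lure.

    Every indicator is independent, so an attachment is flagged if any single one fires;
    the reasons list tells the analyst which ones did.
    """
    msg = email.message_from_bytes(raw_message, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        suffixes = [s.lower() for s in PurePath(name).suffixes]
        reasons = []
        if suffixes and suffixes[-1] in DANGEROUS_EXTENSIONS:
            reasons.append("dangerous extension " + suffixes[-1])
        if len(suffixes) > 1:
            reasons.append("double extension " + "".join(suffixes))
        # A PE image starts with "MZ"; behind a non-.exe name that is a disguise.
        if data[:2] == b"MZ" and (not suffixes or suffixes[-1] != ".exe"):
            reasons.append("MZ header under non-.exe name")
        if size_band[0] <= len(data) <= size_band[1]:
            reasons.append("size %d in campaign band" % len(data))
        findings.append({
            "filename": name,
            "size": len(data),
            "reasons": reasons,
            "flagged": bool(reasons),
        })
    return findings


if __name__ == "__main__":
    lure = build_sample("photo.jpg.pif", b"MZ" + b"\x00" * (70_000 - 2))
    for f in triage(lure):
        print(f["filename"], f["size"], "flagged" if f["flagged"] else "clean", f["reasons"])
```

This is a gateway-style check, not a scanner: it runs before the file is opened and needs no signature, which is exactly the gap the post describes between the worm's arrival and the 1.761 update.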