Sober.C Renamed!!

Discussion in 'NOD32 version 2 Forum' started by Vinnie, Dec 29, 2003.

Thread Status:
Not open for further replies.
  1. Vinnie

    Vinnie Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    19
    Location:
    Bournemouth, UK
    Hi
    I have had several attacks over the weekend and today of the Sober.C worm through one of my mail accounts. Each time NOD32 has countered it.
Problem is I keep deleting it and the same one is there and won't download off the server when I delete it.
    So I renamed it and the mail downloaded along with other mail which I was expecting.
    Because I renamed it, does this mean that it is still active on my machine?
As it stands NOD is not picking anything up unusual but I have this horrible feeling that it's there somewhere with whatever it's been renamed to.
    Or have I nothing to worry about?

    Thanks

    Vincent
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hi Vinnie,
    would you please be more specific as to what mail client you use?
     
  3. Vinnie

    Vinnie Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    19
    Location:
    Bournemouth, UK
    Hi Marcos

It was Outlook Express. But having said that I then configured it into Outlook 2003 to see if I could download it there, but the virus popped up there as well. It also popped up in Pegasus, my other mail client, and it would not download from that either.

The question here is: Because I renamed a virus using NOD's renaming utility, does this mean the virus is gone and dead or is it still there?
     
  4. Vinnie

    Vinnie Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    19
    Location:
    Bournemouth, UK
    Hi
    I'm bumping this up. I am not convinced that there is nobody here that does not know the answer to this question.
    So bumping it to bring it back to everybody's attention.

    Thank you
     
  5. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    I'm still kind of foggy about your problems.

1. Can you not access the mail server directly to delete the problem infected mail from there? For example, my ISPs allow me to check for mail on their site and I can delete emails there so they never get downloaded to my email client. Some email clients like Poco allow you to view the mail on the server so one can check things out prior to downloading.

    2. If you renamed a file you downloaded rather than deleting it, it should still be on your hard drive. You can't find it? It's not showing within your email client?

Then I think the question is for ESET: when IMON (presumably) renames an email/attachment, what is it renamed to and does NOD move the file or just leave it in place? Presumably it should rename it in such a manner that the file is not readily executable. But to go back and delete it, the file's location would be good to know.

    Perhaps you also should email ESET support directly if you haven't already with full information regarding the circumstances and your OS, email client, etc.
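As an added example (not code from this thread or from ESET), here is how the server-side approach sig describes in point 1 can be scripted, so that a message carrying an executable attachment is deleted on the POP3 server before any mail client ever tries to download it past a resident scanner. It assumes the mailbox speaks POP3 and uses only Python's standard poplib and email modules; the executable-extension list, the two sample messages and the FakePOP3 stand-in are constructed for the demo.

```python
"""Added example: inspect a POP3 mailbox with TOP and delete messages that
carry executable attachments with DELE, without downloading them in full.
Not code from the thread or from ESET; standard library only."""
import email
import poplib
from email import policy

# Constructed list of extensions treated as executable (assumption, not
# ESET's list). Only the last suffix is checked, so 'report.txt.exe' counts.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def attachment_names(raw_message: bytes) -> list:
    """Return the filenames of all MIME parts that declare one."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def is_risky(raw_message: bytes) -> bool:
    """True if any attachment filename ends in an executable extension."""
    for name in attachment_names(raw_message):
        suffix = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if suffix in EXECUTABLE_EXTENSIONS:
            return True
    return False


def purge_risky(conn, body_lines: int = 500) -> list:
    """Walk every message with TOP (headers + body_lines lines), mark the
    risky ones with DELE and return their message numbers.
    conn is a poplib.POP3-like object; deletions only take effect on quit()."""
    count, _mailbox_size = conn.stat()
    deleted = []
    for num in range(1, count + 1):
        _resp, lines, _octets = conn.top(num, body_lines)
        if is_risky(b"\r\n".join(lines)):
            conn.dele(num)
            deleted.append(num)
    return deleted


def purge_mailbox(host: str, user: str, password: str) -> list:
    """Real-world entry point (hypothetical account details): connect over
    POP3S, purge, then quit so the DELE marks are committed."""
    conn = poplib.POP3_SSL(host)
    try:
        conn.user(user)
        conn.pass_(password)
        return purge_risky(conn)
    finally:
        conn.quit()


# ---- constructed sample data and a stand-in server for offline use ----
SAMPLE_CLEAN = (
    b"From: alice@example.invalid\r\n"
    b"To: vinnie@example.invalid\r\n"
    b"Subject: lunch\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"See you at noon.\r\n"
)
SAMPLE_RISKY = (
    b"From: someone@example.invalid\r\n"
    b"To: vinnie@example.invalid\r\n"
    b"Subject: see attached\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please open the attachment.\r\n"
    b"--XYZ\r\n"
    b'Content-Type: application/octet-stream; name="document.txt.exe"\r\n'
    b'Content-Disposition: attachment; filename="document.txt.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"QUJDRA==\r\n"  # base64 of the harmless bytes 'ABCD'
    b"--XYZ--\r\n"
)


class FakePOP3:
    """Minimal stand-in implementing the three poplib calls purge_risky uses."""

    def __init__(self, messages):
        self.messages = list(messages)
        self.deleted = []

    def stat(self):
        return len(self.messages), sum(len(m) for m in self.messages)

    def top(self, which, howmuch):
        lines = self.messages[which - 1].split(b"\r\n")
        header_end = lines.index(b"")
        body = lines[header_end + 1:header_end + 1 + howmuch]
        return b"+OK", lines[:header_end + 1] + body, len(self.messages[which - 1])

    def dele(self, which):
        self.deleted.append(which)
        return b"+OK"


def demo() -> list:
    """Run the purge against the two constructed messages; returns [2]."""
    return purge_risky(FakePOP3([SAMPLE_CLEAN, SAMPLE_RISKY]), body_lines=50)


if __name__ == "__main__":
    print("deleted on server:", demo())
```

TOP only returns the first body_lines lines of the body, so an attachment part that starts later than that in a long message would not be seen; raise body_lines or fall back to RETR for messages whose LIST size is suspicious. Nothing is removed until quit() sends the QUIT that commits the DELE marks, which is also why an aborted session (as when a scanner kills the client's download mid-message) leaves the message in place.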
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you select the rename option, the letter v will be added before the file extension (e.g. exe will be renamed to vexe, etc.)
     
  7. Vinnie

    Vinnie Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    19
    Location:
    Bournemouth, UK
    Okay fair enough it gets renamed. It then downloaded fine into my client without any incidence. I then deleted the email.

My question is: Is that virus still active even though it's been renamed, downloaded and then deleted?
     
  8. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    If the infected file has been renamed it cannot execute; if it's been deleted it's effectively gone. "Gone" in the sense that any deleted files are gone from your HD: that is, it's no longer accessible and can be overwritten.

    Presumably the virus was never "active" since it didn't run as IMON caught it prior to execution. Once renamed it is no longer in an executable form. If it can't execute it can't infect. If it's deleted it can no longer be accessed. (Unless you use a recovery utility to recover it in some fashion.)
     
  9. Vinnie

    Vinnie Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    19
    Location:
    Bournemouth, UK
    Sig and Marcos, thank you both for the info. I wasn't sure if that was the case.
Thankfully NOD32 renamed it because the characteristics of the worm work so that when you are downloading it and a resident antivirus catches it and deletes it, it will then refuse to give you the email so that when you try downloading the emails again it will be back. The only way is to rename it then delete it.

I noticed that I got another one come through tonight and took a snapshot of it before I renamed it. You can find the picture enclosed as a jpg attachment.
     

  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
I don't see the point of "Rename" being an option (if anything, it should be an ADVANCED option, hidden obscurely), if it has the ability to cause this much confusion. If delete was the only other available choice, then there is no choice but to delete, the average user would not want to "Leave", so delete would be clicked on...

    Am I correct in my way of thinking o_O

    Cheers :D
     
  11. Vinnie

    Vinnie Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    19
    Location:
    Bournemouth, UK
No, you're not wrong, but in this case you are. If you read the post again you will see that I did try and delete and NOD32 deleted it. But what happened was it left the email intact and timing out on the server, it just would not download the other normal emails that were trapped behind it.
    The only thing to do was rename and let it download then delete it manually.
    What options were open to me otherwise?
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Sure, I see your point, however, did anyone from Eset explain or give reason as to why it was blocking your other emails? It sounds like this a Nod problem, and that being the case, are they going to fix it?

    Cheers :D
     
  13. Vinnie

    Vinnie Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    19
    Location:
    Bournemouth, UK
    Yes good point and am submitting a report on it. Thanks again. ;)
     