These two trojans were not fully detected.

Discussion in 'NOD32 version 2 Forum' started by testg, Aug 23, 2003.

Thread Status:
Not open for further replies.
  1. testg

    testg Guest

    OK, I've sent the samples, but I also want you guys to be on the lookout for these files on your system. These files are Payload.dat, which is dropped in your c:\ by msmsgri32.exe, which will be in your Task Manager and located in c:\winnt\system32

    Was a bit disappointed since Symantec got them, but oh well.
     
  2. testg

    testg Guest

    Sorry missed a few points.

    The other was:

    NTOSKRNL.exe (yes, I know it's a valid process and a valid file, so don't be alarmed by that, just give it a scan to make sure it's fine... Nod32 detected it as an unknown virus on one system and on the other it was fine... so it looks like some strain has hooked itself into the ntoskrnl.exe)
     
  3. Samaritan

    Samaritan Registered Member

    Joined:
    Dec 27, 2002
    Posts:
    15
    Location:
    New Zealand
    Can you name the virus please?
    I want to check the dates of when Nod updated its files regarding it.

    Thanks.
     
  4. testg

    testg Guest

    Not too sure about the name since it was killed.
    Nod32 ID'd it as an unknown virus.
    While the trojan was ID'd by Symantec as Backdoor.Roxy and the Payload.dat was ID'd by NOD as Slanper.B Trojan, that was only the Payload.dat and NOT msmsgri32.exe (which drops the payload.dat).
     
  5. testg

    testg Guest

    Sorry again, missed a few points.
    The virus was killed by Symantec on my testbed. I have the log file there, but now I am at home and not at work, thus unable to check the logs (the machine is a standalone, non-networked testbed).
     
  6. Samaritan

    Samaritan Registered Member

    Joined:
    Dec 27, 2002
    Posts:
    15
    Location:
    New Zealand
    Thanks for that.

    I noticed that the Backdoor.Roxy gets in through your ports. Did you have the XP firewall turned on? And was it up to date with its patches from Windows Update?
     
  7. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi,

    >OK, I've sent the samples, but I also want you guys to be on the lookout for these files on your system. These files are Payload.dat, which is dropped in your c:\ by msmsgri32.exe, which will be in your Task Manager and located in c:\winnt\system32

    We received some samples, but would it be possible for anyone to send the file that drops the payload.dat - testg says it is "msmsgri32.exe" - to samples@eset.com with cc to support@eset.com with a subject "two trojans were not fully detected"? Zipped, pls.

    Thanks, :)

    jan
     