Trojan Detected on Just One of Two Identical Installations

Discussion in 'ESET NOD32 Antivirus' started by Ardmore, Apr 16, 2009.

Thread Status:
Not open for further replies.
  1. Ardmore

    Ardmore Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    43
    Today my primary XP-SP2 pc ended up on a website with one of those fake-AV pop-ups ("your computer is at risk," followed by an almost-instant bogus "scan" revealing a system supposedly drowning in malware).

    I was quickly disconnecting from the internet and killing Firefox, and after maybe 5-10 seconds NOD32 v4 reported and quarantined Win32/TrojanDownloader.FakeAlert.YZ Trojan. The quarantined file is reported as an install.php of 271kb.

    Now I know I probably shouldn't have done this, but since I'm still trying to get comfortable with NOD32 I went over to my other XP-SP2 pc with an identically-configured NOD32 installation, and went to the same website. All the same pop-ups started, but to my surprise on this pc NOD32 was silent. Looking at the details of my web history, cookies, etc. on the 2 pc's after visiting the site, they were identical.

    It doesn't appear any harm was done on the second pc (or the first, for that matter). Everything seems clean. (This isn't like a Fake-AV situation I had in my last days with BitDefender, where it sounded like there was some fast and furious unauthorized downloading -- installation? -- going on -- which was quickly stopped and quarantined by BitDefender).

    Again I probably shouldn't have done this, but I went back to the site again on the second pc, but this time using IE 6 instead of Firefox to see what would happen. There was no difference, except that interestingly it shifted to my desktop for the initial fake-AV warning, instead of showing up in front of an initial download of a page-full of text (in Firefox). I do know from looking at the history that the initial warning was an rtf file made to look like a Windows message box (or whatever you call those menus with "OK," etc. buttons).

    My question (finally!) is why NOD32 would react to this on one pc, but not the other? I've never done this kind of multi-pc "comparison" with any AV. Is this kind of situation unusual or anything to be concerned about? Is it possible the site was for some reason being more aggressive on the first pc? (My reactions and timing were similar in both cases, although in the second test on pc #2 I actually gave it a few seconds more time to see if NOD would react.)

    BTW, I'm sure no malware expert, and have only an intermediate or lower (depends on the subject) technical knowledge. So I don't know if the explanation I just gave excluded important facts or makes complete sense. But I'm still a little concerned that this was identified and quarantined in one case, and not in the other.

    A few other points, but with my scrambling to kill connectivity, etc, I can't SWEAR to the accuracy of either: On the first pc the first thing I did was engage Zone Alarm's internet lock. But then ZA seemed to quietly shutdown. And I believe (again, can't swear), that in both cases the checkboxes in CCleaner for IE Cookies and IE Temp files -- the only two checked -- became unchecked. (I did notice a couple cookies placed by the site that NOD32 says the trojan came from -- download.best-click-av1.info).

    Also, even if a real threat had been quarantined, is there any guarantee some "bad" file (a dll?) wouldn't still be lurking on my pc? (That's meant as more of a general question for this kind of trojan; in this particular case I see no evidence of anything other than a couple graphics files.)

    Would appreciate any thoughts, and sorry for the over-long post.
     
  2. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    It was prob. an ad on that site.
    The ad is in rotation in an iframe or what have you.
    If you were not running Firefox with AdBlocker and NoScript (on) then the ad delivered its payload. When you came back with another PC the ad had already pointed to a site that was non-malicious (it's an ad-based Russian Roulette).

    At least that's my guess.
     
  3. Ardmore

    Ardmore Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    43
    But the address reported in NOD's quarantine showed up in the history and cookies for the other two events as well, and all the pop-ups were the same, advertising the same bogus product and doing the same bogus "scan" (which had nothing to do with the purported theme of the site as reported by Google). Doesn't that suggest all three incidents pointed to the same "ad" site?

    Or maybe I don't fully understand what you're saying (quite possible).
     