Trojan Downloader.Open Stream.NAB

Discussion in 'NOD32 version 2 Forum' started by Biscuit, Jan 21, 2008.

Thread Status:
Not open for further replies.
  1. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    A customer ran a Nod32 v2.7 in depth scan & got this message:

    C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\45\2bbf6c6d-2d8e6380 is infected with Trojan/Java/Trojan Downloader.Open Stream.NAB

Nod32 was unable to clean the file, so I asked the customer to run Prevx CSI, which found nothing. He will run a further Nod32 scan in Safe Mode tonight.

    Could this be a FP?
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
Prevx CSI scans only for active threats, i.e. files loaded in memory and startup files. In this case it's a dormant cache file, hence Prevx isn't going to detect it.
     
  3. ASpace

    ASpace Guest

    Should EAV/NOD32 fail to delete the folder:

    Make him use Pocket Killbox to delete the whole folder

    C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0

These are cache/temporary files.
     
  4. Biscuit

    Biscuit Registered Member

    Thanks, I didn't realise that! :(
     
  5. Biscuit

    Biscuit Registered Member

    Thanks, I've sent him a link.
     
  6. Biscuit

    Biscuit Registered Member

He used Pocket Killbox & ran a delete on reboot. After a further scan he found the same virus, this time in the Pocket Killbox directory! He's now deleted the directory & is running yet another scan!
     
  7. ASpace

    ASpace Guest

    Glad to know :D

Sure, because Killbox has deleted the file/folder from its original location but has made a back-up/copy of it, just in case. Pretty normal ;)

Recommend that your client install EAV v3.0 for better cleaning and a more automated cleaning mechanism.
     
  8. Biscuit

    Biscuit Registered Member

    Not sure that a backup copy of a trojan is needed? o_O

    I'm not running v3 on my own systems yet, I can't run them on customer systems until I'm happy that they are reliable. The last time I checked, the forum was full of v3 issues.
     
  9. kenniso

    kenniso Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    4

I found it recently on my Vista Dell 531. Same thing, couldn't clean it, so I took a deep breath and deleted it outright, rebooted, rescanned and it wasn't there.

Question: should I create new restore points (1, 2 or 3?) and delete all but the last point? I'm a home user, not a help desk pro. This thing might have been copied onto my partition. Can I scan that?
    I found this site by googling "trojan downloader NAB".

    Thanks in advance for any help.
     
  10. ASpace

    ASpace Guest

You can flush the System Restore points by disabling the option and then immediately re-enabling it.
     
  11. Biscuit

    Biscuit Registered Member

    One interesting thought... how did Nod32 let this trojan past in the first place? o_O
     
  12. ASpace

    ASpace Guest

    I guess ... Either 1 or 2 ... or both :D

1) 2bbf6c6d-2d8e6380 is some kind of archive; it simply can't be a whole folder. AMON doesn't scan archives in real-time.
    2) Detection was added after the user got the trojan inside
     
  13. Biscuit

    Biscuit Registered Member

    I believe it was an archive. :doubt:
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Threats inside archives are detected upon extraction.
     
  15. kenniso

    kenniso Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    4
    Actually, it was a cache file.

    C:\Users\\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\74018dd6-7765baaa »ZIP »OP.class - Java/TrojanDownloader.OpenStream.NAB trojan

    I removed the user name for obvious reasons.:D

This is a copy of the log file. My buddies, who know far more about this stuff than I do, told me it might be a part of my Rhapsody streamer or Comcast's Fancast streamer. I haven't had time to test the theory.
I did eliminate it from restore by creating 1 point and getting rid of the rest, after I simply deleted the files and re-booted. (Which was probably unnecessary, but I like to be thorough.)

    I thank everybody for their replies.

Oh yeah, I also wonder how it got past NOD32 when I have all monitors turned on, and the reason I suspect the two apps is because those were the only two streamers I added the day that NOD found it. I have it scan every night while I sleep, of course.
     
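The log line above shows the shape NOD32 uses for a hit inside an archive (container »ZIP »member - detection), and ASpace's earlier guess was that the hash-named cache entry is itself an archive. Both can be checked on disk. The script below is an added example, not code from this thread or from ESET: it parses scan-log lines of that shape and walks a Java Deployment cache directory, reporting which hash-named entries are ZIP/JAR archives, which .class members they contain, and whether the sibling .idx record (same name plus .idx) is present. The cache tree, the JAR, the .idx placeholder and the log lines are constructed for the demo; the real .idx record format is not modelled.

```python
"""Triage helper for Java Deployment cache detections (added example).

Assumptions, labelled here: the '»' separators and the trailing ' - <name>'
are taken from the log lines posted in the thread; the sample cache tree and
its contents are constructed and contain no real malware.
"""
import os
import tempfile
import zipfile
from dataclasses import dataclass, field

ZIP_MAGIC = b"PK\x03\x04"  # local-file-header signature of a ZIP/JAR archive


@dataclass
class Detection:
    container: str                              # file on disk that was scanned
    chain: list = field(default_factory=list)   # [(archive_type, member), ...]
    name: str = ""                              # detection name as logged


def parse_log_line(line: str) -> Detection:
    """Split '<path> »ZIP »<member> - <detection>' into its parts.

    A line without any '»' is a hit on the file itself; each '»TYPE »member'
    pair descends one archive level (nested archives give several pairs).
    """
    left, _, name = line.strip().rpartition(" - ")
    if not left:
        raise ValueError(f"no ' - ' separator in log line: {line!r}")
    parts = left.split(" »")
    container, rest = parts[0], parts[1:]
    if len(rest) % 2:
        raise ValueError(f"unbalanced archive chain in log line: {line!r}")
    chain = [(rest[i], rest[i + 1]) for i in range(0, len(rest), 2)]
    return Detection(container=container, chain=chain, name=name)


def is_zip(path: str) -> bool:
    """Cheap magic-byte check; cache entries carry no extension."""
    with open(path, "rb") as fh:
        return fh.read(4) == ZIP_MAGIC


def archive_cache_entries(cache_root: str) -> dict:
    """Map each archive-type cache entry to its .class members and to whether
    a sibling .idx record exists (the deployment cache keeps one per entry)."""
    found = {}
    for dirpath, _, files in os.walk(cache_root):
        for fn in files:
            if fn.endswith(".idx"):
                continue
            full = os.path.join(dirpath, fn)
            if not is_zip(full):
                continue
            with zipfile.ZipFile(full) as zf:
                classes = sorted(n for n in zf.namelist() if n.endswith(".class"))
            found[full] = {"classes": classes, "has_idx": os.path.exists(full + ".idx")}
    return found


def build_sample_cache() -> str:
    """Construct a throwaway tree shaped like ...\\Deployment\\cache\\6.0\\NN (constructed data)."""
    root = tempfile.mkdtemp(prefix="jdc_")
    bucket = os.path.join(root, "6.0", "22")
    os.makedirs(bucket)
    jar = os.path.join(bucket, "74018dd6-7765baaa")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("OP.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)  # class-file magic + padding
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with open(jar + ".idx", "wb") as fh:
        fh.write(b"\x00" * 32)           # placeholder index record, not the real format
    with open(os.path.join(bucket, "0a1b2c3d-4e5f6a7b"), "wb") as fh:
        fh.write(b"GIF89a")              # a non-archive cache entry (an image)
    return root


def demo() -> dict:
    """Build the sample cache and return archive entries keyed by relative path."""
    root = build_sample_cache()
    hits = archive_cache_entries(root)
    return {os.path.relpath(p, root).replace(os.sep, "/"): v for p, v in hits.items()}


if __name__ == "__main__":
    sample = (r"C:\Users\\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\74018dd6-7765baaa"
              " »ZIP »OP.class - Java/TrojanDownloader.OpenStream.NAB trojan")
    print(parse_log_line(sample))
    print(demo())
```

Pointed at a real cache directory instead of the constructed one, archive_cache_entries only reads the files, so it is safe to run before deciding what to delete; the entry to remove is the container path from the parsed log line together with its .idx sibling, which is what kevvyb2005 describes doing by hand later in the thread.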
  16. mg1cigar

    mg1cigar Registered Member

    Joined:
    Aug 3, 2007
    Posts:
    1
    Location:
    Huntersville, NC
Interesting, my NOD32 v2.5 found 2 as follows:
1) C:\windows\Temp\$558767A.t$m
2) C:\windows\Temp\$3BC84D19.t$m
I went to my temp folder and it was empty. This was also a Java/TrojanDL.OpenStream.NAB Trojan.
     
  17. kevvyb2005

    kevvyb2005 Registered Member

    Joined:
    Jun 3, 2005
    Posts:
    70
    Location:
    London UK
    Can anyone say what this thing does or is it relatively harmless?

    Can't find any such description on web.

    I'm asking 'cos NOD32 just detected it for me :rolleyes:
     
  18. kenniso

    kenniso Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    4
I have not had a problem since I deleted the file, created a restore point and used Disk Cleanup to rid myself of the infected restore points. I had originally thought it was actually a by-product of Rhapsody or Fancast. I have used both since and it has not turned up.
I am not a techie nor a guru. I'm simply a home / work user with educated friends. I decided on my own to take the actions I listed. My PC runs fine and it has not shown up again. So I recommend you go to the file, delete it completely, create a new restore point, delete the rest through Disk Cleanup and restart. On my PC it was a cache file. From my small amount of knowledge that is an odd place to direct a trojan to, but what do I know?

    I believe the other folks up the string make a living at this stuff. Hopefully, they'll speak up. NOD 32 has found nothing since.
     
  19. kevvyb2005

    kevvyb2005 Registered Member

    Thanks for that.

    I'm not overly concerned as it's a cache file which I have picked up is probably 'something and nothing' when it comes to this sort of thing.

    I deleted it manually last night along with another file with an .idx extension which had the same filename.

    Not sure that was the right thing to do but again, as it's a cache file, figure that it can't do much harm deleting it.

    Sounds like more of a false positive to me. But as you said, what do I know. All I do know is that I can find no specific reference to it on any of the virus scan vendor websites!

    As you say, someone else who has more knowledge may actually post to advise. Suppose it's always possible no one really knows :)
     
  20. kenniso

    kenniso Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    4
One thing more. When I run into this stuff I copy and paste the string into Google. If there are no results, I incrementally shorten the string until I do.
This is how I found this site. There is info out there, sometimes good, sometimes bad. I think the folks in this thread are pros, as they mention clients often. It is their job to be cautious and thorough, as any nonchalant actions may shut down a client's business. While a home (non-business) user will go through inconvenience and perturbance, we still make our living.
I suggest you get a large external drive (if you can afford the $100 U.S. or less) and make occasional backups right after you make sure your system is clean. Then disconnect the thing so that there is no way it can become infected. Google has a plethora of info on it; use the rule of thumb that a site is run by pros, or that you see it repeated several times with different syntax. Glad I can help.
It's nice to be the helper for once instead of the helpee. In the past I have been learning stuff the hard way. Inconvenient as heck, but it sure does stick once you go through it.
     