Trojan??Virus??

Discussion in 'NOD32 version 2 Forum' started by manOFpeace, Jan 31, 2004.

Thread Status:
Not open for further replies.
  1. manOFpeace (Registered Member; joined Feb 1, 2003; 716 posts; Ireland)

    Hello, I had a problem running Ad-aware the other day. Anyway, this is from the NOD32 log. Do I need to send it to ESET? Does this mean NOD32 stopped a Trojan?
    The double slash is where my name was. :eek:

    Time                 Module  Object  Name                                        Virus                           Action   User  Info
    28/01/2004 10:46:02  AMON    file    C:\Program Files\\gibsontools\DCOMbob.exe   Win32/Exploit.DComRpc.A trojan  deleted
    28/01/2004 08:53:19  AMON    file    C:\Program Files\ gibsontools\DCOMbob.exe   Win32/Exploit.DComRpc.A trojan           COMPYNO2\
    28/01/2004 08:44:58  AMON    file    C:\Program Files\\gibsontools\dcombob.exe   Win32/Exploit.DComRpc.A trojan           COMPYNO2\
    28/01/2004 01:21:54  AMON    file    C:\Program Files\\gibsontools\dcombob.exe   Win32/Exploit.DComRpc.A trojan           COMPYNO2\
     
  2. wizard (Registered Member; joined Feb 9, 2002; 818 posts; Europe - Germany - Duesseldorf)

    The files show that you have installed DCOMbobulator from Steve Gibson. This is a tool to test for "RPC exploits" and to disable the RPC service. NOD32 picks up the exploit code inside this program.

    So this file is not a trojan. You can add the file to the exclusion list within AMON to avoid further detection of the file.

    wizard
     
  3. manOFpeace (Registered Member; joined Feb 1, 2003; 716 posts; Ireland)

    Hello wizard, glad it's something simple. Thanks. ;)
     
  4. Vietnam Vet (Registered Member; joined Feb 9, 2002; 306 posts)

    Hmmm,

    Also running NOD32 here and DCOMbobulator (ver 2.0). Just ran it again and not a peep out of NOD. Also, a right-click scan of the file with advanced heuristics says all clear. Now you have my full attention. Something wrong with my copy of NOD32, or something wrong with manOFpeace's copy of DCOMbobulator? Running 98SE here, if that matters. Thanks for any clarification.
     
  5. manOFpeace (Registered Member; joined Feb 1, 2003; 716 posts; Ireland)

    Hello VIETNAM_VET, I went to the folder where the tools are stored and carried out the two scans you speak of, and nothing showed. This was about one hour ago.
    XP Home SP1 here. :)

    Although I do have some of Steve Gibson's stuff, I did a search for DCOMbobulator in Program Files and then My Computer, and nothing came up.
     
  6. manOFpeace (Registered Member; joined Feb 1, 2003; 716 posts; Ireland)

    This is all the SG stuff I am aware of on my computer:
     

    Attached Files:

  7. Vietnam Vet (Registered Member; joined Feb 9, 2002; 306 posts)

    Well, if it were me, and I had just had a trojan identified on my system in a program which does not even exist on said system, I would be awfully curious as to just what exactly NOD32 is (or was) seeing....
     
  8. manOFpeace (Registered Member; joined Feb 1, 2003; 716 posts; Ireland)

    Hi V_V, according to wizard above there is an explanation for it.

    From the Trojan people:
    Greetings and apologies for the delay - that's GRC's DCOMBOBULATOR tool and is QUITE legit ... might want to send a copy of that file to NOD32's folks so they can fix their definitions. Definitely NOT a trojan ...

    Nobody seems too concerned about it. I am trying to get an explanation, but it's not easy.
     
  9. Vietnam Vet (Registered Member; joined Feb 9, 2002; 306 posts)

    manOFpeace,

    According to wizard's explanation, what was detected was your copy of DCOMBOBULATOR, due to the exploit code inside that program. You just told me that you do not have that program. Perhaps you meant that you don't have it now, but did have it at the time of the scan?

    If that is the case, it begs the question again as to why it is not detected on my system, as I definitely do have the program and ran it again to see if I received a warning of any kind. I do NOT get any alert!

    That is the point of my first post. Nothing to submit for a fix of the definitions in my case, as there was no false alert.

    If there is a false alert, why am I not seeing it? How did you get a false alert on something you didn't have to start with?
     
  10. manOFpeace (Registered Member; joined Feb 1, 2003; 716 posts; Ireland)

    I would be 99.99% sure DCOMBOBULATOR was not on my computer before this incident. As you mention, it may have been removed, but again I'm almost certain this was not on my computer. Looking into the folder from memory, I do not recall DCOMBOBULATOR in my files. I am not familiar with the name. When I got over this I cleared all restore points, so I can't go down that road. I did a registry search just in case, but it's not there either.

    I don't know what the AV people would have done, but every time I tried to open it, it closed everything down and left me with a bare desktop. This was a log file inside a legit log file. The only way to get rid of it was to delete the whole Ad-aware folder. :)
     
  11. Vietnam Vet (Registered Member; joined Feb 9, 2002; 306 posts)

    OK manOFpeace,

    I read the thread over at the Ad-aware forum as well. Since my system doesn't seem to have any issues, unless something new develops I am just gonna keep one eye looking in the direction of the two threads and chug along as usual. Good luck.
     
  12. manOFpeace (Registered Member; joined Feb 1, 2003; 716 posts; Ireland)

    It's a complete mystery to me. Why it attacked Ad-aware I do not know. I wonder if it would be possible that Ad-aware cleaned it up and then was attacked by it? I have done complete scans and selective scans, and all return clean. :)
     
  13. doug6949 (Registered Member; joined Nov 28, 2003; 110 posts)

    Weird!
    Maybe it's just coincidence, but NOD32 picked this same thing up yesterday for the first time on my machine. I've had the DCOMbobulator on my machine for several months. Admittedly, this was the first time I had ticked runtime packers, archives and email files.

    Here is what NOD found:

    C:\Documents and Settings\Administrator\My Documents\Downloads\Utilities\DCOMbob.exe - Win32/Exploit.DComRpc.A trojan

    Doug
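    The two observations above, that NOD32's signature fires on exploit code embedded in a legitimate test tool (wizard's post) and that a scan can miss it until the scanner is allowed to look inside runtime-packed files (doug6949's post), can be reproduced with a toy scanner. The following is an added example written for this thread; it is not ESET's engine, not GRC's DCOMbobulator, and the signature bytes, the sample "files" and the XOR "packer" are all constructed stand-ins (ESET does not publish the real Win32/Exploit.DComRpc.A pattern). It also shows why, when you do decide a hit is a false positive, allowlisting the file's hash is safer than the path-based exclusion AMON offers: a different file dropped at the excluded path is still caught.

```python
"""Toy on-demand scanner: signature hit inside a legitimate tester,
packer-dependent visibility, and a hash allowlist for confirmed
false positives. Constructed example, not ESET's engine."""
import hashlib

# Constructed stand-in for an exploit signature.
# NOT the real Win32/Exploit.DComRpc.A pattern.
SIGNATURES = {
    "Demo/Exploit.RpcTest.A": b"\x05\x00\x0b\x03RPC_TEST_PAYLOAD",
}
PAYLOAD = SIGNATURES["Demo/Exploit.RpcTest.A"]

# Constructed sample files. PE stub is fake; only the embedded bytes matter.
STUB = b"MZ" + b"\x00" * 14
LEGIT_TOOL = STUB + b"DemoBobulator tester " + PAYLOAD + b" report"   # embeds test exploit
MALWARE = STUB + b"dropper " + PAYLOAD + b" connect-back"              # same exploit, hostile
CLEAN_FILE = STUB + b"notepad clone"

PACK_MAGIC = b"DEMOPACK"
XOR_KEY = 0x5A


def pack(data: bytes) -> bytes:
    """Simulate a runtime packer: body obscured behind a small stub.
    Real packers (UPX etc.) compress; XOR is enough to model 'bytes not
    visible until the scanner unpacks'. This is a constructed packer."""
    return PACK_MAGIC + bytes(b ^ XOR_KEY for b in data)


def unpack(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in data[len(PACK_MAGIC):])


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, scan_packers: bool = False):
    """Return the matching signature name, or None.
    With scan_packers=False a packed file is never unpacked, so the
    signature bytes inside it are invisible (doug6949's situation)."""
    if data.startswith(PACK_MAGIC):
        if not scan_packers:
            return None
        data = unpack(data)
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def classify(data: bytes, allowlist, scan_packers: bool = True) -> str:
    """Apply a hash allowlist on top of the signature hit.
    Keyed on exact file contents, so a tampered or swapped file at the
    same path is still reported as detected."""
    hit = scan(data, scan_packers)
    if hit is None:
        return "clean"
    if sha256(data) in allowlist:
        return "allowlisted:" + hit
    return "detected:" + hit


if __name__ == "__main__":
    allow = {sha256(LEGIT_TOOL)}   # operator confirmed the tester is legit
    print("tester, unpacked      :", classify(LEGIT_TOOL, allow))
    print("tester, packed, no un :", classify(pack(LEGIT_TOOL), allow, scan_packers=False))
    print("tester, packed, unpack:", classify(pack(LEGIT_TOOL), allow, scan_packers=True))
    print("malware, same payload :", classify(MALWARE, allow))
    print("tester with 1 byte mod:", classify(LEGIT_TOOL + b"\x90", allow))
    print("clean file            :", classify(CLEAN_FILE, allow))
```

    Note that the packed copy of the tester is not in the allowlist (its hash differs from the unpacked one), so it is reported as detected once packer scanning is on; an allowlist has to hold the hash of the file exactly as it sits on disk.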
     
  14. manOFpeace (Registered Member; joined Feb 1, 2003; 716 posts; Ireland)

    Hello Fire Permit, the date of detection on mine was 28.01.04. I would still lay my head on the block and say DCOMbob. was not on my computer at the time of detection. Above is an attachment showing the only stuff I ever knew I had from SG.
    Would it be possible for it to find its way in through other utilities I have?
     
  15. Vietnam Vet (Registered Member; joined Feb 9, 2002; 306 posts)

    Definition was added on the 27th.

    NOD32 - v.1.610 (20040127)
    Virus signature database updates:
    IRC/SdBot.ND, Solaris/Exploit.Dcom.A, Win32/Afcore.Y, Win32/Afcore.Z, Win32/Beastdoor.205.B, Win32/Exploit.DCom.BF, Win32/Exploit.DComRpc.A, Win32/Hackarmy.M, Win32/Hackarmy.N, Win32/Loony.A, Win32/Nexus.B, Win32/Thredsys.51, Win32/TrojanClicker.VB.AO
     
  16. doug6949 (Registered Member; joined Nov 28, 2003; 110 posts)

    Perhaps ESET added the definition without realizing its source and purpose. Or do you suppose the code can be used by hackers for other purposes?
     
  17. MarsVenus (Registered Member; joined Jan 25, 2004; 8 posts)

    I had the same thing the other day.
    http://www.wilderssecurity.com/showthread.php?t=20598
     
  18. sig (Registered Member; joined Feb 9, 2002; 716 posts)

    Their virus def is no doubt based on a real exploit.

    My only issue with the detection (as I noted in Mars/Venus' thread) is that all I have to do is mouse over Gibson's app's icon, or even a shortcut, and AMON goes bonkers. (Edited, since AMON is not picking up just on the file name but evidently on the test "exploit" in the file.)
     