virus found but no action taken ?!?

Discussion in 'NOD32 version 2 Forum' started by pbb, Jun 5, 2004.

Thread Status:
Not open for further replies.
  1. pbb

    pbb Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    4
    I recently got infected by a virus that Avast (my current AV) didn't catch, which made me look around for other AV programs. McAfee's Stinger identified the virus as W32/Sdbot.worm.gen.o. I moved the virus to C:\VIRUS\ to prevent further automatic execution, and started looking for alternative AV software.

    I'd heard a lot of good things about NOD32, so I decided to give it a try. Initial scanning of the virus folder with NOD32 discovered nothing at all. After some fidgeting I discovered that setting "Runtime Packers" on made it notice the virus. NOD32 identified the virus as FSG v1.31 - Win32/IRCBot.gen trojan.
    However, no matter what I do, NOD32 won't go any further than just listing it in the log; I can't make NOD32 delete the virus no matter what I do. Even EXECUTING the virus causes no action from NOD32 or AMON (the resident module).

    I am at a total loss here. What am I doing wrong? Is it a restriction of the trial version, that it cannot remove viruses? o_O

    Hope somebody can help me further,
    Peter
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Have you tried running Nod32 in Windows Safe Mode?

    Are you running a "Clean" instead of a "scan" with Nod32?

    Let us know how you go...

    Cheers :D
     
  3. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, there is always at least one malware that is not covered by one or another antivirus, so you might be looking for other AVs forever :p
    Anyway, the file might be corrupted and that's why avast! and AMON didn't detect it. Try testing with an unpacked eicar.com file to see if AMON intercepts it. Just to be sure. You can also submit the sample to the avast! or NOD32 virus team for inspection.
     
  4. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    The trial version is fully functional except for being a limited time evaluation software.

    McAfee's Stinger ID'd a file as malware and you moved it to a holding directory and then scanned with NOD? Why didn't you delete it when Stinger found it? Were no such options provided in Stinger? Could you not delete the file manually? Did Stinger provide any other info regarding what to be done with the file? I've never used it but my impression is that Stinger has a clean/delete function. What's the name of the file? Is it in a zip or some other archive format? Or simply an .exe?

    I don't understand why you didn't delete the file while or after using Stinger and why you're using NOD to try to deal with the file. Presumably it would be included in McAfee's virus encyclopedia with information and any special removal procedures that might be required. You don't mention what your NOD settings are for what action to take when finding malware, such as clean and delete or what. It's not clear if NOD is giving you a message that it found malware but cannot delete it (which would be a typical sort of alert if what it found was a running process), or if it's not giving any info other than the name.

    You should try booting the PC into safe mode and then scanning with NOD (or Stinger for that matter). Sometimes a running process that cannot be deleted in regular PC operation can be deleted in safe mode since the process is no longer running. That is often a typical issue when AV's find a trojan that is actually running. The AV cannot terminate the process and then delete the malware but can delete it if the user terminates the process manually or boots into safe mode and then runs the AV scanner. I'm not clear if that is the situation in this case.

    (Just an aside, if an AV ID's a file as malware I wouldn't be particularly inclined to execute it just to see what happens. ;) )
     
  5. pbb

    pbb Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    4
    Blackspear, thank you very much!! I've been going through the NOD interface dozens of times trying to figure out what I did wrong, and I never even noticed the "Clean" button next to the "Scan" button! I've been so used to other AV programs that always incorporate those two in one action, calling it "scanning", that it never occurred to me they would be separated in NOD. Hint to developers of NOD: make the Clean button more obvious!

    Reading up on this virus a bit more on internet, I now discover this must be a very recent variant of Sdbot. This one drops an "csrsss.exe" file and an "_data_.dat" file, which have only very few references on internet...

    As for the other remarks:
    Why did this make me look for another AV program? Because I've also been having some other problems with Avast (especially in the integration with Outlook 2003), because this virus had been known since late 2003 according to McAfee (which is a very long time for a virus in my opinion), and because Avast failed the most recent Virus Bulletin test on Windows XP.
    Why didn't I remove the virus straight away? Because I wanted to test other AV software on this particular virus.
    Why did I execute the virus knowing it is a virus? Because from what I had read on the internet, this was not a "damaging" virus, and I wished to test NOD a bit more. (I've been having it for some weeks now, not really noticing it was a virus, thinking my Windows was just up for a fresh reinstall again...)
    Why don't I use McAfee if that is able to detect the virus? Because McAfee has been growing way too big (byte-wise) for an AV program in my opinion. I like Avast and NOD because they are lean...
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Glad I could be of help :D and agreed, the Clean button should be on the left, and the Scan button should be renamed to something like "Scan ONLY (no action taken)".

    Cheers :D
     
  7. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    pbb, check the avast! forums and you'll get the answer why avast! failed. I would say VB100% testers are incompetent sometimes... Hope you will find a better one that will suit your needs :)
    Yeah, NOD32 has a bit of a funny on-demand scanning interface. You set that it should ask you what to do when it finds malware, but it just lists it in the log and nothing happens, heh.
     
  8. pbb

    pbb Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    4
    Thanks a lot guys.
    I have posted the question on the Avast board, and they asked me to send them a copy of the virus. Glad I didn't delete the virus straight away when detected ;-)

    This does, however, still leave the question why NOD's AMON didn't say a thing when I actually executed the virus. Does anybody have any suggestions?
     
  9. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, I ran into certain cases when viral code is there but it's harmless due to a corrupted file (bad code cannot be executed because the file header is missing or corrupted), so the antivirus ignores it automatically. Wait for the avast! team to reply and you'll see what's up with that file :)
     
  10. pbb

    pbb Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    4
    Yeah, we'll see what they make of it... The virus works, however, which I can notice from not being able to run Regedit when it is active.
     
  11. Smitty

    Smitty Guest

    NOD32 has issues with cleaning, I found that out a long time ago. Disappointed with NOD32 lately, that's for sure.
     
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,751
    Location:
    Texas

    Interesting. Examples?
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Not anymore - and I surely regret the need for this action.

    regards,

    paul
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Unfortunately, unlike the NOD32 on-demand scanner, AMON currently does not scan runtime-packed archives internally. If the scanner detects a virus with the runtime archives option enabled it handles the file as an archive so the only available option is Leave. If that's the case please send the infected file to samples@nod32.com and Eset will pick a signature from the upx-packed file. Then delete the file.
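    Marcos's point above is that a runtime-packed executable is treated like an archive by the scanner, and that AMON at the time did not look inside runtime packers at all, which is why the sample sat unnoticed until the on-demand scanner's "Runtime Packers" option was switched on. The Python script below is an added example, not part of this thread and not ESET code: it reads only the PE section table and reports the two traits packers such as UPX and FSG leave behind, a section reserved for the unpacked image that has no raw bytes on disk, and a compressed section whose bytes are close to random. The packer section names, the entropy threshold and the two sample images are assumptions made for the example; the images are constructed, synthetic headers with no code in them, not malware, and cannot run.

```python
"""Heuristic check for runtime-packed PE executables (added example).

Parses only the PE section table and flags the two traits runtime packers
(UPX, FSG and similar) share: a section reserved for the unpacked image
that has no raw bytes on disk, and a compressed section whose bytes are
close to random (Shannon entropy near 8 bits per byte).  PACKER_NAMES holds
the well-known UPX section names; the entropy threshold is an assumption.
"""
import hashlib
import math
import struct

PACKER_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # known UPX names; FSG leaves none
ENTROPY_THRESHOLD = 7.0                       # assumption: plain x86 code sits far lower
SECTION_HEADER_SIZE = 40                      # IMAGE_SECTION_HEADER is 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Yield (name, virtual_size, raw_size, raw_bytes) for every section in the PE."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                          # section table follows the optional header
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", image, table + i * SECTION_HEADER_SIZE)
        yield name.rstrip(b"\0"), vsize, rsize, image[rptr:rptr + rsize]


def packer_indicators(image: bytes) -> list:
    """Return the reasons the image looks runtime-packed; an empty list means none found."""
    reasons = []
    for name, vsize, rsize, data in parse_sections(image):
        if name in PACKER_NAMES:
            reasons.append(f"section {name!r} carries a known packer name")
        if rsize == 0 and vsize >= 0x1000:
            reasons.append(f"section {name!r} has no raw data but {vsize:#x} virtual bytes: unpack destination")
        entropy = shannon_entropy(data)
        if entropy > ENTROPY_THRESHOLD:
            reasons.append(f"section {name!r} entropy {entropy:.2f} bits/byte: compressed or encrypted")
    return reasons


# --- constructed sample images below: synthetic headers, not malware, not runnable ---

def build_pe(sections) -> bytes:
    """Assemble a minimal PE32 from (name, virtual_size, raw_bytes) tuples; optional header left zeroed."""
    opt_size = 0xE0                                       # size of a PE32 optional header
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    rptr = 0x40 + 4 + 20 + opt_size + SECTION_HEADER_SIZE * len(sections)
    table, blobs, vaddr = b"", b"", 0x1000
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), rptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        rptr += len(raw)
        blobs += raw
        vaddr += max(vsize, len(raw), 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table + blobs


def pseudo_random(n: int, seed: bytes = b"packed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in for compressed code."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]


PLAIN_IMAGE = build_pe([(b".text", 0x1000, (b"\x55\x8b\xec" + b"\x90" * 13) * 256),
                        (b".data", 0x1000, b"hello world\0" * 300)])
PACKED_IMAGE = build_pe([(b"UPX0", 0x8000, b""),                    # empty: unpack target
                         (b"UPX1", 0x2000, pseudo_random(0x2000))])  # compressed payload

if __name__ == "__main__":
    for label, image in (("plain", PLAIN_IMAGE), ("packed", PACKED_IMAGE)):
        found = packer_indicators(image)
        print(f"{label}: {'PACKED' if found else 'no packer indicators'}")
        for reason in found:
            print("  -", reason)
```

    Run as-is, the plain image produces no indicators and the UPX-style image produces four (two for the known names, one for the empty unpack destination, one for the high-entropy payload). Against a real sample the entropy test is the one that matters: a packer that renames its sections still has to store compressed bytes somewhere, and those bytes will not match a signature taken from the unpacked code, which is exactly why Marcos asks for the packed file itself so a signature can be taken from it.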
     
  15. Sandish

    Sandish Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    51
    Maybe I'm wrong, but if you select runtime packers in the Setup tab and "Delete" and "Quarantine" in the Actions tab, it should be possible to delete the file using the "Clean" button. Or did I miss something?

    This works with archives too, if I remember right; only emails and email databases are excluded from this option.
     
  16. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    If I admit that NOD32 failed to clean a NACHI infection, will you clobber me, Ronjor? I'm having enough of a headache, and I forgot which strain it was, but my NOD32 was updated.
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,751
    Location:
    Texas

    AMRX

    Sorry to hear you caught nachi. With all your computing experience, you should know to keep your operating system patched and up to date and use a firewall, etc.

    Nachi appears to be difficult to clean by any standard. Did you contact NOD and let them know you had a problem at the time it happened?

    Prevention is the best cure.
     
  18. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Dear Ronjor, I'm using my folks' system for some months and it happened just when I was downloading and installing the necessary things. It couldn't infect my system though, as NOD32 detected it when an adequate portion of it was downloaded. I used AntiVir PE to clean it up. Otherwise my other system is filled with *other* stuff, but it's as healthy as my thumb.
     