W32.virut "variant" missed by NOD

Discussion in 'NOD32 version 2 Forum' started by Tiny400, Sep 11, 2007.

Thread Status:
Not open for further replies.
  1. Tiny400

    Tiny400 Registered Member

    Joined:
    Sep 11, 2007
    Posts:
    2
    Hi Guys.

    Have been using NOD32 for 2 and a bit years now, and it's been fantastic.

    Just last week I downloaded a file that was infected with a trojan. Pasted below is the information that NOD showed me.

    More info can be found at this forum that helped me out:

    http://www.spywareinfoforum.com/index.php?showtopic=105027&st=0


    Time: 30/08/2007 21:37:00 PM
    Module: AMON
    Object: file
    Name: C:\WINDOWS\TEMP\VRR3244.tmp
    Threat: probably a variant of Win32/TrojanDownloader.Small.EQN trojan
    Action: quarantined - deleted
    User: NT AUTHORITY\SYSTEM
    Information: Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.


    I ran a NOD32 scan, which came back clean; however, upon reboot, when the internet is connected (modem switched on), it reports:


    Time: 31/08/2007 17:29:35 PM
    Module: IMON
    Object: file
    Name: hxxp://85.114.140.107/~grander/dl.exe
    Threat: probably a variant of Win32/TrojanDownloader.Small.EQN trojan
    Action: (none)
    User: NT AUTHORITY\SYSTEM


    Time: 31/08/2007 17:29:40 PM
    Module: IMON
    Object: file
    Name: hxxp://85.114.140.107/~grander/adv735.exe
    Threat: a variant of Win32/TrojanDownloader.Small.NRS trojan
    Action: (none)
    User: NT AUTHORITY\SYSTEM

    Basically NOD allowed the trojan through, and that seemed to download the W32.Virut variant virus, for which I could find no fix other than to nuke my computer.

    I cannot find any mention of the Virut virus in the threat centre and so I do not feel safe using NOD at the moment. Even though I've paid for it, I'm currently using AVG free!!!!!

    Can anyone maybe let me know if I am secure using NOD, why the trojan worked and how I got infected even though NOD was perfectly working?

    Any help would be great, I really want to put NOD back on but I'm not sure yet!

    Regards
    Tiny.
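    The three NOD32 events quoted in this post are easier to triage once they are split back into their columns. The following parser is an added example, not code from the post or from ESET: it takes the single-line layout in which the NOD32 v2 log export pastes into a forum (field order Time, Module, Object, Name, Threat, Action, User, Information), reconstructed here as constructed sample input from the values in the post, and extracts the fields, the remote host contacted by the IMON hits, and which threats recur across modules. The mapping of ESET's wording ("probably a variant of" = heuristic, "a variant of" = generic signature) to a confidence label is an assumption, as is the assumption that paths and URLs in the Name column contain no spaces.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample input: the events quoted in the post, re-assembled into the
# one-line export layout (Time Module Object Name Threat Action User Information).
# URLs are kept defanged (hxxp) exactly as they appear in the post.
SAMPLE_LOG = r"""
30/08/2007 21:37:00 PM AMON file C:\WINDOWS\TEMP\VRR3244.tmp probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.
31/08/2007 17:29:35 PM IMON file hxxp://85.114.140.107/~grander/dl.exe probably a variant of Win32/TrojanDownloader.Small.EQN trojan NT AUTHORITY\SYSTEM
31/08/2007 17:29:40 PM IMON file hxxp://85.114.140.107/~grander/adv735.exe a variant of Win32/TrojanDownloader.Small.NRS trojan NT AUTHORITY\SYSTEM
"""

# Columns are space-separated with no quoting, so the regex anchors on the tokens
# that are fixed: date/time, module name, the threat-type word, and the user field.
# Assumption: the Name column (path or URL) contains no spaces.
EVENT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})(?: [AP]M)? "
    r"(?P<module>AMON|IMON|DMON|EMON|XMON) "
    r"(?P<object>\S+) "                                   # object type, 'file' here
    r"(?P<name>\S+) "                                     # local path or URL
    r"(?P<threat>(?:probably )?(?:a variant of )?\S+ (?:trojan|virus|worm|application))"
    r"(?: (?P<action>.+?))?? "                            # optional, e.g. 'quarantined - deleted'
    r"(?P<user>NT AUTHORITY\\\S+|\S+\\\S+)"               # 'NT AUTHORITY\SYSTEM' or DOMAIN\user
    r"(?: (?P<info>.*))?$"                                # free-text Information column
)

def parse_event(line):
    """Parse one export line into a dict, or return None if it is not an event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Assumed mapping of ESET's wording to detection confidence.
    if ev["threat"].startswith("probably "):
        ev["confidence"] = "heuristic"
    elif ev["threat"].startswith("a variant of "):
        ev["confidence"] = "generic"
    else:
        ev["confidence"] = "exact"
    ev["remote_host"] = None
    if ev["name"].lower().startswith(("hxxp://", "hxxps://", "http://", "https://")):
        # Re-fang only for parsing; the stored name stays defanged.
        ev["remote_host"] = urlsplit(ev["name"].replace("hxxp", "http", 1)).hostname
    return ev

def parse_log(text):
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]

def summarize(events):
    """Triage view: hits per module, hosts contacted, what was actually quarantined,
    and threats that recur (a recurring hit after quarantine means something is
    still active, which is what the poster observed on every reboot)."""
    by_threat = Counter(e["threat"] for e in events)
    return {
        "by_module": dict(Counter(e["module"] for e in events)),
        "remote_hosts": sorted({e["remote_host"] for e in events if e["remote_host"]}),
        "quarantined": [e["name"] for e in events if e["action"] and "quarantin" in e["action"]],
        "imon_no_action": [e["name"] for e in events if e["module"] == "IMON" and not e["action"]],
        "repeated_threats": sorted(t for t, n in by_threat.items() if n > 1),
    }

if __name__ == "__main__":
    for k, v in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

    Run stand-alone, the summary shows one AMON quarantine, two IMON hits against the same host, and the Small.EQN detection recurring across both modules, which is the pattern to look for when an infection keeps re-downloading its components.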
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    Even if the file slipped through IMON due to the way your browser works, AMON would have moved it to quarantine upon creation in order to prevent it from running. I assume you must have got Virut by other means. NOD32 detects a lot of Virut variants, but if you come across an undetected sample please submit it to samples[at]eset.com so that we can analyse it and add detection.
     
  3. Tiny400

    Tiny400 Registered Member

    Joined:
    Sep 11, 2007
    Posts:
    2
    Hi Marcos.

    NOD did immediately warn me of infection when I executed the dodgy file. The thing was that the file downloaded and reported by NOD32 was the two trojan variants. Those trojans seemed to still be able to execute as they infiltrated the winlogon process as well as other files. After this had occurred, the Virut virus seemed to be the trojan's payload by download.

    The only way i could find of removing it was to completely nuke the computer which caused a fair bit of grief!

    I'm using the Firefox browser, and I used a P2P program to download the infected file. Only upon executing the infected file locally did NOD intercept the trojans, but then, as I mentioned above, they seemed to have already done their damage. When NOD did warn me, I did submit all files that I could for analysis by NOD's automated submission tools.

    Even though NOD put them in quarantine, each time I logged on to the computer with an internet connection active, NOD32 would again warn me of the same two trojans trying to access 2 web sites. This showed that the virus was active.

    When I went to do a manual scan, I found NOD32 failed the CRC check, which tells me that the Virut virus had attacked the NOD32.exe file, which is apparently what the virus does. NOD32 did not ever report to me anything about Virut; I had to use other scanners to tell me about it.

    What can I do to restore faith in NOD's capabilities!? I don't feel that I did anything wrong (other than being a fool by downloading and running the infected file!!).

    Thanks for your time
    Tiny.
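    The failed CRC check described above is an integrity check catching a modified scanner binary. The following is an added example, not code from the post or from ESET, of the stronger form of that idea a defender can run themselves: a SHA-256 baseline of protected executables, stored off the machine and compared against the current files to report modified, missing and unexpected entries. NOD32.exe is the file named in the post; the other file names and all contents are constructed stand-ins, and the "tamper" helper merely appends inert bytes to model the kind of modification a file infector makes.

```python
import hashlib
import os

# Constructed sample: stand-in contents for a protected install directory, keyed by
# relative path. NOD32.exe is the file named in the post; the other names and all
# bytes are hypothetical and contain no real code.
BASELINE_FILES = {
    "NOD32.exe": b"MZ\x90\x00 stand-in for the scanner binary",
    "example_service.exe": b"MZ\x90\x00 stand-in for a service binary",
    "example_help.chm": b"stand-in help file contents",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(contents):
    """Map each relative path to the SHA-256 of its contents.
    In practice, write this out to read-only media or another host; a baseline
    kept on the same disk can be altered by whatever altered the binaries."""
    return {path: sha256_hex(data) for path, data in contents.items()}

def verify_against_baseline(baseline, contents):
    """Compare current contents with a stored baseline.
    Returns sorted lists of modified, missing and unexpected paths plus an 'ok' flag."""
    current = build_baseline(contents)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not (modified or missing or unexpected),
    }

def read_tree(root):
    """Filesystem adapter: read every regular file under root, keyed by relative path."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = fh.read()
    return out

def tamper(contents, victim="NOD32.exe"):
    """Test fixture only: return a copy in which one file has inert bytes appended,
    standing in for an executable that has been modified on disk."""
    changed = dict(contents)
    changed[victim] = contents[victim] + b"<appended stand-in bytes>"
    return changed

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FILES)
    print("clean:", verify_against_baseline(baseline, BASELINE_FILES))
    print("after tamper:", verify_against_baseline(baseline, tamper(BASELINE_FILES)))
```

    A CRC, as the scanner's own self-check used, detects accidental or naive modification; a cryptographic hash compared against a baseline held off the host is harder to forge. Either check is only trustworthy when run from an environment the infection cannot influence, which is why an active file infector is normally verified and cleaned from a clean boot rather than from inside the running system.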
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    If that Virut was actually detected by AMON and you DID HAVE moving newly created/modified files to quarantine enabled (by default), AMON would have moved it to quarantine to prevent its execution. I can understand that after disabling this option (or AMON as such) you'd be able to execute the file and infect other files on the disk.
     
  5. binatang_gila

    binatang_gila Registered Member

    Joined:
    Oct 5, 2007
    Posts:
    1
    Location:
    Salatiga, Central Java, Indonesia
    There is a difference between the On Demand Scanner and the Resident Scanner (AMON) in the way they work.

    The On Demand Scanner scans files using a collection of virus signatures AND heuristics (generic signatures).

    The Resident Scanner scans files before they get opened (using signatures and heuristics) AND monitors system changes as the files are run.

    That is why NOD32's AMON detects a "possible virus" and NOD32's On Demand Scanner doesn't detect it, even on the same files. Because... AMON detects dangerous activities or changes that the virus makes, in real time, as the virus runs.

    Conclusion on this case would be:
    1. Your infected files are a new variant of virus/trojan and NOD32's signature collection doesn't recognize them yet. Running an On Demand Scanner will not detect them.
    2. Your infected files were "caught in the act" by NOD32's AMON, based on the changes they make or their dangerous activities (not by virus signatures), which proves that NOD32's Resident Scanner AMON still works well.

    The solution would be to send a virus sample to samples@eset.com (or scan@virustotal.com), and temporarily black-list your suspicious files.

    Note: try to activate NOD32's heuristics AND advanced heuristics in ALL modules (AMON, DMON, EMON, IMON).
     
  6. cupez80

    cupez80 Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    605
    Location:
    Surabaya Indonesia
    AMON and the On-Demand scanner will always have the same result IF YOU SET THE SAME OPTIONS FOR BOTH (e.g. ThreatSense engine, runtime packers, etc.), so if you get a different result, maybe you didn't set both AMON and the On-Demand scanner with similar options.
     