warning not detected by NOD32 !!!

Discussion in 'NOD32 version 2 Forum' started by thecrow, May 8, 2004.

Thread Status:
Not open for further replies.
  1. thecrow

    thecrow Registered Member

    Joined:
    May 8, 2004
    Posts:
    23
    had my system totally trashed by this nasty little bugger
    http://securityresponse.symantec.com/avcenter/venc/data/w32.axon.html

    Also Known As: W32/Riaz [McAfee], Win32.HLLP.Xenon [Kaspersky]

    i had my NOD with the recent upgrade scan the file before i opened it
    it said it was clean
    and i trusted that because NOD has saved my ass several times, also against new undefined viruses

    it infected all exe files and totally screwed my entire system

    reinstalled windows 7 times now
    each time with the power off for at least 5 min and a total format of the c: drive

    but it hides somewhere and stays resident somewhere?

    had to abandon my main 80GB HD and put an old 6GB in, which i'm using right now

    since NOD doesn't upgrade the virus database on the weekend, new viruses are just released late friday night and will infect and spread the whole weekend without a cure from NOD

    nod has been my favorite for a long time
    but if this behavior continues i might find a better AV

    Kaspersky upgraded against this bugger friday
    symantec and mcafee saturday
    nod32 ?? whenever it suits them?
     
  2. Madsen DK

    Madsen DK Registered Member

    Joined:
    Nov 23, 2002
    Posts:
    324
    Location:
    Denmark
    Sorry I have to correct you here.
    Nod does indeed update over weekends, if need be.
    The virus you mentioned is a cat 1 threat and will not cause an emergency update, and as far as I can see, Symantec has not made an update for this threat.
    There will be an IU later today, and this virus will be covered by LU on May 12. :) (Probably before, with this worm invasion of late :eek:)
     
  3. thecrow

    thecrow Registered Member

    Joined:
    May 8, 2004
    Posts:
    23
    hmm

    i wait in anger then :mad:
    cause this bugger totally ****ed up my hard drive

    i had to find an old 6gb drive and install xp on it

    cause i couldn't remove that nasty bugger

    it attacks all exe files and also ntoskrnl.exe until there are no uninfected exe files left

    btw i downloaded the virus off the P2P prog emule
    it was camouflaged as an interesting file
    i scanned it with NOD32 and it said the file was clean so i clicked it
    and my nightmare began
    the archive i downloaded was a zip 82 kb in size
    i maybe had the "honour" of being one of the first infected on the emule network
    cause when i downloaded that archive from that guy he was the only one who had it
    when i checked back later
    approx. 1 hour
    over 200 ppl had downloaded it
    unfortunately that guy had a standard emule username and since i wasn't suspicious i didn't write his ip address down :oops:

    i did an online scan with bitdefender but it couldn't find it, my Nod32 couldn't find it
    i downloaded the kaspersky demo which was supposed to find it but i wasn't able to do a virus database update with it and the built-in db was dated late 2003

    i dunno where that virus is hidden
    but i shut computer off for 5 min and formatted c:
    and reinstalled xp many times
    but i was somehow still infected o_O

    looking forward to a working upgrade soon
    cause i want my old system back
    but i'm not putting my old infected hd back until i'm 100% sure there's a working cure
    and that it wont trash my backup hd also ?

    btw i'm also danish

    btw what do IU and LU mean?
    on the other hand i just wanna know when NOD will be able to remove this bugger?
     
    Last edited: May 8, 2004
  4. Madsen DK

    Madsen DK Registered Member

    Joined:
    Nov 23, 2002
    Posts:
    324
    Location:
    Denmark
    Hi Crow or should i say "Hej" :D
    Sorry you are having problems.
    IU means Intelligent Update; they are released daily (or almost) and you have to download them manually. LU means LiveUpdate and is NAV's autoupdater.
    Normally out on Wednesdays, but there have been several LUs weekly of late, due to the increased virus/worm activity.
    Hope some of the others here can help you.
    Strange that you can't get rid of the virus, even with a format c o_O
     
  5. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello Madsen DK

    This concerns me. I'm not familiar with the techy lingo here, but if it's crashing TheCrow's system, it sounds pretty bad to me. I get the impression you're saying this threat is minimal (cat 1)? You also state that Symantec (Norton AV?) has not made an update yet for this threat. I hope this is NOT how NOD32 determines if a threat warrants an update (based on what Symantec does)! I used to run Norton, and it stinks. If NOD wants to lead the industry in AV technology, they certainly don't want to base their decisions on what other companies (and in this case an inferior one, in my opinion) are doing.

    By the way, I also get the impression that McAfee and Kaspersky already know about this one. o_O
     
    Last edited: May 8, 2004
  6. Madsen DK

    Madsen DK Registered Member

    Joined:
    Nov 23, 2002
    Posts:
    324
    Location:
    Denmark
    Hi D & C.
    I was only pointing to Symantec's writeup because Crow had linked to them, and no, I don't think that the Nod staff are relying on Symantec for when to issue an update ;) :D
    But the fact remains that at present this virus is a low threat and not fast spreading.
    I think that Crow has been one of the unlucky ones to get this virus.
     
  7. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Hi
    formatting your drive will not always remove all "nasties" from it. A "quick format" only overwrites existing data to make it appear empty (data can still be recovered using various software, so obviously it is still there!). If you want to remove all data from a HD, the best way to do so is to "write test" it using one of the HD installation discs which can be downloaded from most HD manufacturers' web sites.
     
  8. thecrow

    thecrow Registered Member

    Joined:
    May 8, 2004
    Posts:
    23
    what i did was first turn my power off for 5 min
    (should erase the bugger from memory)
    then i booted from the windows xp cd and installed xp again doing a FULL format

    i did that many times but the virus infection was still in?

    maybe cause it hides somewhere else?
    (i have 5 partitions on that hd and it might be able to infect the newly installed windows from another partition or hide in the boot block or whatever?)

    this is what it said when i submitted the file to the kaspersky online scanner

    Current object: Alcohol 120% v1.9.2.1705.zip

    Alcohol 120% v1.9.2.1705.zip Archive: ZIP
    Alcohol 120% v1.9.2.1705.zip/Alcohol 120% v1.9.2.1705.txt Ok
    Alcohol 120% v1.9.2.1705.zip/Keygen.exe Packed: FSG
    Alcohol 120% v1.9.2.1705.zip/Keygen.exe Infected: Win32.HLLP.Xenon

    i was the first to download the file off this guy (probably the coder himself)
    the guy who spread it was smart i think
    cause that alcohol update was just released a few hours before that
    and many would be looking for a keygen
    i bet he has spread that virus
    in many other files with different names as well
    so i surely won't say this virus is not a threat

    i surely don't see this virus as an unimportant one
    damn, it trashed my system and was impossible to get rid of

    that's why i had to remove my main hd and am now on some old crappy 6gb hard drive

    and the virus is spreading fast on P2P now
    when i found out it was a virus about one hour after download i went to the emule network again and saw 200 ppl now had it, and it was friday
    before i could issue a warning text my system crashed
    i guess it's very very well spread by now!

    ps
    don't gimme that
    "ohh u downloaded warez, u asked for it" crap
    doesn't do anyone any good anyway
     
  9. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    a full format is only a quick format in reality. A write test will take about 7hrs on a drive of the capacity of yours, but it does destroy all info and viruses etc on the drive. It will also tell you if there is any other prob with the drive (it should in theory put the drive back to its "just bought" condition: you then have to "format it" to use it, since it's back in its raw state)
     
  10. thecrow

    thecrow Registered Member

    Joined:
    May 8, 2004
    Posts:
    23
    *lol*
    i might have had the doubtful honour of being the first to download this bugger, off the coder himself probably

    but he used a very interesting file to spread it in
    and
    within one hour 200 already had it
    and mind u this was friday!
    i wonder how many have this file by now?
    cause files get spread awfully fast on P2P
    and those users who have either NOD32 or Avast (i'm told it doesn't find it either)
    will get infected and have their system trashed

    i might install emule on this hd and go see how well it's spread by now

    and i'm afraid the virus will be submitted to other files and spread via them

    don't treat this virus as a low risk
    cause it's surely not
    well of course it's not spreading like agobot or sasser or similar
    but once u have it in
    and if ur AV doesn't know it
    ur totally screwed

    take my word for that !!!
     
  11. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    If kaspersky detects it, download the trial of KAV (not demo), install it on your 6gb hd, update to current defs, set the scanner to the strongest options, install your 80gb drive as a slave drive and scan it with KAV: this should disinfect your new drive!
     
  12. thecrow

    thecrow Registered Member

    Joined:
    May 8, 2004
    Posts:
    23
    tnx a lot

    i just hope that it hasn't destroyed all my files
    cause it managed to infect most of the exe files i had on it, including so many windows files that the system would crash

    but how it survived the many power offs and reinstalls i did is still a riddle to me?

    also symantec categorizes it as "difficult" to remove

    i know quite a lot about computers and safety cause i've had computers since the Amiga 500 days

    and why i couldn't remove it is still a riddle to me

    one virus so far i couldn't remove by a power shutdown and a windows reinstall
     
  13. Madsen DK

    Madsen DK Registered Member

    Joined:
    Nov 23, 2002
    Posts:
    324
    Location:
    Denmark
    A solution could be "Don't do p2p"
    Sorry, couldn't resist it :D :oops: :D
     
  14. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    If you only did a soft format (not a write test) they may still be recoverable by "get data back" or something similar, or failing that (depending on the value you place on the files!) there are companies that will recover the data for you, but it is quite expensive (they use similar techniques to the police to recover data from suspect pc's)
     
  15. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I also agree with Madsen: if you want to stay safe, don't do p2p
     
  16. thecrow

    thecrow Registered Member

    Joined:
    May 8, 2004
    Posts:
    23
    THAT'S NOT AN OPTION :p :p :p :D :D

    problem was i trusted that NOD32 said the file was clean!

    but maybe i should quarantine all files a few days to be sure

    but i've tried many AV's and until this i've considered NOD32 the safest?
     
  17. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Hi thecrow!

    Download updates manually, here is the address http://downloads1.kaspersky-labs.com/updates/

    izi
     
  18. Madsen DK

    Madsen DK Registered Member

    Joined:
    Nov 23, 2002
    Posts:
    324
    Location:
    Denmark
    Well Crow, sites like Kazaa are often used as a launch platform for a lot of new nasties, so regardless of what AV you are using, you will never be completely safe.
     
  19. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    The demo version will not disinfect his PC or update defs (no key file); he needs to download the trial version:
    http://www.kaspersky.co.uk/trials?chapter=146481750
    Only prob (in my opinion) is that it's kav5 (not as good as 4.5, also my opinion!)
    Added later: 4.5 is still available there!
     
    Last edited: May 8, 2004
  20. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
  21. thecrow

    thecrow Registered Member

    Joined:
    May 8, 2004
    Posts:
    23
    cause i went to the NOD32 website and couldn't find an email addy to submit it to

    tnx, i'll send it to them right away
     
  22. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Downloading warez, alleged keygens and using P2P is commonly known as one of the highest-risk activities on the internet. Your experience just illustrates that. As Madsen says, if you insist on engaging in that activity, you'll find relying on an AV alone (any AV, although I'd give KAV the edge over the others but still would not rely on it alone) will not provide sufficient protection against everything all the time.

    If you're going to continue in that practice (which is a matter of choice and so it is an option) either learn how to tighten up your PC's security to the max or continue to be a lab rat for folks who look for (and count on) suckers willing to take their bait.
     
    Last edited: May 8, 2004
  23. Habiru

    Habiru Registered Member

    Joined:
    May 4, 2004
    Posts:
    43
    Location:
    Fredericton
    Hi,

    Sorry to hear about your experience with this little bugger. Hmmm. I am somewhat dismayed that NOD32 missed this virus, and the next question is why?

    This just serves as more ammo for the protection I've added to my arsenal.

    Anyway, to get rid of this go here and download this beta, add the new signatures, make yourself a bootable disc, install your old hard drive and then scan with this bootable disc.

    http://www.networkassociates.com/us/downloads/beta/cleanboot/

    This works very nicely, I'm using the beta as I write this. :)

    Take Care,
     
  24. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Nothing personal Steve1955 and Madsen, but that's a ridiculous suggestion. Even better, why not suggest we all stay completely off the net. That way we wouldn't have to spend all this $$ on security software! I think a better solution is to make better security software! That's why we're here - to learn how to safely enjoy the net. :p
     
  25. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Sig - Now that's a suggestion I agree with. Keep on truckin!:D
     