What are those updates from NOD32?

Discussion in 'NOD32 version 2 Forum' started by Verrys, Jan 12, 2006.

Thread Status:
Not open for further replies.
  1. Verrys

    Verrys Guest

    Nod32 has started to update some weird updates that are called: HLLC/Bizarr.17000, HLLC/Dosinfo.52480, HLLO/13112.A, HLLO/4317.B, HLLO/9504, HLLO/Aids.13952, HLLO/Death.8816,
    and they started with this some days ago. What are those weird names?
    And why aren't they updated as usual, like for example win32.backdoor. or Trojan/Downloader and so on?
     
  2. ctrlaltdelete

    ctrlaltdelete Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    318
    Location:
    NL
    With Google's help:


    HLL Viruses
    These viruses are written in a High Level Language such as Pascal, BASIC or C. Since they consist mostly of "canned code", it is much harder to select a "signature" that won't cause false alarms.
    HLLC or HLL.cmp
    HLLC or HLL.cmp both mean a High Level Language Companion virus. A companion virus is a virus that takes advantage of a quirk in DOS.
    If there is a file called PROGRAM.COM and a file called PROGRAM.EXE in the same directory and you type PROGRAM at the DOS prompt, then PROGRAM.COM will be the file that DOS runs.

    Once the virus in PROGRAM.COM runs, then the virus runs PROGRAM.EXE so you don't notice anything.

    The file being infected, PROGRAM.EXE, doesn't change, but PROGRAM.COM did not exist until the virus created it. The solution is to simply delete the COM file.

    If there really is a companion virus, then the antivirus program will find it in a COM file and there will be an EXE file by the same name in the same directory. Otherwise, it's a false alarm.

    HLLO or HLL.ow
    HLLO or HLL.ow both mean a High Level Language Overwriting virus. An overwriting virus replaces the host file with itself and doesn't store the original file anywhere. These viruses are very obvious and unlikely to be a threat. If the file the antivirus program says is infected still works, then it is a false alarm. Some antiviruses call Dmsetup worms HLLO.DM_Setup even though they aren't really HLLO viruses.
    HLLP
    These are High Level Language Parasitic viruses. They modify but don't destroy the original file. HLLP viruses known to be "in the wild" are the HLLP.Krile family, the HLLP.Weed family, and the Win32.HLLP.Detroie (a.k.a. Cheval De Troie or Sockets de Troie) family.
     
  3. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    To get the information complete - the number after the dot is the virus size in bytes.
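
The two replies above give a naming scheme and a false-alarm check for HLLC hits; the following is an added example, not part of the thread and not ESET's code, that parses such names and applies the COM/EXE check to a flagged file. The function names, the name pattern (inferred from the names in the first post) and the size comparison are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Prefix meanings as given in the thread.
HLL_TYPES = {"HLLC": "companion", "HLLO": "overwriting", "HLLP": "parasitic"}
# Assumption: TYPE/[Family.]Size[.Variant], inferred from the names in the first post.
NAME_RE = re.compile(r"^(HLL[COP])/(?:([A-Za-z_]\w*)\.)?(\d+)(?:\.([A-Z]+))?$")


def parse_detection(name):
    """Split a name such as 'HLLC/Bizarr.17000' or 'HLLO/13112.A' into parts."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    prefix, family, size, variant = m.groups()
    return {"type": HLL_TYPES[prefix], "family": family,
            "size": int(size), "variant": variant}


def triage_companion(flagged, detection):
    """Check an HLLC hit: a .COM file with a same-named .EXE beside it."""
    info = parse_detection(detection)
    if info is None or info["type"] != "companion":
        raise ValueError("not an HLLC detection name: %r" % detection)
    flagged = Path(flagged)
    stem = flagged.stem.lower()
    exe_sibling = any(p.is_file() and p.stem.lower() == stem
                      and p.suffix.lower() == ".exe"
                      for p in flagged.parent.iterdir())
    is_com = flagged.suffix.lower() == ".com"
    return {"is_com": is_com, "exe_sibling": exe_sibling,
            # Added hint (assumption): the dropped .COM is the whole virus,
            # so its length should equal the size in the detection name.
            "size_matches": flagged.stat().st_size == info["size"],
            "likely_false_alarm": not (is_com and exe_sibling)}


def demo():
    """Run the check on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "PROGRAM.EXE").write_bytes(b"MZ" + bytes(100))  # untouched host
        (root / "PROGRAM.COM").write_bytes(bytes(17000))        # flagged file
        (root / "TOOL.COM").write_bytes(bytes(512))             # no .EXE twin
        return (triage_companion(root / "PROGRAM.COM", "HLLC/Bizarr.17000"),
                triage_companion(root / "TOOL.COM", "HLLC/Bizarr.17000"))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```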
     