What's that kind of infection

Hello,

I've got a computer running windows 2000 probably infected.

Symptoms are :

A process named systems.exe is running and can't be killed.
I can launch Nod32.exe or regedit.exe but those apps are immediatly killed.

If i rename Nod32.exe, i can run it without problem and it doesn't detect anything (virus definition are daily updated version 1.707).

How to find witch file is involved ?

Niko

 

I would suggest an online virus scan tool...

 

Hi Niko!

At first... boot into safe mode (press F8 during bootup and choose safe mode)

Most baddies do not run in safe mode....

Now scan with NOD32 and nail that sucker

If that does not work I'd suggest to try an online scanner, as mentioned
by FluxGFX, for example Trendmicro House Call:

http://housecall.trendmicro.com/

If all that fails, you might have some trojan baddie...

In this case you could download a trial version of TDS-3 and the most recent radius-database (you will have to copy it into TDS-Install Directory manually in the trial version) and then do a full scan with all options on, including full heuristics

If TDS-3 gets killed also, just rename the TDS-3.exe to something else and retry!

To do a full scan in TDS-3 go to "System Testing" and choose "Scan Control" and make sure every option is tagged (save "scan for clients/edit servers") and on the generic detection tab make sure both options are tagged and the sensitivity is cranked up to maximum...

If all is set, choose "System Testing" and "Full System" scan... and make yourself some coffee, cause this could take a long time

Good luck and good hunting!

Storm

 

There are some utilities available on the web (e.g Process viewer) which will help you determine the application which ran a particular process.

 

I have isolated the file in an archive file

How can i seend it to Eset for analyse ?

Niko

 

This virus is detected by micro trend online antivirus as WORK.AGOBOT.SB

I've send it to support@nod32.com for updating virus definitions

Niko

 

All variants of Agobot are detected using advanced heuristsics. If you find a new one, please submit it to Eset for analysis as Paul advised.

 

That's done, I found this address in the archive. No respons for the moment

Niko

 

It could be pleasant that Eset at least send and email to tell if the post was usefull, what kind of infection it was and when the definition signatures have been updated.

If Eset don't encourage users to send suspect files, Nod32 won't stay for a long time at the top of antiviral solutions.

Of course this supposed that the reaction delay should be respectable. In my case I send the file yesterday and live in a little bit of anxiety waiting that the definition is updated because i'm responsible for more than 150 PCs protected by NOD32. I've spended more than 3 hours to manualy desinfect one of them. I dont want to have to repeat this operation on all the others.

Niko

 

Hi Niko,

Your wish is my command! I've just been and had a word with my Techno-Geeza-Chums (in their padded cell...!) and they are on the case. Such nice lads.... best not to give them too much raw meat though. An update will be sent out this afternoon... all being well.... and you can then relax in the knowledge that NOD32 is protecting your network.

Thanks very much for sending the nasty critter to our samples dept.

All the best,
Bandicoot

 

It should be a joke. I anderstand that you are busy if you are looking for new virus in that kind of archive. It's like to look for a needle in a haystack.

I'm not sure that an extra employee is needed to send emails. I uppose that you have an internal database program that store submitions and wich is updated each time a job is done. It's certainly not very difficult to add a procedure that automatically send a response email at this time.

I've done and my definition file is now numbered 1.710 but NOD32 does'nt find anything in my suspect file. I wait for the next update keeping my anxiety .

Same
Niko

 

... errrrrr...... did you miss my post? You won't have too long to wait mate.

Bandicoot.

 

This astounds me. When I first did a trial of NOD32, it did not detect several viruses that NAV, KAV, F-Secure, Dr.Web, Trend Micro, all detected. So I submitted the samples to Eset. I never heard anything back. This non-response from Eset became part of a very heated discussion over at DSLreports and Rodzilla got involved and actually this board here at Wilders was born partly because I never got any of kind of response when I submitted those samples and this made Eset look bad. Rod called Anton in New Orleans about why I never got a response. Anton called home and it turned out that human error was responsible. The samples were checked but the report was inadvertently not given to the employee who was responsible for notifying those who submit samples and that is why I never got a response until Rod got Anton to look into it. Then I got an email apology from Jan and a very tardy posting at the board that Eset was using before this one here was created. The response that I got from Jan stated that it was Eset's policy to promptly reply by email and on the official board (if the user had posted there about it) anytime samples were submitted.

This incident was a catalyst to get this board up and running as soon as possible Rod told me. I have not had any cause to submit any viruses since that time but all this time I have been under the mistaken impression, according to you, that Eset would respond very promptly with a report on my submission.

If this not true, this is quite upsetting to learn. I had a bad impression of NOD32 when I was trialling it because of this lack of response and had Rod not intervened I would have stopped my trial and agreed with all the NOD bashers over at my home site. I think it is essential that an AV company respond with a report to all submissions. I cannot understand how Eset could justify such a caviler attitude especially after the incident I have referred to. I don't know of another av vendor which does not respond very quickly. In fact, when I was helping WCB test our security forum's new submission method to all av vendors simultaneously at dlsr, I sent emails with no attachment to most of the vendors and I got a response from all of them (some within a couple of hours). There was a problem with the address for Eset and few others so these few vendors were not included in the test email. Thus, I don't know what Eset would have done, but every other vendor responded promptly. I cannot imagine a valid reason for Eset to leave a user hanging ...worrying about the submission they made nor for such discourtesy on the part of Eset.

 

Yes sorry, I was sending my post and didn't saw your.

Thanks.

Niko

 

Hi Niko,

No worries buddy. The lads are on the case right now.... I'll just go and crack the whip behind their ears again....... ha!!!

Bandicoot

 

Bandicoot,

Just a private conversation that i whoult have send directly if I had your address.
You seem to write in a funny style but you probably forget that it very difficult for someone who just learn english in accademic books and who rarely hear real personn speaking to understand what you whant to say. Your post make me spend a long time reading my english/french dictionnary. It very intructive but not very fast.

This is not a critic, don't be hurt.

Niko

 

Right !

Eset has updated the definitions and the version 1.711 his now recognizing this malicious file as a Win32/Agobot.3.NZ trojan.

Thanks to All Eset Team for there reaction.

It should be said.

I'm now quiet an happy. :

Niko

 

Wow! What a coincidence! I was reading your reply at the very moment I got a pop up asking if wanted to update NOD32 (second up date in three hours) and it was to this very update. That is neat.