What's that kind of infection

Discussion in 'NOD32 version 2 Forum' started by Niko, Apr 6, 2004.

Thread Status:
Not open for further replies.
  1. Niko

    Niko Guest

    Hello,

    I've got a computer running Windows 2000 that is probably infected.

    Symptoms are:

    A process named systems.exe is running and can't be killed.
    I can launch Nod32.exe or regedit.exe, but those apps are immediately killed.

    If I rename Nod32.exe, I can run it without problem and it doesn't detect anything (virus definitions are updated daily, version 1.707).

    How do I find which file is involved?

    Niko
     
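As an added illustration of the symptoms Niko describes (this is not code from the thread or from Eset), the following Python flags a monitored tool that exits within seconds of being launched and lists the processes that were alive at every such kill; the log format, image names and the two-second threshold are constructed assumptions.

```python
from datetime import datetime
# Constructed process start/stop log (not from the thread): "<HH:MM:SS.fff> <start|stop> <image>"
SAMPLE_LOG = """\
09:00:00.000 start explorer.exe
09:00:05.000 start systems.exe
09:01:00.000 start nod32.exe
09:01:00.400 stop nod32.exe
09:02:00.000 start regedit.exe
09:02:00.250 stop regedit.exe
09:03:00.000 start nd32x.exe
"""
PROTECTED_TOOLS = {"nod32.exe", "regedit.exe"}  # tools the thread says get killed on launch

def parse_log(text):
    """Return a chronological list of (timestamp, event, image) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event, image = line.split()
            events.append((datetime.strptime(ts, "%H:%M:%S.%f"), event, image.lower()))
    return events

def killed_tools(events, max_life=2.0):
    """Protected tools stopped within max_life seconds of start: (image, seconds, stop_time)."""
    started, hits = {}, []
    for ts, event, image in events:
        if event == "start":
            started[image] = ts
        elif event == "stop" and image in started:
            life = (ts - started.pop(image)).total_seconds()
            if image in PROTECTED_TOOLS and life <= max_life:
                hits.append((image, life, ts))
    return hits

def alive_at(events, when):
    alive = set()  # images started and not yet stopped at time `when`
    for ts, event, image in events:
        if ts > when:
            break
        alive.add(image) if event == "start" else alive.discard(image)
    return alive

def suspects(events):
    """Processes alive at every kill; long-lived system processes stay in, so this narrows, not names."""
    common = None
    for _, _, when in killed_tools(events):
        present = alive_at(events, when) - PROTECTED_TOOLS
        common = present if common is None else common & present
    return common or set()
```

A renamed copy of the tool that stays alive (nd32x.exe above) is deliberately not flagged, mirroring the observation that the renamed scanner ran normally.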
  2. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    I would suggest an online virus scan tool...
     
  3. Storm

    Storm Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    46
    Hi Niko!

    At first... boot into safe mode (press F8 during bootup and choose safe mode)

    Most baddies do not run in safe mode....

    Now scan with NOD32 and nail that sucker :D

    If that does not work I'd suggest trying an online scanner, as mentioned
    by FluxGFX, for example Trend Micro HouseCall:

    http://housecall.trendmicro.com/

    If all that fails, you might have some trojan baddie...

    In this case you could download a trial version of TDS-3 and the most recent radius-database (you will have to copy it into TDS-Install Directory manually in the trial version) and then do a full scan with all options on, including full heuristics

    If TDS-3 gets killed also, just rename the TDS-3.exe to something else and retry!

    To do a full scan in TDS-3 go to "System Testing" and choose "Scan Control" and make sure every option is tagged (save "scan for clients/edit servers") and on the generic detection tab make sure both options are tagged and the sensitivity is cranked up to maximum...

    If all is set, choose "System Testing" and "Full System" scan... and make yourself some coffee, cause this could take a long time :D

    Good luck and good hunting!

    Storm
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    There are some utilities available on the web (e.g. Process Viewer) which will help you determine the application which ran a particular process.
     
  5. Niko

    Niko Guest

    I have isolated the file in an archive file.

    How can I send it to Eset for analysis?

    Niko
     
  6. Niko

    Niko Guest

    This virus is detected by Trend Micro's online antivirus as WORK.AGOBOT.SB.

    I've sent it to support@nod32.com for updating virus definitions.

    Niko
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Niko,

    Please send one to the common submit address as well: samples@nod32.com ;)

    regards.

    paul
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    All variants of Agobot are detected using advanced heuristics. If you find a new one, please submit it to Eset for analysis as Paul advised.
     
  9. Niko

    Niko Guest

    That's done, I found this address in the archive. No response for the moment.

    Niko
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Niko,

    Commonly, the only response will be a database update in case necessary ;)

    regards.

    paul
     
  11. Niko

    Niko Guest

    It would be pleasant if Eset at least sent an email to tell whether the submission was useful, what kind of infection it was and when the definition signatures have been updated.

    If Eset doesn't encourage users to send suspect files, Nod32 won't stay for a long time at the top of antiviral solutions.

    Of course this supposes that the reaction delay should be respectable. In my case I sent the file yesterday and live in a little bit of anxiety waiting for the definition to be updated, because I'm responsible for more than 150 PCs protected by NOD32. I've spent more than 3 hours manually disinfecting one of them. I don't want to have to repeat this operation on all the others.

    Niko
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    niko,

    IMO it's a matter of priority; doing so will need at least one full time employee merely emailing submitters. We've submitted a 75 GB .RAR file once (and that's a lot of nasties...) only to find out the needed ones had been databased.

    Eset does encourage users to send suspect files; not employing an extra administrative employee merely to answer submissions in no way discourages that ;)
    As it is now - without a reply as a standard - Eset has managed very well to stay at the top.

    A new database update has just been released; you might check it out.

    That's quite a responsibility indeed, and I for one can see it's no fun at all to disinfect the way you described. New nasties coming in usually end up in a rather fast database update.

    regards.

    paul
     
  13. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
    Hi Niko,

    Your wish is my command! I've just been and had a word with my Techno-Geeza-Chums (in their padded cell...!) and they are on the case. Such nice lads.... best not to give them too much raw meat though. An update will be sent out this afternoon... all being well.... and you can then relax in the knowledge that NOD32 is protecting your network.

    Thanks very much for sending the nasty critter to our samples dept.

    All the best,
    Bandicoot :D
     
  14. Niko

    Niko Guest

    It should be a joke. I understand that you are busy if you are looking for new viruses in that kind of archive. It's like looking for a needle in a haystack.

    I'm not sure that an extra employee is needed to send emails. I suppose that you have an internal database program that stores submissions and which is updated each time a job is done. It's certainly not very difficult to add a procedure that automatically sends a response email at this time.

    I've done so and my definition file is now numbered 1.710, but NOD32 doesn't find anything in my suspect file. I wait for the next update, keeping my anxiety :).


    Same
    Niko
     
  15. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
    ... errrrrr...... did you miss my post? You won't have too long to wait mate.

    Bandicoot.
     
  16. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    This astounds me. When I first did a trial of NOD32, it did not detect several viruses that NAV, KAV, F-Secure, Dr.Web, Trend Micro, all detected. So I submitted the samples to Eset. I never heard anything back. This non-response from Eset became part of a very heated discussion over at DSLreports and Rodzilla got involved and actually this board here at Wilders was born partly because I never got any kind of response when I submitted those samples and this made Eset look bad. Rod called Anton in New Orleans about why I never got a response. Anton called home and it turned out that human error was responsible. The samples were checked but the report was inadvertently not given to the employee who was responsible for notifying those who submit samples and that is why I never got a response until Rod got Anton to look into it. Then I got an email apology from Jan and a very tardy posting at the board that Eset was using before this one here was created. The response that I got from Jan stated that it was Eset's policy to promptly reply by email and on the official board (if the user had posted there about it) anytime samples were submitted.

    This incident was a catalyst to get this board up and running as soon as possible Rod told me. I have not had any cause to submit any viruses since that time but all this time I have been under the mistaken impression, according to you, that Eset would respond very promptly with a report on my submission.

    If this is not true, this is quite upsetting to learn. I had a bad impression of NOD32 when I was trialling it because of this lack of response and had Rod not intervened I would have stopped my trial and agreed with all the NOD bashers over at my home site. I think it is essential that an AV company respond with a report to all submissions. I cannot understand how Eset could justify such a cavalier attitude especially after the incident I have referred to. I don't know of another av vendor which does not respond very quickly. In fact, when I was helping WCB test our security forum's new submission method to all av vendors simultaneously at dlsr, I sent emails with no attachment to most of the vendors and I got a response from all of them (some within a couple of hours). There was a problem with the address for Eset and a few others so these few vendors were not included in the test email. Thus, I don't know what Eset would have done, but every other vendor responded promptly. I cannot imagine a valid reason for Eset to leave a user hanging ...worrying about the submission they made nor for such discourtesy on the part of Eset.
     
  17. Niko

    Niko Guest

    Yes sorry, I was sending my post and didn't see yours.

    Thanks.

    Niko
     
  18. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
    Hi Niko,

    No worries buddy. The lads are on the case right now.... I'll just go and crack the whip behind their ears again....... ha!!!

    Bandicoot :D
     
  19. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Mele,

    That's quite a story ;). Let me only comment on the fact that we have submitted files (and still do), and only expect an answer in case we insist - which is hardly ever the case.

    This forum is a support forum first and foremost. In case Eset feels the need to address those who have submitted malware, that's up to Eset no doubt.

    regards.

    paul
     
  20. Niko

    Niko Guest

    Bandicoot,

    Just a private conversation that I would have sent directly if I had your address.
    You seem to write in a funny style, but you probably forget that it is very difficult for someone who has just learned English from academic books and who rarely hears a real person speaking to understand what you want to say. Your post made me spend a long time reading my English/French dictionary. It's very instructive but not very fast.

    This is not a criticism, don't be hurt.

    Niko
     
  21. Niko

    Niko Registered Member

    Joined:
    Apr 8, 2004
    Posts:
    23
    Location:
    France
    Right!

    Eset has updated the definitions and version 1.711 is now recognizing this malicious file as a Win32/Agobot.3.NZ trojan.

    Thanks to all the Eset team for their reaction.

    It should be said.

    I'm now quite happy. :D

    Niko
     
  22. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Wow! What a coincidence! I was reading your reply at the very moment I got a pop up asking if I wanted to update NOD32 (second update in three hours) and it was to this very update. That is neat. :D
     