WIN2K WORM hiding itself

Discussion in 'NOD32 version 2 Forum' started by User_1900, Apr 23, 2008.

Thread Status:
Not open for further replies.
  1. User_1900

    User_1900 Registered Member

    Joined:
    Feb 20, 2007
    Posts:
    16
    Yesterday, while browsing the YAHOO Sports section I accidentally clicked on an advertisement and a new tab opened up with a website saying “Watch free NHL games”. I promptly closed the tab and continued browsing the same site and other sports websites…FOX, ESPN and BBC SPORTS. After a few minutes, a RED bordered NOD32 window showed up saying the following:

    This Computer may be infected (I think) with a variant of the WIN2K (000000000) worm. Please check with the NOD32 system and that the system has the latest updates. Action: The connection to the internet has been terminated.

    I said "I think" because I can't remember if it said infected for certain. I checked the virus logs….the above message was there, although for the Name section, it just said “This Computer”…no file or folder location was given. This was detected by the IMON module. When I double clicked on the entry, no new details were given about folder location.

    After this, I ran:
    NOD32 scan and clean – no infected files showed up
    3 Anti-spyware scans – Windows Defender, Ad-Aware and A-Squared Free – Nothing but 4 Low Risk tracking cookies showed up…I deleted them
    Zone Alarm Firewall – no intrusions appeared as having “got through”
    NOD32 scan and clean – again, no infected files showed up

    I really hope that I do not have to re-format. So, my question is, is there some way for me to find the location of the infected files/folders? Or is the worm that good at hiding itself?

    Your help would be greatly appreciated.
    Bart
     
  2. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    If IMON detected the malware your PC is clean. It'll terminate the connection with that site so you can't get infected.
     
  3. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hi, it looks like a fake alert from a fake application. I have never seen the name WIN2K from ESET and this announcement from NOD32 v2. I recommend performing a full scan with the on-demand scanner and any other online scanner (e.g. KAV).
     
  4. duijv023

    duijv023 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    230
    Location:
    Rijnsburg, Netherlands
    That is true, but only when IMON is set to drop the connection (one of the basic questions during setup). It may be configured to ask a question as far as I know. So there might be a little risk that this PC is infected.

    Perhaps you can try the sysinspector to have a second opinion, but you will need to know something about it.

    Otherwise, boot into safe mode and run a full system scan.

    Greetings from a warm Holland
     