These days I've run Win32/Brontok.U just for fun to see how NOD reacts (don't do this at home). The .exe unpacked and 5 files were extracted to my Documents and Settings folder. AMON prompted me for each of them to take an action. I've chosen to delete 3 of them and to rename 2. Then I went to system startup (Run -> msconfig) and I was bewildered to see smss.exe checked there. The path was D:\Documents and settings\Local settings... the exact folder and the exact file extracted by the infected exe file. The file was already deleted by AMON, but how could it have reached the startup if AMON blocked it? Is it working properly or what?
Again, you changed the default setting for AMON to prompt for action. By default, files detected by Advanced heuristics are moved to quarantine to prevent their execution.
Thx, Marcos. I had only the "Move newly created files to Quarantine" option checked, under AMON Setup -> Actions.
Unfortunately, smss.exe still appears at startup even though AMON prompts me that it has moved the file automatically to quarantine.
I've sent the file both to samples[AT]nod32.com and sample[AT]nod32.com with the subject "Win32/Brontok.U - Wilders Forum". Anyway, I've noticed something else as well: before running the malware I had the option to show extensions of known file types enabled. Now it isn't anymore, but I've managed to fix it. Also, I no longer have Folder Options under Tools when I open a folder, so I can't set it, for example, to show hidden files or not, or how to click a file to open it (single-click, double-click, etc.). I'm waiting for the analysis.