Win32/Brontok.U

Discussion in 'NOD32 version 2 Forum' started by pykko, Jun 3, 2006.

Thread Status:
Not open for further replies.
  1. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    These days I've run Win32/Brontok.U, just for fun, to see how NOD reacts... (don't do this at home :D )

    The .exe unpacked and 5 files were extracted to my Documents and Settings folder. AMON prompted me for each of them to take an action. I chose to delete 3 of them and to rename 2.

    Then I went to system startup (Run -> msconfig) and I was bewildered to see smss.exe checked there. The path was D:\Documents and settings\Local settings... the exact folder and the exact file extracted by the infected exe file.

    The file was already deleted by AMON, but how could it have reached the startup if AMON blocked it? Is it working properly or what? o_O
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Again, you changed the default setting for AMON to prompt for action. By default, files detected by Advanced heuristics are moved to quarantine to prevent their execution.
     
  3. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Thanks, Marcos. I had only the "Move newly created files to Quarantine" option checked, under AMON Setup -> Actions.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    What about Options - Additional options on create - Move to quarantine ?
     
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I've checked it now. :D ;)
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Could you try it again and let us know if it worked fine? :D
     
  7. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Of course... I'll test it in a minute. :D
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Unfortunately, smss.exe still appears at startup even though AMON tells me it has moved the file to quarantine automatically. :(
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Could you send that file to samples so that I can check it myself?
     
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I've sent the file both to samples[AT]nod32.com and sample[AT]nod32.com with the subject "Win32/Brontok.U - Wilders Forum".

    Anyway, I've noticed something else too... before running the malware I had the option to show extensions of known file types enabled. Now it's not any more, but I've managed to fix it.
    Also, I no longer have Folder Options under Tools when I open a folder, so I can't set, for example, whether to show hidden files or how to click a file to open it (single-click, double-click, etc.).
    I'm waiting for the analysis...
     
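The two symptoms reported in this thread, a Run entry for a profile-local smss.exe that survives the file's removal (post 1 and post 8) and the Explorer settings that hide known extensions and remove Tools > Folder Options (post 10), can both be checked from the registry. The Run value is written by the dropper independently of the dropped file, so an entry can outlive the file once the scanner quarantines or deletes it; whether that is exactly what happened here the thread does not settle. The following audit script is an added example and is not code from the thread, from pykko or from ESET. The registry paths are the standard Windows ones; the file name smss.exe and the Local Settings location come from the thread; the parameter name -Fix and the heuristic flags are this example's own choices.

```powershell
<#
  Added example (not from the thread or from ESET): audit per-user and
  per-machine Run entries and the Explorer settings described in the thread.
  Without -Fix it only reports; with -Fix it removes orphaned Run entries
  and restores HideFileExt / NoFolderOptions.
#>
param([switch]$Fix)

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$System32 = Join-Path $env:SystemRoot 'System32'

# Pull the executable path out of a Run command line,
# e.g.  "C:\Some Dir\a.exe" /q   or   C:\dir\a.exe /q
function Get-ExePath([string]$cmd) {
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^PS') { continue }   # PSPath, PSParentPath, ... are not Run values
        $exe = Get-ExePath ([string]$p.Value)
        if ([string]::IsNullOrWhiteSpace($exe)) { continue }
        $name  = [IO.Path]::GetFileName($exe)
        $flags = @()

        # The real smss.exe lives only in System32; a copy anywhere else is suspect.
        if ($name -ieq 'smss.exe' -and -not $exe.StartsWith($System32, 'OrdinalIgnoreCase')) {
            $flags += 'system-process name outside System32'
        }
        # Autoruns from the profile (Local Settings, Temp, Application Data) are unusual.
        if ($exe -like "$env:USERPROFILE*") { $flags += 'runs from user profile' }
        # The entry survives even after the dropped file was quarantined or deleted.
        if (-not (Test-Path -LiteralPath $exe)) { $flags += 'target file missing (orphaned entry)' }

        if ($flags.Count -gt 0) {
            Write-Output ("{0}\{1} = {2}  [{3}]" -f $key, $p.Name, $p.Value, ($flags -join '; '))
            if ($Fix -and $flags -contains 'target file missing (orphaned entry)') {
                Remove-ItemProperty -Path $key -Name $p.Name
                Write-Output '  removed orphaned Run entry'
            }
        }
    }
}

# Explorer settings the thread reports as changed after running the sample.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

$hideExt = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hideExt -eq 1) {
    Write-Output 'HideFileExt = 1 (extensions of known file types are hidden)'
    if ($Fix) { Set-ItemProperty -Path $adv -Name HideFileExt -Value 0 }
}

$noFolderOpts = (Get-ItemProperty -Path $pol -Name NoFolderOptions -ErrorAction SilentlyContinue).NoFolderOptions
if ($noFolderOpts -eq 1) {
    Write-Output 'NoFolderOptions = 1 (Tools > Folder Options is removed from Explorer)'
    if ($Fix) { Remove-ItemProperty -Path $pol -Name NoFolderOptions }
}
```

Run it first without -Fix and read the report: an entry flagged "target file missing" whose path sits under the profile is the state pykko describes in post 8, a checked msconfig item whose file AMON has already taken away. Writing to the HKLM Run key requires an elevated shell, and the restored Folder Options menu only reappears after Explorer is restarted or the user logs off and on. The heuristics here (system-process name outside System32, autorun from the user profile, missing target) are general checks, not a signature for Brontok specifically.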