Win32.trojandownloader.small.rr trojan

Discussion in 'NOD32 version 2 Forum' started by Samaritan, Aug 27, 2004.

Thread Status:
Not open for further replies.
  1. Samaritan

    Samaritan Registered Member

    Joined:
    Dec 27, 2002
    Posts:
    15
    Location:
    New Zealand
    Information for anyone who has struggled to get rid of this trojan, which came out on Aug. 4th, 2004.

    Problem:
    Amon constantly reports an infection of Win32.trojandownloader.small.rr trojan; it can neither delete nor rename it, and shows an error message.
    On Demand with deep heuristics (on) and all objects ticked, gives a clean bill of health both in safemode and normal.
    These warnings come as soon as you close out of the first.
    There is nothing suspect in msconfig start list, or Task Manager.
    Temp folders were emptied, but still the infection warnings were without pause.
    I tried the trial version of Trojanhunter with a manual update installed - nothing detected - plus the Ad-aware and Bulletproof anti-spyware programs.

    Answer:
    I tried another On-Demand scan, but this time in the Extensions Editor I ticked Scan All Files.
    One infected file was found and deleted.
    Since the reboot there have been no further occurrences of the Amon warnings for small.RR.
    Please note that it was a file with the extension .tlb that carried the nasty. This is not one normally scanned by default.

    It also pays to turn the System Restore off while you get rid of any virus, and then when you have a clean bill of health after a reboot, turn it back on. This prevents the virus being reinstalled if a restore point is applied at a later date.

    Good luck.
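    The point of the post above is that the scanner's default extension list, not its signatures, is what let the file through: a PE executable named .tlb is still an executable. The script below is an added example (it is not code from the poster or from ESET) that walks a directory tree and reports any file whose first bytes carry a Windows PE header but whose extension is not a conventional executable one. The sample files, including the PE-shaped bytes and the `.tlb` names, are constructed in a temporary directory for the demo; `EXEC_EXTENSIONS` is my own list, not NOD32's.

```python
"""Flag PE executables hiding behind non-executable extensions (added example)."""
import os
import struct
import tempfile
from typing import List

# Extensions an on-demand scanner would normally treat as executable (my own list).
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def is_pe(data: bytes) -> bool:
    """True if data begins with an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Slice is empty (and so unequal) if e_lfanew points past the bytes we read.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_disguised_pe(root: str) -> List[str]:
    """Return paths (relative to root) of PE files whose extension is not executable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in EXEC_EXTENSIONS:
                continue  # expected to be executable; a normal scan covers it
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # PE header normally sits well inside 4 KiB
            except OSError:
                continue  # locked or unreadable file: skip rather than abort
            if is_pe(head):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def make_fake_pe() -> bytes:
    """Constructed minimal PE-shaped bytes: MZ stub with e_lfanew -> 'PE\\0\\0' at 0x40."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)  # 0x40 bytes
    struct.pack_into("<I", dos_header, 0x3C, 0x40)
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20


def demo() -> List[str]:
    """Build a constructed System32-like tree and return the disguised PE files found."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "system32")
        os.makedirs(sub)
        samples = {
            "r2glhcsl15a.tlb": make_fake_pe(),              # PE behind a type-library extension
            "notepad.exe": make_fake_pe(),                  # PE with the expected extension
            "stdole2.tlb": b"MSFT\x02\x00" + b"\x00" * 64,  # constructed typelib-looking bytes
            "readme.txt": b"plain text\n",
        }
        for name, content in samples.items():
            with open(os.path.join(sub, name), "wb") as fh:
                fh.write(content)
        return find_disguised_pe(root)


if __name__ == "__main__":
    for hit in demo():
        print("PE content with non-executable extension:", hit)
```

    Only the `.tlb` file that actually contains PE bytes is reported; the genuine-looking type library and the text file are ignored, and `notepad.exe` is skipped because its extension already says what it is. Run the same walk over a real `System32` and anything it lists deserves a hash lookup and a sample submission.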
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Did you try running a scan while in "Safe Mode"?

    Nod32 cannot delete a file while it is being used (in memory).

    Cheers :D
     
  3. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
  4. Samaritan

    Samaritan Registered Member

    Joined:
    Dec 27, 2002
    Posts:
    15
    Location:
    New Zealand
    As I had mentioned in the original brief,
    >On Demand with deep heuristics (on) and all objects ticked, gives a clean bill of health both in safemode and normal.<

    My main reasons for listing were:
    1) There was very little about it on the Net and no removal tool or instructions,
    2) No anti-trojan, anti-spyware or anti-adware program detected it, and Nod could not detect it in safe mode or DOS!,
    3) The On-Demand scan is not set to scan All Files by default, and it is the default settings that the novice will trust. It is up to you to learn from my mistake in order to help them.

    So if you try this scan all files thing, you may save yourself 2 hours of fiddling.

    Unfortunately Nod is geared for speed rather than thoroughness. I have used it for two years and have installed it on over 40 clients; I know it is the best. It is just a shame you have to alter so many default settings to provide better coverage. Newbies do not know about forums and must rely on the installation setup to do everything that is needed.
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Do you have a quarantined copy to send to sample@eset.com ?

    The new, now available, version 2.12.1 will be a lot better at protecting the average PC.

    I and others such as Rod from www.nod32.com.au have argued many-a-time that Nod32 should be set up out of the box (so to speak) at its maximum strength, and if the customer wants to weaken this by adjusting settings then so be it...

    Out of the 500+ copies that I have sold and installed, there would only be half a dozen that chose to install themselves; we set everything to maximum on installation, better to be safe than sorry ;)

    Cheers :D
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    It would be interesting to know the exact location of the file. I assume you have an older version of NOD32 installed which didn't come with the HTTP scanner. I suggest you send a log created by HijackThis (please google for exact link) to support@nod32.com and install the latest version 2.12.1.
     
  7. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Isn't that what the In-depth analysis button does?
     
  8. Samaritan

    Samaritan Registered Member

    Joined:
    Dec 27, 2002
    Posts:
    15
    Location:
    New Zealand
    It was a new installation using the then beta version, and it was scanned with the latest files using the desktop icon, but it was never found until the settings were changed to scan all files. Setup tab>Extensions.

    The infected file was found here C:\WINDOWS\system32\r2glhcsl15a.tlb - Win32/TrojanDownloader.Small.RR trojan - deleted (after the next restart) [2]
    .. and tlb is not a file scanned on default settings.

    Before that, Nod would find an infected exe with a different name every second. It offered to delete, rename, or quarantine, each resulted in an error.
    It could not be quarantined.
    I absolutely agree with blackspear, the install configuration should be set to the max.


    28/08/2004 11:24:57 a.m. AMON file C:\WINDOWS\System32\p2wamyvsh9.exe Win32/TrojanDownloader.Small.RR trojan

    28/08/2004 11:24:54 a.m. AMON file C:\WINDOWS\System32\syirkaorhnbn.exe Win32/TrojanDownloader.Small.RR trojan

    28/08/2004 11:15:11 a.m. AMON file C:\WINDOWS\System32\7e51rr0891mm.exe Win32/TrojanDownloader.Small.RR trojan

    28/08/2004 11:15:09 a.m. AMON file C:\WINDOWS\System32\07mi1335z7jf.exe Win32/TrojanDownloader.Small.RR trojan

    28/08/2004 11:15:07 a.m. AMON file C:\WINDOWS\System32\jyszr9jo4w.exe Win32/TrojanDownloader.Small.RR trojan

    28/08/2004 11:15:05 a.m. AMON file C:\WINDOWS\System32\6g4ujn1s3arbu0.exe Win32/TrojanDownloader.Small.RR trojan error while deleting - error while renaming

    A similar experience was recorded here by someone else on another forum, http://amazingtechs.com/index.php?showtopic=16193 . I read about Trojanhunter and its success against process injection trojans, the ones that have no files of their own and just infect system files making deletion avoidable, but even that couldn't find it.

    I thank you all for your interest, you are all well prepared. The computer I visited was using AVG, which was having fits about the trojan too.
    I installed Nod but initially it failed to do anything else but alert to infection, like AVG.

    It's a tricky one, and I just thought I might have stumbled onto an answer that was not apparent on the Net beforehand.
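    The AMON lines quoted in the post above show the actual behaviour worth recognising: a freshly named .exe appears in System32 every two seconds, the on-access scanner flags it, and the delete fails because the dropper is still resident. The script below is an added example, not part of the post or of NOD32, that parses those six lines (copied inline as the sample input), groups alerts into time bursts and flags file names that look machine-generated, which is how you would tell a regenerating dropper from a one-off detection when reading a log like this. The line format is inferred from the quoted lines only; the 5-second burst gap and the name heuristics are my own thresholds.

```python
"""Triage of AMON on-access alerts: bursts and random-looking file names (added example)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# The six AMON lines quoted in the post, used here as sample input.
SAMPLE_LOG = r"""
28/08/2004 11:24:57 a.m. AMON file C:\WINDOWS\System32\p2wamyvsh9.exe Win32/TrojanDownloader.Small.RR trojan
28/08/2004 11:24:54 a.m. AMON file C:\WINDOWS\System32\syirkaorhnbn.exe Win32/TrojanDownloader.Small.RR trojan
28/08/2004 11:15:11 a.m. AMON file C:\WINDOWS\System32\7e51rr0891mm.exe Win32/TrojanDownloader.Small.RR trojan
28/08/2004 11:15:09 a.m. AMON file C:\WINDOWS\System32\07mi1335z7jf.exe Win32/TrojanDownloader.Small.RR trojan
28/08/2004 11:15:07 a.m. AMON file C:\WINDOWS\System32\jyszr9jo4w.exe Win32/TrojanDownloader.Small.RR trojan
28/08/2004 11:15:05 a.m. AMON file C:\WINDOWS\System32\6g4ujn1s3arbu0.exe Win32/TrojanDownloader.Small.RR trojan error while deleting - error while renaming
""".strip()

# Format inferred from the quoted lines: day/month/year, 12-hour time with a.m./p.m.,
# "AMON file <path> <threat name> trojan", then an optional action result.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) (?P<ampm>[ap])\.m\. "
    r"AMON file (?P<path>\S+) (?P<threat>\S+ trojan)(?: (?P<result>.+))?$"
)


class Event(NamedTuple):
    when: datetime
    path: str
    threat: str
    result: str  # empty when the log line records no action outcome


def parse_amon(text: str) -> List[Event]:
    """Parse AMON alert lines into Events, oldest first; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hour, minute, second = (int(x) for x in m["time"].split(":"))
        if m["ampm"] == "p" and hour != 12:
            hour += 12
        elif m["ampm"] == "a" and hour == 12:
            hour = 0
        day, month, year = (int(x) for x in m["date"].split("/"))
        when = datetime(year, month, day, hour, minute, second)
        events.append(Event(when, m["path"], m["threat"], m["result"] or ""))
    return sorted(events, key=lambda e: e.when)


def bursts(events: List[Event], max_gap: timedelta = timedelta(seconds=5)) -> List[List[Event]]:
    """Group consecutive alerts separated by no more than max_gap (my threshold)."""
    groups: List[List[Event]] = []
    for ev in events:
        if groups and ev.when - groups[-1][-1].when <= max_gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups


VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Heuristic: mixed letters/digits of length >= 8, or five consonants in a row."""
    s = stem.lower()
    if any(c.isalpha() for c in s) and any(c.isdigit() for c in s) and len(s) >= 8:
        return True
    run = longest = 0
    for c in s:
        run = run + 1 if (c.isalpha() and c not in VOWELS) else 0
        longest = max(longest, run)
    return longest >= 5


def triage(text: str) -> Dict[str, object]:
    """Summarise a log: threats seen, burst sizes, random-looking names, failed actions."""
    events = parse_amon(text)
    names = [e.path.rsplit("\\", 1)[-1] for e in events]
    return {
        "threats": sorted({e.threat for e in events}),
        "bursts": [len(g) for g in bursts(events)],
        "random_names": [n for n in names if looks_random(n.rsplit(".", 1)[0])],
        "failed_actions": sum(1 for e in events if "error" in e.result),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    On the quoted lines this yields one threat name, two bursts (four alerts two seconds apart, then two more ten minutes later), all six file names flagged as machine-generated, and one failed delete/rename. That combination says "resident dropper, find the parent process or the file it is being unpacked from" rather than "six separate infections", which is the conclusion the scan-all-files .tlb find later confirmed.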
     