Win32/Wigon.BL trojan

Discussion in 'ESET NOD32 Antivirus' started by bdmc, Apr 11, 2008.

Thread Status:
Not open for further replies.
  1. bdmc

    bdmc Registered Member

    Joined:
    May 11, 2006
    Posts:
    55
    Hi All,

    Recently I have started getting a whole lot of alerts on our Exchange server about Win32/Wigon.

    Question is, why is it being picked up by AMON and not XMON?

    Is the threat coming in attached to an email? Or is the threat already on the server?



    --------------
    Date Received 2008-04-11 07:01:22
    Date Occurred 2008-04-11 07:00:58
    Level Critical Warning
    Scanner NOD32 AMON
    Object file
    Name C:\WINDOWS\TEMP\NOD9E4F.tmp
    Threat Win32/TrojanDownloader.Wigon.E trojan
    Action quarantined - deleted - error while Cleaning - operation unavailable f

    --------------
    Date Received 2008-04-11 07:01:22
    Date Occurred 2008-04-11 07:00:58
    Level Critical Warning
    Scanner NOD32 AMON
    Object file
    Name C:\WINDOWS\TEMP\NOD9E50.tmp
    Threat Win32/Wigon.BL trojan
    Action quarantined - deleted - error while Cleaning - operation unavailable f
     
  2. bdmc

    bdmc Registered Member

    Joined:
    May 11, 2006
    Posts:
    55
    I'm getting these alerts on a few clients now too. Coming back from "Email filter - Outlook"

    How come XMON is missing these emails?



    Date Received 2008-04-11 07:56:13
    Date Occurred 2008-04-11 07:55:59
    Level Warning
    Scanner Email filter - Outlook
    Object email message
    Name from: Tanner Oakes to: Info with subject Angelina Jolie nude
    Threat Win32/Wigon.BL trojan
    Action contained infected files
     
  3. ASpace

    ASpace Guest

    XMON cannot detect them because they are not in the mails. Most likely the server itself is getting infected (file on the disk -> Name C:\WINDOWS\TEMP\NOD9E50.tmp) or there is a false positive.

    NOD329E50.tmp should be ESET NOD32's own file. The file and the server need further investigation.

    Contact your local ESET Support by email:
    http://www.eset.com/partners/worldwide.php

    As they have sometimes advised, you can also send ESET a log file from their ESET SysInspector
    http://www.eset.com/esibeta/
     
  4. bdmc

    bdmc Registered Member

    Joined:
    May 11, 2006
    Posts:
    55
    ESET support came back to me; this turned out to be a configuration issue.

    In the XMON manual, in chapter "4. Recommended settings", it says

    "To avoid the collision make sure that the AMON module is not set to scan .EDB, .TMP and .EML file types."

    I had AMON set to "Scan All files", so I am guessing AMON was picking up the virus before XMON got to see it.

    Now XMON is detecting the emails and deleting them.

    It feels a bit counterintuitive to configure AMON to allow a virus through so that XMON can detect it, though.

    The advantage now is that I see the subject of the email, and who it was to, rather than just a *.tmp file.
     
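Added example (not from the thread or from ESET): a small Python triage of alert records in the layout pasted above, flagging AMON detections on the file types the quoted XMON manual says AMON should not scan. The sample records are constructed, and treating "Date Received" as the first line of each record is an assumption.

```python
import ntpath

# Field labels as they appear in the alert records quoted in this thread.
FIELDS = ("Date Received", "Date Occurred", "Level", "Scanner",
          "Object", "Name", "Threat", "Action")
# File types the XMON manual (as quoted in the thread) says AMON should not scan.
COLLISION_EXTS = {".edb", ".tmp", ".eml"}

def parse_alerts(text):
    """Split a pasted alert log into one dict per record."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        field = next((f for f in FIELDS if line.startswith(f + " ")), None)
        if field is None:
            continue  # separator rows and blank lines
        if field == "Date Received" and current:  # assumed record start
            records.append(current)
            current = {}
        current[field] = line[len(field):].strip()
    if current:
        records.append(current)
    return records

def is_collision(rec):
    """True when AMON caught a file of a type meant to be left to XMON."""
    if "AMON" not in rec.get("Scanner", "") or rec.get("Object") != "file":
        return False
    ext = ntpath.splitext(rec.get("Name", ""))[1].lower()
    return ext in COLLISION_EXTS

def triage(text):
    """Return (likely AMON/XMON collisions, all other alerts)."""
    recs = parse_alerts(text)
    return ([r for r in recs if is_collision(r)],
            [r for r in recs if not is_collision(r)])

# Constructed sample records, modelled on the layout in this thread.
SAMPLE = r"""
--------------
Date Received 2008-01-01 00:00:10
Scanner NOD32 AMON
Object file
Name C:\WINDOWS\TEMP\NOD0001.tmp
--------------
Date Received 2008-01-01 00:05:00
Scanner Email filter - Outlook
Object email message
Name from: a@example.test to: b@example.test with subject constructed
"""
```

A record flagged here only says the on-access scanner reported a file type the manual assigns to the mail scanner; whether the server itself is infected still needs the investigation described earlier in the thread.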
  5. ASpace

    ASpace Guest

    Thanks for updating the case.
     