NOD32 finds a virus on latest article

taltamir

Lifer
Mar 21, 2004
13,576
6
76
This is really odd, and I don't know where in the forum to bring this up (since nowhere is appropriate for this)...

But NOD32 is saying there is a virus in the latest article: DO NOT CLICK THE LINK!
http://www.anandtech.com/video/showdoc.aspx?i=3122

Specifically in:
http://www.anandtech.com/video/showdoc.aspx?i=3122 >> GZ >> file.htm
It wasn't even saying it is a heuristic match (no option to submit it) but an exact match with an existing virus... an IRC worm julie something...

---

Moved to Software -> Security

AnandTech Moderator John


taltamir

Lifer
Mar 21, 2004
13,576
6
76
OK... I just tried it again (for the 6th and 7th time) and now it no longer sees a virus there...
Did it get caught and removed real quick? Could it have been the ad which was running at the time?

It does make sense for it to have 5 false positives in a row about the SAME file and then stop having it completely... so the file had to have changed... seeing as NOD32 last updated 24 hours ago (23 hours, 58 minutes to be exact)

If the moderators didn't change anything then it has to have been the ads... which means either it was found and removed by the advertiser, or it just switched to another ad which is virus / false positive free...

I never saw NOD32 make a false positive before though... and false positives tend to be a heuristics thing.

NXIL

Senior member
Apr 14, 2005
774
0
0
Dear Tal,

I also use Nod32: it can give false positives, though like you said, I have never seen one myself.

http://www.eset.com/company/ar...547.php?contentID=3547

Here's a nice bitchfest:

http://www.pctools.com/forum/a...index.php/t-44997.html

http://www.av-test.org/down/pa...05-11_vb_falsepos2.pdf

http://www.betterantivirus.com...archives/635-guid.html

http://www.pcworld.com/article/id,130869/article.html

I still like NOD32 best of the AV programs: it uses the least amount of resources, has fast updates, and keeps the bad guys out--I think.

NXIL

taltamir

Lifer
Mar 21, 2004
13,576
6
76
I am sure it can but...

The article changed so it stopped detecting a virus... So what happened? Was the virus cleaned or did it just switch to a different ad? Nothing changed on my side... it just found a virus every time I tried to view a specific article, and then it stopped giving that warning... what changed?

NXIL

Senior member
Apr 14, 2005
774
0
0
Whatever it was--some sort of "malware" instead of the old classic style virus--viruses generally tended to be destructive or disruptive, whereas malware now seems to be designed to hijack PCs to form botnets, keylog to get passwords/info, etc--more malicious, and less obvious.

You can get infected by malware in several ways. Malware often comes bundled with other programs (Kazaa, iMesh, and other file sharing programs seem to be the biggest bundlers). These malware programs usually pop-up ads, sending revenue from the ads to the program's authors. Others are installed from websites, pretending to be software needed to view the website. Still others, most notably some of the CoolWebSearch variants, install themselves through holes in Internet Explorer like a virus would, requiring you to do nothing but visit the wrong web page to get infected.

The above is why I use Firefox--not perfect, but better than IE; NOD 32, hardware firewall, etc.

Could have been that an ad link on the page was either trying to infect your machine, or an ad was doing something that was interpreted as malicious by NOD32's heuristics.

http://www.technewsworld.com/story/53649.html

Anandtech's servers might have detected/blocked the offending link or ad.

I notice that none of these links work anymore:

For those of you interested, we are offering our demo files for download so you can compare your own systems. The demos are: hl2ep2indoor.dem, at_outland_3.dem, and at_outland_10.dem.

Not sure if that is where you had issues.

Oh, and I use Adblock: I don't see a whole bunch of flashing, blinking, annoying ads....

https://addons.mozilla.org/en-US/firefox/addon/10

NXIL

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
If anyone has the actual detected file in their Quarantine, I'd be interested in a copy of the file (email to mechbgon originpoint com in a password-protected Zip file).

Also, for Windows users who want to eliminate known vulnerabilities, may I recommend the Secunia Personal Software Inspector that I've linked in my signature. It's pretty cool, easy to use, and free for home users. This can help you, no matter which browser you prefer.

Other effective, proactive defenses: non-Admin user accounts (highly recommended at least for risky stuff) and Software Restriction Policy.

taltamir

Lifer
Mar 21, 2004
13,576
6
76
It wasn't quarantined... NOD only quarantines LOCAL files... it simply terminated the connection.
And I also use a hardware firewall and Firefox :p... Firefox with script blocker.

Time Module Object Name Threat Action User Information
10/13/2007 12:39:36 PM IMON archive http://www.anandtech.com/video/showdoc.aspx?i=3122 Irc-Worm.Julie worm Connection terminated ROYTAMIR-01\User
10/13/2007 12:37:16 PM IMON archive http://www.anandtech.com/video/showdoc.aspx?i=3122 Irc-Worm.Julie worm Connection terminated ROYTAMIR-01\User
10/13/2007 12:36:15 PM IMON archive http://www.anandtech.com/video/showdoc.aspx?i=3122 Irc-Worm.Julie worm Connection terminated ROYTAMIR-01\User
10/13/2007 12:36:10 PM IMON archive http://www.anandtech.com/video/showdoc.aspx?i=3122 Irc-Worm.Julie worm Connection terminated ROYTAMIR-01\User

Those are the instances... next time I went to that article there was nothing found. Maybe they can tell which ad was loaded at that specific time period. I am on central time.

It showed up as following:
http://www.anandtech.com/video/showdoc.aspx?i=3122 >> GZ >> file.htm
whatever that means...

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: taltamir
It wasn't quarantined... NOD only quarantines LOCAL files... it simply terminated the connection.
And I also use a hardware firewall and Firefox :p... Firefox with script blocker.

Time Module Object Name Threat Action User Information
10/13/2007 12:39:36 PM IMON archive http://www.anandtech.com/video/showdoc.aspx?i=3122 Irc-Worm.Julie worm Connection terminated ROYTAMIR-01\User
10/13/2007 12:37:16 PM IMON archive http://www.anandtech.com/video/showdoc.aspx?i=3122 Irc-Worm.Julie worm Connection terminated ROYTAMIR-01\User
10/13/2007 12:36:15 PM IMON archive http://www.anandtech.com/video/showdoc.aspx?i=3122 Irc-Worm.Julie worm Connection terminated ROYTAMIR-01\User
10/13/2007 12:36:10 PM IMON archive http://www.anandtech.com/video/showdoc.aspx?i=3122 Irc-Worm.Julie worm Connection terminated ROYTAMIR-01\User

Those are the instances... next time I went to that article there was nothing found. Maybe they can tell which ad was loaded at that specific time period. I am on central time.

It showed up as following:
http://www.anandtech.com/video/showdoc.aspx?i=3122 >> GZ >> file.htm
whatever that means...

It's possible it was a false positive, but if anyone gets further alerts, I'd be interested in hearing about it. Drop me a PM and email me any captive samples you can get. In the case of a loaded web page that causes an alert, don't refresh the page. View the page's source, and save it as a text file, that's what I'm primarily after.

In this case, don't get complacent because you have a hardware firewall or your Firefox or your scriptblocker (or antivirus software, either). Go a step further and check your rig for vulnerabilities with Secunia's dealiebob, at least. Non-Admin user accounts are a very worthwhile layer of protection as well, if they don't cause too much hassle for you (Vista > WinXP in this regard).

sharad

Member
Apr 25, 2004
123
0
0
The reason you aren't getting the alert on the same page again could be that the false alarm was triggered by an embedded JavaScript that was actually loaded from one of the many ads on the page.
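mechBgon's advice above is to save the page source at alert time, and sharad's point is that the trigger was probably a script served by one of the rotating ads. As an added example (not code from this thread, ESET or AnandTech), here is a small stand-alone Python script that takes such a saved page and inventories the third-party hosts that supplied scripts, frames and embedded objects, which is the list you would hand to the site operator to narrow down which ad slot was involved. The HTML is constructed sample input and the ad host names in it are made up.

```python
"""List third-party hosts that supplied active content in a saved page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of a saved article page; the ad/CDN hosts are made up.
SAMPLE_PAGE = """
<html><head>
<script src="/js/site.js"></script>
<script src="http://ads.example-adnetwork.test/serve.js"></script>
</head><body>
<iframe src="http://rotator.example-ads.test/frame?slot=top"></iframe>
<script>var inline = 1;</script>
<embed src="http://media.example-cdn.test/banner.swf">
<img src="http://www.anandtech.com/images/logo.gif">
</body></html>
"""

# Tag -> attribute pairs that load executable or framed content from a URL.
# Images are left out on purpose: they cannot run code in the page.
ACTIVE_SOURCES = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class SourceCollector(HTMLParser):
    """Collects the resolved URLs of every active-content reference."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_SOURCES.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # Relative paths resolve against the page URL (first-party).
                self.urls.append(urljoin(self.base_url, value))


def third_party_hosts(page_html, page_url):
    """Return the sorted set of hosts, other than the page's own, that served active content."""
    collector = SourceCollector(page_url)
    collector.feed(page_html)
    own_host = urlparse(page_url).hostname
    hosts = {urlparse(u).hostname for u in collector.urls}
    return sorted(h for h in hosts if h and h != own_host)


if __name__ == "__main__":
    page_url = "http://www.anandtech.com/video/showdoc.aspx?i=3122"
    for host in third_party_hosts(SAMPLE_PAGE, page_url):
        print(host)
```

Run it against the source you saved at alert time in place of SAMPLE_PAGE; inline scripts and first-party paths are deliberately dropped so only external ad and CDN hosts remain.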

NXIL

Senior member
Apr 14, 2005
774
0
0
Hey Tal,

Do you read Bruce Schneier's Crypto-Gram? Highly recommended:

http://www.schneier.com/crypto-gram-0710.html

Today's has a good article on the Storm Worm, among others.

Schneier sort of looks like, and apparently channels, Chuck Norris.

http://geekz.co.uk/schneierfac...s/bruce-schneier-3.jpg

Whitfield Diffie and Martin Hellman use only their surnames out of fear of Bruce Schneier

Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.