Author Topic: Infected with WORM/ NACHI  (Read 10651 times)


kernel_spy

  • Guest
Infected with WORM/ NACHI
« on: December 09, 2003, 03:46:38 PM »
 ??? I was using AVG Free Anti Virus software before, and it didn't remove or heal that WORM virus! It wouldn't even "Move to virus vault". The infected file was c:\windows\system32\dllhost.exe. Anyway, what I did was uninstall that AVG and install yours. Well, still the same result: it was not removed, but the good news is it was moved to the "VAULT".  ;) My question is, what will be the effect of just moving an infected file to a vault? By the way, can I completely remove dllhost.exe from my XP? Thanks in advance! Nice product you have here!

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Infected with WORM/ NACHI
« Reply #1 on: December 09, 2003, 06:51:30 PM »
Be aware: c:\windows\system32\dllhost.exe is a system file, not a virus/worm!

The Nachi worm would be located in c:\windows\system32\Wins\Dllhost.exe

MfG Ralf
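The distinction raman draws above (same file name, different directory) is the kind of thing that gets misread when an AV report shows only "dllhost.exe". Below is an added example, not code from this thread, that normalises a Windows path and says which copy it refers to. The default %SystemRoot% of C:\WINDOWS is an assumption, and the file listing at the bottom is constructed sample input, not taken from a real machine.

```python
import ntpath
import re

# Added example, not code from the thread. The two locations compared below are
# the ones raman's post contrasts; the listing further down is constructed.
EXPECTED_SYSTEM_ROOT = r"C:\WINDOWS"   # assumption: default XP install path


def normalize(path: str, system_root: str = EXPECTED_SYSTEM_ROOT) -> str:
    """Expand %SystemRoot%, collapse '..' and unify separators and case.

    Windows path lookups are case-insensitive, so comparisons are done on a
    lower-cased, normalised form (ntpath works on any host OS).
    """
    expanded = re.sub(r"%systemroot%", lambda _m: system_root, path, flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(expanded))


def classify_dllhost(path: str, system_root: str = EXPECTED_SYSTEM_ROOT) -> str:
    """Say which dllhost.exe a path refers to.

    The file *name* is identical for the real COM surrogate and for the Nachi
    copy; only the directory differs, which is why a basename-only check (or an
    AV report that shows just the name) is easy to misread.
    """
    full = normalize(path, system_root)
    directory, name = ntpath.split(full)
    if name != "dllhost.exe":
        return "not-dllhost"
    system32 = normalize(r"%SystemRoot%\system32", system_root)
    if directory == system32:
        return "system-file"           # the Windows binary raman is talking about
    if directory == ntpath.join(system32, "wins"):
        return "nachi-location"        # where the thread says the worm copies itself
    return "unexpected-location"       # a dllhost.exe anywhere else deserves a look


def triage(listing, system_root: str = EXPECTED_SYSTEM_ROOT) -> dict:
    """Map every path in a file listing to its verdict."""
    return {p: classify_dllhost(p, system_root) for p in listing}


def suspicious(listing, system_root: str = EXPECTED_SYSTEM_ROOT) -> list:
    """Only the dllhost.exe copies that are not the system file."""
    return [p for p, v in triage(listing, system_root).items()
            if v in ("nachi-location", "unexpected-location")]


# Constructed sample listing (hypothetical, for the demo only).
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\dllhost.exe",
    r"c:/windows/SYSTEM32/DllHost.EXE",                   # same file, different spelling
    r"%SystemRoot%\system32\wins\Dllhost.exe",            # the Nachi location from the thread
    r"C:\WINDOWS\system32\..\system32\wins\dllhost.exe",  # same place, written with '..'
    r"C:\Temp\dllhost.exe",
    r"C:\WINDOWS\system32\svchost.exe",
]

if __name__ == "__main__":
    for p, v in triage(SAMPLE_LISTING).items():
        print(f"{v:20} {p}")
    print("suspicious:", suspicious(SAMPLE_LISTING))
```

The path only tells you which copy a report refers to; it does not prove the system32 copy is intact. On XP the system file itself is checked by its signature (sigverif) or by sfc /scannow, not by its name.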

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:Infected with WORM/ NACHI
« Reply #2 on: December 09, 2003, 09:40:23 PM »
This is (as raman said  ;) ) a system file. Please scan your computer with HouseCall and let us know the results (the new Trend engine is great!!!)
http://housecall.trendmicro.com
"People who are really serious about software should make their own hardware." - Alan Kay

Godzilla

  • Guest
Re:Infected with WORM/ NACHI
« Reply #3 on: December 09, 2003, 09:42:25 PM »
>> (the new trend engine is great!!! )


huh ?  :o

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:Infected with WORM/ NACHI
« Reply #4 on: December 09, 2003, 09:45:17 PM »
Godzilla, Trend has a new engine, 6.810. This is a huge update, as the old scan engine was over 11 months old.
BTW, nice name; I'm a big Godzilla fan too  8)

kernel_spy

  • Guest
Re:Infected with WORM/ NACHI
« Reply #5 on: December 10, 2003, 07:34:34 AM »
To Raman: the location (c:\windows\system32\dllhost.exe) that I posted is actually the infected file... I was NOT saying that it was the virus!

Thanks for the response, I'll do the "housecall" right now.

Godzilla

  • Guest
Re:Infected with WORM/ NACHI
« Reply #6 on: December 10, 2003, 06:13:21 PM »
Quote
Godzilla, Trend has a new engine, 6.810. This is a huge update, as the old scan engine was over 11 months old.
BTW, nice name; I'm a big Godzilla fan too  8)

Yes, I know that of course, but what should be new in this engine?
It still has the same old issues, for instance polymorphic viruses.

Waldo

  • Guest
Re:Infected with WORM/ NACHI
« Reply #7 on: December 10, 2003, 06:34:00 PM »
Godzilla, I believe there are not many real polymorphic viruses and trojans.

Most of the time the dropper is polymorphic but not the payload.

(Just like with the nasty Russian Donald Dick trojan.)

So when the trojan drops its package, the resident scanner (or on-demand, like Trend's HouseCall) of the AV will catch it.

Tell me if I'm wrong  ;)

Kind regards,

Waldo
« Last Edit: December 10, 2003, 06:34:29 PM by Waldo »

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:Infected with WORM/ NACHI
« Reply #8 on: December 10, 2003, 09:22:13 PM »
No, you're right, Waldo  ;)

Godzilla

  • Guest
Re:Infected with WORM/ NACHI
« Reply #9 on: December 10, 2003, 10:48:43 PM »
Quote
Godzilla, I believe there are not many real polymorphic viruses and trojans.

Most of the time the dropper is polymorphic but not the payload.

(Just like with the nasty Russian Donald Dick trojan.)

So when the trojan drops its package, the resident scanner (or on-demand, like Trend's HouseCall) of the AV will catch it.

Tell me if I'm wrong  ;)

Kind regards,

Waldo

You did learn this from me in the Wilders forum, right? Maybe you know me under the name xor  ;D
This dropper is the SMorph dropper, and this dropper isn't even polymorphic. It has a bug inside, so that you always have the same pattern of bytes in the first 2 KB of each file  ;)

This means you just need to look for 2 different short scan strings, combined with some other bytes to avoid false positives.
This would not be possible if it were a real polymorphic type.

I did write some kind of tutorial on Wilders on how to detect this "polymorphic" dropper; if I remember right, it was in the TDS section.
« Last Edit: December 10, 2003, 10:54:09 PM by Godzilla »
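Godzilla's detection recipe above (two short scan strings that must both appear in the first 2 KB, plus a few confirming bytes so a single accidental hit does not raise a false positive) as an added example that is not from this thread. The signature bytes are hypothetical stand-ins, not the real SMorph pattern, and the sample files are constructed so the example runs offline.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

HEAD_SIZE = 2 * 1024   # only the first 2 KB is examined, as in Godzilla's post


@dataclass(frozen=True)
class Signature:
    name: str
    scan_strings: Tuple[bytes, ...]         # short patterns that must ALL occur in the head
    confirm: Tuple[Tuple[int, bytes], ...]  # (offset, bytes) that must match exactly
    max_span: int                           # scan strings must lie within this many bytes


def matches(data: bytes, sig: Signature) -> bool:
    """True if every confirmation and every scan string is found in the first 2 KB."""
    head = data[:HEAD_SIZE]
    for offset, expected in sig.confirm:
        if head[offset:offset + len(expected)] != expected:
            return False
    positions: List[int] = []
    for pattern in sig.scan_strings:
        pos = head.find(pattern)
        if pos < 0:
            return False
        positions.append(pos)
    # Two strings far apart are more likely to be coincidence than one dropper stub.
    return max(positions) - min(positions) <= sig.max_span


def scan_bytes(data: bytes, sigs: Sequence[Signature]) -> List[str]:
    return [s.name for s in sigs if matches(data, s)]


def scan_file(path: str, sigs: Sequence[Signature]) -> List[str]:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(HEAD_SIZE), sigs)


def scan_tree(root: str, sigs: Sequence[Signature]) -> Dict[str, List[str]]:
    """Walk a directory and report files whose head matches any signature."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                found = scan_file(path, sigs)
            except OSError:
                continue
            if found:
                hits[path] = found
    return hits


# Hypothetical signature, constructed for this example. These are NOT the real
# SMorph bytes; they only stand in for "two short scan strings plus a few
# confirming bytes" as described in the post.
S1 = b"\x60\xe8\x00\x00\x00\x00"   # pushad; call $+5  (a common unpacker prologue)
S2 = b"\x5d\x81\xed"               # pop ebp; sub ebp, imm32
EXAMPLE_SIG = Signature(
    name="Dropper.Example (hypothetical)",
    scan_strings=(S1, S2),
    confirm=((0, b"MZ"),),         # confirming bytes: must be a DOS/PE executable
    max_span=256,
)

PAD = b"\xcc"  # int3 padding, never part of either scan string


def build_samples() -> Dict[str, bytes]:
    """Constructed files: one that should hit and four that should not."""
    return {
        "dropper_like":      b"MZ" + PAD * 300 + S1 + PAD * 40 + S2 + PAD * 1000,
        "only_one_string":   b"MZ" + PAD * 300 + S1 + PAD * 1000,        # S2 missing
        "strings_far_apart": b"MZ" + PAD * 300 + S1 + PAD * 1500 + S2,   # span > 256
        "not_an_executable": b"#!/bin/sh\n" + S1 + S2,                    # no MZ at 0
        "beyond_first_2k":   b"MZ" + PAD * 3000 + S1 + PAD * 40 + S2,     # outside the head
    }


def demo() -> Dict[str, List[str]]:
    return {name: scan_bytes(data, [EXAMPLE_SIG]) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:20} -> {hits or 'clean'}")
```

The "beyond_first_2k" case shows the trade-off of a head-only scan: it is cheap, but a dropper whose stub sits deeper in the file is missed. It also shows why the approach depends on the dropper's bug that Godzilla describes: a genuinely polymorphic dropper would have no stable byte pattern in its first 2 KB to key on.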

kernel_spy

  • Guest
Re:Infected with WORM/ NACHI
« Reply #10 on: December 11, 2003, 05:40:32 AM »
Hi! I just finished scanning for viruses with Trend Micro's HouseCall and it found ZERO traces of any viruses... Did AVAST solve the problem? I am confused. I have a copy here of Norton 2003; should I install this and get rid of Avast?  ::)

Thanks for the replies!  ;)

Waldo

  • Guest
Re:Infected with WORM/ NACHI
« Reply #11 on: December 11, 2003, 05:14:31 PM »
Quote
You did learn this from me in the Wilders forum, right? Maybe you know me under the name xor  ;D

I do remember reading it somewhere; it could indeed have been at Wilders.org.

Knowledge has to come from somewhere, doesn't it?  ;D

BTW: Welcome, Xor! (I know you're a regular at Wilders.)

Kind regards,

Waldo

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:Infected with WORM/ NACHI
« Reply #12 on: December 11, 2003, 09:54:07 PM »
Quote
Hi! I just finished scanning for viruses with Trend Micro's HouseCall and it found ZERO traces of any viruses... Did AVAST solve the problem? I am confused. I have a copy here of Norton 2003; should I install this and get rid of Avast?


No, I'm sure an update will be made IF it's a virus and not a false positive.

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Infected with WORM/ NACHI
« Reply #13 on: December 11, 2003, 11:23:19 PM »
What makes you think that you are infected? That dllhost.exe (in system32) is a system file.
MfG Ralf