• Log InLog In
  • Register
Liquid`
Team Liquid Liquipedia
EDT 12:02
CEST 18:02
KST 01:02
  • Home
  • Forum
  • Calendar
  • Streams
  • Liquipedia
  • Features
  • Store
  • EPT
  • TL+
  • StarCraft 2
  • Brood War
  • Smash
  • Heroes
  • Counter-Strike
  • Overwatch
  • Liquibet
  • Fantasy StarCraft
  • TLPD
  • StarCraft 2
  • Brood War
  • Blogs
Forum Sidebar
Events/Features
News
Featured News
Team TLMC #5 - Finalists & Open Tournaments0[ASL20] Ro16 Preview Pt2: Turbulence10Classic Games #3: Rogue vs Serral at BlizzCon9[ASL20] Ro16 Preview Pt1: Ascent10Maestros of the Game: Week 1/Play-in Preview12
Community News
BSL 2025 Warsaw LAN + Legends Showmatch0Weekly Cups (Sept 8-14): herO & MaxPax split cups4WardiTV TL Team Map Contest #5 Tournaments1SC4ALL $6,000 Open LAN in Philadelphia8Weekly Cups (Sept 1-7): MaxPax rebounds & Clem saga continues29
StarCraft 2
General
#1: Maru - Greatest Players of All Time Weekly Cups (Sept 8-14): herO & MaxPax split cups Team Liquid Map Contest #21 - Presented by Monster Energy SpeCial on The Tasteless Podcast Team TLMC #5 - Finalists & Open Tournaments
Tourneys
RSL: Revival, a new crowdfunded tournament series Maestros of The Game—$20k event w/ live finals in Paris Sparkling Tuna Cup - Weekly Open Tournament SC4ALL $6,000 Open LAN in Philadelphia WardiTV TL Team Map Contest #5 Tournaments
Strategy
Custom Maps
External Content
Mutation # 491 Night Drive Mutation # 490 Masters of Midnight Mutation # 489 Bannable Offense Mutation # 488 What Goes Around
Brood War
General
Soulkey on ASL S20 BW General Discussion ASL20 General Discussion ASL TICKET LIVE help! :D NaDa's Body
Tourneys
[ASL20] Ro16 Group D [Megathread] Daily Proleagues [ASL20] Ro16 Group C BSL 2025 Warsaw LAN + Legends Showmatch
Strategy
Simple Questions, Simple Answers Muta micro map competition Fighting Spirit mining rates [G] Mineral Boosting
Other Games
General Games
Stormgate/Frost Giant Megathread Borderlands 3 Path of Exile Nintendo Switch Thread General RTS Discussion Thread
Dota 2
Official 'what is Dota anymore' discussion LiquidDota to reintegrate into TL.net
League of Legends
Heroes of the Storm
Simple Questions, Simple Answers Heroes of the Storm 2.0
Hearthstone
Heroes of StarCraft mini-set
TL Mafia
TL Mafia Community Thread
Community
General
US Politics Mega-thread Things Aren’t Peaceful in Palestine UK Politics Mega-thread Canadian Politics Mega-thread Russo-Ukrainian War Thread
Fan Clubs
The Happy Fan Club!
Media & Entertainment
Movie Discussion! [Manga] One Piece Anime Discussion Thread
Sports
2024 - 2026 Football Thread Formula 1 Discussion MLB/Baseball 2023
World Cup 2022
Tech Support
Linksys AE2500 USB WIFI keeps disconnecting Computer Build, Upgrade & Buying Resource Thread High temperatures on bridge(s)
TL Community
BarCraft in Tokyo Japan for ASL Season5 Final The Automated Ban List
Blogs
i'm really bored guys
Peanutsc
I <=> 9
KrillinFromwales
The Personality of a Spender…
TrAiDoS
A very expensive lesson on ma…
Garnet
hello world
radishsoup
Lemme tell you a thing o…
JoinTheRain
RTS Design in Hypercoven
a11
Customize Sidebar...

Website Feedback

Closed Threads



Active: 2016 users

NOD antivirus and stuff

Blogs > BluzMan
Post a Reply
BluzMan
Profile Blog Joined April 2006
Russian Federation4235 Posts
February 01 2009 21:23 GMT
#1
Preface:

- Last monday, I left work somewhat early, and soon after my leave, my boss (the owner of our firm) was browsing the Internet and downloaded something that identified itself as "Windows XP 2008 Anti-Virus". Sure thing, it didn't function the way he expected and NOD (our corporate antivirus, take notice here!) threw some warning when the thing was launched.

Tuesday morning, I came to work and opened my email to send mails to several people I needed to contact. I sent the mail only to receive it back a few minutes later with a fun commentary: "Tada your mail is blacklisted by SpamCop!". Cool.

Apparently, our corporate external IP has been sending spam to some spam trap of spamcop. A quick inspection on the ISA server has shown a funny thing - random SMTP packets are being sent to all over the world from just one IP - the one the boss owns.

Well, cool, now I know we have a spambot in our system, I even know where it is exactly, so I setup an SMTP filter for that computer, delist from SpamCop to resolve the situation quickly, download CureIt and Kasper and go into his room armed and ready.

NOD, CureIt and Kaspersky find nothing. Well, no, they find some old stuff infected with some random worms, some shit that could be the bot's injector in Temporary Internet Files, but still not the bot itself. Even though three AV programs keep telling me that the machine is clean, it's definetely not as the ISA (it's a huge software firewall in case you didn't know) keeps denying a lot of spam from it.

The situation gets grim. Not that I'm an anti-virus expert, but in most cases, unless you can root the bugger out with some software, it spells doom and a need to reformat. However, there might be a slim chance to kill the virus manually unless it infects some system-critical executable you cannot replace (and even then you can sometimes resolve it just taking the HDD to another computer and copying the dead file from a healthy system). I decide to take chances and look for unknown processes. Nothing! Not a single process that is abnormal or unknown. Killing all theoretically killable processes (except the system-critical svchost and some other processes like NOD) didn't stop it.

Fearing the worst (infected svchost and some loader like winlogon), I launch CPorts (this app detects what networking ports are used by specific processes, it is very handy but often useless as processes can quite easily mask themselves to be invisible to it, being displayed as just Unknown), lookup 25 (SMTP) and... almost fall from my chair.

CPorts detected the spambot. It was in "ekrn.exe". What is ekrn? It's short for ESET Kernel, the kernel of NOD anti-virus. In short, this virus not only wasn't stopped by NOD, it has eaten NOD and sent spam using NOD itself. It was quicky apparent why DrWeb and Kasper didn't find it - as an untold convention, anti-viruses (being practically stuffed with unsafe code) generally restrain from scanning each other to prevent system damage. A masterful move by the injector writer, even though removing the spambot was exactly as easy as reinstalling NOD (unfortunately, we already paid for it, and there are no plans to switch to another, better software).

Now the morale of the story is very simple:

Don't use NOD. Ever.

****
You want 20 good men, but you need a bad pussy.
gm.tOSS
Profile Joined September 2005
Germany898 Posts
February 01 2009 21:31 GMT
#2
Nice read.
HuK HuK HuK | ¯\_(ツ)_/¯ | There is death in the hane.
paper
Profile Blog Joined September 2004
13196 Posts
February 01 2009 21:31 GMT
#3
hehe cool
Hates Fun🤔
KlaCkoN
Profile Blog Joined May 2007
Sweden1661 Posts
February 01 2009 21:40 GMT
#4
Lol nice :p
My brother downloaded the exact same virus once =p
I just forced him to reinstall the computer though.
"Voice or no voice the people can always be brought to the bidding of their leaders ... All you have to do is tell them they are being attacked and denounce the pacifists for lack of patriotism and exposing the country to danger."
jodogohoo
Profile Blog Joined March 2008
Canada2533 Posts
February 01 2009 21:41 GMT
#5
A legendary story. I shall pass this down to my children should they get their computers infected.
jimminy_kriket
Profile Blog Joined February 2007
Canada5509 Posts
February 01 2009 21:50 GMT
#6
haha fun story
life of lively to live to life of full life thx to shield battery
HeavOnEarth
Profile Blog Joined March 2008
United States7087 Posts
February 01 2009 21:58 GMT
#7
bwhaah awesome
"come korea next time... FXO house... 10 korean, 10 korean"
KizZBG
Profile Blog Joined November 2006
u gotta skate8152 Posts
February 01 2009 22:05 GMT
#8
lol nice story.
eSTRO for life | #2 Sea.Really fan! | #1 GosI[Flying] fan! | Clide - best SC2 terran!
Disregard
Profile Blog Joined March 2007
China10252 Posts
February 01 2009 22:22 GMT
#9
This rarely happens, I still use Nod32. More reliable than majority of the AVs' out there.
"If I had to take a drug in order to be free, I'm screwed. Freedom exists in the mind, otherwise it doesn't exist."
zer0das
Profile Blog Joined May 2007
United States8519 Posts
February 01 2009 22:48 GMT
#10
Or you could not download shady "virus protection" when you already have anti-virus installed...
BluzMan
Profile Blog Joined April 2006
Russian Federation4235 Posts
February 01 2009 23:23 GMT
#11
On February 02 2009 07:22 Disregard wrote:
This rarely happens, I still use Nod32. More reliable than majority of the AVs' out there.


Well, I've had some experience with it over the last half a year and I must say that I'm very unsatisfied. I still rely on it for resident protection, but when it comes to scanning, it's detection rate is not even in top 5, even though it's a huge commercial brand. I've seen stuff that even Avast roots out (being a freeware AV) that NOD doesn't, and DrWeb's CureIt and Kaspersky online are one step better. Besides, it's heuristic analysis is crap - try to compile asm code where you affect ECX register inside a loop (well, it's crap code, but not nearly a virus) and NOD will raise red alert and prompt you to send the newly-found "malware" to ESET labs for investigation.

At home I use Avast for resident protection, scanning the disks with CureIt about every month. Nothing so far, besides Avast is very gentle about "unsafe code" and has almost zero false alarms.
You want 20 good men, but you need a bad pussy.
Viledica
Profile Joined May 2008
Canada361 Posts
February 01 2009 23:40 GMT
#12
I use NOD32 myself and so far so good, not that I use my home PCs often enough to base whether it's a good Anti-Virus or not though.

Good read, but it won't veer me from sticking with NOD.
Thanks for the heads up.
TonyL2
Profile Blog Joined August 2007
England1953 Posts
February 02 2009 00:00 GMT
#13
Damn I have NOD...
ramen247
Profile Blog Joined June 2008
United States1256 Posts
February 02 2009 00:37 GMT
#14
wat are you talking about... NOD32 is the best AV there can be...
i hate this ugly firebat. i want a marine.
vnlegend
Profile Blog Joined December 2006
United States1389 Posts
February 02 2009 09:07 GMT
#15
On February 02 2009 09:37 ramen247 wrote:
wat are you talking about... NOD32 is the best AV there can be...

He's talking about exactly what he wrote in his blog post, which you just replied to w/o reading.

On another note..

Why did your boss download an anti-virus that calls itself "Windows XP 2008 Anti-Virus"? This is such an obvious fake name. Secondly, the company already has an anti-virus that it has paid for. Seems to me like he was doing something else.
Marines > everything
Please log in or register to reply.
Live Events Refresh
Next event in 17h 58m
[ Submit Event ]
Live Streams
Refresh
StarCraft 2
SpeCial 138
mcanning 121
ProTech78
JuggernautJason54
Codebar 3
UpATreeSC 2
StarCraft: Brood War
Britney 34387
Bisu 3340
Horang2 3189
EffOrt 863
Light 496
Mini 479
Hyuk 436
ZerO 423
Soulkey 225
actioN 211
[ Show more ]
Soma 151
hero 143
Rush 127
Snow 100
ggaemo 87
Hyun 74
Mind 60
Sea.KH 51
Aegong 43
Free 36
PianO 33
sorry 28
ToSsGirL 28
Terrorterran 27
JYJ22
Yoon 21
scan(afreeca) 16
IntoTheRainbow 12
Sexy 11
HiyA 9
Dota 2
Gorgc7050
qojqva3030
Dendi1263
Fuzer 252
XcaliburYe179
League of Legends
Trikslyr47
Counter-Strike
ScreaM837
markeloff160
oskar156
Other Games
gofns25583
tarik_tv20967
B2W.Neo799
FrodaN453
Mlord424
Lowko380
Hui .347
RotterdaM235
byalli222
ArmadaUGS117
QueenE78
NeuroSwarm40
ZerO(Twitch)18
Organizations
StarCraft 2
Blizzard YouTube
StarCraft: Brood War
BSLTrovo
sctven
[ Show 17 non-featured ]
StarCraft 2
• poizon28 14
• Kozan
• sooper7s
• AfreecaTV YouTube
• intothetv
• Migwel
• IndyKCrew
• LaughNgamezSOOP
StarCraft: Brood War
• FirePhoenix9
• Michael_bg 8
• STPLYoutube
• ZZZeroYoutube
• BSLYoutube
Dota 2
• WagamamaTV359
League of Legends
• Nemesis5426
• TFBlade423
Other Games
• Shiphtur221
Upcoming Events
RSL Revival
17h 58m
Zoun vs Classic
Map Test Tournament
18h 58m
Korean StarCraft League
1d 10h
BSL Open LAN 2025 - War…
1d 15h
RSL Revival
1d 17h
Reynor vs Cure
BSL Open LAN 2025 - War…
2 days
RSL Revival
2 days
Online Event
2 days
Wardi Open
3 days
Monday Night Weeklies
3 days
[ Show More ]
Sparkling Tuna Cup
4 days
LiuLi Cup
5 days
The PondCast
6 days
Liquipedia Results

Completed

Proleague 2025-09-10
Chzzk MurlocKing SC1 vs SC2 Cup #2
HCC Europe

Ongoing

BSL 20 Team Wars
KCM Race Survival 2025 Season 3
BSL 21 Points
ASL Season 20
CSL 2025 AUTUMN (S18)
LASL Season 20
RSL Revival: Season 2
Maestros of the Game
StarSeries Fall 2025
FISSURE Playground #2
BLAST Open Fall 2025
BLAST Open Fall Qual
Esports World Cup 2025
BLAST Bounty Fall 2025
BLAST Bounty Fall Qual
IEM Cologne 2025
FISSURE Playground #1

Upcoming

2025 Chongqing Offline CUP
BSL World Championship of Poland 2025
IPSL Winter 2025-26
BSL Season 21
SC4ALL: Brood War
BSL 21 Team A
Stellar Fest
SC4ALL: StarCraft II
EC S1
ESL Impact League Season 8
SL Budapest Major 2025
BLAST Rivals Fall 2025
IEM Chengdu 2025
PGL Masters Bucharest 2025
Thunderpick World Champ.
CS Asia Championships 2025
ESL Pro League S22
TLPD

1. ByuN
2. TY
3. Dark
4. Solar
5. Stats
6. Nerchio
7. sOs
8. soO
9. INnoVation
10. Elazer
1. Rain
2. Flash
3. EffOrt
4. Last
5. Bisu
6. Soulkey
7. Mini
8. Sharp
Sidebar Settings...

Advertising | Privacy Policy | Terms Of Use | Contact Us

Original banner artwork: Jim Warren
The contents of this webpage are copyright © 2025 TLnet. All Rights Reserved.