• Log InLog In
  • Register
Liquid`
Team Liquid Liquipedia
EDT 14:16
CEST 20:16
KST 03:16
  • Home
  • Forum
  • Calendar
  • Streams
  • Liquipedia
  • Features
  • Store
  • EPT
  • TL+
  • StarCraft 2
  • Brood War
  • Smash
  • Heroes
  • Counter-Strike
  • Overwatch
  • Liquibet
  • Fantasy StarCraft
  • TLPD
  • StarCraft 2
  • Brood War
  • Blogs
Forum Sidebar
Events/Features
News
Featured News
Classic Games #3: Rogue vs Serral at BlizzCon9[ASL20] Ro16 Preview Pt1: Ascent10Maestros of the Game: Week 1/Play-in Preview12[ASL20] Ro24 Preview Pt2: Take-Off7[ASL20] Ro24 Preview Pt1: Runway13
Community News
SC4ALL $6,000 Open LAN in Philadelphia7Weekly Cups (Sept 1-7): MaxPax rebounds & Clem saga continues25LiuLi Cup - September 2025 Tournaments3Weekly Cups (August 25-31): Clem's Last Straw?39Weekly Cups (Aug 18-24): herO dethrones MaxPax6
StarCraft 2
General
Weekly Cups (Sept 1-7): MaxPax rebounds & Clem saga continues #1: Maru - Greatest Players of All Time Team Liquid Map Contest #21 - Presented by Monster Energy Classic Games #3: Rogue vs Serral at BlizzCon What happened to Singapore/Brazil servers?
Tourneys
Maestros of The Game—$20k event w/ live finals in Paris RSL: Revival, a new crowdfunded tournament series Sparkling Tuna Cup - Weekly Open Tournament SC4ALL $6,000 Open LAN in Philadelphia LANified! 37: Groundswell, BYOC LAN, Nov 28-30 2025
Strategy
Custom Maps
External Content
Mutation # 490 Masters of Midnight Mutation # 489 Bannable Offense Mutation # 488 What Goes Around Mutation # 487 Think Fast
Brood War
General
ASL20 General Discussion BW General Discussion BGH Auto Balance -> http://bghmmr.eu/ BSL Team Wars - Bonyth, Dewalt, Hawk & Sziky teams alas... i aint gon' lie to u bruh...
Tourneys
[Megathread] Daily Proleagues [ASL20] Ro16 Group B SC4ALL $1,500 Open Bracket LAN CPL12 SIGN UP are open!!!
Strategy
Simple Questions, Simple Answers Muta micro map competition Fighting Spirit mining rates [G] Mineral Boosting
Other Games
General Games
Nintendo Switch Thread Stormgate/Frost Giant Megathread Path of Exile General RTS Discussion Thread Borderlands 3
Dota 2
Official 'what is Dota anymore' discussion
League of Legends
Heroes of the Storm
Simple Questions, Simple Answers Heroes of the Storm 2.0
Hearthstone
Heroes of StarCraft mini-set
TL Mafia
TL Mafia Community Thread
Community
General
US Politics Mega-thread Things Aren’t Peaceful in Palestine Russo-Ukrainian War Thread The Games Industry And ATVI UK Politics Mega-thread
Fan Clubs
The Happy Fan Club!
Media & Entertainment
Movie Discussion! [Manga] One Piece Anime Discussion Thread
Sports
2024 - 2026 Football Thread Formula 1 Discussion MLB/Baseball 2023
World Cup 2022
Tech Support
Linksys AE2500 USB WIFI keeps disconnecting Computer Build, Upgrade & Buying Resource Thread High temperatures on bridge(s)
TL Community
BarCraft in Tokyo Japan for ASL Season5 Final The Automated Ban List
Blogs
The Personality of a Spender…
TrAiDoS
A very expensive lesson on ma…
Garnet
hello world
radishsoup
Lemme tell you a thing o…
JoinTheRain
RTS Design in Hypercoven
a11
Evil Gacha Games and the…
ffswowsucks
Customize Sidebar...

Website Feedback

Closed Threads



Active: 1303 users

NOD antivirus and stuff

Blogs > BluzMan
Post a Reply
BluzMan
Profile Blog Joined April 2006
Russian Federation4235 Posts
February 01 2009 21:23 GMT
#1
Preface:

- Last monday, I left work somewhat early, and soon after my leave, my boss (the owner of our firm) was browsing the Internet and downloaded something that identified itself as "Windows XP 2008 Anti-Virus". Sure thing, it didn't function the way he expected and NOD (our corporate antivirus, take notice here!) threw some warning when the thing was launched.

Tuesday morning, I came to work and opened my email to send mails to several people I needed to contact. I sent the mail only to receive it back a few minutes later with a fun commentary: "Tada your mail is blacklisted by SpamCop!". Cool.

Apparently, our corporate external IP has been sending spam to some spam trap of spamcop. A quick inspection on the ISA server has shown a funny thing - random SMTP packets are being sent to all over the world from just one IP - the one the boss owns.

Well, cool, now I know we have a spambot in our system, I even know where it is exactly, so I setup an SMTP filter for that computer, delist from SpamCop to resolve the situation quickly, download CureIt and Kasper and go into his room armed and ready.

NOD, CureIt and Kaspersky find nothing. Well, no, they find some old stuff infected with some random worms, some shit that could be the bot's injector in Temporary Internet Files, but still not the bot itself. Even though three AV programs keep telling me that the machine is clean, it's definetely not as the ISA (it's a huge software firewall in case you didn't know) keeps denying a lot of spam from it.

The situation gets grim. Not that I'm an anti-virus expert, but in most cases, unless you can root the bugger out with some software, it spells doom and a need to reformat. However, there might be a slim chance to kill the virus manually unless it infects some system-critical executable you cannot replace (and even then you can sometimes resolve it just taking the HDD to another computer and copying the dead file from a healthy system). I decide to take chances and look for unknown processes. Nothing! Not a single process that is abnormal or unknown. Killing all theoretically killable processes (except the system-critical svchost and some other processes like NOD) didn't stop it.

Fearing the worst (infected svchost and some loader like winlogon), I launch CPorts (this app detects what networking ports are used by specific processes, it is very handy but often useless as processes can quite easily mask themselves to be invisible to it, being displayed as just Unknown), lookup 25 (SMTP) and... almost fall from my chair.

CPorts detected the spambot. It was in "ekrn.exe". What is ekrn? It's short for ESET Kernel, the kernel of NOD anti-virus. In short, this virus not only wasn't stopped by NOD, it has eaten NOD and sent spam using NOD itself. It was quicky apparent why DrWeb and Kasper didn't find it - as an untold convention, anti-viruses (being practically stuffed with unsafe code) generally restrain from scanning each other to prevent system damage. A masterful move by the injector writer, even though removing the spambot was exactly as easy as reinstalling NOD (unfortunately, we already paid for it, and there are no plans to switch to another, better software).

Now the morale of the story is very simple:

Don't use NOD. Ever.

****
You want 20 good men, but you need a bad pussy.
gm.tOSS
Profile Joined September 2005
Germany898 Posts
February 01 2009 21:31 GMT
#2
Nice read.
HuK HuK HuK | ¯\_(ツ)_/¯ | There is death in the hane.
paper
Profile Blog Joined September 2004
13196 Posts
February 01 2009 21:31 GMT
#3
hehe cool
Hates Fun🤔
KlaCkoN
Profile Blog Joined May 2007
Sweden1661 Posts
February 01 2009 21:40 GMT
#4
Lol nice :p
My brother downloaded the exact same virus once =p
I just forced him to reinstall the computer though.
"Voice or no voice the people can always be brought to the bidding of their leaders ... All you have to do is tell them they are being attacked and denounce the pacifists for lack of patriotism and exposing the country to danger."
jodogohoo
Profile Blog Joined March 2008
Canada2533 Posts
February 01 2009 21:41 GMT
#5
A legendary story. I shall pass this down to my children should they get their computers infected.
jimminy_kriket
Profile Blog Joined February 2007
Canada5509 Posts
February 01 2009 21:50 GMT
#6
haha fun story
life of lively to live to life of full life thx to shield battery
HeavOnEarth
Profile Blog Joined March 2008
United States7087 Posts
February 01 2009 21:58 GMT
#7
bwhaah awesome
"come korea next time... FXO house... 10 korean, 10 korean"
KizZBG
Profile Blog Joined November 2006
u gotta skate8152 Posts
February 01 2009 22:05 GMT
#8
lol nice story.
eSTRO for life | #2 Sea.Really fan! | #1 GosI[Flying] fan! | Clide - best SC2 terran!
Disregard
Profile Blog Joined March 2007
China10252 Posts
February 01 2009 22:22 GMT
#9
This rarely happens, I still use Nod32. More reliable than majority of the AVs' out there.
"If I had to take a drug in order to be free, I'm screwed. Freedom exists in the mind, otherwise it doesn't exist."
zer0das
Profile Blog Joined May 2007
United States8519 Posts
February 01 2009 22:48 GMT
#10
Or you could not download shady "virus protection" when you already have anti-virus installed...
BluzMan
Profile Blog Joined April 2006
Russian Federation4235 Posts
February 01 2009 23:23 GMT
#11
On February 02 2009 07:22 Disregard wrote:
This rarely happens, I still use Nod32. More reliable than majority of the AVs' out there.


Well, I've had some experience with it over the last half a year and I must say that I'm very unsatisfied. I still rely on it for resident protection, but when it comes to scanning, it's detection rate is not even in top 5, even though it's a huge commercial brand. I've seen stuff that even Avast roots out (being a freeware AV) that NOD doesn't, and DrWeb's CureIt and Kaspersky online are one step better. Besides, it's heuristic analysis is crap - try to compile asm code where you affect ECX register inside a loop (well, it's crap code, but not nearly a virus) and NOD will raise red alert and prompt you to send the newly-found "malware" to ESET labs for investigation.

At home I use Avast for resident protection, scanning the disks with CureIt about every month. Nothing so far, besides Avast is very gentle about "unsafe code" and has almost zero false alarms.
You want 20 good men, but you need a bad pussy.
Viledica
Profile Joined May 2008
Canada361 Posts
February 01 2009 23:40 GMT
#12
I use NOD32 myself and so far so good, not that I use my home PCs often enough to base whether it's a good Anti-Virus or not though.

Good read, but it won't veer me from sticking with NOD.
Thanks for the heads up.
TonyL2
Profile Blog Joined August 2007
England1953 Posts
February 02 2009 00:00 GMT
#13
Damn I have NOD...
ramen247
Profile Blog Joined June 2008
United States1256 Posts
February 02 2009 00:37 GMT
#14
wat are you talking about... NOD32 is the best AV there can be...
i hate this ugly firebat. i want a marine.
vnlegend
Profile Blog Joined December 2006
United States1389 Posts
February 02 2009 09:07 GMT
#15
On February 02 2009 09:37 ramen247 wrote:
wat are you talking about... NOD32 is the best AV there can be...

He's talking about exactly what he wrote in his blog post, which you just replied to w/o reading.

On another note..

Why did your boss download an anti-virus that calls itself "Windows XP 2008 Anti-Virus"? This is such an obvious fake name. Secondly, the company already has an anti-virus that it has paid for. Seems to me like he was doing something else.
Marines > everything
Please log in or register to reply.
Live Events Refresh
[BSL 2025] Weekly
18:00
#14
ZZZero.O15
LiquipediaDiscussion
Maestros of the Game
14:00
Playoffs - Round of 12
Classic vs ClemLIVE!
Serral vs Reynor
ComeBackTV 1885
RotterdaM970
PiGStarcraft480
WardiTV415
IndyStarCraft 318
SteadfastSC219
BRAT_OK 165
Rex145
CranKy Ducklings133
EnkiAlexander 81
LiquipediaDiscussion
[ Submit Event ]
Live Streams
Refresh
StarCraft 2
RotterdaM 970
PiGStarcraft480
IndyStarCraft 318
SteadfastSC 219
BRAT_OK 165
Rex 145
Codebar 15
StarCraft: Brood War
Britney 22955
Sea 2105
sSak 291
firebathero 276
Hyun 48
Movie 43
Rock 40
sas.Sziky 36
Dewaltoss 17
ZZZero.O 15
[ Show more ]
yabsab 14
Shine 11
Dota 2
The International156945
Gorgc16057
Dendi709
PGG 39
Counter-Strike
pashabiceps991
Foxcn465
Other Games
FrodaN1236
Grubby1077
Beastyqt562
B2W.Neo442
Hui .208
KnowMe168
ArmadaUGS92
mouzStarbuck74
SortOf42
rGuardiaN29
MindelVK14
SC2_NightMare2
Organizations
Other Games
gamesdonequick1680
EGCTV680
BasetradeTV29
StarCraft 2
Blizzard YouTube
StarCraft: Brood War
BSLTrovo
sctven
[ Show 19 non-featured ]
StarCraft 2
• printf 33
• OhrlRock 1
• IndyKCrew
• AfreecaTV YouTube
• sooper7s
• intothetv
• Kozan
• LaughNgamezSOOP
• Migwel
StarCraft: Brood War
• Airneanach11
• Michael_bg 4
• STPLYoutube
• ZZZeroYoutube
• BSLYoutube
Dota 2
• C_a_k_e 1229
• Ler88
League of Legends
• Nemesis1916
• Jankos1518
Other Games
• Shiphtur242
Upcoming Events
RSL Revival
15h 44m
Maestros of the Game
22h 44m
BSL Team Wars
1d
Afreeca Starleague
1d 15h
Snow vs Sharp
Jaedong vs Mini
Wardi Open
1d 16h
Sparkling Tuna Cup
2 days
Afreeca Starleague
2 days
Light vs Speed
Larva vs Soma
LiuLi Cup
3 days
The PondCast
4 days
Korean StarCraft League
6 days
[ Show More ]
[BSL 2025] Weekly
6 days
Liquipedia Results

Completed

Proleague 2025-09-10
SEL Season 2 Championship
HCC Europe

Ongoing

BSL 20 Team Wars
KCM Race Survival 2025 Season 3
BSL 21 Points
ASL Season 20
CSL 2025 AUTUMN (S18)
LASL Season 20
RSL Revival: Season 2
Maestros of the Game
Chzzk MurlocKing SC1 vs SC2 Cup #2
FISSURE Playground #2
BLAST Open Fall 2025
BLAST Open Fall Qual
Esports World Cup 2025
BLAST Bounty Fall 2025
BLAST Bounty Fall Qual
IEM Cologne 2025
FISSURE Playground #1

Upcoming

2025 Chongqing Offline CUP
BSL Polish World Championship 2025
BSL Season 21
SC4ALL: Brood War
BSL 21 Team A
SC4ALL: StarCraft II
EC S1
SL Budapest Major 2025
BLAST Rivals Fall 2025
IEM Chengdu 2025
PGL Masters Bucharest 2025
MESA Nomadic Masters Fall
Thunderpick World Champ.
CS Asia Championships 2025
ESL Pro League S22
StarSeries Fall 2025
TLPD

1. ByuN
2. TY
3. Dark
4. Solar
5. Stats
6. Nerchio
7. sOs
8. soO
9. INnoVation
10. Elazer
1. Rain
2. Flash
3. EffOrt
4. Last
5. Bisu
6. Soulkey
7. Mini
8. Sharp
Sidebar Settings...

Advertising | Privacy Policy | Terms Of Use | Contact Us

Original banner artwork: Jim Warren
The contents of this webpage are copyright © 2025 TLnet. All Rights Reserved.