- Last monday, I left work somewhat early, and soon after my leave, my boss (the owner of our firm) was browsing the Internet and downloaded something that identified itself as "Windows XP 2008 Anti-Virus". Sure thing, it didn't function the way he expected and NOD (our corporate antivirus, take notice here!) threw some warning when the thing was launched.
Tuesday morning, I came to work and opened my email to send mails to several people I needed to contact. I sent the mail only to receive it back a few minutes later with a fun commentary: "Tada your mail is blacklisted by SpamCop!". Cool.
Apparently, our corporate external IP has been sending spam to some spam trap of spamcop. A quick inspection on the ISA server has shown a funny thing - random SMTP packets are being sent to all over the world from just one IP - the one the boss owns.
Well, cool, now I know we have a spambot in our system, I even know where it is exactly, so I setup an SMTP filter for that computer, delist from SpamCop to resolve the situation quickly, download CureIt and Kasper and go into his room armed and ready.
NOD, CureIt and Kaspersky find nothing. Well, no, they find some old stuff infected with some random worms, some shit that could be the bot's injector in Temporary Internet Files, but still not the bot itself. Even though three AV programs keep telling me that the machine is clean, it's definetely not as the ISA (it's a huge software firewall in case you didn't know) keeps denying a lot of spam from it.
The situation gets grim. Not that I'm an anti-virus expert, but in most cases, unless you can root the bugger out with some software, it spells doom and a need to reformat. However, there might be a slim chance to kill the virus manually unless it infects some system-critical executable you cannot replace (and even then you can sometimes resolve it just taking the HDD to another computer and copying the dead file from a healthy system). I decide to take chances and look for unknown processes. Nothing! Not a single process that is abnormal or unknown. Killing all theoretically killable processes (except the system-critical svchost and some other processes like NOD) didn't stop it.
Fearing the worst (infected svchost and some loader like winlogon), I launch CPorts (this app detects what networking ports are used by specific processes, it is very handy but often useless as processes can quite easily mask themselves to be invisible to it, being displayed as just Unknown), lookup 25 (SMTP) and... almost fall from my chair.
CPorts detected the spambot. It was in "ekrn.exe". What is ekrn? It's short for ESET Kernel, the kernel of NOD anti-virus. In short, this virus not only wasn't stopped by NOD, it has eaten NOD and sent spam using NOD itself. It was quicky apparent why DrWeb and Kasper didn't find it - as an untold convention, anti-viruses (being practically stuffed with unsafe code) generally restrain from scanning each other to prevent system damage. A masterful move by the injector writer, even though removing the spambot was exactly as easy as reinstalling NOD (unfortunately, we already paid for it, and there are no plans to switch to another, better software).
Now the morale of the story is very simple:
Don't use NOD. Ever.