• Log InLog In
  • Register
Liquid`
Team Liquid Liquipedia
EDT 05:16
CEST 11:16
KST 18:16
  • Home
  • Forum
  • Calendar
  • Streams
  • Liquipedia
  • Features
  • Store
  • EPT
  • TL+
  • StarCraft 2
  • Brood War
  • Smash
  • Heroes
  • Counter-Strike
  • Overwatch
  • Liquibet
  • Fantasy StarCraft
  • TLPD
  • StarCraft 2
  • Brood War
  • Blogs
Forum Sidebar
Events/Features
News
Featured News
Serral wins Maestros of the Game 226ByuL, and the Limitations of Standard Play3Team Liquid Map Contest #22: Results and Winners7Code S Season 2 (2026): RO4 and Finals Preview12TL.net Map Contest #22 - Voting & Ladder Map Selection7
Community News
Weekly Cups (June 29-July 5): Solar Doubles0MC vs IdrA, Boxer vs Nal_rA to be Legacy Matches @ BlizzCon415.0.16 Hotfix (June 30) - Balance + Bug Fixes40Weekly Cups (June 22-28): Zergs thrive in new patch5[TLMC] Summer 2026 Ladder Map Rotation0
StarCraft 2
General
5.0.16 patch for SC2 goes live (8 worker start) 5.0.16 Hotfix (June 30) - Balance + Bug Fixes Weekly Cups (June 29-July 5): Solar Doubles MC vs IdrA, Boxer vs Nal_rA to be Legacy Matches @ BlizzCon Is the larve respawn broken?
Tourneys
HomeStory Cup 29 GSL CK #5 Race War RSL Revival: Season 6 - Qualifiers and Main Event Vespene Cup #1 — $300+ USD, July 10 Douyu Cup 2026: $20,000 Legends Event (June 26-28)
Strategy
[G] Having the right mentality to improve
Custom Maps
New Map Maker - Looking for Advice - Love or Hate Work In Progress Melee Maps [D]RTS in all its shapes and glory <3
External Content
Mutation # 533 Die Together The PondCast: SC2 News & Results Mutation # 532 Nuclear Family Mutation # 531 Experimental Artillery
Brood War
General
Starcraft vs Retro Category on Twitch Data needed Snow On New ASL S22 Map, Zerg Nerf BGH Auto Balance -> http://bghmmr.eu/ ASL 22 Proposed Map Pool
Tourneys
CSLAN 4 is Coming! Escore Tournament StarCraft Season 2 The Casual Games of the Week Thread [Megathread] Daily Proleagues
Strategy
Simple Questions, Simple Answers Creating a full chart of Zerg builds Relatively freeroll strategies Why doesn't anyone use restoration?
Other Games
General Games
Nintendo Switch Thread Stormgate/Frost Giant Megathread Dawn of War IV Summer Games Done Quick 2026! ZeroSpace at Steam NextFest - Last free demo
Dota 2
Looking for a Dota Mentor Official 'what is Dota anymore' discussion
League of Legends
Heroes of the Storm
Simple Questions, Simple Answers Heroes of the Storm 2.0
Hearthstone
Deck construction bug
TL Mafia
NeO.D_StephenKing vs This Guy From 1 Million Dance TL Mafia Community Thread TL Mafia Power Rank Vanilla Mini Mafia
Community
General
US Politics Mega-thread UK Politics Mega-thread Russo-Ukrainian War Thread YouTube Thread Canadian Politics Mega-thread
Fan Clubs
The HerO Fan Club!
Media & Entertainment
Anime Discussion Thread Movie Discussion! Series you have seen recently... [Req][Books] Good Fantasy/SciFi books [TV/BOOK] *SPOILERS* Game of Thrones Discussion
Sports
2024 - 2026 Football Thread Formula 1 Discussion McBoner: A hockey love story TeamLiquid Health and Fitness Initiative For 2023 Cricket [SPORT]
World Cup 2022
Tech Support
FPS when play League Of Legend on laptop How to clean a TTe Thermaltake keyboard? Computer Build, Upgrade & Buying Resource Thread
TL Community
The Automated Ban List
Blogs
Major Shifts in the Gaming I…
TrAiDoS
An Exploration of th…
waywardstrategy
I'm an arrogant trash talke…
FlaShFTW
Gauntlet SC2: A Retrospectiv…
Ctone23
ramps on octagon
StaticNine
Funny Nicknames
LUCKY_NOOB
Customize Sidebar...

Website Feedback

Closed Threads



Active: 5078 users

NOD antivirus and stuff

Blogs > BluzMan
Post a Reply
BluzMan
Profile Blog Joined April 2006
Russian Federation4235 Posts
February 01 2009 21:23 GMT
#1
Preface:

- Last monday, I left work somewhat early, and soon after my leave, my boss (the owner of our firm) was browsing the Internet and downloaded something that identified itself as "Windows XP 2008 Anti-Virus". Sure thing, it didn't function the way he expected and NOD (our corporate antivirus, take notice here!) threw some warning when the thing was launched.

Tuesday morning, I came to work and opened my email to send mails to several people I needed to contact. I sent the mail only to receive it back a few minutes later with a fun commentary: "Tada your mail is blacklisted by SpamCop!". Cool.

Apparently, our corporate external IP has been sending spam to some spam trap of spamcop. A quick inspection on the ISA server has shown a funny thing - random SMTP packets are being sent to all over the world from just one IP - the one the boss owns.

Well, cool, now I know we have a spambot in our system, I even know where it is exactly, so I setup an SMTP filter for that computer, delist from SpamCop to resolve the situation quickly, download CureIt and Kasper and go into his room armed and ready.

NOD, CureIt and Kaspersky find nothing. Well, no, they find some old stuff infected with some random worms, some shit that could be the bot's injector in Temporary Internet Files, but still not the bot itself. Even though three AV programs keep telling me that the machine is clean, it's definetely not as the ISA (it's a huge software firewall in case you didn't know) keeps denying a lot of spam from it.

The situation gets grim. Not that I'm an anti-virus expert, but in most cases, unless you can root the bugger out with some software, it spells doom and a need to reformat. However, there might be a slim chance to kill the virus manually unless it infects some system-critical executable you cannot replace (and even then you can sometimes resolve it just taking the HDD to another computer and copying the dead file from a healthy system). I decide to take chances and look for unknown processes. Nothing! Not a single process that is abnormal or unknown. Killing all theoretically killable processes (except the system-critical svchost and some other processes like NOD) didn't stop it.

Fearing the worst (infected svchost and some loader like winlogon), I launch CPorts (this app detects what networking ports are used by specific processes, it is very handy but often useless as processes can quite easily mask themselves to be invisible to it, being displayed as just Unknown), lookup 25 (SMTP) and... almost fall from my chair.

CPorts detected the spambot. It was in "ekrn.exe". What is ekrn? It's short for ESET Kernel, the kernel of NOD anti-virus. In short, this virus not only wasn't stopped by NOD, it has eaten NOD and sent spam using NOD itself. It was quicky apparent why DrWeb and Kasper didn't find it - as an untold convention, anti-viruses (being practically stuffed with unsafe code) generally restrain from scanning each other to prevent system damage. A masterful move by the injector writer, even though removing the spambot was exactly as easy as reinstalling NOD (unfortunately, we already paid for it, and there are no plans to switch to another, better software).

Now the morale of the story is very simple:

Don't use NOD. Ever.

****
You want 20 good men, but you need a bad pussy.
gm.tOSS
Profile Joined September 2005
Germany898 Posts
February 01 2009 21:31 GMT
#2
Nice read.
HuK HuK HuK | ¯\_(ツ)_/¯ | There is death in the hane.
paper
Profile Blog Joined September 2004
13196 Posts
February 01 2009 21:31 GMT
#3
hehe cool
Hates Fun🤔
KlaCkoN
Profile Blog Joined May 2007
Sweden1661 Posts
February 01 2009 21:40 GMT
#4
Lol nice :p
My brother downloaded the exact same virus once =p
I just forced him to reinstall the computer though.
"Voice or no voice the people can always be brought to the bidding of their leaders ... All you have to do is tell them they are being attacked and denounce the pacifists for lack of patriotism and exposing the country to danger."
jodogohoo
Profile Blog Joined March 2008
Canada2533 Posts
February 01 2009 21:41 GMT
#5
A legendary story. I shall pass this down to my children should they get their computers infected.
jimminy_kriket
Profile Blog Joined February 2007
Canada5536 Posts
February 01 2009 21:50 GMT
#6
haha fun story
life of lively to live to life of full life thx to shield battery
HeavOnEarth
Profile Blog Joined March 2008
United States7087 Posts
February 01 2009 21:58 GMT
#7
bwhaah awesome
"come korea next time... FXO house... 10 korean, 10 korean"
KizZBG
Profile Blog Joined November 2006
u gotta skate8152 Posts
February 01 2009 22:05 GMT
#8
lol nice story.
eSTRO for life | #2 Sea.Really fan! | #1 GosI[Flying] fan! | Clide - best SC2 terran!
Disregard
Profile Blog Joined March 2007
China10252 Posts
February 01 2009 22:22 GMT
#9
This rarely happens, I still use Nod32. More reliable than majority of the AVs' out there.
"If I had to take a drug in order to be free, I'm screwed. Freedom exists in the mind, otherwise it doesn't exist."
zer0das
Profile Blog Joined May 2007
United States8519 Posts
February 01 2009 22:48 GMT
#10
Or you could not download shady "virus protection" when you already have anti-virus installed...
BluzMan
Profile Blog Joined April 2006
Russian Federation4235 Posts
February 01 2009 23:23 GMT
#11
On February 02 2009 07:22 Disregard wrote:
This rarely happens, I still use Nod32. More reliable than majority of the AVs' out there.


Well, I've had some experience with it over the last half a year and I must say that I'm very unsatisfied. I still rely on it for resident protection, but when it comes to scanning, it's detection rate is not even in top 5, even though it's a huge commercial brand. I've seen stuff that even Avast roots out (being a freeware AV) that NOD doesn't, and DrWeb's CureIt and Kaspersky online are one step better. Besides, it's heuristic analysis is crap - try to compile asm code where you affect ECX register inside a loop (well, it's crap code, but not nearly a virus) and NOD will raise red alert and prompt you to send the newly-found "malware" to ESET labs for investigation.

At home I use Avast for resident protection, scanning the disks with CureIt about every month. Nothing so far, besides Avast is very gentle about "unsafe code" and has almost zero false alarms.
You want 20 good men, but you need a bad pussy.
Viledica
Profile Joined May 2008
Canada361 Posts
February 01 2009 23:40 GMT
#12
I use NOD32 myself and so far so good, not that I use my home PCs often enough to base whether it's a good Anti-Virus or not though.

Good read, but it won't veer me from sticking with NOD.
Thanks for the heads up.
TonyL2
Profile Blog Joined August 2007
England1953 Posts
February 02 2009 00:00 GMT
#13
Damn I have NOD...
ramen247
Profile Blog Joined June 2008
United States1256 Posts
February 02 2009 00:37 GMT
#14
wat are you talking about... NOD32 is the best AV there can be...
i hate this ugly firebat. i want a marine.
vnlegend
Profile Blog Joined December 2006
United States1389 Posts
February 02 2009 09:07 GMT
#15
On February 02 2009 09:37 ramen247 wrote:
wat are you talking about... NOD32 is the best AV there can be...

He's talking about exactly what he wrote in his blog post, which you just replied to w/o reading.

On another note..

Why did your boss download an anti-virus that calls itself "Windows XP 2008 Anti-Virus"? This is such an obvious fake name. Secondly, the company already has an anti-virus that it has paid for. Seems to me like he was doing something else.
Marines > everything
Please log in or register to reply.
Live Events Refresh
Next event in 44m
[ Submit Event ]
Live Streams
Refresh
StarCraft 2
SortOf 241
ProTech110
StarCraft: Brood War
Britney 39316
PianO 1360
Hyuk 641
Tasteless 283
Stork 253
Mong 196
BeSt 170
actioN 118
Larva 88
ToSsGirL 84
[ Show more ]
Dewaltoss 81
Light 64
Mind 60
Aegong 55
Sacsri 21
NaDa 20
Bale 16
IntoTheRainbow 15
Sharp 11
sorry 8
Dota 2
Gorgc430
League of Legends
JimRising 596
Counter-Strike
olofmeister980
byalli1
Other Games
Sick238
Mew2King130
RuFF_SC223
BEARDiaguz11
Organizations
Other Games
gamesdonequick22917
StarCraft 2
Blizzard YouTube
StarCraft: Brood War
BSLTrovo
[ Show 13 non-featured ]
StarCraft 2
• LUISG 12
• AfreecaTV YouTube
• intothetv
• Kozan
• IndyKCrew
• LaughNgamezSOOP
• Migwel
• sooper7s
StarCraft: Brood War
• BSLYoutube
• STPLYoutube
• ZZZeroYoutube
Dota 2
• lizZardDota267
League of Legends
• Jankos3632
Upcoming Events
The PondCast
44m
Replay Cast
23h 44m
CrankTV Team League
1d 1h
OSC
1d 7h
Replay Cast
1d 14h
Replay Cast
1d 23h
CrankTV Team League
2 days
OSC
2 days
Replay Cast
2 days
RSL Revival
2 days
Serral vs Bunny
ByuN vs GgMaChine
[ Show More ]
CranKy Ducklings
3 days
Afreeca Starleague
3 days
Snow vs Jaedong
YSC vs hero
RSL Revival
3 days
Solar vs Rogue
Maru vs NightMare
Sparkling Tuna Cup
4 days
GSL
5 days
Replay Cast
5 days
WardiTV Weekly
6 days
Liquipedia Results

Completed

CSL Season 21: Qualifier 2
HSC XXIX
Eternal Conflict S2 E1

Ongoing

IPSL Spring 2026
Acropolis #4
YSL S3
CSL 2026 Summer (S21)
SCTL 2026 Spring
XSE Pro League 2026
IEM Cologne Major 2026
Stake Ranked Episode 2
CS Asia Championships 2026
Asian Champions League 2026
IEM Atlanta 2026
PGL Astana 2026
BLAST Rivals Spring 2026

Upcoming

Escore Tournament S3: W2
ASL Season 22: Wild Card Qualifier
CSLAN 4
Blizzard Classic Cup 2026
SC4ALL II: StarCraft II
Kung Fu Cup 2026 Grand Finals
RSL Revival: Season 6
CranK Gathers Season 4: BW vs SC2 Team League
Light Tournament 2026
Eternal Conflict S2 Finale
Eternal Conflict S2 E3
Eternal Conflict S2 E2
Heroes Pulsing #3
Logitech G Connect 2026
StarSeries Fall 2026
FISSURE Playground #5
BLAST Open Fall 2026
Esports World Cup 2026
BLAST Bounty Summer 2026
BLAST Bounty Summer Qual
Stake Ranked Episode 3
TLPD

1. ByuN
2. TY
3. Dark
4. Solar
5. Stats
6. Nerchio
7. sOs
8. soO
9. INnoVation
10. Elazer
1. Rain
2. Flash
3. EffOrt
4. Last
5. Bisu
6. Soulkey
7. Mini
8. Sharp
Sidebar Settings...

Advertising | Privacy Policy | Terms Of Use | Contact Us

Original banner artwork: Jim Warren
The contents of this webpage are copyright © 2026 TLnet. All Rights Reserved.