• Log InLog In
  • Register
Liquid`
Team Liquid Liquipedia
EDT 01:08
CEST 07:08
KST 14:08
  • Home
  • Forum
  • Calendar
  • Streams
  • Liquipedia
  • Features
  • Store
  • EPT
  • TL+
  • StarCraft 2
  • Brood War
  • Smash
  • Heroes
  • Counter-Strike
  • Overwatch
  • Liquibet
  • Fantasy StarCraft
  • TLPD
  • StarCraft 2
  • Brood War
  • Blogs
Forum Sidebar
Events/Features
News
Featured News
[ASL19] Finals Recap: Standing Tall9HomeStory Cup 27 - Info & Preview18Classic wins Code S Season 2 (2025)16Code S RO4 & Finals Preview: herO, Rogue, Classic, GuMiho0TL Team Map Contest #5: Presented by Monster Energy6
Community News
Flash Announces Hiatus From ASL50Weekly Cups (June 23-29): Reynor in world title form?12FEL Cracov 2025 (July 27) - $8000 live event16Esports World Cup 2025 - Final Player Roster16Weekly Cups (June 16-22): Clem strikes back1
StarCraft 2
General
The GOAT ranking of GOAT rankings The SCII GOAT: A statistical Evaluation Statistics for vetoed/disliked maps Esports World Cup 2025 - Final Player Roster How does the number of casters affect your enjoyment of esports?
Tourneys
RSL: Revival, a new crowdfunded tournament series [GSL 2025] Code S: Season 2 - Semi Finals & Finals $5,100+ SEL Season 2 Championship (SC: Evo) FEL Cracov 2025 (July 27) - $8000 live event HomeStory Cup 27 (June 27-29)
Strategy
How did i lose this ZvP, whats the proper response Simple Questions Simple Answers
Custom Maps
[UMS] Zillion Zerglings
External Content
Mutation # 480 Moths to the Flame Mutation # 479 Worn Out Welcome Mutation # 478 Instant Karma Mutation # 477 Slow and Steady
Brood War
General
Player “Jedi” cheat on CSL Help: rep cant save Flash Announces Hiatus From ASL BGH Auto Balance -> http://bghmmr.eu/ [ASL19] Finals Recap: Standing Tall
Tourneys
[Megathread] Daily Proleagues Small VOD Thread 2.0 [BSL20] GosuLeague RO16 - Tue & Wed 20:00+CET The Casual Games of the Week Thread
Strategy
Simple Questions, Simple Answers I am doing this better than progamers do.
Other Games
General Games
Stormgate/Frost Giant Megathread Nintendo Switch Thread Path of Exile What do you want from future RTS games? Beyond All Reason
Dota 2
Official 'what is Dota anymore' discussion
League of Legends
Heroes of the Storm
Simple Questions, Simple Answers Heroes of the Storm 2.0
Hearthstone
Heroes of StarCraft mini-set
TL Mafia
TL Mafia Community Thread Vanilla Mini Mafia
Community
General
US Politics Mega-thread Things Aren’t Peaceful in Palestine Russo-Ukrainian War Thread Trading/Investing Thread The Games Industry And ATVI
Fan Clubs
SKT1 Classic Fan Club! Maru Fan Club
Media & Entertainment
Anime Discussion Thread [Manga] One Piece [\m/] Heavy Metal Thread
Sports
2024 - 2025 Football Thread NBA General Discussion Formula 1 Discussion TeamLiquid Health and Fitness Initiative For 2023 NHL Playoffs 2024
World Cup 2022
Tech Support
Computer Build, Upgrade & Buying Resource Thread
TL Community
Blogs
Culture Clash in Video Games…
TrAiDoS
from making sc maps to makin…
Husyelt
Blog #2
tankgirl
StarCraft improvement
iopq
Trip to the Zoo
micronesia
Customize Sidebar...

Website Feedback

Closed Threads



Active: 656 users

NOD antivirus and stuff

Blogs > BluzMan
Post a Reply
BluzMan
Profile Blog Joined April 2006
Russian Federation4235 Posts
February 01 2009 21:23 GMT
#1
Preface:

- Last monday, I left work somewhat early, and soon after my leave, my boss (the owner of our firm) was browsing the Internet and downloaded something that identified itself as "Windows XP 2008 Anti-Virus". Sure thing, it didn't function the way he expected and NOD (our corporate antivirus, take notice here!) threw some warning when the thing was launched.

Tuesday morning, I came to work and opened my email to send mails to several people I needed to contact. I sent the mail only to receive it back a few minutes later with a fun commentary: "Tada your mail is blacklisted by SpamCop!". Cool.

Apparently, our corporate external IP has been sending spam to some spam trap of spamcop. A quick inspection on the ISA server has shown a funny thing - random SMTP packets are being sent to all over the world from just one IP - the one the boss owns.

Well, cool, now I know we have a spambot in our system, I even know where it is exactly, so I setup an SMTP filter for that computer, delist from SpamCop to resolve the situation quickly, download CureIt and Kasper and go into his room armed and ready.

NOD, CureIt and Kaspersky find nothing. Well, no, they find some old stuff infected with some random worms, some shit that could be the bot's injector in Temporary Internet Files, but still not the bot itself. Even though three AV programs keep telling me that the machine is clean, it's definetely not as the ISA (it's a huge software firewall in case you didn't know) keeps denying a lot of spam from it.

The situation gets grim. Not that I'm an anti-virus expert, but in most cases, unless you can root the bugger out with some software, it spells doom and a need to reformat. However, there might be a slim chance to kill the virus manually unless it infects some system-critical executable you cannot replace (and even then you can sometimes resolve it just taking the HDD to another computer and copying the dead file from a healthy system). I decide to take chances and look for unknown processes. Nothing! Not a single process that is abnormal or unknown. Killing all theoretically killable processes (except the system-critical svchost and some other processes like NOD) didn't stop it.

Fearing the worst (infected svchost and some loader like winlogon), I launch CPorts (this app detects what networking ports are used by specific processes, it is very handy but often useless as processes can quite easily mask themselves to be invisible to it, being displayed as just Unknown), lookup 25 (SMTP) and... almost fall from my chair.

CPorts detected the spambot. It was in "ekrn.exe". What is ekrn? It's short for ESET Kernel, the kernel of NOD anti-virus. In short, this virus not only wasn't stopped by NOD, it has eaten NOD and sent spam using NOD itself. It was quicky apparent why DrWeb and Kasper didn't find it - as an untold convention, anti-viruses (being practically stuffed with unsafe code) generally restrain from scanning each other to prevent system damage. A masterful move by the injector writer, even though removing the spambot was exactly as easy as reinstalling NOD (unfortunately, we already paid for it, and there are no plans to switch to another, better software).

Now the morale of the story is very simple:

Don't use NOD. Ever.

****
You want 20 good men, but you need a bad pussy.
gm.tOSS
Profile Joined September 2005
Germany898 Posts
February 01 2009 21:31 GMT
#2
Nice read.
HuK HuK HuK | ¯\_(ツ)_/¯ | There is death in the hane.
paper
Profile Blog Joined September 2004
13196 Posts
February 01 2009 21:31 GMT
#3
hehe cool
Hates Fun🤔
KlaCkoN
Profile Blog Joined May 2007
Sweden1661 Posts
February 01 2009 21:40 GMT
#4
Lol nice :p
My brother downloaded the exact same virus once =p
I just forced him to reinstall the computer though.
"Voice or no voice the people can always be brought to the bidding of their leaders ... All you have to do is tell them they are being attacked and denounce the pacifists for lack of patriotism and exposing the country to danger."
jodogohoo
Profile Blog Joined March 2008
Canada2533 Posts
February 01 2009 21:41 GMT
#5
A legendary story. I shall pass this down to my children should they get their computers infected.
jimminy_kriket
Profile Blog Joined February 2007
Canada5501 Posts
February 01 2009 21:50 GMT
#6
haha fun story
life of lively to live to life of full life thx to shield battery
HeavOnEarth
Profile Blog Joined March 2008
United States7087 Posts
February 01 2009 21:58 GMT
#7
bwhaah awesome
"come korea next time... FXO house... 10 korean, 10 korean"
KizZBG
Profile Blog Joined November 2006
u gotta skate8152 Posts
February 01 2009 22:05 GMT
#8
lol nice story.
eSTRO for life | #2 Sea.Really fan! | #1 GosI[Flying] fan! | Clide - best SC2 terran!
Disregard
Profile Blog Joined March 2007
China10252 Posts
February 01 2009 22:22 GMT
#9
This rarely happens, I still use Nod32. More reliable than majority of the AVs' out there.
"If I had to take a drug in order to be free, I'm screwed. Freedom exists in the mind, otherwise it doesn't exist."
zer0das
Profile Blog Joined May 2007
United States8519 Posts
February 01 2009 22:48 GMT
#10
Or you could not download shady "virus protection" when you already have anti-virus installed...
BluzMan
Profile Blog Joined April 2006
Russian Federation4235 Posts
February 01 2009 23:23 GMT
#11
On February 02 2009 07:22 Disregard wrote:
This rarely happens, I still use Nod32. More reliable than majority of the AVs' out there.


Well, I've had some experience with it over the last half a year and I must say that I'm very unsatisfied. I still rely on it for resident protection, but when it comes to scanning, it's detection rate is not even in top 5, even though it's a huge commercial brand. I've seen stuff that even Avast roots out (being a freeware AV) that NOD doesn't, and DrWeb's CureIt and Kaspersky online are one step better. Besides, it's heuristic analysis is crap - try to compile asm code where you affect ECX register inside a loop (well, it's crap code, but not nearly a virus) and NOD will raise red alert and prompt you to send the newly-found "malware" to ESET labs for investigation.

At home I use Avast for resident protection, scanning the disks with CureIt about every month. Nothing so far, besides Avast is very gentle about "unsafe code" and has almost zero false alarms.
You want 20 good men, but you need a bad pussy.
Viledica
Profile Joined May 2008
Canada361 Posts
February 01 2009 23:40 GMT
#12
I use NOD32 myself and so far so good, not that I use my home PCs often enough to base whether it's a good Anti-Virus or not though.

Good read, but it won't veer me from sticking with NOD.
Thanks for the heads up.
TonyL2
Profile Blog Joined August 2007
England1953 Posts
February 02 2009 00:00 GMT
#13
Damn I have NOD...
ramen247
Profile Blog Joined June 2008
United States1256 Posts
February 02 2009 00:37 GMT
#14
wat are you talking about... NOD32 is the best AV there can be...
i hate this ugly firebat. i want a marine.
vnlegend
Profile Blog Joined December 2006
United States1389 Posts
February 02 2009 09:07 GMT
#15
On February 02 2009 09:37 ramen247 wrote:
wat are you talking about... NOD32 is the best AV there can be...

He's talking about exactly what he wrote in his blog post, which you just replied to w/o reading.

On another note..

Why did your boss download an anti-virus that calls itself "Windows XP 2008 Anti-Virus"? This is such an obvious fake name. Secondly, the company already has an anti-virus that it has paid for. Seems to me like he was doing something else.
Marines > everything
Please log in or register to reply.
Live Events Refresh
Next event in 4h 52m
[ Submit Event ]
Live Streams
Refresh
StarCraft 2
Nina 275
ProTech57
StarCraft: Brood War
Aegong 59
Zeus 58
Noble 53
LuMiX 1
Dota 2
monkeys_forever480
NeuroSwarm242
League of Legends
JimRising 834
Other Games
summit1g8760
shahzam1204
Organizations
Other Games
BasetradeTV65
StarCraft: Brood War
UltimateBattle 18
StarCraft 2
Blizzard YouTube
StarCraft: Brood War
BSLTrovo
sctven
[ Show 17 non-featured ]
StarCraft 2
• Berry_CruncH148
• practicex 43
• Sammyuel 27
• Kozan
• AfreecaTV YouTube
• sooper7s
• intothetv
• IndyKCrew
• LaughNgamezSOOP
• Migwel
StarCraft: Brood War
• Diggity29
• STPLYoutube
• ZZZeroYoutube
• BSLYoutube
League of Legends
• Lourlo1212
• Rush891
• Stunt444
Upcoming Events
RSL Revival
4h 52m
herO vs SHIN
Reynor vs Cure
OSC
7h 52m
WardiTV European League
10h 52m
Scarlett vs Percival
Jumy vs ArT
YoungYakov vs Shameless
uThermal vs Fjant
Nicoract vs goblin
Harstem vs Gerald
FEL
10h 52m
Big Brain Bouts
10h 52m
Korean StarCraft League
21h 52m
CranKy Ducklings
1d 4h
RSL Revival
1d 4h
FEL
1d 10h
RSL Revival
2 days
[ Show More ]
FEL
2 days
BSL: ProLeague
2 days
Dewalt vs Bonyth
Replay Cast
3 days
Sparkling Tuna Cup
4 days
The PondCast
5 days
Replay Cast
5 days
RSL Revival
6 days
Replay Cast
6 days
Liquipedia Results

Completed

Proleague 2025-06-28
HSC XXVII
Heroes 10 EU

Ongoing

JPL Season 2
BSL 2v2 Season 3
BSL Season 20
Acropolis #3
KCM Race Survival 2025 Season 2
CSL 17: 2025 SUMMER
Copa Latinoamericana 4
Championship of Russia 2025
RSL Revival: Season 1
Murky Cup #2
BLAST.tv Austin Major 2025
ESL Impact League Season 7
IEM Dallas 2025
PGL Astana 2025
Asian Champions League '25
BLAST Rivals Spring 2025
MESA Nomadic Masters
CCT Season 2 Global Finals
IEM Melbourne 2025

Upcoming

2025 ACS Season 2: Qualifier
CSLPRO Last Chance 2025
2025 ACS Season 2
CSLPRO Chat StarLAN 3
K-Championship
uThermal 2v2 Main Event
SEL Season 2 Championship
FEL Cracov 2025
Esports World Cup 2025
StarSeries Fall 2025
FISSURE Playground #2
BLAST Open Fall 2025
BLAST Open Fall Qual
Esports World Cup 2025
BLAST Bounty Fall 2025
BLAST Bounty Fall Qual
IEM Cologne 2025
FISSURE Playground #1
TLPD

1. ByuN
2. TY
3. Dark
4. Solar
5. Stats
6. Nerchio
7. sOs
8. soO
9. INnoVation
10. Elazer
1. Rain
2. Flash
3. EffOrt
4. Last
5. Bisu
6. Soulkey
7. Mini
8. Sharp
Sidebar Settings...

Advertising | Privacy Policy | Terms Of Use | Contact Us

Original banner artwork: Jim Warren
The contents of this webpage are copyright © 2025 TLnet. All Rights Reserved.