Ransomware using ESET graphics (was: Government backdoor in NOD32?)

[Guest DustWolf]

Hello,

 

Is it true that NOD32 contains a backdoor for the government to install rootkits on the computer?

 

I have a computer in for repair that displays a government webpage on bootup (full screen), which has a NOD32 logo and "supported and enabled by"  written next to it. As I check the computer, it clearly has a rootkit installed. NOD32 was functioning normally and detected nothing the whole time.

 

Say what?

Edited September 5, 2013 by Aryeh Goretsky
adjusted topic to match thread

[Marcos 5,074]

Of course the official installers signed by ESET do not contain any malware. If you've come across a suspicious installer or application purporting to have been made by ESET, please submit it to us as per the instructions here for further analysis.

[Guest Guest]

The installer was downloaded off of your website and has been working fine for years (as well as on all the other computers we have).

[Arakasi 549]

Good day DustWolf,

 

As a long time loyal customer; i just wanted to drop in and add an extra bit of encouragement to submit pictures and samples please.

Let ESET take down and trace who ever is purporting to be them, and also attaching their logo to malware.

This could have grave consequences on stocks and business.

 

It makes me grind my teeth someone has possibly created what you speak of.

 

Thank you Dustwolf, and a big thanks to reporting and sharing.

 

 

*** Also if that is a FBI / Moneypak virus. updated VSD of ESET will remove. Sit at desktop for 10 minutes with internet LAN cable connected, so ESET can obtain any new updates, then try restarting the machine.

Edited September 4, 2013 by Arakasi

[Guest Guest]

Hello,

 

Not sure how to post an image here, so here's a link:

hxxp://pritisni.ctrl-alt-del.si/slikce/nod32%20malware.jpg

 

I have masked out the personally identifiable information, but sufficive to say the page contains everything down to a shot of the user trough the webcam.

 

 

Good day DustWolf,

 

As a long time loyal customer; i just wanted to drop in and add an extra bit of encouragement to submit pictures and samples please.

Let ESET take down and trace who ever is purporting to be them, and also attaching their logo to malware.

This could have grave consequences on stocks and business.

 

It makes me grind my teeth someone has possibly created what you speak of.

 

Thank you Dustwolf, and a big thanks to reporting and sharing.

 

 

*** Also if that is a FBI / Moneypak virus. updated VSD of ESET will remove. Sit at desktop for 10 minutes with internet LAN cable connected, so ESET can obtain any new updates, then try restarting the machine.

 

[Guest Guest]

Am currently runnin the good ol russian rootkit-unhooker. When I gather more information about what exactly the rootkit is made of, I'll let you know.

[Arakasi 549]

That is definitely a modified or fake virus / picture / or similar; as you can see " NO ESET LOGO "

as i have attached the " real " genuine picture of what that virus looks like.

 

Its a very simple virus to clean.

 

Boot to safemode, show hidden files and folders, and you will find the executables and javascript files on C:\ - C:\programdata - and even in %userprofile%\ appdata\local & roaming

etc.

Should be able to reboot after manual deletion.

 

Some variants will block safemode, at that point pull the drive.

 

See attached:

Edited September 4, 2013 by Arakasi

[Arakasi 549]

If possible, before cleanup.

Could you submit samples to ESET as Marcos requested ?

[Guest Guest]

Hello,

 

Where is that image from? I will try this cleanup procedure, but rather than deleting I will try to use the ESET quarantine so that I can upload the files. It is also possible the rootkit is obscuring them. Will see. Worst case scenario I will try to move the files and note their original locations.

 

This computer uses windows XP.

 

 

That is definitely a modified or fake virus / picture / or similar; as you can see " NO ESET LOGO "

as i have attached the " real " genuine picture of what that virus looks like.

 

Its a very simple virus to clean.

 

Boot to safemode, show hidden files and folders, and you will find the executables and javascript files on C:\ - C:\programdata - and even in %userprofile%\ appdata\local & roaming

etc.

Should be able to reboot after manual deletion.

 

Some variants will block safemode, at that point pull the drive.

 

See attached:

 

[Aryeh Goretsky 378]

Hello,

 

That is a screenshot from a computer infected by some kind of "lock screen" malware (also known as ransomware). 

 

From the screenshot you provided, it could be Win32/TrojanDownloader.Nymain, which uses the same web page template.  Or, at least, it was using it when ESET's researchers wrote this blog article on it last week. 

 

If you scroll down to the bottom, you will see a screenshot with a similar message, except it is in English and referencing the FBI since it was done on a computer in the US, instead of wherever the one from that screenshot is (Slovenia, maybe?).  At the bottom, you will notice over a dozen images from anti-malware companies, including a few that are no longer in business.

 

So, to sum up.  No ESET rootkit, just a piece of ransomware that appears to have stolen some of ESET's graphics.

 

Regards,

 

Aryeh Goretsky

[Guest Guest]

Okay, however it still seems to be a new variant. I haven't found anything useful in any existing resources, but will keep this thread updated.

[SweX 871]

I feel this thread title should be changed to something less scary/misleading for both old and new members coming here. 

Edited September 4, 2013 by SweX

[Marcos 5,074]

It is apparently ransomware displaying a fake warning to scare the user and to get him or her to pay money to remove the screen lock. If ESET was updating properly before you encountered this infection, the following procedure should clean it out completely:

- restart the computer

- wait at least 5 minutes after the system starts up and the screen locks

- restart the computer

The ransomware should be cleaned then. I'd also recommend installing the latest v7 beta which turned out to be very stable and provides superior protection against new born malware especially thanks to the advanced memory scanner and exploit blocker.

[Aryeh Goretsky 378]

Hello,

Done.

Regards,

Aryeh Goretsky

 

I feel this thread title should be changed to something less scary/misleading for both old and new members coming here. 

[SweX 871]

 

Hello,

Done.

Regards,

Aryeh Goretsky

 

I feel this thread title should be changed to something less scary/misleading for both old and new members coming here. 

 

Great, Thanks Aryeh

[rockshox 5]

Hello,

 

Is it true that NOD32 contains a backdoor for the government to install rootkits on the computer?

 

Can we get an official reply from ESET that ESET products do not contain governmental backdoors (for any government)? While I can see several moderator responses, nobody actually answered the question and said that there was definitely not a backdoor for governmental use. Saying that it does not contain malware is great and expected, but if a backdoor existed, it would not be considered "malware" by the people who wrote it.

 

With all the "governmental spying" issues in the news these days. It would be good to have some peace of mind with ESET products.  

Edited September 20, 2013 by rockshox

[Marcos 5,074]

Of course, no prestigious antivirus vendor includes malicious files in their products. Doing so would badly damage their reputation and it would be the end of business for such a company.

[Driver8 4]

Hi.  I think the concept you are asking about was generally addressed in the thread below from March of 2012 on the old ESET forums at Wilders Security.

 

hxxp://www.wilderssecurity.com/showthread.php?t=319731