Guest DustWolf, Posted September 4, 2013 (edited)

Hello,

Is it true that NOD32 contains a backdoor for the government to install rootkits on the computer? I have a computer in for repair that displays a government webpage on bootup (full screen), which has a NOD32 logo and "supported and enabled by" written next to it. As I check the computer, it clearly has a rootkit installed. NOD32 was functioning normally and detected nothing the whole time. Say what?

Edited September 5, 2013 by Aryeh Goretsky: adjusted topic to match thread
Administrators Marcos, Posted September 4, 2013

Of course the official installers signed by ESET do not contain any malware. If you've come across a suspicious installer or application purporting to have been made by ESET, please submit it to us as per the instructions here for further analysis.
Guest Guest, Posted September 4, 2013

The installer was downloaded off of your website and has been working fine for years (as well as on all the other computers we have).
Arakasi, Posted September 4, 2013 (edited)

Good day DustWolf,

As a long time loyal customer, I just wanted to drop in and add an extra bit of encouragement to submit pictures and samples please. Let ESET take down and trace whoever is purporting to be them, and also attaching their logo to malware. This could have grave consequences on stocks and business. It makes me grind my teeth that someone has possibly created what you speak of. Thank you DustWolf, and a big thanks for reporting and sharing.

*** Also, if that is an FBI / Moneypak virus, an updated VSD of ESET will remove it. Sit at the desktop for 10 minutes with the internet LAN cable connected, so ESET can obtain any new updates, then try restarting the machine.

Edited September 4, 2013 by Arakasi
Guest Guest, Posted September 4, 2013

> Good day DustWolf,
>
> As a long time loyal customer, I just wanted to drop in and add an extra bit of encouragement to submit pictures and samples please. Let ESET take down and trace whoever is purporting to be them, and also attaching their logo to malware. This could have grave consequences on stocks and business. It makes me grind my teeth that someone has possibly created what you speak of. Thank you DustWolf, and a big thanks for reporting and sharing.
>
> *** Also, if that is an FBI / Moneypak virus, an updated VSD of ESET will remove it. Sit at the desktop for 10 minutes with the internet LAN cable connected, so ESET can obtain any new updates, then try restarting the machine.

Hello,

Not sure how to post an image here, so here's a link: hxxp://pritisni.ctrl-alt-del.si/slikce/nod32%20malware.jpg

I have masked out the personally identifiable information, but suffice it to say the page contains everything down to a shot of the user through the webcam.
Guest Guest, Posted September 4, 2013

Am currently running the good ol' Russian rootkit-unhooker. When I gather more information about what exactly the rootkit is made of, I'll let you know.
Arakasi, Posted September 4, 2013 (edited)

That is definitely a modified or fake virus / picture / or similar; as you can see, "NO ESET LOGO", as I have attached the "real" genuine picture of what that virus looks like.

It's a very simple virus to clean. Boot to safe mode, show hidden files and folders, and you will find the executables and JavaScript files in C:\, C:\programdata, and even in %userprofile%\appdata\local & roaming etc. You should be able to reboot after manual deletion. Some variants will block safe mode; at that point pull the drive.

See attached:

Edited September 4, 2013 by Arakasi
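An added triage script for the locations named in the post above; it is not from this thread or from ESET. It lists hidden or recently created .exe/.js files directly in those folders (not recursively) together with the contents of the Run keys, and deletes nothing, so the files can still be quarantined and submitted as samples. It assumes PowerShell 2.0 or later is installed on the machine and, for the date filter, that the infection is less than a week old.

```powershell
# Added triage script (not from the thread). Reports only; nothing is
# deleted, so samples can still be quarantined and submitted to ESET.
# Assumes PowerShell 2.0+ and a recent infection (see $lookback).

$lookback = (Get-Date).AddDays(-7)   # assumption: infected within the last week

# Folders named in the thread; the two "XP location" entries are where
# Local/Roaming AppData live on Windows XP.
$paths = @(
    'C:\',
    'C:\ProgramData',
    "$env:USERPROFILE\AppData\Local",
    "$env:USERPROFILE\AppData\Roaming",
    "$env:USERPROFILE\Local Settings\Application Data",   # XP location
    "$env:USERPROFILE\Application Data"                   # XP location
) | Where-Object { Test-Path $_ }

foreach ($p in $paths) {
    # -Force includes hidden and system files, which the lock screen hides.
    Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|js)$' } |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -or
            ($_.CreationTime -gt $lookback)
        } |
        Select-Object FullName, Length, CreationTime, Attributes
}

# Autostart entries: the Run keys are how a lock screen relaunches itself
# at every boot, so anything pointing into the folders above is suspect.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $key = Get-Item -Path $k
        foreach ($name in $key.GetValueNames()) {
            "$k : $name = $($key.GetValue($name))"
        }
    }
}
```

Run it from safe mode as the affected user; any listed file that is unknown and any Run value pointing at it is the candidate to quarantine rather than delete.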
Arakasi, Posted September 4, 2013

If possible, before cleanup, could you submit samples to ESET as Marcos requested?
Guest Guest, Posted September 4, 2013

> That is definitely a modified or fake virus / picture / or similar; as you can see, "NO ESET LOGO", as I have attached the "real" genuine picture of what that virus looks like.
>
> It's a very simple virus to clean. Boot to safe mode, show hidden files and folders, and you will find the executables and JavaScript files in C:\, C:\programdata, and even in %userprofile%\appdata\local & roaming etc. You should be able to reboot after manual deletion. Some variants will block safe mode; at that point pull the drive.
>
> See attached:

Hello,

Where is that image from? I will try this cleanup procedure, but rather than deleting I will try to use the ESET quarantine so that I can upload the files. It is also possible the rootkit is obscuring them. Will see. Worst case scenario, I will try to move the files and note their original locations. This computer uses Windows XP.
ESET Moderators Aryeh Goretsky, Posted September 4, 2013

Hello,

That is a screenshot from a computer infected by some kind of "lock screen" malware (also known as ransomware). From the screenshot you provided, it could be Win32/TrojanDownloader.Nymain, which uses the same web page template. Or, at least, it was using it when ESET's researchers wrote this blog article on it last week. If you scroll down to the bottom, you will see a screenshot with a similar message, except it is in English and referencing the FBI since it was done on a computer in the US, instead of wherever the one from that screenshot is (Slovenia, maybe?). At the bottom, you will notice over a dozen images from anti-malware companies, including a few that are no longer in business.

So, to sum up: no ESET rootkit, just a piece of ransomware that appears to have stolen some of ESET's graphics.

Regards,

Aryeh Goretsky
Guest Guest, Posted September 4, 2013

Okay, however it still seems to be a new variant. I haven't found anything useful in any existing resources, but will keep this thread updated.
SweX, Posted September 4, 2013 (edited)

I feel this thread title should be changed to something less scary/misleading for both old and new members coming here.

Edited September 4, 2013 by SweX
Administrators Marcos, Posted September 4, 2013

It is apparently ransomware displaying a fake warning to scare the user and to get him or her to pay money to remove the screen lock. If ESET was updating properly before you encountered this infection, the following procedure should clean it out completely:

- restart the computer
- wait at least 5 minutes after the system starts up and the screen locks
- restart the computer

The ransomware should be cleaned then. I'd also recommend installing the latest v7 beta, which turned out to be very stable and provides superior protection against newborn malware, especially thanks to the advanced memory scanner and exploit blocker.
ESET Moderators Aryeh Goretsky, Posted September 5, 2013

> I feel this thread title should be changed to something less scary/misleading for both old and new members coming here.

Hello,

Done.

Regards,

Aryeh Goretsky
SweX, Posted September 6, 2013

> > I feel this thread title should be changed to something less scary/misleading for both old and new members coming here.
>
> Hello,
>
> Done.
>
> Regards,
>
> Aryeh Goretsky

Great, thanks Aryeh.
rockshox, Posted September 20, 2013 (edited)

> Hello,
>
> Is it true that NOD32 contains a backdoor for the government to install rootkits on the computer?

Can we get an official reply from ESET that ESET products do not contain governmental backdoors (for any government)? While I can see several moderator responses, nobody actually answered the question and said that there was definitely not a backdoor for governmental use. Saying that it does not contain malware is great and expected, but if a backdoor existed, it would not be considered "malware" by the people who wrote it. With all the "governmental spying" issues in the news these days, it would be good to have some peace of mind with ESET products.

Edited September 20, 2013 by rockshox
Administrators Marcos, Posted September 20, 2013

Of course, no prestigious antivirus vendor includes malicious files in their products. Doing so would badly damage their reputation and it would be the end of business for such a company.
Driver8, Posted September 22, 2013

Hi. I think the concept you are asking about was generally addressed in the thread below from March of 2012 on the old ESET forums at Wilders Security.

hxxp://www.wilderssecurity.com/showthread.php?t=319731