Author Topic: Virus found Win32/NSAnti  (Read 9531 times)

Clyde
Virus found Win32/NSAnti
« on: October 13, 2007 »
Hello there,

I keep on getting the following virus warning whenever downloading stuff:

Virus found Win32/NSAnti

I have AVG Free edition antivirus 7.5, and wondered if any people get the same, or know of a cure to this. As a lot of demo stuff I can't download or use.

Many thanks,
Clyde.

Still Putting The IT Into Gravy
If Only I Knew Then What I Know Now.

.:] Druid [:.
Re: Virus found Win32/NSAnti
« Reply #1 on: October 13, 2007 »
Hey Clyde, I do have exactly the same under Vista with the same antivirus.  It's a heuristic alert if I'm not mistaken (it's what I read on the web).  So, basically I stop the resident shield protection when this happens... and turn it back on afterwards.

I know, it's not THE solution but so far it does the job. I'll be looking for a more convenient solution (maybe it'll come from AVG directly, it could be a problem on their side, it's most likely anyway).  Of course if I do find something, I'll post it here.

Cheers,
druid

Clyde
Re: Virus found Win32/NSAnti
« Reply #2 on: October 13, 2007 »
Cheers mate, thanks very much.

mike_g
Re: Virus found Win32/NSAnti
« Reply #3 on: October 13, 2007 »
That's the same message I got a minute ago when I tried to unzip something from this site. Until now I had never seen it before. I guess I'll try downloading some other stuff and see if it happens again.

Edit: Oh yeah, I'm running vista with AVG too.

Jim
Re: Virus found Win32/NSAnti
« Reply #4 on: October 14, 2007 »
I have Vista with AVG.  I'm pretty sure that's not the problem - I think it's executables packed with kkrunchy that trigger the false positive, and that it's something fairly new that AVG is doing that triggers it.

<edit>
I think I've confirmed that.

You can use PEID to check the exe format - it identifies over 400 different packers, apparently!
http://peid.has.it/

And there's an amazing tutorial here about how to unpack kkrunchy'd EXEs.
http://azmoaore.wordpress.com/unpacking-tutorials/

This makes kkrunchy useless when you have AVG enabled which is a pain in the neck.  I might see if I can get in touch with AVG and let them know about the problem.

In the meantime, disabling AVG on Vista is tricky.

First, right click the AVG icon in the tooltray and select 'Quit AVG Control Centre'
Second, find AVG in the start menu, right click 'AVG Control Centre' and choose 'Run as Administrator'.
Choose Allow from the UAC dialog.
Third, right click the AVG icon in the tooltray and select 'Launch AVG Control Centre'
Fourth, right click 'Resident Shield' and select 'Properties'.
Finally, uncheck the 'Turn on AVG Resident Shield protection' and click 'OK'.

If you try this without 'Run as Administrator' it won't turn it off.

<edit2>
Reported to AVG under their 'false positives' programme.  We'll see if it gets fixed.

Jim
« Last Edit: October 14, 2007 by Jim »

Shockwave
Re: Virus found Win32/NSAnti
« Reply #5 on: October 14, 2007 »
I also checked things out with this product;

http://dbfinteractive.com/index.php?topic=2511.0

It triggered the same alert, please see the steps that I took in the post I linked to, which included loading into memory, finding the entry point, complete decrunch, full virus scan with AVG and Kaspersky (which now show the file as clean), then re-compilation with kkrunchy, which then shows the file as infected.

It is not demoscene productions, it's AVG.
Shockwave ^ Codigos

Clyde
Re: Virus found Win32/NSAnti
« Reply #6 on: October 14, 2007 »
Many thanks Jim & Shockwave.

taj
Re: Virus found Win32/NSAnti
« Reply #7 on: October 14, 2007 »

Quote
And there's an amazing tutorial here about how to unpack kkrunchy'd EXEs.
http://azmoaore.wordpress.com/unpacking-tutorials/


After watching that I just downgraded how I see my programming skills. Awesome skillz.

Shockwave
Re: Virus found Win32/NSAnti
« Reply #8 on: October 14, 2007 »
I was lucky, Alpha One taught me how to do all that stuff :)

For any would-be reverse-engineers I would recommend looking at the PORTABLE EXECUTABLE format in great depth, and then when you understand that your coding skills will be more elite than 99% of all so-called coders in the scene.

It is also really interesting to read up on it to see how windows treats your programs.

Paul
Re: Virus found Win32/NSAnti
« Reply #9 on: October 14, 2007 »
Same problem here, also Vista and AVG Free 7.5.
Something similar happened before, but AVG got it fixed after a day or two.

Jim
Re: Virus found Win32/NSAnti
« Reply #10 on: October 14, 2007 »
Here's my response from AVG
Quote
Dear Sir/Madam,

Thank you for your email.

According to our virus lab, the virus is detected properly, because it is packed with packer, which is used very often by some virus/malware etc. We will fix the detection on this file in next virus base update.
Thank you for sending us the file and for your cooperation.

Best regards,

Marek Mikula
AVG Technical Support

I don't know whether that means they'll just keep a hash of kkrunchy.exe which is what I sent them, or whether they'll try to fix it more comprehensively.  Anyway, full marks to AVG/GriSoft for a sub-24hr response time.  nVidia and ATI should take note!

Jim

Shockwave
Re: Virus found Win32/NSAnti
« Reply #11 on: October 14, 2007 »
It was a fast response but that email is ambiguous.

Jim
Re: Virus found Win32/NSAnti
« Reply #12 on: October 15, 2007 »
Quote
don't know whether that means they'll just keep a hash of kkrunchy.exe which is what I sent them
That's exactly what they've done.  Today's patch no longer detects kkrunchy_k7.exe as a virus, but all kkrunchy packed apps are still triggering AVG. Bah!

Jim
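
An added example, not part of the original posts and not AVG's or PEiD's actual logic: it shows why a packer heuristic flags every program produced by the same packer (Reply #4), while an exact-hash exception clears only the one file that was reported (Reply #12). The entropy threshold, the section checks and all sample bytes are constructed assumptions.

```python
import hashlib, math, struct
from collections import Counter

EXEC, READ, WRITE = 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_MEM_* flags
def entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def sections(pe):
    """Yield (name, entropy of raw data, writable and executable) per section."""
    off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[off:off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, off + 6)
    table = off + 24 + opt_size                            # section table start
    for i in range(nsec):
        name, _, _, rsize, rptr, flags = struct.unpack_from(
            "<8sIIII12xI", pe, table + 40 * i)
        wx = (flags & (EXEC | WRITE)) == (EXEC | WRITE)
        yield name.rstrip(b"\0").decode("ascii", "replace"), entropy(pe[rptr:rptr + rsize]), wx

def looks_packed(pe, threshold=7.0):
    """Packer heuristic; the 7.0 bits/byte threshold is an assumption."""
    return any(ent > threshold or wx for _, ent, wx in sections(pe))

def verdict(pe, allowlist):
    """Exact-hash allowlist first, then the heuristic."""
    if hashlib.sha256(pe).hexdigest() in allowlist:
        return "allowlisted"
    return "flagged" if looks_packed(pe) else "clean"

def build_pe(body, flags):
    """Constructed sample: minimal one-section PE image (parseable, not loadable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sec = struct.pack("<8sIIII12xI", b".text", len(body), 0x1000, len(body), 128, flags)
    return dos + coff + sec + body

def noise(seed):
    """Constructed 4096 high-entropy bytes standing in for compressed code."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(128))

PLAIN = build_pe(b"\x55\x8b\xec\x90" * 1024, EXEC | READ)
PACKED_A = build_pe(noise(b"a"), EXEC | READ | WRITE)     # the one file reported
PACKED_B = build_pe(noise(b"b"), EXEC | READ | WRITE)     # another packed program
ALLOW = {hashlib.sha256(PACKED_A).hexdigest()}
for label, pe in (("plain", PLAIN), ("packed A", PACKED_A), ("packed B", PACKED_B)):
    print(label, verdict(pe, ALLOW))
```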

Shockwave
Re: Virus found Win32/NSAnti
« Reply #13 on: October 15, 2007 »
Time to get a better virus checker like Kaspersky.

Jim
Re: Virus found Win32/NSAnti
« Reply #14 on: October 15, 2007 »
I've sent them a follow-up email, but I suspect I'm pissing in the wind now.  Shame - I've used AVG for nearly 10 years now, and I don't want to change.  Is Kaspersky any good?  Is it free?  Does it work on Vista?  AVG answers yes to all those questions, and apart from this new kkrunchy problem, it's been flawless for me.

Jim

Shockwave
Re: Virus found Win32/NSAnti
« Reply #15 on: October 15, 2007 »
Hmm, well, Kaspersky is not free but I believe it to be the best, it will work on Vista.

In fact when I used to do scambaiting Kaspersky was the only virus checker I knew that could detect my "tools" even though they had not been added to any database.

I have full confidence in Kaspersky but I guess it's up to you what you feel comfortable with.

taj
Re: Virus found Win32/NSAnti
« Reply #16 on: October 15, 2007 »
Quote

According to our virus lab, the virus is detected properly, because it is packed with packer, which is used very often by some virus/malware etc.


Oh great, so AVG labs is now saying that any exe packed with a packer is a potential virus. Sigh. Time to remove AVG...idiots. OK, in the meantime, until I find another virus checker, you can do this:

Click on the AVG icon in your toolbar. Click on resident shield and then properties. Deselect resident shield.
Tada - of course things complain but it works.

« Last Edit: October 15, 2007 by chris »

Shockwave
Re: Virus found Win32/NSAnti
« Reply #17 on: October 15, 2007 »
I hate free virus scanners...
We are coders, our HDs are imperative, and we use free scanners?

Yaloopy
Re: Virus found Win32/NSAnti
« Reply #18 on: October 15, 2007 »
NOD32, folks.

rain_storm
Re: Virus found Win32/NSAnti
« Reply #19 on: October 15, 2007 »
I did use NOD32 for a while. It's very good and doesn't usually give false positives. However, I had to uninstall NOD32 when it started to interfere with my assembler: it just would not let me assemble code that used file I/O in DOS, but NOD didn't have any problem with Win32 file I/O.
