I've scanned with 28 different antiviruses, and 15 of them reported it as a variant of Rbot/SDbot!
That's a bit unusually high even for the usual false alert. Usually for such keygens and cracks, only 2-5 antiviruses report it.
Another reason why I'm suspecting it: why would the creator of the file call it "NOD32 FiX v2.1"? That's the exact name used by the original nsane fix, and this "crack" is NOT the nsane 2.1 fix! nsane is 296 KB and this one is 426 KB O.o
Guys, I'm 99% sure that this file is a virus!
I've had a quick look inside the file using a hex editor and these are my findings:
1) The file has been packed using nBinder, which means that it contains 2 or more exes in it! (this file has 3 exes)
2) One of the exes inside the (middle of the) file is the real nsane fix
3) The other exe (at the end) is a 28 KB file made in VB. The VB file contains functions to download something
-> This file is detected as Trojan-Download.Win32.Adload.hw by Kaspersky and 10 other AVs!
4) The starting exe in this file is EXTREMELY SUSPICIOUS:
- Contains code to Disable the task manager
- And it *looks* like it's set to DELETE all files in temp, windows folder, documents and settings\username folder, programs folder and the system folder!
- Contains the info that says its been packed using nBinder
- Code to download a file!
-> This file is detected as Rbot.bbm by Kaspersky and 14 other AVs.
Ok check this out, so I removed the vb file and the real nsane fix from the "crack", so I was left with a file around 101 kb, and guess what, the *real* rbot virus which I have in my collection is almost the same size as this one!
There are *two* viruses in that file! Do not download it (use the earlier nsane fix, it works)
Crazy, no company has documented the effects of these two viruses (yet). I'm currently investigating them and I'll make a removal tool or tell what changes it makes.
Meanwhile, I suggest you use Spyware Doctor or similar. Download and run Sysinternals Autoruns tool and look for any unknown or suspicious programs in startup. MSConfig isn't good enough.
Also, it's best you do all of this in safe mode (press F8 before Windows starts), since you'll have a better chance of disabling the virus.
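The hex-editor check described in the post above (counting the executables bundled inside one file and comparing their sizes) can be repeated with a short static scan. This is an added example, not part of the original post; the function names and the sample bytes are constructed for illustration, and the upper bound on `e_lfanew` is an assumed heuristic.

```python
import struct

def find_embedded_pes(data):
    """Offsets of every 'MZ' whose e_lfanew field points at a PE signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            # A bare "MZ" is common in arbitrary bytes, so require the PE
            # signature too (0x1000 limit is an assumed sanity bound).
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def pe_disk_size(data, start):
    """On-disk size from the section table: headers or furthest raw section end."""
    pe = start + struct.unpack_from("<I", data, start + 0x3C)[0]
    (nsect,) = struct.unpack_from("<H", data, pe + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    end = table + 40 * nsect
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, start + raw_ptr + raw_size)
    return end - start

def summarize(data):
    """List of (offset, size) per embedded image; size is None if truncated."""
    out = []
    for off in find_embedded_pes(data):
        try:
            out.append((off, pe_disk_size(data, off)))
        except struct.error:
            out.append((off, None))
    return out

def _fake_pe(raw_size):
    """Constructed, non-functional PE skeleton with one section (sample data only)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, 0x80) + b"\0" * 16
    return dos + coff + sect + b"\xCC" * raw_size

# Constructed stand-in for a bound file: three images back to back.
SAMPLE = _fake_pe(300) + _fake_pe(1000) + _fake_pe(200)

if __name__ == "__main__":
    for off, size in summarize(SAMPLE):
        print(f"PE image at offset {off:#x}, about {size} bytes on disk")
```

To check a real file, pass its bytes to `summarize()` without executing it; executables that a binder stores compressed or encrypted will not show up in this kind of scan.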