Nutcracker family virus, Opera's application data

I was on Opera looking at a few websites like Facebook etc., then I logged onto World of Warcraft with Opera open,
went onto my account, and up pops Nutcracker family virus

documents and settings\ryan\local settings\application data\opera\opera\profile\cache4\opr017Qf

It's in the chest now. I read somewhere it's a password cracker. Maybe it's trying to do that to my World of Warcraft account?

Try creating a new folder, titled “suspicious” (or similar) and move it from the chest to that, then upload it from there to www.virustotal.com/ (or a similar online virus scanning site.)
Then post the url to the results page.
WOW is known to be a target for hackers attempting to steal players' assets. I was surprised to find this out, but apparently there is quite a bit of money in it. The assets are sold, usually in places like China, and folk pay cash for them.

http://www.virustotal.com/analisis/62f844404ba22b9f9f11b15bda316dee

File opr0I7QF received on 05.04.2009 11:58:27 (CET)
Current status: finished
Result: 2/40 (5%)

a-squared 4.0.0.101 2009.05.04 -
AhnLab-V3 5.0.0.2 2009.05.03 -
AntiVir 7.9.0.160 2009.05.04 -
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.03 -
Avast 4.8.1335.0 2009.05.03 Nutcracker family
AVG 8.5.0.327 2009.05.04 -
BitDefender 7.2 2009.05.04 -
CAT-QuickHeal 10.00 2009.05.04 -
ClamAV 0.94.1 2009.05.04 -
Comodo 1149 2009.05.03 -
DrWeb 4.44.0.09170 2009.05.04 -
eSafe 7.0.17.0 2009.05.03 -
eTrust-Vet 31.6.6487 2009.05.02 -
F-Prot 4.4.4.56 2009.05.03 -
F-Secure 8.0.14470.0 2009.05.04 -
Fortinet 3.117.0.0 2009.05.04 -
GData 19 2009.05.04 Nutcracker family
Ikarus T3.1.1.49.0 2009.05.04 -
K7AntiVirus 7.10.722 2009.05.02 -
Kaspersky 7.0.0.125 2009.05.04 -
McAfee 5604 2009.05.03 -
McAfee+Artemis 5604 2009.05.03 -
McAfee-GW-Edition 6.7.6 2009.05.04 -
Microsoft 1.4602 2009.05.04 -
NOD32 4051 2009.05.04 -
Norman 6.01.05 2009.04.30 -
nProtect 2009.1.8.0 2009.05.04 -
Panda 10.0.0.14 2009.05.03 -
PCTools 4.4.2.0 2009.05.03 -
Prevx1 3.0 2009.05.04 -
Rising 21.28.02.00 2009.05.04 -
Sophos 4.41.0 2009.05.04 -
Sunbelt 3.2.1858.2 2009.05.03 -
Symantec 1.4.4.12 2009.05.04 -
TheHacker 6.3.4.1.318 2009.05.03 -
TrendMicro 8.950.0.1092 2009.05.04 -
VBA32 3.12.10.4 2009.05.04 -
ViRobot 2009.5.4.1718 2009.05.04 -
VirusBuster 4.6.5.0 2009.05.03 -
Additional information
File size: 450 bytes
PEiD…: -
TrID…: File type identification
GIF89a Bitmap (60.0%)
GIF Bitmap (generic) (30.0%)
PrintFox (C64) bitmap (10.0%)
PEInfo: -
PDFiD.: -
RDS…: NSRL Reference Data Set

OK. Not very conclusive, is it?
Either it is a new virus and Avast is the first to detect it, or it is a false positive, or something else. (Don’t ask me what. Just covering my 6. ;))
Please select “email to Avast” from the virus chest. If you right-click on the file in there, that option should appear. It should send itself next time Avast checks for updates.
If you right click the file in the “suspicious” folder, and look under properties, does it give any indication (under any of the tabs in the properties window) as to the file size, author, program it is used by etc?

It’s curious only avast is detecting this. It looks very much like a false positive, but who knows… (just covering my 6 :))

type of file = file
location c:\suspect
size 450bytes(450 bytes)
size on disk - 4.00kb(4,096 bytes)
created 04 may 2009 10 58 03 am

sent to avast like you said

If you don’t notice anything wrong with the way any of your programs are working, it can stay in the chest. Personally I’d leave it in there at least until it is known to be a false positive (FP). To know this, scan it again periodically (say, every 2-3 days) by right clicking the file and making the appropriate selection.
If it is a FP, the detection will be corrected in a database update. After (if) that happens, it will scan clean and can then be restored.
If not, it can be left there indefinitely, or deleted.

If something stops working as it should, possibly as a result of this file being absent, please post back.
Google doesn’t return any hits for the file name, so it’s rare or random.

OK :) And what about the one in my suspect folder? How do I get rid of that now,
'cause if I delete it to my recycle bin it will alert me of a virus

I'm sure when you extract something from your chest it adds code to it to stop it running, but I'd still like it gone :P

If you have a file shredder or eraser program you could use that on it. Or try deleting the entire folder rather than just the file.

OK, just deleted to recycle bin instead, then used avast's delete permanently. Anyway, back to the one in my chest: I think I got it from the GameSpy website… I'm sure I was on that when I got it, and I did a search and a guy also got his from there

hxxp://media.gamespy.com/spy/imgs/bg-tab-lft-0.gif

It's mentioned in the topic http://forum.avast.com/index.php?topic=44678.0

You put it there (and excluded the suspect folder from scans) so that you could upload it to virustotal to scan it at some point (previous detection), remember?

It doesn’t add anything when you extract/restore it from the chest; if you try to run it again avast will alert, stopping it from running. Exclusion as you previously did allows it to run. However, the only way to resolve this is to submit the file (the one in the VT results) to avast as a false positive.

If it is indeed a false positive, and it looks that way, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 for how to report it to avast! and what to do to exclude them until the problem is corrected.

Nutcracker is a boot sector virus.

The virus rewrites hard disk and floppy drives and the sectors become unreadable. It can also corrupt or encrypt files and drive sectors. A format + reinstall is the only way to clean the Nutcracker virus and repair the damage.