Recently I had a Windows 10 (64-bit) PC where Windows Defender would report that it found and (apparently) removed a "threat" it calls Win32/Tnega!MSR. Unfortunately, the removal was unsuccessful, and after restarting the machine, the same message would pop up again.

I then built a "Windows PE" USB stick with various antiviruses (provided by c't), booted from that and performed a complete scan with "ESET Online Scanner". It found 13 threats and removed 12, but none of them were identified as "Tnega!MSR" or any variation thereof. However, after restarting, the Windows Defender message wasn't shown anymore, so it looks like ESET managed to remove the threat after all.

Googling "Tnega!MSR" wasn't really helpful: it only returned the Microsoft page above, a forum thread which dealt with removing the threat but didn't contain any additional information, and the usual deluge of keyword-stuffed fake pages.

Does anyone here know the alias used for "Tnega!MSR" by other antiviruses, or can point me to a resource so I can find it out myself?
FWIW, the malware appears to be [NetSupport](https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat), a RAT. If I were you I'd do a full format and *then* change all the passwords. Especially considering that you seem to have a history of infections and AVs are very easily tricked. – Margaret Bloom Feb 05 '21 at 17:14
3 Answers
> Does anyone here know the alias used for "Tnega!MSR" by other antiviruses, or can point me to a resource so I can find it out myself?

Use the VirusTotal website.
They have a lot of information on all the various names for this malware here.
For example, Defender calls it "Trojan:Win32/Tnega!MSR", ESET calls it "Win32/RA-based.NJV", et cetera.
Thanks! That's exactly the page I was looking for, but was unable to find... – rob74 Feb 05 '21 at 09:16
I don't have the rep to place a comment on hft's answer, but Process Explorer (from Sysinternals, owned by Microsoft) can connect to VirusTotal to check if any running processes are malicious. To my knowledge it can be used to check any process which Process Explorer sees. HowToGeek has a relatively modern overview of it as well here
Thanks! This isn't a direct answer to my question, but it contains useful information for related cases, so I'll upvote it :) – rob74 Feb 05 '21 at 09:25
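The VirusTotal lookup suggested in the answers above can also be scripted. The following is an added example, not code from any of the posts: it hashes a file locally, fetches the VirusTotal API v3 file report (assuming you have your own API key) and lists each engine's detection name. The embedded report is constructed for illustration; the Microsoft and ESET names are the ones quoted in the first answer, and the two `ExampleAV` engines are hypothetical.

```python
import hashlib
import json
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"  # API v3 file report

def sha256_of(path, chunk=1 << 20):
    """Hash the sample locally; only the hash leaves the machine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def fetch_report(file_hash, api_key):
    """Return the parsed report, or None if VirusTotal has never seen the hash."""
    req = urllib.request.Request(VT_FILE_URL.format(file_hash),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def aliases(report):
    """Map engine -> detection name, keeping only engines that flagged the file."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return {engine: r["result"] for engine, r in sorted(results.items())
            if r.get("category") in ("malicious", "suspicious") and r.get("result")}

def engines_matching(report, needle):
    """Engines whose detection name contains `needle`, case-insensitively."""
    return [e for e, n in aliases(report).items() if needle.lower() in n.lower()]

# Constructed sample report (not real VirusTotal output). Microsoft/ESET names are
# taken from the answer above; the ExampleAV engines and their values are invented.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_results": {
    "Microsoft": {"category": "malicious", "result": "Trojan:Win32/Tnega!MSR"},
    "ESET-NOD32": {"category": "malicious", "result": "Win32/RA-based.NJV"},
    "ExampleAV-A": {"category": "undetected", "result": None},
    "ExampleAV-B": {"category": "suspicious", "result": "Generic.Placeholder.Heur"},
}}}}

if __name__ == "__main__":
    for engine, name in aliases(SAMPLE_REPORT).items():
        print(f"{engine:12} {name}")
```

Against the live service, `aliases(fetch_report(sha256_of(path), api_key))` gives the same mapping for a real file, provided `fetch_report` did not return `None`.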
Short answer: "Tnega!MSR" probably only makes sense to the people who are actually coding the AV. Some of them try to put the name of the malware in the detection, but when a file doesn't match any known malware patterns, it might be detected as malware by other internal heuristic engines of the AV, and the detection can be some sort of ID of what the engine found.
Longer answer: it's not that easy to determine the exact name of the malware by just looking at the file (reasons range from code sharing between the malware authors to the reuse of the same crypter), so AVs use heuristic methods that could range from "I have seen these x bytes before in another malware sample" to things like "this file seems to have long sequences with high entropy". Some might share these heuristic methods, thus sharing the detection; others might not. Other times you might see a file detected as two different malware families by two different AVs, and other times you might see the same file with different detections by different versions of the same AV. Long story short, detection names aren't always accurate and you shouldn't always rely on them; better to keep track of the number of files detected and their location.