Absoblogginlutely! » Virus

Symantec have a time machine!

Andy — Wed, 04 Jun 2008 01:39:43 +0000

I logged a ticket with Symantec today as I needed to download Maintenance Release 7 for their corporate edition 10.1 yet their fileconnect website only gave me version 11 (which is so unstable we refuse to install it). 2 hours later I got an email from their support site that started “We have been trying to reach you in the last few days to assist you with the issue regarding Symantec Antivirus but unfortunately we have not been able to do so.”
I guess they’ve invented a time machine in order to try and beat their really long wait times on hold for support…..either that or I forgot that I logged a ticket several days ago and they’ve finally got round to dealing with it!
Anyway, they’ve given me a new serial number to log into the website with so I can download the older version. I’m not sure if it’s an inplace upgrade (I hope so) rather than a removal and reinstall again – if its the removal and reinstall that means *another* 3 or 4 hours to remove, reboot, install and then fix the issues of the client software breaking other software again.
I guess I *really* need to get some time to investigate nod32 network deployments – anyone had any experience with this?

Symantec have a time machine! was originally posted at Absoblogginlutely!

Valentines day warning.

Andy — Wed, 13 Feb 2008 19:38:40 +0000

I sent this around to a couple of my user sites today. I was glad to see that some of the users did actually read the notice as I got several replies back saying it made them laugh.

Please note that there are several hoax valentine day cards going around the internet that links to malicious software. If you received a valentines day ecard please do not open it and tell your loved one not to be a cheapskate and buy a real card.

Valentines day warning. was originally posted at Absoblogginlutely!

STUPID Symantec antivirus – Autoit is not a virus.

Andy — Fri, 01 Jun 2007 15:16:23 +0000

It’s going to be a long day for sysadmins who use AutoIT on their production Lan as symantec has detected the product as MSN.flooder in their dat files – the last time this happened was Jan 2006. Fortunately I only have it on a couple of pc’s but it is going to be a real pain for someone who uses it on every desktop or in login scripts. This follows about a week after they crippled thousands of chinese pc’s by detecting windows files as virus’s. I sure wouldn’t want to be a chinese sysadmin running autoit! Home users can log a report at the symantec false positive report site but enterprise gold or platinum users need to contact support or submit a false positive report after updating the dats. To report using the antivirus application – right click the file in quarantine and choose submit to symantec security response. Unfortunately on my work pc I don’t have rights to do this!
Update Downloading the latest updates to May 31st defs, releasing the files from quarantine and then scanning did not quarantine the files again.
Update 2 It looks like the same definition patterns also got a false positive in Search & Destroy according to SANS.
Update 3 Html corrected to ensure the updates appear properly.

STUPID Symantec antivirus – Autoit is not a virus. was originally posted at Absoblogginlutely!

Adobe Flash player install triggers virus alerts

Andy — Thu, 10 May 2007 04:54:40 +0000

I installed Adobe’s flash player 6 on my pc tonight and was surprised to see Comodo Antivirus kick in with a “Not-a-virus:RiskTool.Win32.PsKill.q” for the nsprocess.dll file included as part of the install – presumably to kill any previous installs currently running. I’ve seen things like this with Symantec Antivirus and pskill from sysinternals before but not with Flash Player!
I submitted the file to virustotal.com and got the following results.

Antivirus	Version	Update	Result
AhnLab-V3	2007.5.10.0	05.09.2007	Win-Trojan/ProcKill.4096.B
AntiVir	7.4.0.15	05.09.2007	no virus found
Authentium	4.93.8	05.08.2007	no virus found
Avast	4.7.997.0	05.09.2007	no virus found
AVG	7.5.0.467	05.09.2007	no virus found
BitDefender	7.2	05.10.2007	no virus found
CAT-QuickHeal	9.00	05.09.2007	no virus found
ClamAV	devel-20070416	05.09.2007	no virus found
DrWeb	4.33	05.09.2007	no virus found
eSafe	7.0.15.0	05.08.2007	no virus found
eTrust-Vet	30.7.3622	05.09.2007	no virus found
Ewido	4.0	05.09.2007	no virus found
FileAdvisor	1	05.10.2007	No threat detected
Fortinet	2.85.0.0	05.09.2007	no virus found
F-Prot	4.3.2.48	05.09.2007	W32/Trojan.RZG
F-Secure	6.70.13030.0	05.10.2007	no virus found
Ikarus	T3.1.1.7	05.09.2007	no virus found
Kaspersky	4.0.2.24	05.10.2007	no virus found
McAfee	5027	05.09.2007	potentially unwanted program Generic PUP
Microsoft	1.2503	05.09.2007	no virus found
NOD32v2	2255	05.09.2007	no virus found
Norman	5.80.02	05.09.2007	no virus found
Panda	9.0.0.4	05.09.2007	no virus found
Prevx1	V2	05.10.2007	no virus found
Sophos	4.17.0	05.08.2007	no virus found
Sunbelt	2.2.907.0	05.05.2007	no virus found
Symantec	10	05.10.2007	no virus found
TheHacker	6.1.6.112	05.10.2007	Trojan/KillProc.p
VBA32	3.12.0	05.09.2007	no virus found
VirusBuster	4.3.7:9	05.09.2007	no virus found
Webwasher-Gateway	6.0.1	05.09.2007	no virus found

That is 5 antivirus products that presumably block or intefere with Flash from being installed.

Adobe Flash player install triggers virus alerts was originally posted at Absoblogginlutely!

Plesk worm on windows servers

Andy — Tue, 27 Feb 2007 17:04:04 +0000

There has been a worm infecting Windows servers running the popular plesk package (that provides shared windows hosting) due to a vulnerability in mailenable. My host has provided details on available fix, but first they disabled pop3 access to prevent the worm spreading. An interesting method of propagation and a pretty drastic measure to stop it – hopefully everyone signs up for the forum notifications or their helpdesk is going to be very busy.

Plesk worm on windows servers was originally posted at Absoblogginlutely!

More wmf stuff

Andy — Tue, 03 Jan 2006 20:27:06 +0000

There is now an unofficial patch out for the wmf flaw but it is currently unavailable. More details at F-Secure’s blog. SANS has a mirrored link of the patch as the original authors website is unavailable, probably because everyone is hitting his site. However, google’s cache of the page that talks about the flaw is available and worth looking at. I’m posting the details into my extended entry in case the google page gets wiped.

About IDA Pro, decompilation, programming, binary program analysis, information security. By Ilfak Guilfanov.

« The longest arithmetic operation | Main
Windows WMF Metafile Vulnerability HotFix

This week a new vulnerability was found in Windows:

http://www.microsoft.com/technet/security/advisory/912840.mspx

Browsing the web was not safe anymore, regardless of the browser. Microsoft will certainly come up with a thouroughly tested fix for it in the future, but meanwhile I developed a temporary fix – I badly needed it.

The fix does not remove any functionality from the system, all pictures will continue to be visible. You can download it here:

http://www.hexblog.com/security/files/wmffix_hexblog12.exe

It should work for Windows 2000, XP SP2 and XP 64-bit. It might also work for XP SP1 or XP without any service packs applied.

Technical details: this is a DLL which gets injected to all processes loading user32.dll.
It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore.

I can imagine situations when this sequence is useful. My patch completely disables this escape sequence, so please be careful. However, with the fix installed, I can browse files, print them and do other things.

If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as “Windows WMF Metafile Vulnerability HotFix”. I’d like to know what programs are crippled by the fix, please tell me.

I recommend you to uninstall this fix and use the official patch from Microsoft as soon as it is available.

The usual software disclaimer applies…

File: wmffix_hexblog12.exe (the source code is included)

UPD: more error checking
UPD2: Version 1.1 with Win2000 support
UPD3: Version 1.2: if the hotfix has already been applied to the system, inform the user at the second installation attempt.
There is no need to reinstall anything! Old hotfixes are perfectly ok.

Posted by Ilfak Guilfanov on December 31, 2005 06:53 AM | Permalink

More wmf stuff was originally posted at Absoblogginlutely!

Snort Vulnerability

Andy — Thu, 20 Oct 2005 15:16:10 +0000

Although I am not aware of any customers running snort, this may be of use to other people reading this, but snort 2.4, with the Back Orifice processor enabled is vulnerable to attack as per the details at Sans

Snort Vulnerability was originally posted at Absoblogginlutely!

Low scammers

Andy — Sat, 03 Sep 2005 20:26:34 +0000

I’ve just had a scam email pretending to be from Bank Of The West (who I’ve never even heard of) saying that there has been fraudulent activity on my bank account. A DNS lookup on the domain that they’ve registered (on Tuesday) has an address in New Orleans – probably as they know that it is going to be impossible to trace that for the forseeable future.
As usual the website is actually hosted in the far east – Vietnam in this case.

Low scammers was originally posted at Absoblogginlutely!

Virus out for Vista

Andy — Sat, 06 Aug 2005 17:35:20 +0000

8 days after Vista was released to beta, the first virus appears. So an obviously secure platform then At least this virus is not likely to spread very far as there are unlikely to be many vista machines in deployment

Virus out for Vista was originally posted at Absoblogginlutely!

Stopping zombies?

Andy — Tue, 31 May 2005 14:33:50 +0000

Interesting to see that it looks like the police are getting involved with contacting isps to ask them to do something about pc’s that are infected with viruses and acting as zombies according to net4nowt.
Wish they would do something about the french isp hosting phishing accounts. I received an email on Friday asking me to verify my ebay information and checking the website it is hosted on Amen’s servers. There was no email contact information on the website, their “online chat guide” is permanently engaged and the only way to contact the support department is to register with them or be an existing customer (I wonder if an EX customer like me is included in that latter category). An email to abuse@amen.fr has so far only come back with a (autoreply) statement saying they will take immediate action to stop spammers and to forward them the headers – which I did on the initial posting.

Stopping zombies? was originally posted at Absoblogginlutely!