What's wrong w/ my Norton Antivirus? Does this virus trigger your NAV?

MDesigner

Platinum Member
Apr 3, 2001
I don't get it. This virus (sdbot backdoor) got past me somehow. And this is just plain stupid.. I can actually right click syscfg32.exe and say "Scan with Norton Antivirus", and Norton says it's OK! Mindboggling....

So, I was hoping someone could try this out. Grab the file at http://www.jorsm.com/~bears/syscfg32.zip and unzip that, and right click the file & scan it and see what Norton says.

KEEP IN MIND, THIS IS A VIRUS. What sdbot will do is connect to an IRC server and then hackers have access to your hard drives. So do NOT RUN IT. Just scan it to confirm that Symantec really goofed up on this one.

Thanks!
 

MDesigner

Platinum Member
Apr 3, 2001
I had a friend try this out.. same result. Norton said it was OK.

Looks like Symantec had better put their foot in their mouth. They said if I had the latest defs, it would detect it. NOT! This must be a recompiled sdbot that doesn't exactly match the one Symantec caught.
 

crisp82

Golden Member
Apr 8, 2002
I would e-mail Symantec and let them know. In the meantime, download the removal tool from their website and use it.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Originally posted by: MDesigner
I had a friend try this out.. same result. Norton said it was OK. Looks like Symantec had better put their foot in their mouth. They said if I had the latest defs, it would detect it. NOT! This must be a recompiled sdbot that doesn't exactly match the one Symantec caught.

I sent it to the response team to see what's up, I'll follow up when I know more.
Bill


 

MDesigner

Platinum Member
Apr 3, 2001
My guess is that someone recompiled the sdbot code (changing a couple things) and thus a different .exe resulted, one that won't be detected by Norton.
 

sean2002

Golden Member
Apr 9, 2001
NOD32 missed it too. I even ran the program, with traffic to ports not in my rule set to block; the program did try to connect, so I let it connect once and lo and behold I got someone from IP 213.25.146.11 trying to connect to it.
 

MDesigner

Platinum Member
Apr 3, 2001
Originally posted by: sechs
This is why you need a firewall. It should block this.

Why would a firewall help? I don't even know how this got in in the first place...but I probably (like a fool) downloaded something shady and this came along with it.. somehow undetected. A firewall wouldn't have prevented this.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Why would a firewall help? I don't even know how this got in in the first place...but I probably (like a fool) downloaded something shady and this came along with it.. somehow undetected. A firewall wouldn't have prevented this.

I believe he was referring to a personal firewall such as Norton Internet Security, which wouldn't have stopped you downloading and running the trojan (NAV should have done that, I'm looking into it), but would have prevented it from connecting out to the internet and to IRC without your permission.

Bill


 

MDesigner

Platinum Member
Apr 3, 2001
Originally posted by: bsobel
Why would a firewall help? I don't even know how this got in in the first place...but I probably (like a fool) downloaded something shady and this came along with it.. somehow undetected. A firewall wouldn't have prevented this.

I believe he was refering to a personal firewall such as Norton Internet Security, which wouldn't have stopped you downloading and running the trojan (NAV should have done that, I'm looking into it), but would have prevented it from connecting out to the internet and to irc without your permission.

Bill

Hmm... well, I do have a LinkSys wireless router w/ a firewall built in. Maybe there's some sort of option I should've turned on :) since I don't connect to IRC ever :)
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Hmm... well, I do have a LinkSys wireless router w/ a firewall built in. Maybe there's some sort of option I should've turned on :) since I don't connect to IRC ever :)

That type of router is designed to protect you from external threats, an attacker trying to connect to your machine's file sharing (for example). The personal firewalls (NIS, ZoneAlarm, Tiny, etc.) run on the box and additionally can provide control of which running programs can connect outbound (they deal with internal threats [and external if you didn't have the Linksys]).

Bill
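
The distinction Bill draws above, a NAT router screening inbound traffic versus a host-based firewall deciding which running programs may connect out, is easiest to see as a policy applied to connection records. The script below is an added example and is not code from the thread or from any of the products named in it. It assumes a constructed netstat-style log format (process, PID, direction, remote address, state) and an invented per-program egress allow list standing in for the rules a personal firewall accumulates as you answer its prompts; the IP addresses are documentation ranges, not the one sean2002 reported.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Well-known IRC ports (plain and TLS). An sdbot-style backdoor phones home to
# an IRC server, so outbound traffic to these ports from a workstation that
# never uses IRC is exactly the signal a host-based firewall would surface.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Per-program egress allow list: the policy a personal firewall (NIS, ZoneAlarm,
# Tiny) builds up as you answer its prompts. Assumed for this example.
ALLOWED_OUTBOUND = {
    "iexplore.exe": {80, 443},
    "outlook.exe": {25, 110, 143, 993, 995},
}

# Constructed netstat-style records, not real output:
#   <process> <pid> <direction> <remote_ip>:<remote_port> <state>
SAMPLE_LOG = """\
iexplore.exe 1188 OUT 198.51.100.7:80 ESTABLISHED
outlook.exe 1400 OUT 192.0.2.10:143 ESTABLISHED
syscfg32.exe 1724 OUT 198.51.100.23:6667 SYN_SENT
syscfg32.exe 1724 IN 203.0.113.45:1045 ESTABLISHED
iexplore.exe 1188 OUT 198.51.100.7:8080 ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<dir>IN|OUT)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+(?P<state>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    proc: str
    pid: int
    remote: str
    port: int
    reason: str


def evaluate(line: str) -> Optional[Finding]:
    """Apply the egress policy to one record; None means it would be allowed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m["dir"] != "OUT":
        # Inbound is what the NAT router already screens; the host firewall
        # adds control over what *running programs* are allowed to send out.
        return None
    proc, pid = m["proc"].lower(), int(m["pid"])
    remote, port = m["ip"], int(m["port"])
    if port in IRC_PORTS:
        return Finding(proc, pid, remote, port, "outbound IRC from workstation")
    allowed = ALLOWED_OUTBOUND.get(proc)
    if allowed is None:
        # Default deny: a program nobody has approved asks to talk to the
        # internet. This is the prompt that would have caught syscfg32.exe.
        return Finding(proc, pid, remote, port, "program not permitted to connect out")
    if port not in allowed:
        return Finding(proc, pid, remote, port, f"port {port} not in allow list for {proc}")
    return None


def scan(log: str) -> List[Finding]:
    """Return every record the egress policy would have blocked (or prompted on)."""
    return [f for f in (evaluate(ln) for ln in log.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"BLOCK {f.proc}[{f.pid}] -> {f.remote}:{f.port}  ({f.reason})")
```

On the constructed log the inbound record from the attacker is ignored (that is the router's job), while the two outbound records that break policy, the backdoor reaching an IRC port and the browser using a port it was never approved for, are the ones a host firewall would stop or prompt on.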


 

mcveigh

Diamond Member
Dec 20, 2000
I just downloaded it and scanned it. Norton found it :confused:

my virus defs are from 10/30.
hope this helps
 

MDesigner

Platinum Member
Apr 3, 2001
Originally posted by: mcveigh
I just downloaded it and scanned it. norton found it:confused:

my virus defs are from 10/30.
hope this helps

This is VERY strange. I wonder why this didn't work for the rest of us.
 

mcveigh

Diamond Member
Dec 20, 2000
SOLVED IT! :D

You need to set the Bloodhound heuristics to highest; by default they are set to default.

You need to do this in two places, under Auto-Protect and manual scan.

I also always set AV scans to run every night, and virus updates to be done automatically.
 

CTho9305

Elite Member
Jul 26, 2000
Originally posted by: mcveigh
SOLVED IT! :D

You need to set the Bloodhound heuristics to highest; by default they are set to default.

You need to do this in two places, under Auto-Protect and manual scan.

I also always set AV scans to run every night, and virus updates to be done automatically.

That sucks... will a future LiveUpdate make it detectable with default settings?
 

mcveigh

Diamond Member
Dec 20, 2000
Originally posted by: CTho9305
That sucks... will a future LiveUpdate make it detectable with default settings?

Why does that suck? I agree it should catch it, but I have never had a false positive using the highest settings.
 

CTho9305

Elite Member
Jul 26, 2000
Originally posted by: mcveigh
Why does that suck? I agree it should catch it, but I have never had a false positive using the highest settings.

Does it affect performance?
 

mcveigh

Diamond Member
Dec 20, 2000
Originally posted by: CTho9305
Does it affect performance?

Not that I have noticed.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Does it affect performance?

It can slightly; with higher settings more of the file is run through the heuristics. But this only occurs once per session (unless the file is written to), so you're not likely to actually notice any difference.
Bill
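
Three points in this thread fit together: MDesigner's guess that a recompiled sdbot produces a different .exe that an exact definition no longer matches, mcveigh's finding that raising Bloodhound from default to highest catches it, and Bill's explanation that higher settings push more of the file through the heuristics. The model below is an added example, not the thread's or Symantec's code, and it makes no claim about how Bloodhound actually works. The "executables" are constructed byte strings, the indicator weights, threshold and per-level inspection windows are invented for the demo, and the detection names are placeholders.

```python
import hashlib
from typing import Dict, List, Optional, Tuple


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Stand-in for header and code bytes that an exact signature covers but that
# carry no behavioural indicators on their own.
PAD = b"\x00" * 96

# Constructed stand-ins for executables; none of these are real binaries.
KNOWN_SDBOT = b"MZ" + PAD + b"NICK sdb0t\r\nJOIN #ctl\r\nPRIVMSG #ctl :up\r\ncmd.exe /c "
# Same functionality, rebuilt with a different nick, channel and padding, so the
# bytes (and therefore the file hash) no longer match the sample the vendor has.
RECOMPILED_SDBOT = (b"MZ" + PAD + b"\x90" * 8
                    + b"NICK w1nxp\r\nJOIN #drones\r\nPRIVMSG #drones :up\r\ncmd.exe /c ")
# A legitimate IRC client shares the protocol verbs but never spawns a shell.
BENIGN_IRC_CLIENT = b"MZ" + PAD + b"NICK %s\r\nJOIN %s\r\nPRIVMSG %s :%s\r\n"

SAMPLES = {
    "known_sdbot": KNOWN_SDBOT,
    "recompiled_sdbot": RECOMPILED_SDBOT,
    "benign_irc_client": BENIGN_IRC_CLIENT,
}

# Exact-match definitions: what "the latest defs" amount to for one sample.
SIGNATURES: Dict[str, str] = {sha1_hex(KNOWN_SDBOT): "Backdoor.Sdbot"}

# Weighted behavioural indicators (weights invented for the example). IRC verbs
# alone score 3, so a real IRC client is not flagged; IRC verbs plus spawning a
# shell score 6 and trip the threshold.
INDICATORS: List[Tuple[str, bytes, int]] = [
    ("irc_nick", b"NICK ", 1),
    ("irc_join", b"JOIN ", 1),
    ("irc_privmsg", b"PRIVMSG ", 1),
    ("spawns_shell", b"cmd.exe /c", 3),
]
THRESHOLD = 5

# Sensitivity level -> how many leading bytes the heuristic engine examines.
# Models "with higher settings more of the file is run through the heuristics";
# None means the whole file. Invented values.
INSPECT_BYTES: Dict[str, Optional[int]] = {"default": 64, "highest": None}


def heuristic_score(data: bytes, level: str) -> int:
    limit = INSPECT_BYTES[level]
    window = data if limit is None else data[:limit]
    return sum(w for _, pat, w in INDICATORS if pat in window)


def scan(data: bytes, level: str = "default") -> str:
    """Signature lookup first, then heuristics at the given sensitivity."""
    hit = SIGNATURES.get(sha1_hex(data))
    if hit is not None:
        return hit
    if heuristic_score(data, level) >= THRESHOLD:
        return "Heuristic.IRCBackdoor"
    return "OK"


def report(level: str) -> Dict[str, str]:
    """Verdict for every sample at one sensitivity level."""
    return {name: scan(data, level) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for level in ("default", "highest"):
        print(level, report(level))
```

At the default level the known sample is caught by its signature, the recompiled variant scores nothing because the indicators sit past the inspection window, and the scanner reports it OK, which is the behaviour the thread describes. At the highest level the whole file is examined, the variant trips the threshold, and the IRC client still passes because the weights distinguish "speaks IRC" from "speaks IRC and runs commands"; that weighting is what keeps a stricter setting from turning into the false positives mcveigh says he has never seen.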