Antivirus: December 2006 Archives

F-Secure blogged this morning about a large-scale spam run underway sending messages with the attachment postcard.exe and the subject "Happy New Year!"

I saw that at my site last night. Actually, I probably wouldn't have even noticed all those detections, but I re-enabled the filters on my BlackBerry so it doesn't get filled up with all the phishing detection notifications.

eEye has sent out an email alert about a new worm they are calling Big Yellow attacking systems running versions of Symantec Antivirus and Symantec Client Security.

This is the same vulnerability that was patched by Symantec in June 2006. There were previous reports of exploitation on EDU networks back in November, but according to eEye it is starting to gain some traction.

Check if you're running a vulnerable version of SAV 10 or 10.1 here. And as always practice defense in depth by running a personal firewall, particularly when not on a private network.

On the heels of resolving the Bloodhound.Exploit.104 virus alert last night, I was greeted with a Bloodhound.Exploit.106 alert this morning. When our file server was indexed by SharePoint, the antivirus on the file server quarantined a Word document. I believe this detection is a false positive.

Bloodhound.Exploit.106 is a heuristic detection for an Unspecified Vulnerability in Microsoft Word (as described in Microsoft Security Advisory 929433).

The URL I have used in the past to submit files no longer seems to be available, so I enabled the quarantine option to submit the file to Symantec. It was the first time I've used that method of submission. They say the reply time for reporting this false positive is two days. I hope it doesn't take that long.

This evening I received several virus alerts from a computer indicating a Bloodhound.Exploit.104 infection in a file in the temporary internet files folder. The filename ended in "videojs.js".

Bloodhound is Symantec Antivirus's attempt at a heuristic detection. The writeup at the Symantec website indicates that Bloodhound.Exploit.104 is a heuristic detection for Microsoft Internet Explorer DHTML Node Normalize Vulnerability (as described in Microsoft Security Bulletin MS06-072).

A quick Google search revealed that videojs.js is a JavaScript file used on the website video.google.com. A visit to that website, and soon I too had Symantec detecting Bloodhound.Exploit.104 (and the video would not load). I am using the 12/12 rev 19 virus definitions.

I looked at www.symantec.com/avcenter and found that there is a newer virus definition available. I used LiveUpdate to update to 12/12 rev 51. This seems to have solved the problem.