Antivirus: May 2007 Archives

Symantec Antivirus (SAV) is detecting a component of Spybot Search and Destroy as a Trojan Horse. This detection seems to have started with the latest AV definition updates (5/30). The file is blindman.exe.

According to the Safer Networking site, this file does nothing on its own. It is used to prevent the boot delay caused by their method of disabling unwanted autorun items.

**update** - Symantec has announced that they will be releasing an update to fix this false positive this evening. It's already available in Rapid Release if you need it now.

The antivirus gateway detected an interesting email this evening.

Envelope From: nobody@[edited]
From: cmplntscentercase[at]bbb.org
Originating IP: 207.210.105.78, which ARIN lists as a Canadian address.
Subject: Complaint Case Number: 363619942 Joe User
(It contained the name of the recipient.)
File: Embedded inside the attachment complaint.doc is an EXE named 'MicrosoftWordhasencounteredaproblemandthedocumentwasnotfullyloaded.Pleasedouble-clickontheicontoreloadmsword.exe'

There were multiple detections on this file:
W32/Heur-Dropper.gen.a-5e19-3e29
W32/Generic
Exploit/RTFEmbeddedExe

This email is similar to http://orwwa.bbb.org/release.html?value=61 from earlier this year. In that instance the users were tricked into clicking on a malicious link rather than conned into opening a viral attachment. According to this SANS diary entry, the link was to an EXE inside an RTF document. So while the style of attack isn't new, this email could indicate a new spam run of this virus.

Here's a Sunbelt blog entry on the same virus. In that blog entry Alex Eckelberry reports that the file downloads more malware, tightvnc and winrar. He also has the body of the message, which confirms my suspicion based on the message subject that this is highly targeted.
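The Exploit/RTFEmbeddedExe detection above fires on exactly the trick described: an RTF (renamed to .doc) that carries an OLE "Package" object whose native data is a PE executable, plus a long file name begging the user to double-click it. Below is an added example, not code from the original post, the SANS diary or any vendor, showing how a gateway-side checker can pull `\objdata` blobs out of an RTF, walk the OLE1 embedded-object header (the layout from Microsoft's [MS-OLEDS] EmbeddedObject structure: version, format ID, three length-prefixed names, then native data length and data) and report whether the payload is a PE image. The sample RTF and its fake PE are constructed inline so the script runs offline; they are not the real complaint.doc.

```python
from __future__ import annotations
import binascii
import re
import struct

# Regex for an RTF destination group of the form {\*\objdata <hex...>}.
# Real documents wrap the hex across many lines, so whitespace is allowed.
OBJDATA_RE = re.compile(rb"\{\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")


def extract_objdata(rtf: bytes) -> list[bytes]:
    """Return every \\objdata blob in the RTF, hex-decoded."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        blobs.append(binascii.unhexlify(hexstr))
    return blobs


def parse_ole1(blob: bytes):
    """Parse an OLE1 EmbeddedObject (format ID 2); return (class_name, native_data) or None."""
    try:
        version, fmt = struct.unpack_from("<II", blob, 0)
        if fmt != 2:                 # only embedded objects carry native data this way
            return None
        off = 8
        names = []
        for _ in range(3):           # ClassName, TopicName, ItemName (length-prefixed, NUL-terminated)
            (n,) = struct.unpack_from("<I", blob, off)
            off += 4
            names.append(blob[off:off + n].rstrip(b"\x00"))
            off += n
        (dlen,) = struct.unpack_from("<I", blob, off)
        off += 4
        return names[0], blob[off:off + dlen]
    except struct.error:
        return None


def find_pe(blob: bytes) -> int:
    """Offset of a PE image inside blob (MZ header whose e_lfanew points at 'PE\\0\\0'), or -1."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[pe_off:pe_off + 4] == b"PE\x00\x00":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def scan_rtf(rtf: bytes) -> list[dict]:
    """One finding per embedded object: OLE class, size, and whether a PE is inside."""
    findings = []
    for i, blob in enumerate(extract_objdata(rtf)):
        parsed = parse_ole1(blob)
        cls = parsed[0].decode("ascii", "replace") if parsed else "?"
        pe_off = find_pe(blob)
        findings.append({"object": i, "class": cls, "size": len(blob),
                         "pe_offset": pe_off, "embedded_exe": pe_off != -1})
    return findings


# --- constructed sample input (hypothetical, not the real attachment) ---------
def _fake_pe() -> bytes:
    # DOS stub with e_lfanew = 0x40 pointing at a bare PE signature.
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)
    hdr += struct.pack("<I", 0x40)
    hdr += b"PE\x00\x00" + b"\x00" * 20
    return bytes(hdr)


def _ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    cn = class_name + b"\x00"
    out = struct.pack("<II", 0x00000501, 2)            # OLE version, FormatID=2 (embedded)
    out += struct.pack("<I", len(cn)) + cn               # ClassName
    out += struct.pack("<I", 0) + struct.pack("<I", 0)   # empty TopicName, ItemName
    out += struct.pack("<I", len(native)) + native       # NativeDataSize + NativeData
    return out


SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Times New Roman;}}\n"
    b"\\pard Please double-click on the icon to reload the document.\\par\n"
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n"
    + binascii.hexlify(_ole1_embedded(b"Package", _fake_pe())) + b"\n}}\n}"
)

if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        print(f)
```

The check keys on the decoded object rather than on the file extension or the `\objclass` string, since both are attacker-controlled; a Package object that is not a PE (a harmless embedded text file, say) is reported with `embedded_exe` false so it can be allowed through.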

PC Mag has an article with the results of the latest av-test.org Antivirus bakeoff.

I'm kind of surprised Symantec did so well. It seems like just a few years ago they were days behind other vendors in releasing updates. They even beat McAfee, who only had an 87.28% detection rate.

The HTTP gateway detected the Delf.aki virus in a file, profilewatcher_setup.exe, which one of my users tried to download. Just for kicks I uploaded it to the VirusTotal site, and here's the result.

File size: 985897 bytes
MD5: 837c3036adf45c11a45c8a2f356c060e
SHA1: ef7311d94a80962d886befefb6bc08f03941f3e4
packers: BINARYRES

| Antivirus | Version | Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.5.21.1 | 05.22.2007 | no virus found |
| AntiVir | 7.4.0.27 | 05.22.2007 | DR/Delf.aki |
| Authentium | 4.93.8 | 05.23.2007 | no virus found |
| Avast | 4.7.997.0 | 05.22.2007 | no virus found |
| AVG | 7.5.0.467 | 05.22.2007 | no virus found |
| BitDefender | 7.2 | 05.23.2007 | no virus found |
| CAT-QuickHeal | 9.00 | 05.22.2007 | no virus found |
| ClamAV | devel-20070416 | 05.23.2007 | no virus found |
| DrWeb | 4.33 | 05.22.2007 | no virus found |
| eSafe | 7.0.15.0 | 05.21.2007 | Win32.Delf.aki |
| eTrust-Vet | 30.7.3654 | 05.23.2007 | no virus found |
| Ewido | 4.0 | 05.22.2007 | no virus found |
| FileAdvisor | 1 | 05.23.2007 | no virus found |
| Fortinet | 2.85.0.0 | 05.22.2007 | W32/Delf.AKI!tr.bdr |
| F-Prot | 4.3.2.48 | 05.22.2007 | no virus found |
| F-Secure | 6.70.13030.0 | 05.23.2007 | Backdoor.Win32.Delf.aki |
| Ikarus | T3.1.1.8 | 05.22.2007 | Backdoor.Win32.Delf.aki |
| Kaspersky | 4.0.2.24 | 05.23.2007 | Backdoor.Win32.Delf.aki |
| McAfee | 5036 | 05.22.2007 | no virus found |
| Microsoft | 1.2503 | 05.22.2007 | no virus found |
| NOD32v2 | 2285 | 05.22.2007 | no virus found |
| Norman | 5.80.02 | 05.22.2007 | no virus found |
| Panda | 9.0.0.4 | 05.22.2007 | no virus found |
| Prevx1 | V2 | 05.23.2007 | no virus found |
| Sophos | 4.17.0 | 05.21.2007 | no virus found |
| Sunbelt | 2.2.907.0 | 05.17.2007 | no virus found |
| Symantec | 10 | 05.23.2007 | no virus found |
| TheHacker | 6.1.6.120 | 05.21.2007 | no virus found |
| VBA32 | 3.12.0 | 05.22.2007 | Backdoor.Win32.Delf.aki |
| VirusBuster | 4.3.23:9 | 05.22.2007 | no virus found |
| Webwasher-Gateway | 6.0.1 | 05.22.2007 | Trojan.Delf.aki |

As Steve Spurrier would say while coaching the Redskins, "6 and 10, not too good." VirusTotal will pass this file on to the vendors who didn't detect it and they'll "coach 'em up."

A posting on the MyITForum.com SMS discussion list reports that Symantec Antivirus 10.x and above may include a capicom.dll.

MS07-028 says that third-party applications that redistribute the Software Development Kit version of CAPICOM will need to be updated.

It is not known yet whether we can just replace the vulnerable version of capicom.dll ourselves, or whether we need to wait for a SAV update. If it's the latter, can this be a LiveUpdate fix, or will an MSP be issued?

Regular readers of my blog know that one of my many duties at work is to administer what was once known as IMLogic (now known as Symantec IM Manager). I've complained loudly and frequently here ever since Symantec bought IMLogic. This post is more of the same. ;)

IMLogic would keep me up to date about new releases. Symantec released version 8.2 without letting me know.

IMLogic worked hard to stay on top of new developments in the IM industry and let me know what actions I should take. Yahoo announced their web IM a few days ago. I still haven't heard from Symantec about the best way to make sure that Yahoo Web IM is either blocked or monitored.

When Symantec bought IMLogic and Microsoft bought Sybari, I predicted that the Sybari - IMLogic integration was not long for this world. As I read the Symantec IMManager release notes for version 8.2, I see that Antigen for IM is no longer integrated. Here's a support article about that.

Fortunately, it seems this version doesn't have a lot that's new that I care about:

Real-time Enterprise Vault export capability
Groups and Group policies based on IP address ranges
File transfer control by type
Internationalization And Localization Changes
VMWare Support
Oracle 10g Support

Unfortunately, 8.1, the version I'm using, is EoL in the fall.