Norton (NAV 2002) does not detect hotfix.exe as a threat even after update

Discussion in 'Anti-Virus' started by Virus Guy, Dec 5, 2010.

  1. Virus Guy

    Virus Guy Guest

    To re-cap: A co-worker brought in her home XP machine on Nov 29 because
    it was non-functional after a recent web-browsing session earlier that
    day. It was infected with the fraud AV known as "ThinkPoint".

    The malware was 100% contained within the file "hotfix.exe" which was
    launched from an auto-run startup key. Removal of the file from the
    system's hard drive was the only action needed to restore the system,
    but one or two registry entries were also deleted just to keep things
    clean.

    A scan by Virustotal of the file soon after it was removed from the
    system resulted in 3 positive hits out of a possible 43.

    On Dec 3, a submission of the same file to VT resulted in 37 hits.

    However, even after updating Norton Antivirus 2002 (NAV) with the Dec 3
    version of the intelligent updater daily update package:

    http://definitions.symantec.com/defs/20101204-002-i32.exe

    and then this:

    http://definitions.symantec.com/defs/20101204-002-x86.exe

    Note: I'm not quite sure what the difference is between those two
    files. They can be found linked from here:

    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    So even after downloading and running each file separately, my
    installation of NAV 2002 did not detect the file "hotfix.exe" as a
    threat, even though NAV was telling me that its definitions were
    dated DEC 2, 2010.

    So I fired off an e-mail to Symantec, asking them why my NAV product
    (which I did not identify as NAV 2002) was not detecting hotfix.exe even
    after the definition update. The response is copied below.

    Basically, the response is that I should be using the "rapid response"
    update package, located here:

    http://definitions.symantec.com/defs/rapidrelease/symrapidreleasedefsi32.exe

    So I downloaded and ran it, but still NAV does not recognize hotfix.exe
    as a threat.

    I'd like to know if anyone else, particularly those running some version
    of NAV or any other Symantec AV product, would or does detect this file
    as a threat.

    The file hotfix.exe can be found here:

    http://www.fileden.com/files/2008/7/19/2010382//HOTFIX.ZIP

    That is a password-protected zip file. The password is "a" (no
    quotes). This will unzip to hotfix.exe. Feel free to upload that file
    to VirusTotal for your own curiosity or verification. If your AV
    program is working, it should quarantine the file immediately after it
    is unzipped.

    =========== Begin symantec support response ============

    This message is an automatically generated reply -- do not reply to this
    message.

    This system is designed to analyze and process suspicious file
    submissions into Symantec Security Response and cannot accept
    correspondence or inquiries.

    ---------------------------------------------------------------------
    Submission Summary
    ---------------------------------------------------------------------

    We have processed your submission (Tracking #184126xx) and your
    submission is now closed. The following is a report of our findings for
    the files in your submission:

    File: HOTFIX.EXE
    Machine: Machine
    Determination: This file is detected as 'SecurityEssentialFraud, ' with
    our existing Rapid Release definition set.

    ---------------------------------------------------------------------
    Customer Notes
    ---------------------------------------------------------------------

    The file hotfix.exe is a fake-AV malware and is detected as
    SecurityEssentialFraud by the Symantec scanner on VirusTotal.com.
    However it is not detected by my Norton Antivirus product even though I
    have updated NAV with the SARC Intelligent Updater package dated Dec 2.
    Please explain why the Intelligent Updater package is not detecting this
    threat.

    ---------------------------------------------------------------------
    Developer Notes
    ---------------------------------------------------------------------

    HOTFIX.EXE known exploit or attack code which can be delivered by a
    number of channels to compromise a system


    ---------------------------------------------------------------------
    Remediation
    ---------------------------------------------------------------------

    Existing Rapid Release definitions contain the necessary updates for the
    files in your submission.

    Downloading and Installing Rapid Release Definitions:

    1. Open your Web browser. If you are using a dial-up connection, connect
    to any Web site, such as http://www.symantec.com

    2. Click on the following link to open our Rapid Release FTP Site. If it
    does not go to the FTP Site (this could take a minute or so if you have
    a slow connection), copy and paste the link into the address bar of your
    Web browser, and then press Enter.

    Current Symantec Rapid Release Definitions
    ftp://ftp.symantec.com/AVDEFS/norton_antivirus/rapidrelease/

    3. Download the appropriate file to update your product. To identify the
    correct definition file format for your product, please review the
    information here:

    Symantec Rapid Release Virus Definitions
    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    4. When a download dialog box appears, save the file to the Windows
    desktop. Either double-click the downloaded file and follow the prompts,
    or refer to your product documentation.

    This message was generated by Symantec Security Response automation.

    Should you have any questions about your submission, please contact our
    regional technical support from the Symantec Web site, and give them the
    tracking number included in this message.

    Symantec Technical Support
    http://www.symantec.com/techsupp/
     
    Virus Guy, Dec 5, 2010
    #1
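    The post traces the infection to an executable launched from an auto-run startup key. The following is an added example, not code from the thread or from Symantec: a read-only PowerShell script that lists the Run/RunOnce entries, resolves each command to its executable, and reports a SHA256 that can be looked up on VirusTotal. It assumes PowerShell 4 or later (for Get-FileHash), so it targets a current Windows host rather than the XP machine described above; the "suspicious" heuristic (anything outside Program Files or Windows) is a constructed rule of thumb, not a detection signature.

    ```powershell
    # Added example: enumerate autorun Run/RunOnce keys and hash the referenced executables.
    # Read-only: nothing is deleted or modified.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    # Extract the executable path from a command line such as:  "C:\dir\hotfix.exe" /silent
    function Get-ExePath([string]$cmd) {
        if ($cmd -match '^\s*"([^"]+)"')   { return $Matches[1] }
        if ($cmd -match '^\s*(\S+\.exe)')  { return $Matches[1] }
        return $cmd.Trim()
    }

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
            if ($p.Name -like 'PS*') { continue }
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath ([string]$p.Value)))
            $hash = if (Test-Path -LiteralPath $exe) {
                (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            } else { 'MISSING' }   # dangling entry: file already removed, key left behind
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Exe        = $exe
                Sha256     = $hash
                # Constructed heuristic: fake-AV droppers rarely install under these two trees
                Suspicious = ($exe -notmatch '^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\')
            }
        }
    }
    ```

    Entries reported as MISSING are the leftover registry keys the post mentions deleting after the file itself was removed; pipe the output to Format-Table or Export-Csv to keep a record before cleaning up.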

  2. RayLopez99

    RayLopez99 Guest

    Good catch. To get rid of registry keys automatically in XP, and I've
    not had a problem yet even with the 'aggressive' option set, is Revo
    Uninstaller Pro. Works like a charm to find and get rid of all
    registry entries, though I'm sure as a professional you probably like
    using RegEdit manually.

    RL
     
    RayLopez99, Dec 5, 2010
    #2