Bloodhound.Exploit.45

CJM

Our Symantec AV scanner has been going berserk overnight reporting that
loads of files are infected with this exploit. AFAIK Bloodhound is the name
given to heuristic-identified threats, so it's saying that this MAY be a
threat.

We're fairly sure that this isn't the case, and that these are false
positives. We're getting the rapid-release updates, so it may be just an
over-enthusiastic response to the latest threats to MS vulnerabilities...

Has anyone else noticed the same thing?

Chris
 
Sean C

Hi Chris,

I am experiencing the same thing; I have received about 200 alerts.
I am waiting for Symantec to pick up the phone about this.
It seems it has also ripped out a macro from a lot of our users' Excel
spreadsheets.
You may want to check if you have the same problem.
I cannot find anything on Symantec's website regarding this exploit, or on
the web; this is the first thing I have found.

Sean
 
CJM

Sean C said:
Hi Chris,

I am experiencing the same thing; I have received about 200 alerts.
I am waiting for Symantec to pick up the phone about this.
It seems it has also ripped out a macro from a lot of our users' Excel
spreadsheets.
You may want to check if you have the same problem.
I cannot find anything on Symantec's website regarding this exploit, or on
the web; this is the first thing I have found.

Sean

Apparently, we've just had another AV update (v14?) and when we re-scan, it
doesn't suffer the same false-positives...

I'll update this as I find out more...

Chris
 
Sean C

Apparently Symantec responded to a Microsoft Security Bulletin, and
messed up that def in the rapid release. They have since removed it and
today's def update corrects the problem.
But if you have the macro problem like me, then once the new definition
is deployed to the machine in question you can restore the
quarantined file from the Local AV Quarantine and it should fix the
macro.
Thanks for your help Chris

Sean
 
GreenTwig

Sean said:
Apparently Symantec responded to a Microsoft Security Bulletin, and
messed up that def in the rapid release. They have since removed it and
today's def update corrects the problem.
But if you have the macro problem like me, then once the new definition
is deployed to the machine in question you can restore the
quarantined file from the Local AV Quarantine and it should fix the
macro.
Thanks for your help Chris

Sean

I've been experiencing this issue with Symantec and the macro issue in
Word and Excel as well... Can anyone please confirm or deny Sean's
comments? Greatly appreciate the post! :)

Rolly
 
David H. Lipman

From: "CJM" <[email protected]>

| Our Symantec AV scanner has been going berserk overnight reporting that
| loads of files are infected with this exploit. AFAIK Bloodhound is the name
| given to heuristic-identified threats, so it's saying that this MAY be a
| threat.
|
| We're fairly sure that this isn't the case, and that these are false
| positives. We're getting the rapid-release updates, so it may be just an
| over-enthusiastic response to the latest threats to MS vulnerabilities...
|
| Has anyone else noticed the same thing?
|
| Chris
|
| --
| (e-mail address removed)
| [remove the obvious bits]
|

Are you sure it is "bloodhound.exploit.45" and not "bloodhound.exploit.48" ?
 
GreenTwig

David H. Lipman said:
Are you sure it is "bloodhound.exploit.45" and not "bloodhound.exploit.48" ?

Symantec is seeing it as "bloodhound.exploit.45"
Though I have noticed we have new signatures available this morning.

Rolly
 
|Ammo|

This was a problem with the Symantec Definitions dated 10/11 - they
are too sensitive and are creating a lot of false positives. I have
confirmed this with my Symantec Rep. 45 was pulled from the 10/12 defs
and replaced with 47.
 
Nikolai

I am running a Win2k3 system and have managed to pick up
Bloodhound.Exploit.45 off a web page or something. I have run all
Windows updates and have applied the fix that addresses this image
engine exploit and restarted (twice). I have run a Norton scan and it
has found nothing. But when I open any Word docs with EMF or WMF images
I am getting real-time scan issues:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Bloodhound.Exploit.45

does anyone know how I can completely remove this little pest from my
system?

Thanks in advance.
 
David H. Lipman

From: "Nikolai" <[email protected]>

| I am running a Win2k3 system and have managed to pick up
| Bloodhound.Exploit.45 off a web page or something. I have run all
| Windows updates and have applied the fix that addresses this image
| engine exploit and restarted (twice). I have run a Norton scan and it
| has found nothing. But when I open any Word docs with EMF or WMF images
| I am getting real-time scan issues:
|
| Scan type: Realtime Protection Scan
| Event: Virus Found!
| Virus name: Bloodhound.Exploit.45
|
| does anyone know how I can completely remove this little pest from my
| system?
|
| Thanks in advance.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare }, 4 batch files, 6 Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using the Sophos, Trend, Kaspersky and McAfee Anti Virus Command
Line Scanners to remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
 
Ian Kenefick

Nikolai said:
I am running a Win2k3 system and have managed to pick up
Bloodhound.Exploit.45 off a web page or something. I have run all
Windows updates and have applied the fix that addresses this image
engine exploit and restarted (twice). I have run a Norton scan and it
has found nothing. But when I open any Word docs with EMF or WMF images
I am getting real-time scan issues:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Bloodhound.Exploit.45

does anyone know how I can completely remove this little pest from my
system?

Thanks in advance.

All detected files should be submitted to Symantec since this is a
heuristic detection. Details on how to do this are available here:
http://www.ik-cs.com/suspicious-files.htm

There is a chance that this is a false alarm. You should of course
also take David's advice and run a full scan.
 
Nikolai

How come when I scan a Word document for a virus it scans fine with no
issues, but when I open the document and Word attempts to open an EMF
file in "C:\Documents and Settings\user\Local Settings\Temporary
Internet Files\Content.MSO" the real-time file protection goes nuts?

Like I have stated, I have run all required updates and performed scans
and can find no traces of it other than these real-time file protection
errors. I would contact Symantec if they actually had some kind of
contact form; hopefully they read the anti-virus user groups....

http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.45.html

http://www.microsoft.com/downloads/...3B-3C20-47A9-8BBD-1EA2FBB4AF96&displaylang=en

http://secunia.com/advisories/17498/
 
David H. Lipman

From: "Nikolai" <[email protected]>

| How come when I scan a Word document for a virus it scans fine with no
| issues, but when I open the document and Word attempts to open an EMF
| file in "C:\Documents and Settings\user\Local Settings\Temporary
| Internet Files\Content.MSO" the real-time file protection goes nuts?
|
| Like I have stated, I have run all required updates and performed scans
| and can find no traces of it other than these real-time file protection
| errors. I would contact Symantec if they actually had some kind of
| contact form; hopefully they read the anti-virus user groups....
|
| http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.45.html
|
|
http://www.microsoft.com/downloads/...3B-3C20-47A9-8BBD-1EA2FBB4AF96&displaylang=en
|
| http://secunia.com/advisories/17498/
|

Dump the contents of the IE cache !
Start --> settings --> control panel --> Internet options --> delete files
 
Nikolai

Thanks Ian, I would submit the suspect EMF files but they get locked by
Word while the doc is open and cleaned up when it is closed. I would
submit my Word document but it is a commercially sensitive specification
that I am working on and I am not really able to distribute it....

I have created a test document, with the real-time protection turned off,
that causes the virus alert with real-time protection turned on. I will forward
this and see what feedback I get.

Thanks
 
Ian Kenefick

Nikolai said:
Thanks Ian, I would submit the suspect EMF files but they get locked by
Word while the doc is open and cleaned up when it is closed. I would
submit my Word document but it is a commercially sensitive specification
that I am working on and I am not really able to distribute it....

I have created a test document, with the real-time protection turned off,
that causes the virus alert with real-time protection turned on. I will forward
this and see what feedback I get.

Understandable. You could and should explain this to Symantec. Perhaps
they have a workaround for this situation. You could also disable
Heuristics within Norton Antivirus... although I am not sure how much
this would affect its detection rate. I am not very familiar with
recent versions.
 
Nikolai

Well I submitted the file to Symantec Security and the scan came back
as clean.

I can only conclude that this is an issue similar to those false
positives as described above. I would have expected a higher level of
quality for the virus definitions from a company that charges through
the nose for its product. Thanks Symantec you suck.
 
David H. Lipman

From: "Nikolai" <[email protected]>

| Well I submitted the file to Symantec Security and the scan came back
| as clean.
|
| I can only conclude that this is an issue similar to those false
| positives as described above. I would have expected a higher level of
| quality for the virus definitions from a company that charges through
| the nose for its product. Thanks Symantec you suck.

Did you dump the IE cache as I suggested ?
 
Nikolai

Yes, I dumped the IE cache and it made no difference. I have also tested
and confirmed this issue on other users' PCs that run the same virus
definitions as me.

I am currently using Symantec AntiVirus Corporate Edition, v 8.1.0.825,
scan engine 4.2.0.7, virus definitions 9/Nov/2005 rev. 24.

I have just changed all my embedded images to JPGs and I can continue
my work unimpeded by virus alerts....
 
Ian Kenefick

Nikolai said:
Yes, I dumped the IE cache and it made no difference. I have also tested
and confirmed this issue on other users' PCs that run the same virus
definitions as me.

I am currently using Symantec AntiVirus Corporate Edition, v 8.1.0.825,
scan engine 4.2.0.7, virus definitions 9/Nov/2005 rev. 24.

I have just changed all my embedded images to JPGs and I can continue
my work unimpeded by virus alerts....

....you could have just disabled Heuristics.
 
Nikolai

OK, I tried that and it works fine. I had only come across the concept
of heuristics in research methods and didn't realise it had a meaning in
anti-virus circles. Thanks for everyone's help and suggestions.

http://antivirus.about.com/library/glossary/bldef-heur.htm
Heuristics are designed to detect previously unknown viruses, that is
to say, viruses that are newly released into the wild for which
antivirus vendors have no specific definition files to address the
threat. Unfortunately, heuristics are not very successful in catching
newly released threats - mainly due to consumer demand for an
unobtrusive scanner. To minimize the risks of false positives, some
vendors have cut back on the level of heuristics employed, or given
users configurable options to lessen or increase heuristics as desired.
As a result, traditional antivirus scanners, even those with
heuristics, are more adept at detecting and disinfecting known viruses
only. As more users become infected by viruses, particularly those with
damaging payloads, a greater degree of user involvement will be
tolerated and the level of heuristics will likely increase.
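The glossary above describes the sensitivity/false-positive trade-off in the abstract, and the thread shows it in practice: benign EMF images embedded in Word and Excel files tripped a heuristic detection until the definitions were corrected. The Python below is an added illustration of that trade-off, not code from this thread and not Symantec's actual detection logic. It walks the record chain of an EMF file using field layouts from the published EMF format (EMR_HEADER, EMR_COMMENT, EMR_EOF) and applies two rules: a precise one that only flags fields that contradict each other or the file length, and an over-broad one that flags any large or opaque record. The sample files, the 4096-byte threshold and the choice of EMR_COMMENT as the "suspicious" record type are constructed for the example.

```python
import struct

# Record types and constants from the published EMF format (MS-EMF).
EMR_HEADER = 0x01
EMR_EOF = 0x0E
EMR_COMMENT = 0x46
EMF_SIGNATURE = 0x464D4520   # little-endian bytes 20 45 4D 46, i.e. " EMF"
HEADER_SIZE = 88
BIG_RECORD = 4096            # assumed threshold for the over-broad rule, chosen for this example


def parse_emf_records(data):
    """Walk the record chain. Returns (records, error): records are
    (type, size, offset) tuples, error is None or the first inconsistency."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            return records, f"truncated record header at offset {off}"
        rtype, size = struct.unpack_from("<II", data, off)
        if size < 8 or size % 4:
            return records, f"record at offset {off} has implausible size {size}"
        if off + size > len(data):
            return records, (f"record at offset {off} claims {size} bytes "
                             f"but only {len(data) - off} remain")
        records.append((rtype, size, off))
        off += size
        if rtype == EMR_EOF:
            break
    return records, None


def check_emf_precise(data):
    """Precise rule: report only fields that contradict each other or the
    file length. A well-formed file passes however large its records are."""
    if len(data) < HEADER_SIZE:
        return [f"file shorter than EMR_HEADER ({HEADER_SIZE} bytes)"]
    reasons = []
    rtype, size = struct.unpack_from("<II", data, 0)
    sig, _version, nbytes, nrecords = struct.unpack_from("<IIII", data, 40)
    if rtype != EMR_HEADER or size < HEADER_SIZE:
        reasons.append("first record is not a valid EMR_HEADER")
    if sig != EMF_SIGNATURE:
        reasons.append(f"bad signature 0x{sig:08X}")
    if nbytes != len(data):
        reasons.append(f"header says {nbytes} bytes, file has {len(data)}")
    records, err = parse_emf_records(data)
    if err:
        reasons.append(err)
    elif not records or records[-1][0] != EMR_EOF:
        reasons.append("record chain does not end in EMR_EOF")
    elif nrecords != len(records):
        reasons.append(f"header says {nrecords} records, found {len(records)}")
    return reasons


def check_emf_aggressive(data):
    """Over-broad rule of the kind that produces false positives: flag any
    large record and any opaque EMR_COMMENT, consistent or not."""
    records, err = parse_emf_records(data)
    reasons = [err] if err else []
    for rtype, size, off in records:
        if size > BIG_RECORD:
            reasons.append(f"record 0x{rtype:02X} at {off} is {size} bytes (> {BIG_RECORD})")
        if rtype == EMR_COMMENT:
            reasons.append(f"EMR_COMMENT at {off} carries {size - 12} bytes of opaque data")
    return reasons


def emr_header(total_bytes, n_records):
    """Constructed 88-byte EMR_HEADER with plausible bounds/device fields."""
    bounds = struct.pack("<iiii", 0, 0, 99, 99)
    frame = struct.pack("<iiii", 0, 0, 2646, 2646)
    tail = struct.pack("<IIIIHHIIIiiii", EMF_SIGNATURE, 0x00010000, total_bytes,
                       n_records, 0, 0, 0, 0, 0, 1024, 768, 320, 240)
    return struct.pack("<II", EMR_HEADER, HEADER_SIZE) + bounds + frame + tail


def emr_eof():
    return struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)


def emr_comment(payload, forged_size=None):
    """EMR_COMMENT carrying opaque application data; forged_size lets the
    malformed sample lie about its own length."""
    payload += b"\0" * (-len(payload) % 4)
    size = forged_size if forged_size is not None else 12 + len(payload)
    return struct.pack("<III", EMR_COMMENT, size, len(payload)) + payload


def build_emf(body_records):
    """Header + records, with the Bytes and Records fields filled in honestly."""
    body = b"".join(body_records)
    return emr_header(HEADER_SIZE + len(body), 1 + len(body_records)) + body


# Constructed samples for this example, not files from the thread.
BENIGN_MINIMAL = build_emf([emr_eof()])
BENIGN_WITH_COMMENT = build_emf([emr_comment(b"\x41" * 6000), emr_eof()])
MALFORMED = build_emf([emr_comment(b"\x41" * 4, forged_size=0x7FFFFFF0), emr_eof()])

if __name__ == "__main__":
    for name, blob in [("benign minimal", BENIGN_MINIMAL),
                       ("benign with 6 KB comment", BENIGN_WITH_COMMENT),
                       ("malformed length field", MALFORMED)]:
        print(f"{name}: precise -> {check_emf_precise(blob) or 'clean'}")
        print(f"{name}: aggressive -> {check_emf_aggressive(blob) or 'clean'}")
```

Run stand-alone, the precise rule passes both benign files and flags only the record whose size field cannot fit in the file; the aggressive rule also flags the perfectly valid file with a 6 KB comment record. That second outcome is the false positive the thread is about: a rule tuned to catch unknown malformed metafiles also fires on legitimate images that merely look unusual, and the fix is to tighten the rule (as the corrected definitions did) rather than to disable heuristics wholesale.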