Norton (NAV 2002) does not detect hotfix.exe as a threat even after update


Virus Guy

To re-cap: A co-worker brought in her home XP machine on Nov 29 because
it was non-functional after a recent web-browsing session earlier that
day. It was infected with the fraud AV known as "ThinkPoint".

The malware was 100% contained within the file "hotfix.exe" which was
launched from an auto-run startup key. Removal of the file from the
system's hard drive was the only action needed to restore the system,
but one or two registry entries were also deleted just to keep things
clean.

A scan by Virustotal of the file soon after it was removed from the
system resulted in 3 positive hits out of a possible 43.

On Dec 3, a submission of the same file to VT resulted in 37 hits.

However, even after updating Norton Antivirus 2002 (NAV) with the Dec 3
version of the intelligent updater daily update package:

http://definitions.symantec.com/defs/20101204-002-i32.exe

and then this:

http://definitions.symantec.com/defs/20101204-002-x86.exe

Note: I'm not quite sure what the difference is between those two
files. They can be found linked from here:

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

So even after downloading and running each file separately, my
installation of NAV 2002 did not detect the file "hotfix.exe" as a
threat, even though NAV was telling me that its definitions were
dated as DEC 2, 2010.

So I fired off an e-mail to symantec, asking them why my NAV product
(which I did not identify as NAV 2002) was not detecting hotfix.exe even
after the definition update. The response is copied below.

Basically, the response is that I should be using the "rapid response"
update package, located here:

http://definitions.symantec.com/defs/rapidrelease/symrapidreleasedefsi32.exe

So I downloaded and ran it, but still NAV does not recognize hotfix.exe
as a threat.

I'd like to know if anyone else, particularly those running some version
of NAV or any other Symantec AV product, would or does detect this file
as a threat.

The file hotfix.exe can be found here:

http://www.fileden.com/files/2008/7/19/2010382//HOTFIX.ZIP

That is a password-protected zip file. The password is "a" (no
quotes). This will unzip to hotfix.exe. Feel free to upload that file
to virustotal for your own curiosity or verification. If your AV
program is working, it should quarantine the file immediately after it
is unzipped.

=========== Begin symantec support response ============

This message is an automatically generated reply -- do not reply to this
message.

This system is designed to analyze and process suspicious file
submissions into Symantec Security Response and cannot accept
correspondence or inquiries.

---------------------------------------------------------------------
Submission Summary
---------------------------------------------------------------------

We have processed your submission (Tracking #184126xx) and your
submission is now closed. The following is a report of our findings for
the files in your submission:

File: HOTFIX.EXE
Machine: Machine
Determination: This file is detected as 'SecurityEssentialFraud, ' with
our existing Rapid Release definition set.

---------------------------------------------------------------------
Customer Notes
---------------------------------------------------------------------

The file hotfix.exe is a fake-AV malware and is detected as
SecurityEssentialFraud by the Symantec scanner on VirusTotal.com.
However it is not detected by my Norton Antivirus product even though I
have updated NAV with the SARC intelligent updater package dated Dec 2.
Please explain why the Intelligent Updater package is not detecting this
threat.

---------------------------------------------------------------------
Developer Notes
---------------------------------------------------------------------

HOTFIX.EXE known exploit or attack code which can be delivered by a
number of channels to compromise a system


---------------------------------------------------------------------
Remediation
---------------------------------------------------------------------

Existing Rapid Release definitions contain the necessary updates for the
files in your submission.

Downloading and Installing Rapid Release Definitions:

1. Open your Web browser. If you are using a dial-up connection, connect
to any Web site, such as http://www.symantec.com

2. Click on the following link to open our Rapid Release FTP Site. If it
does not go to the FTP Site (this could take a minute or so if you have
a slow connection), copy and paste the link into the address bar of your
Web browser, and then press Enter.

Current Symantec Rapid Release Definitions
ftp://ftp.symantec.com/AVDEFS/norton_antivirus/rapidrelease/

3. Download the appropriate file to update your product. To identify the
correct definition file format for your product, please review the
information here:

Symantec Rapid Release Virus Definitions
http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

4. When a download dialog box appears, save the file to the Windows
desktop. Either double-click the downloaded file and follow the prompts,
or refer to your product documentation.

This message was generated by Symantec Security Response automation.

Should you have any questions about your submission, please contact our
regional technical support from the Symantec Web site, and give them the
tracking number included in this message.

Symantec Technical Support
http://www.symantec.com/techsupp/
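Before concluding that a definition set lacks a signature, it is worth confirming that the resident scanner is actually scanning at all, and that can be done without handling live malware. The script below is an added example (not part of this thread or of any Symantec tool): it drops the EICAR test file, a harmless string that every mainstream scanner is built to detect and quarantine, into a scratch directory and reports whether the file survived, which is the same "it should quarantine the file immediately" check the post describes. It also computes the MD5/SHA-1/SHA-256 of a sample so the hashes can be looked up on VirusTotal instead of uploading or re-distributing the binary. The sample bytes used in `main()` are constructed placeholders, not the real hotfix.exe.

```python
"""Check that a resident antivirus is live, and hash a sample for lookup.

Added example, not code from the thread. Assumes only the Python standard
library. The EICAR test string is the industry-standard, non-malicious
detection test published by EICAR; writing it to disk should trigger any
working real-time scanner.
"""
import hashlib
import os
import tempfile
import time

# Standard 68-byte EICAR test string (the "\\" is a single backslash on disk).
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def file_hashes(data: bytes) -> dict:
    """Return the hashes a VirusTotal or vendor-portal hash lookup expects.

    Looking a hash up avoids copying or uploading the sample itself.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def realtime_scanner_check(directory: str, wait_seconds: float = 5.0) -> dict:
    """Write eicar.com into `directory` and report whether a scanner acted on it.

    'detected' is True when the file was removed, made unreadable or altered
    within the wait, which is how quarantine looks from the filesystem.
    """
    path = os.path.join(directory, "eicar.com")
    with open(path, "wb") as fh:  # binary mode: no newline translation
        fh.write(EICAR.encode("ascii"))
    time.sleep(wait_seconds)
    try:
        with open(path, "rb") as fh:
            content = fh.read()
    except OSError:
        return {"detected": True, "reason": "file removed or unreadable"}
    finally:
        # Clean up whatever is left so the test file does not linger.
        try:
            os.remove(path)
        except OSError:
            pass
    if content != EICAR.encode("ascii"):
        return {"detected": True, "reason": "file altered or truncated"}
    return {"detected": False, "reason": "file still intact; scanner not acting"}


def run_self_check(wait_seconds: float = 5.0) -> dict:
    """Run the EICAR check in a fresh temporary directory and return the result."""
    directory = tempfile.mkdtemp(prefix="av-check-")
    try:
        return realtime_scanner_check(directory, wait_seconds)
    finally:
        try:
            os.rmdir(directory)
        except OSError:
            pass


def main() -> None:
    # Constructed placeholder bytes standing in for a quarantined sample.
    sample = b"placeholder sample bytes, not a real binary"
    for name, value in file_hashes(sample).items():
        print(f"{name}: {value}")
    result = run_self_check()
    print("real-time scanner detected EICAR:", result["detected"],
          "-", result["reason"])


if __name__ == "__main__":
    main()
```

If the EICAR file survives intact, the scanner is not examining new files at all and no definition update will change that; only if it is quarantined does a miss on a real sample say anything about the definition set. Hash lookups should be tried before uploading a sample, since a file that is already known returns the full detection history without publishing another copy.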

RayLopez99

To re-cap:  A co-worker brought in her home XP machine on Nov 29 because
it was non-functional after a recent web-browsing session earlier that
day.  It was infected with the fraud AV known as "ThinkPoint".

Good catch. To get rid of registry keys automatically in XP, Revo
Uninstaller Pro works like a charm (and I've not had a problem yet even
with the 'aggressive' option set): it finds and gets rid of all the
registry entries, though I'm sure as a professional you probably like
using RegEdit manually.

RL