Hosting Provided By

RE: Norton Antivirus and the w32.spybot.worm.... false positive ?

From: Information Security <InformationSecurity(at)federatedinv.com>
Date: Mon Jun 02 2003 - 13:34:51 EDT

If it is sysreg.exe, beware...I took a hunt around on this one and found out that it's actually adware delivered by the Stukach trojan, you can tell by the file size (49,152 bytes) & some strings info. I say beware because at last check (a week ago), NAV signatures picked up the sysreg.exe as a generic trojan, but didn't pick up an eicar delivered by Stukach. As of last Monday, NAV identified sysreg.exe as a generic "Trojan". McAfee picked up both, but under different signatures.

AFAIK, the sysreg.exe thing calls home to tp.searchseekfind.com on startup only. Seems like it might have been delivered through weatherbug.

-----Original Message-----

From: Dowling, Gabrielle [mailto:dowlingg@sullcrom.com] Sent: Friday, May 30, 2003 2:22 PM
To: Chris Caydes; focus-virus@securityfocus.com Subject: RE: Norton Antivirus and the w32.spybot.worm.... false positive ?

Are you referring to sysreg.exe? We started getting detections today under "security risk", but I think they are valid as the objectionable executable seems to be associated with a new version of Huntbar. See http://securityresponse.symantec.com/avcenter/venc/data/security.risk.ht ml.

Regards,

Gaby

-----Original Message-----

From: Chris Caydes [mailto:chris_caydes@yahoo.com] Sent: Friday, May 30, 2003 12:11 PM
To: focus-virus@securityfocus.com
Subject: Norton Antivirus and the w32.spybot.worm.... false positive ?

Hello,

Do you need help?

Several recent posts in discussion groups and mailing lists complain about the "w32.spybot.worm" being picked up by Norton Antivirus.

I am starting to suspect a false positive problem with the latest signature file.
I haven't seen anything on the Symantec Security Reponse website. The description for the worm doesn't give much info.
Has anyone experienced this problem ?

Regards
Chris

Do you Yahoo!?
Yahoo! Calendar - Free online calendar with sync to Outlook(TM). http://calendar.yahoo.com

---

This e-mail is sent by a law firm and contains information that may be privileged and confidential. If you are not the intended recipient, please delete the e-mail and notify us immediately.

Received on Mon Jun 2 13:44:16 2003

This message: [ Message body ]
Next message: Marc Fossi: "Announcement: SecurityFocus Pen-Test and Firewalls Focus Areas"
Previous message: Dowling, Gabrielle: "RE: Norton Antivirus and the w32.spybot.worm.... false positive ?"
Maybe in reply to: Chris Caydes: "Norton Antivirus and the w32.spybot.worm.... false positive ?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:39 EDT