
View Full Version : When is a virus not a virus...?


Graham
20-05-2004, 04:11
Ok, here's a weird one...

I got another one of those "This is a Micro$oft Update" e-mails seemingly trying to trick me into running the .exe attachment and infect my system.

Ho hum, thinks I, and I'm about to delete it when I suddenly realise that the message *doesn't* have a Norton AV warning of deletion in place of the attachment.

So I think "hello, that's odd" and get NAV to scan the attachment. To which it replies "it's clean".

Now this is strange, because it sure as hell *looks* like it's suspicious.

So I save the file, quarantine it, and send it off to Symantec for checking and get the reply back saying "this has been checked and it's the same as the official version of the install9.exe program"

This strikes me as totally bizarre. Someone sends out something that *looks* like a virus type message, but it's got perfectly legitimate content (and no other attachments), so what on *Earth* is the point?

Is someone *trying* to do me a favour by helping me to install updates on my system? (Not that I'd trust it anyway!) Is it a virus that's just really well concealed? (It doesn't seem to be)

Anyone got any ideas on this?

andygrif
20-05-2004, 10:54
It could well be that Norton haven't identified it yet as a virus. It's worth sending them the email along with the attachment to do some testing on.

Russ
20-05-2004, 10:56
Or possibly it's someone trying to trick you into thinking you've been sent something nasty without actually getting into trouble themselves?

Defiant
20-05-2004, 10:56
Hmm, I'm always seeing people posting questions about viruses, and for some reason it's nearly always regarding Norton ;)

zovat
20-05-2004, 17:30
It could well be that Norton haven't identified it yet as a virus. It's worth sending them the email along with the attachment to do some testing on.
True, but Symantec said it was clean - and they are pretty quick at identifying virii once they are released...

Does seem strange though - Microsoft have never (to my knowledge) sent out any updates by Email.

Hmmm - a bit of googling tells me that this looks rather like the Swen worm: see Symantec's page (http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html) - bit weird that Symantec said it looked ok though....

MadGamer
20-05-2004, 18:14
True, but Symantec said it was clean - and they are pretty quick at identifying virii once they are released...

Does seem strange though - Microsoft have never (to my knowledge) sent out any updates by Email.

Hmmm - a bit of googling tells me that this looks rather like the Swen worm: see Symantec's page (http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html) - bit weird that Symantec said it looked ok though....

M$ do have this stated on their website somewhere. You are right, they never send out emails containing patches.

MadGamer
20-05-2004, 18:17
Ok, here's a weird one...

I got another one of those "This is a Micro$oft Update" e-mails seemingly trying to trick me into running the .exe attachment and infect my system.

Ho hum, thinks I, and I'm about to delete it when I suddenly realise that the message *doesn't* have a Norton AV warning of deletion in place of the attachment.

So I think "hello, that's odd" and get NAV to scan the attachment. To which it replies "it's clean".

Now this is strange, because it sure as hell *looks* like it's suspicious.

So I save the file, quarantine it, and send it off to Symantec for checking and get the reply back saying "this has been checked and it's the same as the official version of the install9.exe program"

This strikes me as totally bizarre. Someone sends out something that *looks* like a virus type message, but it's got perfectly legitimate content (and no other attachments), so what on *Earth* is the point?

Is someone *trying* to do me a favour by helping me to install updates on my system? (Not that I'd trust it anyway!) Is it a virus that's just really well concealed? (It doesn't seem to be)

Anyone got any ideas on this?

For someone to install updates for you, they would need access to your system.

Chris W
20-05-2004, 18:20
<snip>
Anyone got any ideas on this?

Have you tried running an online scan of the file with a different AV program, eg http://housecall.trenmicro.com/

MB

greencreeper
20-05-2004, 19:12
Might be softening you up for the kill :) If someone's sent a non-nasty email and they run the attachment without problems, then they're more likely to run subsequent attachments and advise friends/relatives that those emails really are harmless.

Xaccers
20-05-2004, 19:27
It could be a dialer rather than a virus
You know, the sort of thing that installs itself and tries to get your modem to call a premium rate number.
It's not a virus, so NAV wouldn't flag it up, though it's still not a nice bit of software to have.

Graham
20-05-2004, 19:34
It could well be that Norton haven't identified it yet as a virus. It's worth sending them the email along with the attachment to do some testing on.

It's not a virus, so NAV wouldn't flag it up

"So I save the file, quarantine it, and send it off to Symantec for checking and get the reply back saying "this has been checked and it's the same as the official version of the install9.exe program" :)

I can't see why they'd say this if it wasn't kosher, but it's just really odd.

Graham
20-05-2004, 19:36
Have you tried running an online scan of the file with a different AV program, eg http://housecall.trenmicro.com/

Thanks, but that address comes up "not found".

Tezcatlipoca
20-05-2004, 19:38
Thanks, but that address comes up "not found".

Try http://housecall.trendmicro.com/ ;) :)

greencreeper
20-05-2004, 20:24
It could be a dialer rather than a virus
You know, the sort of thing that installs itself and tries to get your modem to call a premium rate number.
It's not a virus, so NAV wouldn't flag it up, though it's still not a nice bit of software to have.

I wonder what happens when a dialler tries dialling on a system without DUN installed, like most broadband connected PCs?? :erm: Crash the system maybe, or will Windows auto-install DUN??

MadGamer
20-05-2004, 23:22
Check for any spyware.

Graham
21-05-2004, 02:18
Check for any spyware.

Nope, I run Adaware every week after NAV does its thing :(

Oh well, it's just one of those weird things... :shrug:

Xaccers
21-05-2004, 02:47
Nope, I run Adaware every week after NAV does its thing :(

Oh well, it's just one of those weird things... :shrug:

Sorry, did you say you sent it off to Symantec to be checked and they came back saying it wasn't a virus?

You could download something like virtual PC and run it on there, that way if it is nasty it just infects the virtual pc and not your own.

Graham
21-05-2004, 04:15
Sorry, did you say you sent it off to Symantec to be checked and they came back saying it wasn't a virus?

Yes, their actual response was that the file matched the "official" version of the file they had on record.

You could download something like virtual PC and run it on there, that way if it is nasty it just infects the virtual pc and not your own.

Well since it comes through Netscape and I'm not stupid enough to try to run the thing, it's not going to infect my system anyway :D
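The two checks this thread circles around are worth seeing side by side: the hash comparison Symantec effectively did (the attachment "matched the official version of the file they had on record") and the lure pattern zovat and MadGamer point out (a vendor that never distributes patches by e-mail, yet a mail claiming to be a "Microsoft Update" with an .exe attached). The script below is an added example and not code from the original thread or from any of the products named in it. It builds a constructed sample message with placeholder attachment bytes (not a real binary), extracts the attachments with Python's standard `email` module, hashes them, looks the hashes up in a constructed known-good table, and then applies the lure rule independently: a payload that hashes clean is still not something to run when it arrives as an unsolicited "update" from a vendor that does not ship patches this way. All sender addresses, file names other than install9.exe, and hash table entries are assumptions made up for the example.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# File types that Windows will execute directly when double-clicked.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Words that, together with an executable attachment, make the classic
# "run this vendor update" lure the thread is discussing.
LURE_WORDS = ("update", "patch", "security", "microsoft")


def build_sample_email(subject: str, filename: str, payload: bytes) -> bytes:
    """Constructed message in the style of the one described in the thread.
    Addresses are invalid-TLD placeholders; the payload is whatever bytes the
    caller supplies (the examples use a text marker, never a real program)."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security <update@example.invalid>"  # constructed
    msg["To"] = "user@example.invalid"                            # constructed
    msg["Subject"] = subject
    msg.set_content("Please run the attached file to protect your system.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the attachment bytes; this is the value compared against
    a known-good table, which is what 'matches the official version' means."""
    return hashlib.sha256(data).hexdigest()


def extract_attachments(raw: bytes):
    """Parse a raw RFC 5322 message and return (message, [(filename, bytes)])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        attachments.append((name, part.get_content()))
    return msg, attachments


def assess(raw: bytes, known_good: dict) -> dict:
    """Classify a message. known_good maps sha256 hex -> description.

    Verdicts:
      lure_with_executable  executable attached AND subject reads like a vendor
                            update; flagged even if the hash is known-good,
                            because vendors do not push patches by e-mail
      unknown_executable    executable attached, hash not in the table
      known_good            every attachment hash is in the table, no lure
      no_executable         nothing executable attached
    """
    msg, attachments = extract_attachments(raw)
    subject = str(msg.get("Subject", "")).lower()
    lure_subject = any(word in subject for word in LURE_WORDS)

    findings = []
    has_exe = False
    all_known = bool(attachments)
    for name, data in attachments:
        digest = sha256_hex(data)
        is_exe = name.lower().endswith(EXECUTABLE_SUFFIXES)
        has_exe = has_exe or is_exe
        if digest in known_good:
            findings.append(f"{name}: sha256 matches known file "
                            f"'{known_good[digest]}'")
        else:
            all_known = False
            findings.append(f"{name}: sha256 {digest} not in known-good table")
        if is_exe:
            findings.append(f"{name}: executable attachment")

    if has_exe and lure_subject:
        verdict = "lure_with_executable"
    elif has_exe:
        verdict = "unknown_executable" if not all_known else "known_good"
    elif all_known:
        verdict = "known_good"
    else:
        verdict = "no_executable"
    return {"verdict": verdict, "findings": findings,
            "attachments": [name for name, _ in attachments]}


if __name__ == "__main__":
    payload = b"PLACEHOLDER-NOT-A-REAL-BINARY"          # constructed bytes
    table = {sha256_hex(payload): "install9.exe (constructed known-good entry)"}
    raw = build_sample_email("Microsoft Update: latest security patch",
                             "install9.exe", payload)
    for line in assess(raw, table)["findings"]:
        print(line)
    print("verdict:", assess(raw, table)["verdict"])
```

The point the `assess` function makes is the one the thread never quite resolves: a hash match tells you the bytes are a known file, nothing more. Whether that file should be run is decided by how it arrived, so the lure rule is evaluated on the headers regardless of what the hash lookup returned, and the result in Graham's situation is still "do not run it".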

zovat
21-05-2004, 11:28
Yes, their actual response was that the file matched the "official" version of the file they had on record.

Well since it comes through Netscape and I'm not stupid enough to try to run the thing, it's not going to infect my system anyway :D

As Symantec have this file and Email down as the SWEN.A worm (goes back to 2003) I am very surprised that they said it was clean.

Maybe someone has managed to fool symantec into believing that the version they have is from M$ when it is actually the worm form :Yikes: