The killer Virus – Is Symantec Secure?

January 26, 2007 at 4:13 pm | In Technical | 4 Comments

So you thought I enjoyed my 760 on the GMAT (5th January)? Well, I couldn't.

[If you want to read my GMAT posts only, check: GMAT Blog only]

As soon as I got back to the office, we were under attack from a new variant of W32.Spybot.Worm. The genius of the worm is that it uses a vulnerability in the Symantec antivirus client itself (poor Symantec customers like us) to disable it, and then it happily lives on the system and spreads from one file share to another. In the first week of January we had a massive outbreak which ran for 10 days, and we ended up cleaning about 500 PCs and 200 servers (most of them manually). Symantec kept giving us fixes which didn't work; finally we got one from them that did. The variants we noticed ran as "jamesbond.exe", "ctfmom.exe" and "sslms.exe". Another known variant with the same effects is "n00s.exe".

So after 10 days of relief, in come another two variants, with new names but the same symptoms: "scheduler.exe" and "wupdmngr.exe". Symantec could identify them (lucky us!), but couldn't quarantine or delete them. Both are previously known members of the W32.Spybot.Worm family, and both exploit the vulnerability described in Symantec's SYM06-010 advisory. This time, however, we were better prepared, and so was Symantec: they released a Rapid Release definition update which was 'effective' this time.

However, it makes one wonder: if the SYM06-010 vulnerability was patched 'properly', how come the variants are still able to play with Symantec? Did the patch open more holes than it filled? Or does the hole still exist, and only the older versions of the worm are caught before they can make use of it? One distinction matters when weighing that question. The SYM06-010 fix is an updated client binary (the vulnerable code is in the Rtvscan service, which is reachable over the network), whereas a definition update only teaches the scanner to recognise a particular sample. A client that has today's definitions but is still running the unpatched service can be knocked out by any new variant before the scanner ever gets a look at it, which is exactly the behaviour described above. Definitions tell you what was caught; the client version tells you whether the hole is closed, so an outbreak like this is the moment to inventory client versions rather than definition dates.
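A sweep for the executable names reported above, added here as an example (it is not code from the original post): for each host it checks running processes over WMI, the HKLM Run keys over remote registry, and the System32 directory through the ADMIN$ share. The host list is constructed, and the assumption that the worm drops its copy into System32 is mine; a filename match is only a lead, since names like scheduler.exe can be legitimate, so submit any hit to Symantec rather than treating the name as proof.

```powershell
# Added example, not from the original post. Sweeps hosts for the worm filenames the post
# reports. Assumes: run as a domain admin, remote WMI, Remote Registry and ADMIN$ reachable,
# PowerShell 2.0 or later. The System32 drop location is an assumption.

$Indicators = @('jamesbond.exe', 'ctfmom.exe', 'sslms.exe', 'n00s.exe', 'scheduler.exe', 'wupdmngr.exe')

# Autostart locations to inspect under HKLM (readable via Remote Registry)
$RunKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

function Test-Indicator {
    # Returns the indicator name contained in $Text (case-insensitive), or $null
    param([string]$Text)
    foreach ($name in $Indicators) {
        if ($Text -match [regex]::Escape($name)) { return $name }
    }
    return $null
}

function New-Hit($Computer, $Type, $Indicator, $Detail) {
    New-Object PSObject -Property @{ Host = $Computer; Type = $Type; Indicator = $Indicator; Detail = $Detail }
}

function Get-SpybotIndicators {
    param([string]$ComputerName)
    $hits = @()

    # 1. Running processes (WMI works against remote hosts without PS remoting)
    try {
        foreach ($proc in (Get-WmiObject Win32_Process -ComputerName $ComputerName -ErrorAction Stop)) {
            $m = Test-Indicator $proc.Name
            if ($m) { $hits += New-Hit $ComputerName 'Process' $m $proc.ExecutablePath }
        }
    } catch { Write-Warning "$ComputerName : WMI query failed ($_)" }

    # 2. Registry autostart values; the worm's path usually appears in the value data
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        foreach ($path in $RunKeys) {
            $key = $hklm.OpenSubKey($path)
            if ($key -eq $null) { continue }
            foreach ($valueName in $key.GetValueNames()) {
                $value = [string]$key.GetValue($valueName)
                $m = Test-Indicator $value
                if ($m) { $hits += New-Hit $ComputerName 'Registry' $m "HKLM\$path\$valueName = $value" }
            }
        }
    } catch { Write-Warning "$ComputerName : remote registry failed ($_)" }

    # 3. Dropped copies on disk, reached over the same kind of share the worm spreads on
    foreach ($name in $Indicators) {
        $p = "\\$ComputerName\ADMIN`$\System32\$name"
        if (Test-Path $p) { $hits += New-Hit $ComputerName 'File' $name $p }
    }
    return $hits
}

# Constructed sample inventory; replace with your own host list
$Hosts = @('localhost')
$Hosts | ForEach-Object { Get-SpybotIndicators $_ } |
    Format-Table Host, Type, Indicator, Detail -AutoSize
```

Hosts that fail the WMI or registry step are worth a closer look rather than a shrug: a box the worm has already taken down Symantec on, or one whose admin shares are being hammered, is often the one that stops answering.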

4 Comments


  1. We got the same virus. We had to delete the n00s.exe file and then recreate a dummy file and remove all permissions from it so it would not re-populate.

  2. We have had n00s.exe try to infect one of our DCs. Windows rejected it and I found the error box on my desktop. It had 227 infections of Sasser-like qualities in less than one minute. I had to remove them manually because Symantec only saw a handful of them. N00s is letting old viruses in, and now when Symantec finds something I always scan the registry and find n00s.exe in there. If you thought we were being set up for a zero-day, well, this would be the way I would think it would work. I'm sure they will find something that will come through unseen and we will all be working weekends for a while.

  3. The fix for us was the following:
    - Make sure you have the latest Symantec Client
    - Make sure all PCs are updated

    Yes, there are variants of older viruses which still keep coming up. The only plan of action we had was to take those PCs off the network and submit the virus file to Symantec so that they can provide a removal as a fix.

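The inoculation trick described in comment 1 above (delete the worm, leave a same-named dummy file that nothing can write to), as an added example that is not part of the original post or comments. It assumes local Administrator rights, PowerShell 2.0 or later, and that the worm drops into %SystemRoot%\System32, which is my assumption; the filenames are the ones reported on this page.

```powershell
# Added example, not from the original post or comments. After removing the worm binary,
# leaves a zero-byte placeholder with the same name that no account may modify or delete,
# so a re-infection attempt under that name fails. The System32 location is an assumption.

$Indicators = @('jamesbond.exe', 'ctfmom.exe', 'sslms.exe', 'n00s.exe', 'scheduler.exe', 'wupdmngr.exe')

function New-InoculationFile {
    param([string]$Path)

    if (Test-Path $Path) {
        $item = Get-Item $Path -Force
        if ($item.Length -gt 0) {
            # A non-empty file under this name is most likely the worm: stop it before deleting it
            Get-Process | Where-Object { $_.Path -eq $item.FullName } | Stop-Process -Force
            Remove-Item $Path -Force
        }
    }
    if (-not (Test-Path $Path)) { New-Item -ItemType File -Path $Path -Force | Out-Null }

    # Cheap first layer: read-only/hidden/system attributes defeat naive overwrites
    Set-ItemProperty -Path $Path -Name Attributes -Value ([IO.FileAttributes]'ReadOnly, Hidden, System')

    # Real layer: drop inherited ACEs and add an explicit Deny FullControl for Everyone.
    # Deny entries win over Allow entries, so this blocks SYSTEM and Administrators too,
    # until an admin takes ownership (takeown / icacls /reset) to undo it.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)    # stop inheriting, discard inherited rules
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Path -AclObject $acl
    return $Path
}

foreach ($name in $Indicators) {
    New-InoculationFile (Join-Path $env:SystemRoot "System32\$name")
}
```

Two caveats before relying on this. The deny ACE also locks out the administrators who have to clean up later, so record which placeholders you planted. And, as the post itself shows, the next variant simply arrives under a new name, so this buys time against re-infection by the current sample and nothing more; the patched client is still what closes the hole.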


Blog at WordPress.com. | Theme: Pool by Borja Fernandez.