Nortons Fails

DaveO

Hi All

Had an alert pop up on the wife's PC yesterday to say there was an outbound connection attempt. She was fantastic and clicked on the 'block' button - saved the day.

BUT ... how did the worm get onto the PC in the first place ?

An online conversation with the Symantec ( Norton ) Live Technical Support Dept, reveals their admission of the following :

< quote >
If your computer is overloaded, it is possible that Norton AntiVirus may be unable to scan a file before it finishes executing. This could cause your computer to become infected or a virus to be missed during scanning.
< end quote >

A full copy of the conversation is below.

I will now be looking for some AV software that actually works as advertised !

Regards
DaveO





<<<<< Copy of Conversation >>>>>

• It is currently Wednesday, Sep 21, 2005 02:28 AM PDT

Jo****h: Hi, thank you for contacting Symantec Live Technical Support. My name is Jo****h. How may I help you?

Dave: Hi Jo****h. Yesterday morning, my PC was infected with the w32.bugbear.m@mm worm. My NAV2004 detected its outbound connection attempt and it was blocked. But, how did it get past the firewall onto my PC in the first place ?

Dave: The description in the NAV Activity log is :

Dave: Details: The user has created a rule to "block" communications
Outbound UDP packet
Local address,service is (165.165.171.106,0)
Remote address,service is (196.25.255.34,domain(53))
Process name is "C:\Documents and Settings\Gail\Local Settings\Temp\Temporary Directory 1 for love.zip\love.jpg .scr"

Jo****h: While I review the issue in further detail, will you hold for 1 or 2 minutes?

Dave: It appears to have created a file called vuxolv.exe in the winsys32 dir and a registry entry. Using winXP pro sp2 ( win Firewall disabled - using Nortons )

Dave: I will wait

Jo****h: Thanks.

Jo****h: Please note that firewall is not the feature for blocking viruses. Norton AntiVirus (NAV) is the feature which can block viruses.

Dave: OK. but does the firewall not examine the incoming e-mails ?

Dave: Just out of interest, I do have VNC available if it assists you to examine the PC.

Jo****h: Norton Personal Firewall keeps personal data in and hackers out by monitoring and controlling all connections between your PC and the Internet. Right out of the box, Norton Personal Firewall makes your PC invisible on the Internet. That action alone can protect your computer from hackers and online thieves.

Jo****h: I will provide you a Web link which will help you to remove w32.bugbear.m@mm worm from your computer.

Dave: Yes. I see that as it detected the outbound attempt by the worm - but what do I need installed to stop the opening / receiving of the worm in the first place ?

Jo****h: W32.Bugbear.M@mm is a mass-mailing worm that sends itself to email addresses it gathers from certain files on the system, using its own SMTP engine.

Dave: I already have downloaded the tool.

Dave: My question relates to how the worm got here in the first place and why it was not detected incoming.

Jo****h: Please let me check and find out. This may take me a minute or two. Are you able to stay online?

Dave: Virus definitions updates 2005-09-17, but bugbear has been around since 2004

Dave: I am on a permanent broadband connection so will gladly wait

Jo****h: Ok.

Jo****h: Please be informed that NAV cannot stop a worm from getting into your computer. It will detect it when a threat gets on your computer.

Dave: does NAV not scan all incoming mail / attachments for known worms ? And should it not also alert me if I attempt to open a file or attachment that contains a worm ?

Jo****h: Norton AntiVirus Email Scanning verifies that email and attachments are free from viruses and other malicious code as you download them from your Internet service provider (ISP). The Outgoing Email Scanning feature verifies that the email that you send is free from viruses and malicious code before you send it.

Dave: Is the worm not considered 'malicious code' ? Surely NAV should, as I download e-mail from my pop server, examine each e-mail and alert if it contains a worm.

Dave: Or at the very least, alert if I open a downloaded / e-mail received file that contains a known worm.

Jo****h: Please note that if the Email scanning in NAV detects any worm or viruses along with your emails, you will get an alert which will provide the details.

Jo****h: Since the NAV log file itself is showing that the worm has been blocked, then it means that your computer is not infected by that worm.

Dave: Then can you please advise, where in the NAV logs, I can see this alert of this incoming e-mail with the worm ? This is my concern - I did not get an alert of the incoming worm - I only knew about it after it was installed and it tried to create its own outgoing connection. Did NAV fail to detect the worm on an incoming e-mail ? I am certain that e-mail / web browser is the only way for the worm to arrive on the PC as we do not use disks,etc

Dave: "showing that the worm has been blocked" - Yes, but this is the outbound connection attempt by the worm - so how did it get past NAV in the first place and get installed on the PC ?

Dave: The fact that it is being blocked, actually CONFIRMS the existence of the worm.

Jo****h: While I review the issue in further detail, will you hold for 1 or 2 minutes?

Dave: sure

Jo****h: Thanks.

Jo****h: Please note that if the worm is installed with file which is the part of a legitimate program or it with a Windows temporary file, then NAV will not detect it.

Jo****h: In this situation, I recommend that you please delete Windows temporary files then run a scan.

Jo****h: I will provide the steps for deleting temporary files.

Dave: So are you confirming that, if I download a program from the internet, and then install that program, that the worm may be installed as part of the program and NAV will not detect it. And that it will only detect the outbound worm connection attempt ( as it did ) ? I have already cleared all internet temp files and run a full system scan.

Jo****h: Since you have already cleared the Windows temporary files, I kindly request you please contact Symantec virus removal support.

Jo****h: We have separate virus removal support division. They will be glad to assist you in removing the infection from your computer. If you need interactive technical assistance with removing a virus, trojan or worm from your system, you can call Symantec's fee-based virus removal service for assistance. For more details, please refer to the URL link provided below:

> Web URL:
https://www-secure.symantec.com/techsupp/vrq/contact.jsp

Dave: You said "with a Windows temporary file" - does that mean that a temp file downloaded during the display of a web page can contain the worm and will not be detected ? If so, will the activation of the worm not trigger an alert ?

Dave: As already stated - I have removed the worm, but want a satisfactory explanation before I renew the NIS subscriptions for 5 PCs - if NAV can't detect a simple worm, where else is it failing ?

Jo****h: Please let me check and find out. This may take me a minute or two. Are you able to stay online?

Dave: of course.

Jo****h: Thanks.

Jo****h: I apologize for the delay in the response. Please note that although Norton AntiVirus is designed to provide the best virus protection available, there are certain situations in which any anti-viral program can fail.

Dave: Can you please list these "certain situations" - as no new software has been installed during the last 3 months, and NIS & NAV updates are done every Saturday of every week, is NAV unable to detect a worm in incoming e-mail ?

Jo****h: If your computer is overloaded, it is possible that Norton AntiVirus may be unable to scan a file before it finishes executing. This could cause your computer to become infected or a virus to be missed during scanning.

Dave: Jo****h. Thank you for the replies. I regret that I am now less confident with the abilities of NAV. I shall contact other AV vendors and quote these shortcomings of Norton AntiVirus with a view to finding a solution that will not leave me exposed as this has. Regards, Dave
 
:rolleyes: From the conversation you pasted, that Norton rep sounds like a bot - you have a lot of patience :)

Interesting bit about NAV not being able to detect viruses in certain situations. Thanks for mentioning the conversation.
 
I used to be a Norton fan - until the popups started to annoy me.
I moved to AVG - Have been happy with it so far.
 
I got a trial version with my laptop. I hated the popups too. Kept interrupting the work I was doing to tell me inane crap about updates and subscriptions. I uninstalled it and switched my firewall back on. I just hate self-important, intrusive software that thinks the world revolves around it.
 
That's it NAV is off the PC, will continue with AVAST which was ' a vast ' improvement on Nortons .
 