RE: Strange servicepack.exe file (not service.exe) found.
From: John Ives (jives_at_cchem.berkeley.edu)
Date: 12/17/03
- Previous message: James C Slora Jr: "RE: Strange servicepack.exe file (not service.exe) found."
- In reply to: James C Slora Jr: "RE: Strange servicepack.exe file (not service.exe) found."
- Next in thread: Rob Shein: "RE: Strange servicepack.exe file (not service.exe) found."
- Reply: Rob Shein: "RE: Strange servicepack.exe file (not service.exe) found."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Dec 2003 11:04:34 -0800
To: <incidents@securityfocus.com>
One of the things I have noticed with Symantec (and I am sure other vendors
do the same thing) is that files that have both good and bad uses are
considered good, no matter how rarely they are used that way.
A better system would be a prompt informing the user of the file's name,
location and any relevant information about its legitimate uses and asking
if this was running intentionally. If so, it should take a hash of the file
and its directory path, archive that information to a file, digitally sign
the file and use it as a reference whenever it does future scans. If it is
not intentionally being run, then quarantine it and notify the user that, if
there are any problems, they can un-quarantine the file by doing x, y and z.
This isn't an absolute answer, because it still relies on the user to make
sound decisions, but it would help alleviate problems caused by legitimate
files performing illegitimate actions.
John
At 05:15 PM 12/17/2003 +0000, James C Slora Jr wrote:
>Eric Chien wrote Wednesday, December 17, 2003 10:31
>
> > --- Chip Mefford <cmefford@avwashington.com> wrote:
> > > Running in the task manager on a windows 98 box on our lan. The
> > > machine was misbehaving badly yesterday
> > [cut]
> > > I've posted the file "servicepack.exe" in zipped and tarred formats
> > > both at this url.
> >
> > This is a variant of RapidBlaster. See
> > http://securityresponse.symantec.com/avcenter/venc/data/dialer.rapidblaster.html
>
>
>How fun is this, though - Symantec's response today says the file contains
>no malicious code. So nothing ever happened on the machine that had to be
>rebuilt. Hmmmm.
>
>Of course the servicepack.exe file could have been a downloaded byproduct of
>another infection on the affected machine.
>
> > -----Original Message-----
> > From: SecurityResponse@symantec.com
> > [mailto:SecurityResponse@symantec.com]
> > Sent: Wednesday, December 17, 2003 16:51
> > To: Jim.Slora@phra.com
> > Subject: [CLOSING]: Symantec Security Response Automation:
> > Tracking #3555918
> >
> >
> > This message is an automatically generated reply. This
> > system is designed to analyze and process virus submissions
> > into the Symantec Security Response and cannot accept
> > correspondence or inquiries.
> > Please contact your Technical Support representative if more
> > detailed information about your submission is required. Do
> > not reply to this message.
> >
> > Below is a status update on your virus submission:
> >
> > Date: December 17, 2003
> >
> > Jim Slora
> >
> >
> >
> > Dear Jim Slora,
> >
> > We have analyzed your submission. The following is a report
> > of our findings for each file you have submitted:
> >
> > filename: README.TXT
> > machine: AVCAutomation:
> > result: See the developer notes
> >
> > filename: servicepack.exe
> > machine: AVCAutomation:
> > result: See the developer notes
> >
> > Developer notes:
> > README.TXT does not appear to contain malicious code.
> > servicepack.exe contains no malicious code. It is used to
> > access a pornographic service. It is safe to delete this file.
> >
> >
> > Our automated system has performed an extensive analysis on
> > the file(s) that you have submitted and found no evidence of
> > malicious code. If you have additional evidence to suggest
> > that a malicious program still resides in the file that was
> > submitted to us, please contact Symantec Technical Support
> > for assistance.
> >
> > Should you have any questions about your submission, please
> > contact your regional technical support from the Symantec
> > website and give them the tracking number in the subject of
> > this message.
> >
> > -----------------------------------------------------------------------
> > This message was generated by Symantec Security Response automation.
> >
> > For USA:
> > For electronic support options, Symantec provides On-Line
> > Services at http://www.symantec.com/techsupp/
> >
> >
> > --------------------------------------------
> >
---------------------------------------------------------------------------
John Ives, GCWN, GCIH, GSEC
Systems Administrator
College of Chemistry
(510) 643-1033
"If you spend more on coffee than on IT security, Then you will be hacked.
What's more, you deserve to be hacked." - Richard Clarke
Any opinions expressed are my own and not those of the Regents of the
University of California.
---------------------------------------------------------------------------
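The signed allowlist John proposes, as an added example that is not from the list post or from any vendor product: a file the user confirms as intentional is recorded by full path and SHA-256, the record is signed, and later scans classify files as approved, changed, unknown, or carrying a tampered record. HMAC-SHA256 under a local key is assumed as the stand-in for the digital signature he describes, the file name, contents and key are constructed, and the user prompt is assumed to have happened before approve() is called.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def sign(path, digest, key):
    # HMAC-SHA256 over the canonical record stands in for the "digital signature" in the post.
    body = json.dumps({"path": path, "sha256": digest}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def approve(path, key, store):
    """Record a file the user confirmed as intentional: full path, hash and signature."""
    path = os.path.abspath(path)
    rec = {"path": path, "sha256": file_digest(path)}
    rec["sig"] = sign(rec["path"], rec["sha256"], key)
    store[path] = rec
    return rec

def verdict(path, key, store):
    """Classify a file seen in a later scan against the signed allowlist."""
    path = os.path.abspath(path)
    rec = store.get(path)
    if rec is None:
        return "unknown"          # never approved: prompt the user, or quarantine
    if not hmac.compare_digest(sign(rec["path"], rec["sha256"], key), rec["sig"]):
        return "tampered-record"  # the allowlist entry itself was altered
    if file_digest(path) != rec["sha256"]:
        return "changed"          # same name and location, different contents
    return "approved"

def demo():
    """Walk one constructed file through the lifecycle and return the four verdicts."""
    key, store = b"constructed-demo-key", {}   # placeholder key, not a real secret
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "servicepack.exe")
        Path(exe).write_bytes(b"MZ constructed sample contents")
        before = verdict(exe, key, store)
        rec = approve(exe, key, store)
        ok = verdict(exe, key, store)
        Path(exe).write_bytes(b"MZ different contents")   # replaced in place
        changed = verdict(exe, key, store)
        rec["sha256"] = file_digest(exe)   # entry edited without the key: signature no longer matches
        tampered = verdict(exe, key, store)
    return before, ok, changed, tampered
```

The "changed" and "tampered-record" outcomes are the ones a scanner should treat as the quarantine-and-notify case from the post, since a matching name and location no longer vouches for the contents.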