Re: SpyBot infected?



cquirke (MVP Windows shell/user) wrote:
On Sun, 1 Oct 2006 12:00:58 -0500, "Marek Kalisz"

This night I downloaded an update to SpyBot, then started a scan. The download was from the See-Cure #2 (Europe) server. Then, after a few minutes, at about 40% of the scan, my AV (G Data AVK) warned me about a virus in Spybot:

Generic.Malware.SYdlg.D42B776F (file: C:\Windows\system32\CloseAll.exe)

That can happen when a resident av responds to a "touch" made by an
on-demand scanner. Consider....
- the resident av doesn't recognise a new malware
- the new malware arrives, but may not run (i.e. remains inactive)
- the resident av is updated, now can recognise the malware
- the malware is inactive, so doesn't get detected
- you use a different on-demand scanner, e.g. SpyBot
- this scanner reads the malware file
- this brings the file to the attention of the resident av
- the resident av then detects and manages the malware

There are two other aspects to this.

Firstly, a scanner may be unaware of locations in which other scanners
store their material, and thus detect malware within these stores.
This malware has already been detected and managed, and thus is
unlikely to pose an active threat, but may be detected.

Usually, each scanner takes pains to hide what it quarantines so
that other scanners can't detect it - but this may fail for various
reasons, and when that happens, you get "new" detections.

Secondly, some management tools may themselves be detected as malware,
either because what they do could be seen as a risk (e.g. password
resetters, product key finders, etc.) or because they may contain
signatures of the malware they clean (e.g. an old GoHip killer that's
often detected as GoHip itself).

Now, you can choose SpyBot updates from a few alternate servers. In the past I have already experienced unsuccessful updates of some modules from some of those servers (wrong sum, for example), so I had to change server to finish the full update.

Yes, I see that often as well, across multiple systems and sites.
Spyware Blaster's updates are equally trouble-prone.

But - if what happened to me with SpyBot is real, it means that even "anti"s with an excellent renown aren't completely safe.

Any code can be infected by a generic code-infecting virus, such as
CIH, Magistr, etc. I've often seen av programs infected this way, and
I've also seen systems where the infected file count was massively
higher when the resident av was infected in this way.

If you put on your Matrix-vision glasses, you'll see it's all just
code; the intention of the code is meaningless.

To the user, it's a resident av scanner.

To an attacker, it's an infectable underfootware file-groper with
low-level access to every file on the system.

The only reason we don't see the full impact of this as yet, is that
there are many different resident av out there, with none having such
a dominant market share that it presents a worthwhile target.

This is a large reason why I hope MS will not build an av solution
into the OS, as doing so would take the chocks off such attacks.



------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -


Great point, and I had not even considered your final point. I guess the solution is for Microsoft to continue Live OneCare, and, as David points out, the antivirus in Live OneCare is not good enough yet to be considered, so I would continue to stay with products such as AVG Anti-Virus.

BTW, Chris -- while fixing one of the XP Professional computers at school, Spybot Search and Destroy destroyed a special hidden and planted active vector deep within the registry that would allow the system to be compromised by a virus. I was able to save the system just in time. Threat factor determined to be HIGHLY CRITICAL.

Also removed some adware and other junk and tightened the settings. Installed Mozilla Firefox, a safer and more secure solution, and the computer is now in good shape. Of course, I set all files to be shown and removed the really weak link of the Remote Assistance and remote control boxes that were checked.

--
Dan W.

Computer User
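The quarantine behaviour cquirke describes above (each scanner hides what it quarantines so that another product's sweep does not re-detect it, and a stale "new" detection appears when that hiding fails) can be shown with a small Python model. This is an added example, not code from this thread or from any product named in it; the signature names, byte patterns, file names and quarantine layout are all constructed for illustration.

```python
import json
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Constructed byte patterns standing in for a scanner's content signatures.
# Nothing here is a real malware signature; the strings are placeholders.
SIGNATURES = {
    "Toy.Constructed.A": b"CONSTRUCTED-PATTERN-A",
    "Toy.Constructed.B": b"CONSTRUCTED-PATTERN-B",
}


def scan_file(path: Path) -> Optional[str]:
    """Return the signature name whose pattern occurs in the file's raw bytes."""
    data = path.read_bytes()
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_tree(root: Path) -> Dict[str, str]:
    """On-demand sweep: map each matching file (relative path) to its signature."""
    hits: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            name = scan_file(p)
            if name is not None:
                hits[p.relative_to(root).as_posix()] = name
    return hits


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def quarantine(path: Path, store: Path, item_id: str, mask: bool = True) -> Path:
    """Move a detected file into a quarantine store.

    With mask=True the payload is XORed with a random per-item key, so another
    scanner sweeping the store sees no recognisable pattern; the blob also loses
    its original name and extension, so nothing treats it as a program. The
    original path and key go into a sidecar record for restore. mask=False
    models a store that keeps the raw bytes (the case where hiding "fails").
    """
    store.mkdir(parents=True, exist_ok=True)
    key = secrets.token_bytes(32) if mask else bytes(32)  # all-zero key = identity
    blob = store / f"{item_id}.qtn"
    blob.write_bytes(_xor(path.read_bytes(), key))
    record = {"original_path": str(path), "key": key.hex()}
    (store / f"{item_id}.json").write_text(json.dumps(record))
    path.unlink()  # only the stored copy remains
    return blob


def restore(store: Path, item_id: str) -> Path:
    """Unmask a quarantined item and write it back to its original path."""
    record = json.loads((store / f"{item_id}.json").read_text())
    key = bytes.fromhex(record["key"])
    data = _xor((store / f"{item_id}.qtn").read_bytes(), key)
    target = Path(record["original_path"])
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Detect, quarantine (masked and unmasked), re-sweep, restore; report each step."""
    root = Path(tempfile.mkdtemp())
    live = root / "system32"
    live.mkdir()
    # Constructed sample files; the names only echo the thread, the bytes are inert.
    sample_a = b"MZ constructed sample ... CONSTRUCTED-PATTERN-A ..."
    (live / "CloseAll.exe").write_bytes(sample_a)
    (live / "dropper.tmp").write_bytes(b"constructed ... CONSTRUCTED-PATTERN-B ...")
    (live / "benign.dll").write_bytes(b"MZ constructed clean library")
    masked_store = root / "scanner1" / "quarantine"
    naive_store = root / "scanner2" / "quarantine"

    first_sweep = scan_tree(live)
    quarantine(live / "CloseAll.exe", masked_store, "item0001", mask=True)
    quarantine(live / "dropper.tmp", naive_store, "item0002", mask=False)

    # A different product now sweeps the live tree and both quarantine stores.
    result = {
        "first_sweep": first_sweep,
        "live_after_quarantine": scan_tree(live),
        "masked_store_sweep": scan_tree(masked_store),
        "naive_store_sweep": scan_tree(naive_store),
    }
    restored = restore(masked_store, "item0001")
    result["restored_intact"] = restored.read_bytes() == sample_a
    result["live_after_restore"] = scan_tree(live)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The masked store comes back clean on the second sweep while the naive store raises a hit on `item0002.qtn`, which is exactly the "already handled, but detected again" case from the post; the restore step shows that masking does not cost the user the ability to recover a false positive.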