Security Incidents mailing list archives

RE: Strange servicepack.exe file (not service.exe) found.


From: John Ives <jives () cchem berkeley edu>
Date: Wed, 17 Dec 2003 11:04:34 -0800

One of the things I have noticed with Symantec (and I am sure other vendors do the same thing) is that files that have both good and bad uses are considered good, no matter how rarely they are used that way.

A better system would be a prompt informing the user of the file's name, location and any relevant information about its legitimate uses and asking if this was running intentionally. If so, it should take a hash of the file and its directory path, archive that information to a file, digitally sign the file and use it as a reference whenever it does future scans. If it is not intentionally being run, then quarantine it and notify the user that, if there are any problems, they can un-quarantine the file by doing x, y and z.

This isn't an absolute answer, because it still relies on the user to make sound decisions, but it would help alleviate problems caused by legitimate files performing illegitimate actions.

John

At 05:15 PM 12/17/2003 +0000, James C Slora Jr wrote:
Eric Chien wrote Wednesday, December 17, 2003 10:31

> --- Chip Mefford <cmefford () avwashington com> wrote:
> > Running in the task manager on a windows 98 box on our lan. The
> > machine was misbehaving badly yesterday
> [cut]
> > I've posted the file "servicepack.exe" in zipped and tarred formats
> > both at this url.
>
> This is a variant of RapidBlaster.  See
> http://securityresponse.symantec.com/avcenter/venc/data/dialer
> .rapidblaster.html


How fun is this, though - Symantec's response today says the file contains
no malicious code. So nothing ever happened on the machine that had to be
rebuilt. Hmmmm.

Of course the servicepack.exe file could have been a downloaded byproduct of
another infection on the affected machine.

> -----Original Message-----
> From: SecurityResponse () symantec com
> [mailto:SecurityResponse () symantec com]
> Sent: Wednesday, December 17, 2003 16:51
> To: Jim.Slora () phra com
> Subject: [CLOSING]: Symantec Security Response Automation:
> Tracking #3555918
>
>
> This message is an automatically generated reply.  This
> system is designed to analyze and process virus submissions
> into the Symantec Security Response and cannot accept
> correspondence or inquiries.
> Please contact your Technical Support representative if more
> detailed information about your submission is required.  Do
> not reply to this message.
>
> Below is a status update on your virus submission:
>
> Date: December 17, 2003
>
> Jim Slora
>
>
>
> Dear Jim Slora,
>
> We have analyzed your submission.  The following is a report
> of our findings for each file you have submitted:
>
> filename: README.TXT
> machine: AVCAutomation:
> result: See the developer notes
>
> filename: servicepack.exe
> machine: AVCAutomation:
> result: See the developer notes
>
> Developer notes:
> README.TXT does not appear to contain malicious code.
> servicepack.exe contains no malicious code. It is used to
> access a pornographic service. It is safe to delete this file.
>
>
> Our automated system has performed an extensive analysis on
> the file(s) that you have submitted and found no evidence of
> malicious code. If you have additional evidence to suggest
> that a malicious program still resides in the file that was
> submitted to us, please contact Symantec Technical Support
> for assistance.
>
> Should you have any questions about your submission, please
> contact your regional technical support from the Symantec
> website and give them the tracking number in the subject of
> this message.
>
> -----------------------------------------------------------------------
> This message was generated by Symantec Security Response automation.
>
> For USA:
> For electronic support options, Symantec provides On-Line
> Services at http://www.symantec.com/techsupp/
>
>
> --------------------------------------------
>



-------------------------------------------------
John Ives, GCWN, GCIH, GSEC
Systems Administrator
College of Chemistry
(510) 643-1033

"If you spend more on coffee than on IT security, Then you will be hacked. What's more, you deserve to be hacked." - Richard Clarke

Any opinions expressed are my own and not those of the Regents of the University of California.
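The prompt-then-record scheme proposed in the first message above (hash the file and its path, archive and sign that record, consult it on later scans, quarantine otherwise) can be sketched in a few dozen lines. The code below is an added illustration and is not part of the original post or of any vendor's product; the function names, the HMAC-SHA256 binding of each record to a scanner-held key, the `.quarantined` naming and the sample file contents are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
import shutil
import tempfile

# Added example, not from the original post. Each approved binary is stored
# as (absolute path, SHA-256) and the record is bound with HMAC-SHA256 under a
# key the scanner keeps away from ordinary users, so a later scan can tell an
# approved file from a replaced one or from an edited allowlist. All names here
# are hypothetical.

CHUNK = 64 * 1024


def file_fingerprint(path):
    """Return (absolute path, SHA-256 hex digest) for a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return os.path.abspath(path), h.hexdigest()


def sign_entry(key, path, digest):
    """HMAC over path and hash together, so a record cannot be reused at another path."""
    msg = path.encode("utf-8") + b"\x00" + digest.encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def record_allowed(store, key, path):
    """User confirmed the file is intentional: archive its hash and signed record."""
    abspath, digest = file_fingerprint(path)
    store[abspath] = {"sha256": digest, "sig": sign_entry(key, abspath, digest)}
    return digest


def check_file(store, key, path):
    """Classify a file on a later scan.

    'allowed'  - same path, same hash, record signature verifies
    'changed'  - record is genuine but the file's hash differs (replaced or patched)
    'tampered' - the allowlist record itself fails signature verification
    'unknown'  - no record for this path; fall back to prompting the user
    """
    abspath, digest = file_fingerprint(path)
    entry = store.get(abspath)
    if entry is None:
        return "unknown"
    expected = sign_entry(key, abspath, entry["sha256"])
    if not hmac.compare_digest(expected, entry["sig"]):
        return "tampered"
    if digest != entry["sha256"]:
        return "changed"
    return "allowed"


def handle_unknown(store, key, path, quarantine_dir, user_confirms):
    """The prompt step: record if the user says it is intentional, else quarantine.

    user_confirms(path) is a callback standing in for the dialog box. The
    quarantined copy keeps its original name so it can be restored later.
    """
    if user_confirms(path):
        record_allowed(store, key, path)
        return "recorded"
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    return "quarantined"


def save_store(store, filename):
    """Persist the allowlist; the per-entry HMACs travel with it."""
    with open(filename, "w") as f:
        json.dump(store, f, indent=1)


def demo():
    """Constructed scenario; returns the classification at each step."""
    key = os.urandom(32)  # a real scanner would persist this securely
    results = []
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "servicepack.exe")  # constructed stand-in, just bytes
        with open(exe, "wb") as f:
            f.write(b"MZ-placeholder-contents")
        store, q = {}, os.path.join(d, "q")
        # 1. user says it was intentional -> recorded, then a rescan passes
        handle_unknown(store, key, exe, q, lambda p: True)
        results.append(check_file(store, key, exe))
        # 2. the file is modified in place -> hash mismatch against a genuine record
        with open(exe, "ab") as f:
            f.write(b"\x90")
        results.append(check_file(store, key, exe))
        # 3. the allowlist is edited to the new hash without the key -> bad signature
        store[os.path.abspath(exe)]["sha256"] = file_fingerprint(exe)[1]
        results.append(check_file(store, key, exe))
        # 4. a never-seen file the user declines -> quarantined and gone from its path
        other = os.path.join(d, "other.exe")
        with open(other, "wb") as f:
            f.write(b"x")
        results.append(check_file(store, key, other))
        results.append(handle_unknown(store, key, other, q, lambda p: False))
        results.append(os.path.exists(other))
        save_store(store, os.path.join(d, "allowlist.json"))
    return results


if __name__ == "__main__":
    print(demo())
```

Binding the path into the HMAC is what makes "hash of the file and its directory path" meaningful: an approved binary copied to a new location is treated as unknown and prompts again, and an attacker who can edit the allowlist but not read the key cannot bless a replaced file. The scheme still has the limitation the post itself notes: it only works as well as the user's answer at the prompt.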
