win32/hatu trojan found in norton files

hi all,

my wife just bought norton antivirus 2004 because her NOD license ends this month and she likes the norton interface better . while she was installing norton, NOD found a win32/hatu trojan in LRsetup.exe and LUsetup.exe, which my wife says are for live register and live update in norton.

i went to the NOD site, and apparently, the signature for win32/hatu was added in today's update (1.525). now my wife thinks NOD is trying to tell her something

i thought this was funny, but obviously it's a false alarm that the people at eset should know about. the files are 1.5 and 2.5 mb respectively. should these be sent to eset? if so, can someone pls give me the addy.

thanks

 

Hi CrazyM,

Please send the files to support@eset.com

rgds,
Martin

 

Hi all - chiming in with my two cents here. We are seeing the same messages after the latest virus pattern update. Oddly enough, it's popping up when we access files that have been on a static server for at least months, sometimes years. Although it DID pop up on a norton file, it also registered on a Macromedia update executable, along with 3 other install/update files.

Do we have a bug in the last pattern update? My research showed that this is an old Trojan.

Any help would be appreciated.

 

Hi there,

well - the scanner found 4 "Hatu-Trojans" on my disks -
and they are all bought program-files (installation-files)

I have doubts that these alarms are correct.

So: what should I do ? Until now I have renamed them / put them
into quarantine.

@Martin: sending these files (if possible) to: support@eset.com
or samples@eset.com ?

Thanks for any advice

Kind regards ,
Hank

 

I have false posuitives too..

 

Join the club. I have multiple positives in IBM driver file executables that I downloaded a good while back. Same symptoms, W32.Hatu found, etc.

 

This blunder will anger many NOD users. It sure made me angry.

Faffy

 

I have to withdraw my previous complaint. Five seconds after I posted my previous message, my NOD update informed me that it had updated its virus protection database to 1.526. After a quick scan of the previously "hatu" infected files showed no signs of infection.

Well done ESET!! That was a quick fix. My trust is restored .

Faffy

 

HouseCall shows that my system is clean..
I got the update and everything is back to normal now

 

Be sure, it WILL happen again. No AV/AT developer can guarantee that they created an unique signature.
Dolf

 

My sister got the same warnings on 7 files and went into a panic. I scanned her drive with KAV and found nothing. The common denominator was that they were all InstallShield files, so I figured it was a bug in the update. I was about to e-mail ESET when another update came down that fixed it.

 

Hm - it seems (!) to make sense but taking another scan-engine is not my philosophy.
I am trusting in NOD because I think this is the best one.
So: If NOD finds a virus simply because it's better than other programs which did not detect this virus - should I then be in doubt or believe in the other scan-result ?
How many scanners should be installed feeling secure ?

But I have to admit that I was a little bit angry about the hatu-detection.Because one day before the same thing happened with Win32/Flooder... on my machine.
A little bit much within two days.............

 

G'day All,
For what it is worth, using 1.526 and it is still detecting the Win32Hatu trojan. In fact it is getting worse, as it started with only two or three files, NovaBackup and MailMarshall installers, and has now migrated to Macromedia Flash and Dreamweaver.
Interestingly it is only Amon, not the on-demand scanner......
Hope Eset fix it before Monday, when most of my clients will discover it <sigh>.
I think I'll turn the mobile off......

Rgds Ben.

 

Hello,

we apologize you all for the inconvenience. The false positives were remedied in the following update as soon as they had been reported to us.

As to the problem AMON still detecting these FP though the on-demand scanner isn't, I presume that you have the option to perform instant virus signature database update in AMON setup disabled. Otherwise, the on-demand scanner would have detected the FP too. Please check this setting and the AMON status window to see what version AMON uses.


Mark

 

G'day Marcos,
Thanks for the inofrmation(And the fast response, should have stayed online longer <grin>). I had assumed that Amon would automatically update, and didn't realise that it could use an older version of the signature files, out of sync with the Control Centre....
The curious thing now is, that function "to auto update amon", was enabled. Yet it was still using 1.525.
I have re-booted and checked the versions and they are all now 1.526. The only possible explanation I can give is that perhaps the Amon alert window was active at the same time that the update came through? Is there any way to "force" an update to Amon other than to re-boot?
I didn't re-boot earlier as I get nervous re-booting when a potential virus is about. While I think of it, since Microsoft are talking about working Phoenix to insert their code in the Bios, perhaps Eset should do the same, and produce the ultimate AV protection?

Thanks for your help.
Cheers Ben.