Norton 2000 and KLEZ

Discussion in 'other anti-virus software' started by Morgan Cason, May 17, 2002.

Thread Status:
Not open for further replies.
  1. Morgan Cason

    Morgan Cason Guest

    Greetings all! About two weeks ago I forwarded a suspicious email from my Yahoo account to my ISP email account so I could scan for a virus. At the time, I did not have Norton set up to scan incoming mail and saved the attached msg normally. The few times I've been hit with a mail-borne virus, Norton has issued a virus "alert" and you delete or quarantine and go on your merry way. However, when I right clicked and scanned this attachment, Norton said I was "INFECTED". I closed the scan and deleted the saved file, but klez had rendered part of Norton useless. I have reinstalled Norton 2000 and independent online scans have declared my pc clean.

    I have always assumed one could save (not open!) an attachment and scan with an AV safely, but my confidence in this practice is really shaken now.

    I would appreciate your thoughts.

    Regards,

    Morgan Cason
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    Hi.

    From http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html#technicaldetails :

    If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at

    http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

    So as you will understand, applying this patch is of the utmost importance.
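
A header-only check that can be run on a saved message without opening it in a mail client, as an added example that is not part of the original thread. The bulletin linked above (MS01-020) concerns incorrect MIME headers, so the code flags parts whose declared type is passive (audio, image, text) while the file name is executable; the extension list, the function name and the sample message are assumptions constructed here.

```python
import email
import os
from email import policy

# Extensions Windows runs directly (an assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com"}
# Declared major types a mail client would render or play rather than run.
PASSIVE_MAJOR_TYPES = {"audio", "image", "video", "text"}

# Constructed sample: a mail forwarded as an attachment; the inner message
# has a part declared as audio whose file name is executable.
SAMPLE_EML = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="forwarded.eml"

Subject: constructed inner message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/plain

placeholder body
--inner
Content-Type: audio/x-wav; name="sample.exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--inner--
--outer--
"""

def suspicious_parts(raw_bytes):
    """Return (filename, declared_type) for parts whose declared type is
    passive but whose name is executable. Only headers are read."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also descends into message/rfc822
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name.lower())[1]
        passive = part.get_content_maintype() in PASSIVE_MAJOR_TYPES
        if ext in EXECUTABLE_EXTS and passive:
            findings.append((name, part.get_content_type()))
    return findings
```

A hit means the message deserves handling on an isolated machine; an empty result does not mean the file is clean.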
     
  3. Morgan Cason

    Morgan Cason Guest

    Hello and thank you for the reply. I should have gone into more detail. I use Calypso for email with no preview pane and HTML is turned off.

    Funny thing is Yahoo does not show an attachment. I forwarded the mail as an attachment and saved it from Calypso.

    Regards,

    Morgan Cason
     
  4. Morgan Cason

    Morgan Cason Guest

    I'm ready to answer my own question.......I think. No, under some circumstances it is not safe to even save a file for virus scanning, at least where said virus is klez and said AV is Norton 2000. From now on Morgan, if you wish to keep Norton 2000, have it scan all incoming mail and maybe use F-Prot for DOS as a good "on demand" scanner. Also the common sense stuff....keep virus defs up to date and by all means, practice "safe hex" annnnnnnnnnnd the next time you want to help somebody figure out a virus by saving one to your own PC, DON'T DO IT.
    Thanks Morgan
    U R Welcome Morgan
    Cheers, all.
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Morgan,

    At the moment, we are testing vSweeper; here's a copy and paste from (the relevant part of) the email concerning this service:

    I've bolded an interesting part; a fully licensed copy from the latest KAV anti-virus as a bonus.

    Can't comment on the service yet, since the testing has just recently started. KAV on the other hand does not need any introduction!

    regards,

    paul
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    lol! Morgan, you've got a great sense of humor, I'll give you that!

    "At the time, I did not have Norton set up to scan incoming mail and saved the attached msg normally."

    That, coupled with the fact that perhaps your defs weren't up-to-date, is probably what caused the problem then.

    If no one's already said so - welcome to the forum! See how much you've learned here already?  :D  Pete
     
  7. Morgan Cason

    Morgan Cason Guest

    Hello Paul and Pete! Thanks for the replies and information.

    Paul, I look forward to the test results of vSweeper.

    Pete, my virus defs are always up to date. I have found in different newsgroups that a lot of people like me think that one can save (NOT OPEN!) an attachment and then scan the attachment.......thinking the worst that can happen is the attachment is infected and your AV can delete or quarantine or repair...etc ....the bad file and then you go on to the next whatever.

    My point is that I feel Norton did not protect me by giving me an "alert", but told me I was screwed and "infected", this without me opening the attachment and only saving it.

    Whew! All this hunt and peck makes me thirsty. I think I'll head down to the pub. :)

    Bye for now and I wish you guys well.

    Morgan Cason
     