Virus, is it a false alarm?

Discussion in 'malware problems & news' started by Question!, Mar 28, 2003.

Thread Status:
Not open for further replies.
  1. Question!

    Question! Guest

    I am using WinXP home, sp1, with all updates applied.

    I have the latest virus definitions and use NAV 2003.

    My wife was searching randomly on google and clicked on a random website URL that appeared as a search result. As soon as she clicked the link, NAV popped up sayin that a virus was detected in temporary internet files.

    HTML.Redlof.A

    It said that it could not repair the file, and access was denied, and it could not quarantine.

    I researched the virus, it looks like it uses an exploit on windows systems to somehow use the ActiveX and make changes on your computer.

    Anyhow, I did a little more research and found a list of symptoms of the virus, and I can find none of these on my computer, none of the altered files, or the new files it was supposed to create.

    When I run NAV it does not detect anything, ONLY when that website is visited.

    Is it possible the virus was in the temporary internet file, but could not activate because I have the patch on my computer that fixes that exploito_O

    Please help,
    John Collins
    jcollins1973@yahoo.com
     
  2. controler

    controler Guest

    I am guessing you have
    enable script blocking enabled.

    If for some reason a person has put even the text of script that
    is in Nortons DEF's then Norton will kick off an alarm

    In other words, a person can copy the exact script in text form to a web page and even though that same script is harmless, Norton will still kick off. This alone tells you something is fishy
    Now if you were to copy that script to NOTEPAD for instance and save the file as say VBS, EXE ect .. then you would now have a ligit
    nasty that could cause damage.
    On the other hand, if there is truly active X script encoded into the web page, that would be harmfull also and Norton should still kick off a warning
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,838
    Location:
    New England
    Hi John,

    To carry forward a bit further on what controler has said, if this is the real HTML.Redlof.A, then NAV most likely caught it so that it did not run. (It did prevent access, as you stated.) This is why you don't find any of its characteristic system changes, such as registry entries or other copies of it in the documented known locations on your system.

    Now, there are many situations where a piece of malware could end up in your Internet webpage cache, (the TIF, if using IE) - after all, in order to view web pages, all the elements from the page must download to your PC in order to be rendered in the browser window.

    "On-access" virus scanners like NAV will catch a piece of malware as the file is written to the cache. They will alert you, prevent access to the file, and killed it right at that point, which is why it couldn't quarantine it either. This is a typical case and people often end up scratching their heads wondering where the virus went.

    This all assumes it was the real virus. As controler mentioned, there are also cases where a known signature of a virus is contained in a web page and that itself could trigger the alert. But, it isn't the real or whole virus at all. Again, access is prevented and the temporary file passes out of existence before you can run a full scan to find it.

    Hope that helps,
    LowWaterMark
     
  4. John Collins

    John Collins Guest

    It's odd, because when I visit the webpage, Norton fires up, and locates the infected file path as my temporary internet files, which does mean, I think, that the infected file is on my harddisk. But a scan will not pick it up.

    Is there anyway to find out if its on my harddrive besides NAV?

    John
     
  5. John C.

    John C. Guest

    Another thing, isnt this virus only supposed to infect systems that do not have the MS patch?

    John
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,838
    Location:
    New England
    As the file is first created in the cache, the on-access scanner catches it, shows you the path to it (in the TIF), but kills the file right then and there. Subsequently, you will not be able to find the file - it is already gone.

    As to getting infected - you weren't ever infected. NAV saw the signature of the virus and caught it. There is a difference between scanning and eliminating a virus file and actually being infected by the virus. You weren't ever infected, so being patched has nothing to do with it. Any system, even a patch one, can see the signature of a virus in a file. We still don't know if it was the real virus or just a false / partial signature.
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,838
    Location:
    New England
    Ah, missed this one. You can also use an Online Virus Scanner, such as the one at Panda, for a second opinion. There is a link to it on our Free Services (link) page.
     
  8. John C..

    John C.. Guest

    What is anyones opinion on the effectiveness and accuracy of NAV 2003?

    Any better suggestions? I'm open.

    I only use NAV 2003, and XP Home's builtin firewall.

    John
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    John, asking opinions and additions can result into a copy of the whole forum as replies to you!
    I mean: each has their own preferred software and solutions. Generally spoken i love layered protection and second opinions.
    Which means: as long as NAV doesn't conflict with next security items you might like to try out and add to your system, keep them together.
    You see i'm a mod for the DCS products, so you can guess where i would suggest you visit to have at least an impression and maybe even downloads for their evaluation versions. These are specialists in anti-trojans and anti-worms, registry protection, etc etc.
    You might get other people's suggestions to add more firewall capacity (if DCS had one at the moment in their tools i would not even mention other possibilities :) ... probably)
    I would mention many users look at special specialist anti-virus software working nicely together with all mentioned already, like NOD32.
    You will get replies to look at the JavaCool tools to protect against all the spyware and for file integrety, etc.
    Soooooooooooooooooooooo....... look out for asking advice what to add!
    Start looking and do LOTS of looking and shopping around, ask questions, people's opinions, try out tools recommended in this forum, make sure you download them from links here or the mentioned developers sites, etc.
    Lots to discover and to enjoy, but adding to your internet security and enjoyment for sure!
     
  10. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    My opinion: It's excellent. One of the best you can get. There are other solutions that are just as good, or better--but you can probably count them on less than one hand.

    FYI, I'd also like to chime in here to echo above posts--NAV works well at killing bugs in memory before they have a chance to do anything--it has killed NIMDA many times for me in this way.
     
Loading...
Thread Status:
Not open for further replies.