win32/hatu trojan found in norton files

Discussion in 'NOD32 version 2 Forum' started by crazy1, Oct 3, 2003.

Thread Status:
Not open for further replies.
  1. crazy1

    crazy1 Guest

    hi all,

    my wife just bought norton antivirus 2004 because her NOD license ends this month and she likes the norton interface better :rolleyes: o_O. while she was installing norton, NOD found a win32/hatu trojan in LRsetup.exe and LUsetup.exe, which my wife says are for live register and live update in norton.

    i went to the NOD site, and apparently, the signature for win32/hatu was added in today's update (1.525). now my wife thinks NOD is trying to tell her something :)

    i thought this was funny, but obviously it's a false alarm that the people at eset should know about. the files are 1.5 and 2.5 mb respectively. should these be sent to eset? if so, can someone pls give me the addy.

    thanks
     
  2. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Hi CrazyM,

    Please send the files to support@eset.com

    rgds,
    Martin
     
  3. Jane Sweatt

    Jane Sweatt Guest

    Hi all - chiming in with my two cents here. We are seeing the same messages after the latest virus pattern update. Oddly enough, it's popping up when we access files that have been on a static server for at least months, sometimes years. Although it DID pop up on a norton file, it also registered on a Macromedia update executable, along with 3 other install/update files.

    Do we have a bug in the last pattern update? My research showed that this is an old Trojan.

    Any help would be appreciated.
     
  4. Hank

    Hank Registered Member

    Joined:
    Jan 8, 2003
    Posts:
    31
    Location:
    good old europe
    Hi there,

    well - the scanner found 4 "Hatu-Trojans" on my disks -
    and they are all bought program-files (installation-files)

    I have doubts that these alarms are correct.

    So: what should I do ? Until now I have renamed them / put them
    into quarantine.

    @Martin: sending these files (if possible) to: support@eset.com
    or samples@eset.com ?

    Thanks for any advice

    Kind regards ,
    Hank
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Gents,

    This looks like a false positive. Eset has been informed in the meanwhile (unfortunately it's Friday evening at HQ).

    Please do not delete the flagged files, but stash them for the time being.

    Samples can be sent to samples@eset.com

    regards.

    paul
     
  6. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    I have false positives too.. o_O o_O o_O
     
  7. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    Join the club. I have multiple positives in IBM driver file executables that I downloaded a good while back. Same symptoms, W32.Hatu found, etc.
     
  8. faffy

    faffy Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    23
    This blunder will anger many NOD users. It sure made me angry. o_O

    Faffy
     
  9. faffy

    faffy Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    23
    I have to withdraw my previous complaint. Five seconds after I posted my previous message, my NOD update informed me that it had updated its virus protection database to 1.526. A quick scan of the previously "hatu"-infected files showed no signs of infection.

    Well done ESET!! That was a quick fix. My trust is restored. ;)

    Faffy
     
  10. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    HouseCall shows that my system is clean.. :D
    I got the update and everything is back to normal now :D :D :D
     
  11. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Be sure, it WILL happen again. No AV/AT developer can guarantee that they created a unique signature.
    Dolf
     
  12. SaracenBlade

    SaracenBlade Guest

    My sister got the same warnings on 7 files and went into a panic. I scanned her drive with KAV and found nothing. The common denominator was that they were all InstallShield files, so I figured it was a bug in the update. I was about to e-mail ESET when another update came down that fixed it.
     
  13. Hank

    Hank Registered Member

    Joined:
    Jan 8, 2003
    Posts:
    31
    Location:
    good old europe
    Hm - it seems (!) to make sense, but taking another scan engine is not my philosophy.
    I am trusting in NOD because I think this is the best one.
    So: if NOD finds a virus simply because it's better than other programs which did not detect this virus - should I then be in doubt or believe in the other scan result?
    How many scanners should be installed to feel secure?

    But I have to admit that I was a little bit angry about the hatu detection. Because one day before the same thing happened with Win32/Flooder... on my machine.
    A little bit much within two days.............
     
  14. beng

    beng Guest

    G'day All,
    For what it is worth, using 1.526 and it is still detecting the Win32Hatu trojan. In fact it is getting worse, as it started with only two or three files, NovaBackup and MailMarshall installers, and has now migrated to Macromedia Flash and Dreamweaver.
    Interestingly it is only Amon, not the on-demand scanner......
    Hope Eset fix it before Monday, when most of my clients will discover it <sigh>.
    I think I'll turn the mobile off......

    Rgds Ben.
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    Hello,

    we apologize to you all for the inconvenience. The false positives were remedied in the following update as soon as they had been reported to us.

    As to the problem of AMON still detecting these FPs though the on-demand scanner isn't, I presume that you have the option to perform an instant virus signature database update in AMON setup disabled. Otherwise, the on-demand scanner would have detected the FP too. Please check this setting and the AMON status window to see what version AMON uses.

    Mark
     
  16. beng

    beng Guest

    G'day Marcos,
    Thanks for the information (and the fast response, should have stayed online longer <grin>). I had assumed that Amon would automatically update, and didn't realise that it could use an older version of the signature files, out of sync with the Control Centre....
    The curious thing now is that the function "to auto update amon" was enabled. Yet it was still using 1.525.
    I have re-booted and checked the versions and they are all now 1.526. The only possible explanation I can give is that perhaps the Amon alert window was active at the same time that the update came through? Is there any way to "force" an update to Amon other than to re-boot?
    I didn't re-boot earlier as I get nervous re-booting when a potential virus is about. While I think of it, since Microsoft are talking about working with Phoenix to insert their code in the BIOS, perhaps Eset should do the same, and produce the ultimate AV protection?

    Thanks for your help.
    Cheers Ben.
     