Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

19.1.0.28: undetected rootkit sample submission offer


On one of my computers I installed NIS 19.1.0.28. The computer has no internet connection, so I cannot update it; as far as I know, I can only update the virus definitions file (and that is all???)

( http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=n95 )


On that machine I have an undetectable rootkit, detected by GMER (highlighted red with "hidden service" and close to the "svchost.exe -netsvc" process); exactly this process in %windir%/system32 is Norton trusted.


HitmanPro displays a note that something has direct access to the HDD, and usually that is a threat.

Probably it is not a new rootkit (connections between the computers are only by local network, USB sticks and CD/DVD discs).


The rootkit is detected by that software while the non-updated NIS (virus definitions only) is running.


Does Symantec need this sample? What should I do to catch it on that machine and transfer it to you with a tracking number later?


From the Team: an offer of instruments and tactics for catching the sample; from me: the submitted sample.


---

WinXP, SP: unknown, probably 2, 32-bit

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Re: 19.1.0.28: undetected rootkit sample suggestion offer

Heuristics are set to auto mode, SONAR: aggressive, and aggressive boot-time protection, using non-smart definitions.

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Re: 19.1.0.28: undetected rootkit sample suggestion offer

No need for it? So can I reinstall Windows?

Regular Contributor
DarkSta
Posts: 325
Registered: ‎07-07-2011

Re: 19.1.0.28: undetected rootkit sample suggestion offer

How about just submitting the samples and reinstalling Windows? What's the name of the infected file? I believe svchost.exe is a legitimate process.

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Re: 19.1.0.28: undetected rootkit sample suggestion offer

svchost.exe is Norton trusted, as I said; I think it is not infected. I will not repost all I wrote about what HitmanPro and GMER said about my situation; you can see it above. I need instruments and tactics if Symantec wants to get the sample. If not, I cannot force them to do that; it is not for my situation, and I will just understand that. I will reinstall Windows anyway, to be away from anything else undetected, if there is any.

Regular Contributor
DarkSta
Posts: 325
Registered: ‎07-07-2011

Re: 19.1.0.28: undetected rootkit sample suggestion offer

What I mean is that you could upload the file to Norton via the "report a suspected file" page. In addition, you could save the file by attaching it to an email, to send to Norton if they need it. You could also upload it to VirusTotal to see what other A/V think.

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Re: 19.1.0.28: undetected rootkit sample suggestion offer


Are you kidding, giving methods of submission? :)

I need instruments and tactics for how to get the sample.

Super Spam Squasher
Bombastus
Posts: 1,686
Registered: ‎11-16-2009

Re: 19.1.0.28: undetected rootkit sample suggestion offer

People seem to think that you have an infected computer and need help cleaning it. :)

Nerimash
Posts: 218
Topics: 20
Kudos: 23
Ideas: 0
Solutions: 4
Registered: ‎02-25-2011

Re: 19.1.0.28: undetected rootkit sample suggestion offer

... but it's not true :smileyhappy:

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Re: 19.1.0.28: undetected rootkit sample suggestion offer


Here are the snapshots illustrating the situation described:

Attachment: Безымянный1.png

Attachment: Безымянный2.png


HitmanPro (my translation): Presence of an "invisible" HDD driver detected. In most cases this means a rootkit is present.


Attachment: Безымянный3.png


Attachment: Безымянный5.png


Copied from the infected machine, atapi.sys:


Attachment: untitled.PNG


Other files flagged by HitmanPro:

pivot.sys - Norton trusted file

pivotmou.sys - Norton trusted file

sondman.exe - Norton trusted file

The others listed are just plugins for Total Commander (they can be infected, but probably none of them is a rootkit, at most a trojan horse).


---

All files taken for further analysis were gathered via the usual Explorer.exe. Maybe the real atapi.sys or svchost.exe was hidden from direct access, and instead of them the rootkit served clean files to cover up the fact of infection?
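The concern raised in the last post, that a kernel rootkit filtering file I/O can hand Explorer a clean-looking atapi.sys while the bytes on disk differ, is exactly what a cross-view comparison checks: hash the driver directory once from the running system and once from the same disk booted offline (clean CD or the drive attached to another machine), then diff the two views. The script below is an added example, not code from the thread or from GMER/HitmanPro; the capture dictionaries and their contents are constructed placeholders, and `capture_directory` is a hypothetical helper for a real run.

```python
"""Cross-view diff of a driver directory: live (in-OS) capture vs offline capture."""
import hashlib
import os
from typing import Dict, List, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_capture(capture: Dict[str, bytes]) -> Dict[str, str]:
    # Windows file names are case-insensitive, so normalise before comparing.
    return {name.lower(): sha256(data) for name, data in capture.items()}


def capture_directory(path: str) -> Dict[str, bytes]:
    """Read every regular file in `path` into memory (hypothetical helper for a real run,
    e.g. once on the live system and once on the offline-mounted copy of system32\\drivers)."""
    out: Dict[str, bytes] = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                out[name] = fh.read()
    return out


def cross_view_diff(live: Dict[str, bytes], offline: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (file, finding) pairs wherever the live and offline views disagree.
    A file present offline but absent live, or with differing content, is the
    signature of I/O filtering by a rootkit and is worth pulling from the offline copy."""
    live_h, off_h = hash_capture(live), hash_capture(offline)
    findings: List[Tuple[str, str]] = []
    for name in sorted(set(live_h) | set(off_h)):
        if name not in live_h:
            findings.append((name, "hidden from live view"))
        elif name not in off_h:
            findings.append((name, "only in live view"))
        elif live_h[name] != off_h[name]:
            findings.append((name, "content differs between views"))
    return findings


# Constructed sample captures (placeholder bytes, not real driver images).
LIVE_VIEW = {"atapi.sys": b"MZ clean-looking atapi", "pivot.sys": b"MZ pivot"}
OFFLINE_VIEW = {"atapi.sys": b"MZ patched atapi", "pivot.sys": b"MZ pivot", "hidden.sys": b"MZ stub"}

if __name__ == "__main__":
    for name, finding in cross_view_diff(LIVE_VIEW, OFFLINE_VIEW):
        print(f"{name}: {finding}")
```

Files reported as differing or hidden should be collected from the offline view, since that copy was read without the suspect kernel in control.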