
W32Koobface virus?

This morning I noticed in my Norton history the following

Risk

HTTP W32 Koobface File Download

Attacking computer-

 MY PC

Destination

72.191.xxx.xx   Port 80

Action taken

Blocked

So does this mean my computer tried to download the koobface virus to IP address 72.191.xxx.xx  ?

My Norton scan came up clean. I ran Malwarebytes which also came up clean

Is this just a mistake?

Or is it a "flip flopped" reading and it should really show that the attacking computer was 72.191.216.58 and my Norton blocked it from downloading on my PC?

I use Norton Antivirus 2008 ( I'm waiting for 2010 to come out into the stores)

So could it be that NAV2008 has the alert flipped flopped?

I wonder why the Norton scan and malwarebytes scan would not detect the virus on my system, yet stop it from going out?

I think I read on here in the past that some alerts may "show" reversed, where the attacking computer reads the owner PC, when it is really the remote IP address

Any help is appreciated

Thanks

Message Edited by Calls on 10-07-2009 06:42 AM

Replies

Kudos0

Re: W32Koobface virus?

This is an IPS Detection, which means: you opened a website that is known to Norton as a malware website. The opening of the website has been blocked.

Kudos0

Re: W32Koobface virus?

So is the alert message reversed? And should it read that the IP address 72.191.xxx.xx was really trying to download on my PC and not my PC trying to download to that IP address?

Because the way it currently shows, it looks like I'm trying to infect that site

confusing

Kudos0

Re: W32Koobface virus?


Calls wrote:

This morning I noticed in my Norton history the following

Risk

HTTP W32 Koobface File Download

Attacking computer-

 MY PC

Destination

72.191.xxx.xx   Port 80

Action taken

Blocked

So does this mean my computer tried to download the koobface virus to IP address 72.191.xxx.xx  ?

My Norton scan came up clean. I ran Malwarebytes which also came up clean

Is this just a mistake?

Or is it a "flip flopped" reading and it should really show that the attacking computer was 72.191.216.58 and my Norton blocked it from downloading on my PC?

I use Norton Antivirus 2008 ( I'm waiting for 2010 to come out into the stores)

So could it be that NAV2008 has the alert flipped flopped?

I wonder why the Norton scan and malwarebytes scan would not detect the virus on my system, yet stop it from going out?

I think I read on here in the past that some alerts may "show" reversed, where the attacking computer reads the owner PC, when it is really the remote IP address

Any help is appreciated

Thanks

Message Edited by Calls on 10-07-2009 06:42 AM

You can actually update to NAV2010 now for free by going to

www.symantec.com/nuc

Really though you should be running with NIS 2010 to give you a great firewall and AV protection.

We look forward to the time when the Power of Love will replace the Love of Power. Then will our world know the blessings of peace. ~William Ewart Gladstone
Kudos0

Re: W32Koobface virus?

actually I plan to update to NIS2010 once it hits the local store 

But until then, can anyone clarify the situation I have? We clicked on something on Facebook that we probably should not have, so that may have been what attempted to download the virus.

 

But if you read the alert as I had noted in the original post, it appears like MY PC is trying to infect the IP address noted. Is that true? Or is it just posted in the log incorrectly?

 

I think I read in past postings a long time back that sometimes the alert sometimes comes out reversed when it really means the IP is attacking MY PC  

So does the alert mean that MY PC is the attacking computer???

 Or is the message inadvertently reversed and it is really saying that MY PC was attempted to be attacked by the IP address noted and that my Norton blocked this? 

As I said, it would be odd that my Norton would block my PC from attacking another, yet let my PC get infected. Plus malwarebytes and Norton scans show no infected files

 I just need to clarify is the koobface coming out of my PC to attack other IPaddresses? Or was the attempt made to infiltrate my computer but stopped by Norton?

 

At this point, if anyone can help. Can one of the Norton people help me? Many thanks in advance

Message Edited by Calls on 10-07-2009 03:28 PM
Kudos0

Re: W32Koobface virus?

I guess what I'm really asking is

could it be that the worm protection alert log and history log for Norton Antivirus 2008 sometimes has the attacker and the target reversed when the logging takes place?

because if my PC is the target, then it appears Norton protected me.

 But if my PC is the attacker, then it appears like we have the koobface virus? But all scans show clean so I'm confused

But I will await feedback, as this could be no problem at all

Thank you everyone in advance.

Message Edited by Calls on 10-07-2009 03:39 PM
Kudos0

Re: W32Koobface virus?

I'd recommend looking at the HTTP W32 Koobface File Download: Attack Signature for details on the Intrusion.

Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]
Kudos0

Re: W32Koobface virus?

Hi

Have you tried Full Scans with Malwarebytes and / SuperAntispyware Free, Updated definitions and then Full Scans?

Quads 

Kudos0

Re: W32Koobface virus?

Thanks Red. I have looked at this. But I'm still not understanding if MY PC is the attacker or the target. I think my question is along those lines of how the log noted it.

I have searched old posts and have found some items talking about how the attacker/target directions have been reversed before.

Is this still sometimes the case? Is there a way I can fix it or is it just a sometimes default with NAV2008?

As long as it is just an error with the directions being switched, I'm cool with that

Maybe It would be best for me to post another topic specific to the logging question?

Message Edited by Calls on 10-07-2009 04:21 PM
Kudos0

Re: W32Koobface virus?

Quads - yes, I have done full scans with both Norton and Malwarebytes
Kudos1 Stats

Re: W32Koobface virus?

Risk

HTTP W32 Koobface File Download

Attacking computer-

 MY PC

Destination

72.191.xxx.xx   Port 80

Action taken

Blocked

I interpret the above as saying Koobface at destination 72.191.xxx.xx   Port 80 was blocked attempting to attack MY PC.

Go NAV!!

Message Edited by planet on 10-07-2009 08:23 PM
Kudos1 Stats

Re: W32Koobface virus?

Hi, Calls,

Your computer should be okay as this Attack was Blocked; what were the Scan Results from Norton and Malwarebytes'?

Good to see you're going to Upgrade to N.I.S. 2010...

Kudos0

Re: W32Koobface virus?

Red and Planet- thanks for responding. I'm glad to see that it was blocked , but doesn't the way the alert reads seem to indicate that My computer was the "attacker"? Or am I misreading this?

Risk

HTTP W32 Koobface File Download

Attacking computer-

 MY PC

Destination

72.191.xxx.xx   Port 80

I know that IP 72.191.xxx.xx is that type of webpage you see on facebook requesting you download some video player (which we did not)

So it makes me think that the IP address 72.191.xxx.xx is the attacker. But it is not listed in the alert as the attacker

I think that is the part that I'm not understanding

Message Edited by Calls on 10-08-2009 03:55 PM
Kudos1 Stats

Re: W32Koobface virus?

Hi, Calls,

If your computer is the Attacking Computer, that means that Norton has Blocked a Drive-By Download, which means that someone was taking advantage of your Browser and tried to Download and Install a Threat on your computer.

Kudos0

Re: W32Koobface virus?

Thanks Red, what about why it shows the destination address as not my IP address but the address of the site that is most likely the source of the koobface virus?

Also, I don't know if this will help clarify things, but I may have left off the full notification as shown in my history log

(don't know how to submit a screen shot without showing my IP address)

Here is what shows:

Security History

Internet Worm Protection

 

Level                Title

High                 An Intrusion attempt by MY-PC was blocked

 

I think I partially understand it, but have a few bits of confusion

 

1. Why is the destination address the address of the infected link?

2. So does this mean the koobface virus is on my machine and tried to activate?

 

 

 

So again I wonder if the logging was reversed

I'm still using NAV2008 so maybe that was a bug in the logging?

Sorry to be so dense. Please be patient with me. Maybe it is just an issue that I'm not understanding how to properly read the alert

Message Edited by Calls on 10-09-2009 06:28 AM
Kudos0

Re: W32Koobface virus?

Hi,

Is there any I.P. Address in the Destination Address, or is it just the Web Link?  Because this is a Drive-By Download, the Destination would be the Web Site as this was something being Downloaded by the Web Site, because the Web Site is the Target and any users on it.

Kudos0

Re: W32Koobface virus?

yes there was an IP address in the destination on the alert

Destination

72.191.216.5x   Port 80

The IP was in my browser history and when I expanded the entry there was a link, and if you click on the link you get that some video was trying to download and you needed to get a player update to see the video. We did not click the need player link

So on a drive by, the attacking computer would be ones own PC??

So bottom line, does this all appear that I have the

HTTP W32 Koobface virus?

Or was this "driveby" just trying to get me to download it?

so bottom line, does it appear that I'm infected with the koobface virus? Or was there an attempt to download it on my computer and it was stopped?

My guess is that if my Norton stopped the drive by, that if I actually had the virus Norton would detect that on my computer too right?

Kudos0

Re: W32Koobface virus?

By the way, my Norton full system scan and Malwarebytes full system scan came up clean. If I had the koobface virus, they would detect that, right?
Kudos0

Re: W32Koobface virus?


Calls wrote:
By the way, my Norton full system scan and Malwarebytes full system scan came up clean. If I had the koobface virus, they would detect that, right?

Hi, Calls,

Like I mentioned before, Norton Blocked this Intrusion Attack and your computer is safe.  If something was on your system, the chances of Norton or Malwarebytes' Detecting it are quite high as both Products will use slightly-different Signatures.  Is your computer Running normally, or is it Running slower-than-usual?

Message Edited by Floating_Red on 10-09-2009 11:38 PM
Kudos0

Re: W32Koobface virus?

The computer seems to be running just fine. I'm able to get Norton def updates and Microsoft updates without issue. It also appears that the inbound firewall/intrusion prevention of NAV2008 is working, as I see entries that indicate "unused port blocking has blocked...."

My Norton scans just pick up tracking cookies and all the check marks for protection show green

I guess I just may not be understanding what is meant by

Attacking Computer- MY PC

maybe I just read that wrong.

Red - It is not saying that my computer has the koobface virus and is trying to attack IP 72.191.216.5x, is it? I'm hearing you that it is NOT my computer trying to infect some other IP (especially since this 72.191.216.5x seems to spawn the alert when you click on the link associated with it)

In fact, it seems the only time that the alert got spawned was when a family member clicked the link (but luckily did not fall for the "you need to install this video player" part). I clicked the link myself and it spawned another alert

Kudos1 Stats

Re: W32Koobface virus?

When you Download something from the Internet, the Traffic is In-coming to your P.C. and it Installs software on your Hard Drive.  Because this Attack was via your Internet Browser, and because the Connection was In-coming, Norton thinks that your computer is trying to Attack it-self because of this Drive-By Download Attack.  And the Destination Address was obviously your computer.  I'd be happy to be corrected if this is in-correct in any way.

As mentioned in that Web Link I provided earlier in this Thread, this Threat spreads via Networking Web Sites.  When you went to that Web Site, the Attack probably set-up this Attack to see if the user was using security software.  If it was Blocked - which in your case it was - the Attacker has put in a second chance of getting someone to Download a Mis-Leading Application and probably along with other Threats as well, via that "you need to Update to [such-and-such Player] to view the video".  Glad you got the Intrusion Alert.  If you had N.I.S., then Phishing Protection would have told you that the Web Site you were on was Un-Safe, although, not every Web Site is caught with every Signature Update.

I hope this answers your question somewhat; please let me know if it doesn't.

Kudos0

Re: W32Koobface virus?

thank you Red, it helps me clarify a lot.

So because the attempt went through via my browser, the alert indicated that it was my PC.

But just to understand, that doesn't mean my PC has the koobface virus, right? Just that it attempted to download via my browser, but was stopped?

So that is why when I do the Norton and Malwarebytes scan, I do not see the koobface virus, because it did not make it on my computer?

Am I now understanding correctly?

So it IS NOT as some have told me, the virus trying to "phone home"?

Message Edited by Calls on 10-09-2009 04:32 PM
Kudos0

Re: W32Koobface virus?

Just last bit of confirmation that all is well (that I'm not infected and trying to get out), if anyone would like to confirm

Thanks all for your patience with me.

Kudos4 Stats

Re: W32Koobface virus?

Let me confirm that this is an error where the attacker and attackee were reversed in the signatures for 2008 product systems. A fixed signature will be delivered in the next update.
Reese Anschultz
Senior Software Quality Assurance Manager, Symantec Corporation
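
One way to read the alert fields quoted in this thread, as an added example (not Norton's code or logic, and not written by any poster): it parses the Risk / Attacking computer / Destination / Action taken entry and separates who opened the connection from where the payload came from. The sample alert is constructed from the text of the original post; `parse_alert`, `triage`, the local host names and the list of web ports are assumptions made for illustration.

```python
import re

# Constructed sample: the alert fields as quoted in the thread (IP masked as posted).
SAMPLE_ALERT = """\
Risk
HTTP W32 Koobface File Download
Attacking computer-
MY PC
Destination
72.191.xxx.xx   Port 80
Action taken
Blocked
"""

FIELDS = ("Risk", "Attacking computer", "Destination", "Action taken")

def parse_alert(text):
    """Turn the label/value line pairs of the alert into a dict."""
    lines = [ln.strip().rstrip("-").strip() for ln in text.splitlines() if ln.strip()]
    alert = {}
    for label, value in zip(lines[::2], lines[1::2]):
        if label not in FIELDS:
            raise ValueError(f"unexpected field label: {label!r}")
        alert[label] = value
    m = re.fullmatch(r"(\S+)\s+Port\s+(\d+)", alert.get("Destination", ""))
    if not m:
        raise ValueError("Destination is not '<address> Port <n>'")
    alert["dest_addr"], alert["dest_port"] = m.group(1), int(m.group(2))
    return alert

def triage(alert, local_names=("MY PC", "MY-PC")):
    """Separate who opened the connection from where the payload came from.

    Assumption (not Norton's documented logic): a '... File Download'
    signature on a connection the local host opened to a remote web port
    matches content in the server's response, so the payload source is the
    remote address even when the log labels the local host as the attacker.
    """
    local_labelled = alert["Attacking computer"].upper() in local_names
    download_sig = alert["Risk"].lower().endswith("file download")
    web_port = alert["dest_port"] in (80, 443, 8080)
    blocked = alert["Action taken"].lower() == "blocked"
    if local_labelled and download_sig and web_port:
        return {
            "connection_opened_by": "local host",
            "payload_source": alert["dest_addr"],
            "reading": "blocked inbound download" if blocked
                       else "inbound download NOT blocked: scan the host",
        }
    # Anything else (for example a non-download signature with the local
    # host as source) is not resolved by this heuristic.
    return {
        "connection_opened_by": "local host" if local_labelled else "remote host",
        "payload_source": "undetermined",
        "reading": "review manually",
    }

if __name__ == "__main__":
    print(triage(parse_alert(SAMPLE_ALERT)))
```
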
Kudos0

Re: W32Koobface virus?

Thanks, Reese.  I'm sure that will put a lot of minds at ease and stop some head scratching!

Message Edited by dbrisendine on 10-15-2009 06:25 PM
Win10 x64; Proud graduate of GeeksToGo
Kudos1 Stats

Re: W32Koobface virus?


Calls wrote:

Just last bit of confirmation that all is well (that I'm not infected and trying to get out), if anyone would like to confirm

Thanks all for your patience with me.


Hi,

Yes, your computer is secure.  Since Norton Blocked this Attack, your Norton Product has Protected; this is the same for every time Norton Blocks something via Intrusion Detection/Intrusion Prevention Signatures, or via Auto-Protect; (yes, Auto-Protect can Block Files from being Created on your computer).  This is why it is important to keep all your Signatures up-to-date daily.

And since you mentioned that your scans are coming up Clean, it is probably safe to say that your computer is okay. 

Thank-you for your understanding.

Message Edited by Floating_Red on 10-15-2009 11:40 PM
Kudos0

Re: W32Koobface virus?

while not wanting to have even the slightest contact with such virus, it is an EXCELLENT feeling to see that Norton, even the 2008 product, kept me safe!!!!!
