ET WORM TheMoon.linksys.router 1

Just after Norton 360 updated itself to ver. 24.xx on my Win10 notebook, my UDM-Pro’s (security gateway) Unifi Network Security app started reporting and blocking – every single day – this security alert signature: “ET WORM TheMoon.linksys.router 1”
The source IP reported is this Windows 10 notebook (which is running the updated Norton 360) and the destination IP reported is my UDM-Pro gateway IP address, on port 8080.
I’m thinking it’s possible that Norton’s new version 24, or a specific new feature, is triggering these outgoing network probes that my UDM-Pro gateway is mistaking for a worm signature and thus flagging and blocking.
Does the updated version of Norton 360 have a setting for “network scanning” or “vulnerability scanning” that I can adjust or temporarily disable to test? If there’s an option to exclude router IPs or specific ports, that may also help.


Hi there
I am experiencing exactly the same challenge.
Watching the Norton 360 scan schedules and by manually running a Norton 360 scan, I can replicate this. Within a few seconds of running the scan I get an alert, and it shows up in my log file on my Ubiquiti Dream Machine.
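The check described in this post (start a scan, see the alert seconds later) can be run over a whole day of alerts to separate the ones that follow a scan from the ones that do not. This is an added example, not part of the original thread or any vendor's code; it assumes the gateway's alerts can be exported as JSON lines with Suricata EVE-style field names, and every address, timestamp and scan time in it is constructed.

```python
import json
from datetime import datetime, timedelta

SIGNATURE = "ET WORM TheMoon.linksys.router 1"  # alert name quoted in the thread
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"            # EVE-style timestamp (assumed)

# Constructed sample export: every address and time below is made up.
SAMPLE_ALERTS = """
{"timestamp":"2024-10-21T09:00:04.120000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.1","dest_port":8080,"alert":{"signature":"ET WORM TheMoon.linksys.router 1"}}
{"timestamp":"2024-10-21T09:00:09.000000+0000","event_type":"flow","src_ip":"192.168.1.50","dest_ip":"192.168.1.1","dest_port":443}
{"timestamp":"2024-10-21T14:32:10.500000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.1","dest_port":8080,"alert":{"signature":"ET WORM TheMoon.linksys.router 1"}}
{"timestamp":"2024-10-21T21:00:06.030000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.1","dest_port":8080,"alert":{"signature":"ET WORM TheMoon.linksys.router 1"}}
"""
# Constructed scan start times, as noted by hand or taken from the AV scan history.
SAMPLE_SCANS = [datetime.strptime(t, TS_FORMAT) for t in
                ("2024-10-21T09:00:00.000000+0000", "2024-10-21T21:00:00.000000+0000")]


def parse_alerts(text, signature=SIGNATURE):
    """Yield (time, src_ip, dest_ip, dest_port) for alerts with this signature."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("signature") != signature:
            continue
        yield (datetime.strptime(ev["timestamp"], TS_FORMAT),
               ev["src_ip"], ev["dest_ip"], ev["dest_port"])


def triage(text, scan_starts, window=timedelta(seconds=60)):
    """Split alerts into those within `window` after a scan start, and the rest."""
    follows_scan, unexplained = [], []
    for alert in parse_alerts(text):
        near = any(timedelta(0) <= alert[0] - s <= window for s in scan_starts)
        (follows_scan if near else unexplained).append(alert)
    return follows_scan, unexplained


if __name__ == "__main__":
    follows_scan, unexplained = triage(SAMPLE_ALERTS, SAMPLE_SCANS)
    print(f"{len(follows_scan)} alert(s) within 60 s of a scan start")
    for ts, src, dst, port in unexplained:
        print(f"no scan near {ts.isoformat()}: {src} -> {dst}:{port}")
```

Alerts that land in the second list did not follow any recorded scan and are the ones worth examining before the signature is allowed on the gateway.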

Hello @Kerry_Hunt, @persist
fwiw ~

==============================================

Are you Smart Mode with Notifications?
Maybe, try Windows Settings Mode…as test.

How risks are detected [here]
Learn more about Smart Firewall [here]
Configure Smart Firewall settings [here]
Learn more about Real-Time Protection [here]
Learn more about Antivirus settings [here]
Learn more about Norton scans [here]
Learn more about Exploit Prevention [here]
Respond to the man-in-the-middle attack alert [here]
Learn more about Wi-Fi Security [here]
Learn more about Intrusion Prevention [here]

@bjm Thanks for the link to the thread @ community.ui.
My Norton 360 Firewall Automatic Network Control is set for “Smart Mode with Notifications.” How will changing it to “Windows Settings Mode” be a test? What and where am I looking for?
If the Unifi Network security detection is a false positive, I can Allow This Threat Signature in Unifi Network.

@toddinator posted in the Unifi thread:

More searching on the internet led to the following discovery - AVAST and Norton merged recently, and apparently, the latest release of the Norton antivirus platforms is now using the AVG code. The executable file name has been changed, but it is likely the problem behind the intrusion detection issues we are seeing now.

Yeah, that’s why I wondered about Windows Settings Mode which uses Windows Firewall rules. Takes Norton Smart Firewall out of the equation.

Norton™ is part of Gen™ - a global company with a family of consumer brands including Norton, Avast, LifeLock, Avira, AVG, ReputationDefender and CCleaner.

Do you think the Norton 360 full virus scan would detect TheMoon ET worm on my Win10 notebook if it was present? While I’m still getting security warnings from my UniFi Network app that it’s blocking outbound traffic from Port 8080 from the same Win10 notebook, my just completed Full Virus Scan with ver. 24.10.xx of Norton 360 reports, “No Security Risks.”

I am experiencing the same problem on my UDM SE. It started this week when the new version of 360 was updated on my laptop. I get an email notification that a network intrusion attempt was detected and blocked and when I check the router’s description of the source it shows my laptop that has the new 360 version and describes the threat as the ET-Worm. I get this alert twice a day. My other 2 computers with the previous version of 360 still on them are fine for now and not showing this intrusion attempt. I’m trying to find out if I can delay the update on those machines for now.
In addition, the new update has caused my Quick Scans to go from only taking 5 minutes to 82 minutes.
Does Norton know of these problems and are fixes being worked on? How do you bring this stuff to their attention for solutions?