Spybot Worm - Cleaning procedure requiring restart on file never executed

Hi,

I use NAV and I am satisfied for several reasons.

Today I had a strange behaviour. A Spybot worm was detected on a file. Below is the list of actions related to the risk.

(I put it below as it is long and noisy, just to show how much data was reported.)

If you take a very quick look, there are a lot of file and registry actions. How could it do that if I just moved it to the trash?

The question is:

does the procedure come from the signature (and so the list comes from the virus definitions, trying to remove all that is known as far as possible), and if not, how could that have been done if the file was simply moved to the trash BUT never executed?

Thanks in advance

Fabio D'Alfonso

***********************************************************************************************************************

Full Path: q:\$recycle.bin\s-1-5-21-2693113961-3932365726-1538754782-1001\$rcm0n51.exe
____________________________
____________________________
On computers as of:
7/25/2011 at 8:35:42 PM
Last Used:
7/25/2011 at 8:37:52 PM
Startup Item:
No
Launched:
No
____________________________
____________________________
Many Users
Thousands of users in the Norton Community have used this file.
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________
Origin
Downloaded from  URL Not Available

Source File:
$rcm0n51.exe
____________________________
File Actions
File: q:\$recycle.bin\s-1-5-21-2693113961-3932365726-1538754782-1001\$rcm0n51.exe
Removed
File: C:\Users\admin\AppData\Local\Temp\1.reg
Removed
File: C:\Users\admin\AppData\Local\Temp\sysremove.bat
Removed
File: C:\a.bat
Removed
____________________________
Registry Actions
Registry change: HKEY_USERS\S-1-5-21-2693113961-3932365726-1538754782-1001\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
Removed
Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
Removed
Registry change: HKEY_USERS\S-1-5-21-2693113961-3932365726-1538754782-1007\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
Removed
Registry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
Removed
Registry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\->Firewall Controls
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->246545
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->665578
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->7686743
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->rrrun
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\->Microsoft Visual Application
Removed
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\->C:\WINDOWS\system32\dllcache\winsno.exe
Removed
Registry change: HKEY_USERS\S-1-5-21-2693113961-3932365726-1538754782-1001\Software\Microsoft\Windows\CurrentVersion\RunServices\->ATI Video Driver Controls
Removed
Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\->ATI Video Driver Controls
Removed
Registry change: HKEY_USERS\S-1-5-21-2693113961-3932365726-1538754782-1007\Software\Microsoft\Windows\CurrentVersion\RunServices\->ATI Video Driver Controls
Removed
Registry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\->ATI Video Driver Controls
Removed
Registry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\->ATI Video Driver Controls
Removed
Registry change: HKEY_USERS\S-1-5-21-2693113961-3932365726-1538754782-1001\Software\Microsoft\Windows\CurrentVersion\RunServices\->Microsoft Directxsp
Removed
Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\->Microsoft Directxsp
Removed
Registry change: HKEY_USERS\S-1-5-21-2693113961-3932365726-1538754782-1007\Software\Microsoft\Windows\CurrentVersion\RunServices\->Microsoft Directxsp
Removed
Registry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\->Microsoft Directxsp
Removed
Registry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\->Microsoft Directxsp
Removed
Registry change: HKEY_CLASSES_ROOT\CLSID\{1C047C97-CA7F-BAF1-05A4-AEBA271281ED}
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\->ATI Video Driver Controls
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\->Microsoft Directxsp
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\->ATI Video Driver Controls
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\->Microsoft Directxsp
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->1123
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->112
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->AntiVirusOverride:0
Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->FirewallOverride:0
Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\->Shell:Explorer.exe
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\->Start:4
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry->Start:2
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr->Start:3
Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole->EnableDCOM:Y
Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update->AUOptions:3
Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center->UpdatesDisableNotify:0
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control->WaitToKillServiceTimeout:20000
Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon->SFCDisable:0
Repaired
Registry change: HKEY_CLASSES_ROOT\.key
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa->restrictanonymous:0
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccEvtMgr->Start:2
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccSetMgr->Start:2
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\navapsvc->Start:3
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVRT->Start:3
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVRTPEL->Start:1
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NAVENG->Start:3
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NAVEX15->Start:3
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEvent->Start:3
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\->TransportBindName:\Device\
Repaired
____________________________
File Thumbprint - SHA:
780788d17ea8ff33abac434f7624f97d33ff215d43d53f59b27739e5e01ca0d9
____________________________
File Thumbprint - MD5:
0cc4ddd5271cdc8c6d81b1bb6ad68084
____________________________
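The export above has a regular two-line layout (a "File:" or "Registry change:" line followed by "Removed" or "Repaired"), so it can be parsed and the entries sorted by the mechanism each key is used for, which makes a long list like this one readable at a glance. The script below is an added example for this thread, not Norton's code: it assumes that layout, uses an excerpt of the posted log as constructed sample input, and sorts entries into autorun keys (Run/RunServices), the Winlogon Shell value, Security Center override flags, the firewall application allow-list, service start types and file associations. "Repaired" entries show a value after the colon (AntiVirusOverride:0, Shell:Explorer.exe, Start:3); the script returns those as the expected post-repair state to verify on the host, without reading them as proof that the values had been changed beforehand, since the log does not say that.

```python
"""Parse a Norton/NAV threat-detail export and sort each remediation action by
the persistence or tampering mechanism it targets.
Added example for this thread, not Norton code. Assumes the two-line layout of
the posted log: "File: ..." / "Registry change: ..." then "Removed"/"Repaired"."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: an excerpt of the log posted above, same layout.
SAMPLE_LOG = r"""
File: q:\$recycle.bin\s-1-5-21-2693113961-3932365726-1538754782-1001\$rcm0n51.exe
Removed
____________________________
Registry Actions
Registry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\->Microsoft Visual Application
Removed
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\->C:\WINDOWS\system32\dllcache\winsno.exe
Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->AntiVirusOverride:0
Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\->Shell:Explorer.exe
Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\navapsvc->Start:3
Repaired
Registry change: HKEY_CLASSES_ROOT\.key
Repaired
"""


@dataclass
class Action:
    kind: str             # "file" or "registry"
    key: str              # file path, or registry key (trailing "\" stripped)
    name: Optional[str]   # registry value name, when the entry names one
    value: Optional[str]  # value shown by a "Repaired" entry, when present
    result: str           # "Removed" or "Repaired"


def _split_registry(target: str, result: str):
    """Split 'KEY\\->NAME[:VALUE]'. Format assumption: only "Repaired" entries carry
    a ':VALUE' suffix, so a removed name containing a colon (C:\\...) stays whole."""
    key, sep, rest = target.partition("->")
    key = key.rstrip("\\")
    if not sep:
        return key, None, None
    if result == "Repaired" and ":" in rest:
        name, _, value = rest.partition(":")
        return key, name, value
    return key, rest, None


def parse_actions(text: str) -> List[Action]:
    actions: List[Action] = []
    pending = None  # (kind, target) awaiting its Removed/Repaired line
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File: "):
            pending = ("file", line[len("File: "):])
        elif line.startswith("Registry change: "):
            pending = ("registry", line[len("Registry change: "):])
        elif line in ("Removed", "Repaired") and pending:
            kind, target = pending
            if kind == "file":
                actions.append(Action(kind, target, None, None, line))
            else:
                actions.append(Action(kind, *_split_registry(target, line), line))
            pending = None
    return actions


# Ordered (regex, category), matched against "KEY\NAME"; first hit wins.
_RULES = [
    (r"\\CurrentVersion\\Run(Services|Once)?\\", "autorun"),
    (r"\\Winlogon\\Shell$", "winlogon_shell"),
    (r"\\Security Center\\", "security_center_override"),
    (r"FirewallPolicy\\.*AuthorizedApplications", "firewall_allowlist"),
    (r"\\CurrentControlSet\\Services\\[^\\]+\\Start$", "service_start_type"),
    (r"^HKEY_CLASSES_ROOT\\\.", "file_association"),
]


def classify(action: Action) -> str:
    if action.kind == "file":
        return "file"
    probe = action.key + ("\\" + action.name if action.name else "")
    for pattern, category in _RULES:
        if re.search(pattern, probe, re.IGNORECASE):
            return category
    return "other"


def summarize(actions: List[Action]) -> Dict[str, Counter]:
    return {"by_result": Counter(a.result for a in actions),
            "by_category": Counter(classify(a) for a in actions)}


def verification_targets(actions: List[Action]):
    """Host checks after clean-up: registry values a "Removed" entry says are gone,
    and the post-repair values "Repaired" entries show after the colon."""
    absent = [(a.key, a.name) for a in actions
              if a.kind == "registry" and a.result == "Removed"]
    expected = {a.key + "\\" + a.name: a.value for a in actions
                if a.result == "Repaired" and a.name is not None}
    return absent, expected


if __name__ == "__main__":
    for a in parse_actions(SAMPLE_LOG):
        print(f"{a.result:8} {classify(a):24} {a.key}  {a.name or ''}  {a.value or ''}")
```

Run against the full export, the per-category counts show at once that most "Removed" lines are the same two or three autorun value names repeated for every user hive (.DEFAULT, S-1-5-19, S-1-5-20 and the two local SIDs), and the verification list gives a concrete set of keys to look at on the machine rather than the raw dump.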


Hi,
the detection was Spybot.Worm 32.

As I wrote above, how could an infected file BUT executed have made those changes?
It would be understandable if the fix were part of the NAV signature / fix and executed anyway.
I was asking about that.
Thanks
Fabio D’ALFONSO

I meant BUT NEVER executed.
Fabio

Hang on for some help then ....

 

If I read the log correctly, I notice that the file seems to have been discovered at this location: q:\$recycle.bin, which would seem to mean that it had been deleted and that it was originally on drive Q:, which would not be an operating system drive on normal computers, where yours seems to be the normal C: drive -- although it can be on multiboot computers such as mine, where I even have a version of Windows running on drive Z: ..... <s>

 

As I asked before, please tell us:

 

<< What version of Windows are you using including Service Packs and whether 32 bit or 64 bit as well as the Name and Version ID of the Norton product that you are using -- Help or Support / About is where that is, in the format of nn.nn.nn.nnn where n is a number.  >>

 

Thank you

Hi,

I am using Windows 7 Ultimate, English, 32-bit, SP1 + updates up to today.

NAV 2011 is at version 18.0.6.29.

The Q:\ disk is the fourth partition of the 500 GB drive of the notebook. It is an ordinary local partition.

The layout is C-D-E-Q. The first three, C-D-E, are interdependent (system, data and more that use something but always within the boundary of these partitions) and go weekly to an Acronis image.

The Q (Quorum) partition is a sleeping 300 GB location with all dormant materials.

But, apart from the details above, the question is still the same: a file cannot perform actions if it was not executed. So were these actions taken from the remedies listed in NAV for this threat?

Thanks

Fabio D'Alfonso

 

 

It's like this one http://community.norton.com/t5/Norton-Internet-Security-Norton/Trojan-Vundo-capable-to-unzip-itself-from-zip/m-p/130717#M65313

 

Turn off Norton then delete the file in the Recycle Bin.  Now go into Norton's History log and the Unresolved Threats list and clear that list.

 

Now turn on Norton; it should not detect any of it again.

 

Quads

Hi,

thanks for your reply.

 

I made a test on a "test & trash" VM running the same W7 (also not updated) as I have on my notebook, recovering a backup of the infected file.

Running that infected file (NIC disabled), I did not get any of the behaviour reported by NAV.

The file is detected as generic.PUP.zley by VirusScan.

So, in any case, I will close the issue by running a full scan and, if all is OK, I will pass over.

I will put the log here.

 

Thanks

Fabio D'Alfonso