Spyware.007 SPY found by NIS 2009, say what?

Hi,

A full scan by NIS 2009 finds spyware.007 spy apparently in the uninstall file contained in a self-extracting zip file that contains the manual for my Canon MP530 printer.  I don't recall when I downloaded the file but I've had the printer for a couple of years.  This file has been there through numerous full scans and it only now finds this so-called spyware.

I find it highly unlikely that some website I've visited or file I've downloaded has recently infected 2 copies of this same file that are on 2 separate HDDs in my system, inserting the spyware into an existing self-extracting zip file.  And if this has in fact occurred then it has done so by circumventing all of the NIS 2009 realtime protection that is supposed to be protecting my system in the first place.

Does anyone else think this is a false positive?

BGC

Message Edited by bgc99 on 11-06-2009 12:06 AM
Message Edited by bgc99 on 11-06-2009 12:08 AM

Yes, this is a False Positive.  Can you submit the file in question to Symantec for tweaking of the definition?

Since many programs and utilities include information gathering files for marketing or research purposes, it seems possible that a new definition is recognizing one of these files as spyware.  It might actually perform what could be considered spying but is a legitimate file included by Canon.  A similar issue was found in Realtek audio recently, but removal of the file would also result in an inability to download future updates.

It could also be a false positive.  You can upload the file to Symantec to be checked here.

https://submit.symantec.com/websubmit/retail.cgi

You can also Submit the File(s) from your Security History.  I would suggest putting the File(s) being Detected for the time being in the Scan Exclusions for a few days once you've Submitted your Sample.  Please note that Threats can Attach themselves to Legit. Files, or Copy Legit. Files.  If, after a few days the Files in question are still being Detected, then they will be Malicious; if you Submit them through the Web Site, you should get a Report through your e-mail detailing their findings.

Message Edited by Floating_Red on 11-06-2009 06:48 PM

Ok, as I said it appears that the file is a particular file inside a self extracting zip.  So I'll have to remove the file from quarantine and then send the whole zip?  Or is it possible to use a program like 7zip to remove just the particular file from the self extracting zip and send just that file?

I think I did hit submit file to symantec after looking at it in the quarantine listing.  Do I still need to submit via the website to find out the results?

Thanks,

BGC

Hi,

If you have Submitted the Files Detected as the mentioned Threat from Quarantine, then there is no real need to Submit the Files via the Web Site; if you do decide to Restore the Files from Quarantine to Submit them via the Web Site, please make sure you Run LiveUpdate afterwards, dis-connect from the Internet and do a Full System Scan, and the only difference Submitting it via the Web Site is you may get a Report through detailing Symantec Security Response's finding, as mentioned before.  Please can you also type in the exact Threat Name in your next Reply.  I'd just like to point out that Norton 2009/2010 does have a low False Positive Rating, so you could be dealing with a real Threat here.  Thank-you.

Message Edited by Floating_Red on 11-07-2009 11:11 AM

Spyware.007Spy is the threat name. 

BGC

Hi bgc

Here is what Threat Expert has to say about that Spyware.007

http://www.threatexpert.com/threats/spyware-007spy.html

Thank-you for providing the information asked for.  I would suggest that you follow the Removal Instructions for Spyware.007Spy.  Please keep us posted of how you're getting on; thanks.

A similar thing happened to me as soon as I switched the computer on, on Thursday morning.  Autoprotect reported that spyware.007Spy had been detected, Norton removed it.  It had infected 149 files all temp ones then one Canon uninstall file for my printer.  I ran a scan but it reported that it had found the spyware again, this time infected 15 files and the system restore file.  Norton removed it and I submitted it to Norton.

There was a rapid response update to this spyware on 6th November which made me wonder if it was a false positive or if the spyware had been modified in some way so it had got on to my computer without Norton recognising it then showed up with autoprotect. 

I thought if I kept Norton up to date I wouldn't be at risk; is this not the case?  Can spyware still get through even though it is already listed in Norton's spyware definitions?

The only thing I installed the day before was a Java update.

Hi, wicket2005,

Welcome to the Norton Users' Discussion Forum.

If you use Rapid Response Virus Definitions, you have to be aware that there is a greater chance of these being F.P. due to the fact that the Rapid Release Virus Definitions do not go under the same Testing as the Virus Definitions that come out through Norton LiveUpdate.

Threats can change by the hour - or by the minute - which is why some Threats can slip through between each Virus Definitions' Update.  This is why if you have Windows X.P., Vista or 7, you should be using either currently N.I.S. 2009 or N.I.S. 2010, or Norton 360 Version 3 as these Products have Pulse Updates, which are small Virus Definitions' changes that you get every five-to-fifteen minutes, and Phishing Protection, as well as a Smart Firewall.  It is also recommended that you do all your Anti-Virus Scans dis-connected from the Internet, as this may prevent the Threat from using Anti-Detection or Anti-Removal Techniques, as well as helping to prevent re-infection once the Threat(s) have been Removed.  Also, if you do not keep your applications up-to-date, or you visit Un-Safe or Caution Web Sites, then there is a greater chance you will get Infected.  If not already done so, I would recommend that you follow the Removal Instructions I posted in my last Message.

I hope this helps.  If you have any other questions or concerns, please feel free to ask them.

Thanks for that.  I don't use rapid response; I just noticed it on Norton's spyware info for 007Spy, and I presumed these were automatically sent to computers as a rapid response to a definition.  I use Norton Internet Security 2009, which is kept fully up to date, and the computer is scanned regularly.  I do not visit 'dodgy' sites.

Do I still need to go through those instructions because Norton recognised the threat and said it was going to remove it, it now says the matter has been resolved and the spyware has been fully removed.  Can I not trust Norton to have got rid of it for me?  Also as my computer is kept up to date constantly why has this spyware got on to it in the first place, surely Norton would have recognised it and stopped it from coming on my computer?

Thanks for any help.

Hi,

If Auto-Protect Detects something, or if a Threat is Detected during a Full System Scan, then it is always a good idea to either have a look at the Removal Instructions for that Threat, and/or re-start your computer In Safe Mode and do a Full System Scan, dis-connected from the Internet.  Also, if your Security Product does not have the Definitions to Detect the Threat as stated in my last Reply, then your Security Product will not be able to Detect the Threat.  If Auto-Protect Detects that Files are being Downloaded that are part of a Threat, then Auto-Protect will Block these Files from being Installed on your computer.  Once again, thank-you for Replying.

If you require any more assistance, please let us know.  Also, I'd be grateful if you could let us know what you decided to do, and any Results.  Thank-you.

You're Most Welcome; glad I could be of assistance to you.

Thanks.

'If Auto-Protect Detects that Files are being Downloaded that are part of a Threat, then Auto-Protect will Block these Files from being Installed on your computer.  '

With you saying this makes me think it is a false positive, as my Norton Internet Security is as up to date as it can be.  The spyware.007Spy was recognised back in 2007 (I think) so I don't see how it could have become installed on my computer without Norton flagging it up and stopping it.  If it has my confidence in my Norton product will be seriously knocked.  I have been using Norton now for about 14 years and it has never let me down.

I will run off those removal instructions and have a look through them.

But between the time that the new Threat Files are analysed and released, the Threat may have changed a few Files and this may let it slip through.  Yes, I agree with you that N.I.S. 2009/2010 are a big leap forward in terms of Detection Rates, and the Firewall and Intrusion Prevention is really excellent; un-fortunately, you may get Infected every once-in-a-while, but I have seen people write that they haven't been Infected for ten years using Norton products.  You may count yourself un-lucky to get Infected if you follow good practices while Surfing, and, like you already mentioned, you keep your Norton Product up-to-date.  You're actually seeing Norton doing its job because it actually Detected those Files, while some Anti-Virus Software may have missed them, so I wouldn't feel too down-beat about it; you've got one of the best installed.  You can Upgrade for free to N.I.S. 2010, which will use your Current Subscription Remaining Days.

If you wish, you can install Malwarebytes' Anti-Malware to use along-with your Norton product, as long as you do not pay for Malwarebytes'; just go to www.download.com and, in the Search Bar, type in Malwarebytes' Anti-Malware, and install.  This is a great Product to use as an On-Demand Scanner with your Norton Product.

Users who have an active subscription to Norton Internet Security or Norton AntiVirus 2006 and newer can update to the 2010 version for FREE by visiting the Norton Update Center.  If you do wish to Upgrade, please let us know, because some users have lost their Identity Safe Profile when Upgrading.  Thank-you.

It was detected by Autoprotect initially just when I switched the computer on; Autoprotect told me it was deleting it and went off and did it.  I had to restart the computer, then I ran a full scan and it was detected again.  Then it disappeared.

Is there any way of seeing if it is still on the computer, Norton says it isn't there?  Can I trust Norton to be telling me the truth?

Hi,

Yes you can trust Norton; I'd recommend doing a Full System Scan in Safe Mode just to be sure.

Download HiJackThis, the third .exe (Executable) Version in the list, run it, creating a Log.  If using Vista, Right-Click and "Run as Administrator".  You can Upload the Log to the Forums via the "Add Attachments" button just below the "Post" button.  HiJackThis will let us see what's Running on your computer.

Ok, I restored the instance that was on the D: drive to my desktop.  I then did a scan of that file with both NIS 2009 and the MalwareBytes free scanner and no infections found.

BGC