Trojan.Swifi?

Hi, everyone. I'm currently running NIS 2014 on a Windows Vista computer. I just realized that Norton has managed to "remove" and "quarantine" this Trojan.Swifi, also showing up in the program as vip_117[1].swf, a total of five times in the last twenty-four hours. I don't know where this came from or what to do about it, or if Norton truly removed it. If it removed it, why does it keep appearing? Is it a false positive? I checked the forum with no luck for results. Would it be a good idea to run Norton Power Eraser? Thanks, Gina


Re: Trojan.Swifi?

Firstly, please do NOT try any quick 'fixes' or to solve this yourself.

Here's the Symantec write up about it.

http://www.symantec.com/security_response/writeup.jsp?docid=2009-072317-...

Can I suggest you sign up for help from one of the free malware removal sites to get your machine checked out?  Pick one and stay with them until they tell you your machine is clean.

https://community.norton.com/forums/malware-removal-forum-recommendations

A little bit of knowledge is... well a little bit of knowledge.

Re: Trojan.Swifi?

Norton quarantined and removed 10 threats on my computer from this Trojan Swifi yesterday, 11/29/14, in the span of just less than 2 and 1/2 hours.  Norton did a great job at taking care of all 10 of these attacks.  When I looked up vip_117[1].swf in a Google search I found several entries from different sites that were dated yesterday; some of these entries referenced a vulnerability in Adobe Flash.  Would like to see updated info from Symantec regarding this recent bout of attacks from this older virus - the article from 2009, while helpful in describing what this Trojan Swifi is, can't answer questions about what happened yesterday.  Thank you.


Re: Trojan.Swifi?

The boards are monitored...so, we'll see if Norton will reply.  Usually, it's user to user.
Please advise Norton product and OS info...
Be good to hear which product protected you.

Welcome to the Community


Re: Trojan.Swifi?

Thank you, bjm, for the info and for the kind welcome.  OS is Windows 7 and Norton product is Norton 360. 


Re: Trojan.Swifi?

If any doubt in your mind..that system is clean.
Update and run full scan with your Norton product (normal / safe mode) + on-demand scans with MBAM free (orange bar) + ESET OnlineScanner free (blue bar).  You may save both for future on-demand second opinion scans & obviously check Adobe current and check that all your apps have security patches with PSI free

You may visit one of the free Malware Removal Forums recommended by the Community for a security check up.
https://community.norton.com/forums/malware-removal-forum-recommendations


Re: Trojan.Swifi?

Had one occasion of same - appeared when on e-bay - opened an item & Norton checked & quarantined this particular vip_117. Also picked up a couple of other items, one been on computer 3 years, one since July this year - never been picked up before - Norton been changing ratings ?


Re: Trojan.Swifi?

mgirons:

 - Norton been changing ratings ?

I hope they're not loafing at the water cooler 


Re: Trojan.Swifi?

Trojan.Swifi been picked up 3 times - all in e-bay at time


Re: Trojan.Swifi?

BJM_

Running Windows 8.1 with NIS 21.6.0.32


Re: Trojan.Swifi?

Malware has been known to recycle.  Active for a time...dormant ...surface for a sneak attack looking for vulnerabilities.  Trojan.Swifi is a Trojan horse that may be downloaded from a Web site and exploits a vulnerability in Adobe Flash Player.
Someone may be trolling for an open door in an un-patched app.
You're running current Flash etc.?  Have you checked with PSI?
Have you run scans as prompted.  Either you have a magnet or ebay has a nasty hitchhiker.
Until advised to the contrary...prudent to presume info is still accurate.


Re: Trojan.Swifi?

I've also had a download attempt of trojan.swifi on my laptop this evening, at least five times. I ran several scans and found nothing suspicious on my system. During the final attack attempt I had Adobe Flash disabled. At the time I only had facebook open on my browser and I had skype running in the background. Does anyone know where this attack could have been coming from? Should I be worried? 


Re: Trojan.Swifi?

This just hit me today while surfing the web.  I've had the notice about 7 times today !!?!?!?!?  I've run live update and full system scan 3 times and I keep getting this message. 

File: vip_117[1].swf   removed


Re: Trojan.Swifi?

@ Thread ~ google ~ vip_117[1].swf

apparently U R not alone ~ see this Symantec site http://www.symantec.com/connect/forums/trojanswifi

<< I wish it was so easy ;) The 9.0.115.0 version you state is taken from an article linked to from the 2009 outdated signature description. Like you said, Symantec updated their signature November 29th, but not the description.

I guess I have to refresh the virustotal site and wait for some other antivirus vendor to release a signature with cve values to know for sure:)

I also think we should be happy that out of 56 malware vendors Symantec seems to be one of the few that actually detects this threat>>

So, for now you have a detection flag that is either a known threat as the sig def was updated 29th or you have a false positive.
Find the event(s) in your History and submit to Norton if the option is there and submit https://community.norton.com/forums/how-report-false-positives


Re: Trojan.Swifi?

My partner has also just had the same attack so it's certainly doing the rounds, hopefully just a false positive.


Re: Trojan.Swifi?

Any one interested may see the text details here Permalink


Re: Trojan.Swifi?

3 times for me today as well.


Re: Trojan.Swifi?

I have Windows 8.1 with N360 version 21.6.0.32 & the exact same thing is happening to me as first reported by gablegal and now others. This does have the feel of N360 maybe doing a false positive on cookies. I hope someone from Symantec looks into this soon.


Re: Trojan.Swifi?

Norton protected you...what else would you want Norton to look into.
Users get these events ...means Norton is doing as it should. 

@ Thread see this earlier reply Permalink

So, for now you have a detection flag that is either a known threat as the sig def was updated 29th or you have a false positive.
Find the event(s) in your History and submit to Norton if the option is there and submit https://community.norton.com/forums/how-report-false-positives

I am as confused as everyone else as the posted text does not show an Identifier hash  Permalink
Look in your History and Export the More Details text to Notepad.   See if anyone has a bunch of characters at the bottom. 


Re: Trojan.Swifi?

Had 4 attempted downloads/installs of Trojan.SwiFi yesterday, all via "safe" websites, including a Yahoo News Video. It seems that some contents of "safe" websites have been hacked and infected. But, NIS 21.6.0.32 did its job well by scanning the uninvited & unexpected downloads, by identifying them as a Bad app and by immediately quarantining & removing them from the temp folder. Follow-up full-system scans by NIS & MBAM confirmed no remaining local infection. And, a look into Program Folders, Task Manager Processes, Services, etc. where I've previously found PUPS/PUAS, shows nothing unexpected, either.


Re: Trojan.Swifi?

Hey yeah...THANKS for the FEEDBACK...does more details > copy to clipboard show
File Thumbprint SHA / MD5


Re: Trojan.Swifi?

I was hit with Trojan.Swifi yesterday after going on ebay ; Norton sees it and auto-removes it.

I'm up to 20 removals.

It comes back every time I go on-line; all to safe sites (and Norton removes it).

It doesn't seem to come back if I stay on line; it just comes back if I log-off and go back on.

I'm running Windows 7 with Norton Internet Security.

I've turned off System Restore, and scanned in safe mode with Norton, Spy-bot and Malware bytes.

Nothing I've tried finds Trojan.Swifi, but Norton auto-removes it when I first go on-line.

Another related (?) problem that occurred with this infection is that Windows Action center is telling me that Windows and Norton firewalls are both off.  I cannot turn either one on in Action Center, but Norton already shows that its smart Firewall is on?????

Anyone else have this problem with the firewall?

Any suggestions or recommendations?

Thanks a lot!

mtm


Re: Trojan.Swifi?

As you can see here the defs were updated on the 28th and today.  Norton as always is monitoring Telemetry and updating accordingly.  Make sure you have Community Watch ~ On.  Some users turn this off thinking Privacy.  No identifiable info is submitted to Norton.  Norton also monitors these boards.  
Telemetry is what enables Norton to protect you. 
Check that all your apps have security patches with PSI free

@mtm21 ~ suggest Firewall Reset
Settings > Network > Smart Firewall > Advanced Settings > Configure > Firewall Reset > open browser > check FW Program Rules > this will confirm FW is On (this is NIS path)


Re: Trojan.Swifi?

I have 2 systems with this that has been logged, spotted what is going on,  The beauty of logging.

Quads


Re: Trojan.Swifi?

Found some previous stuff on net referring to Flashplayer. Windows 8.1 Update middle last week for latest update to Flashplayer which was installed. Was having threats on e-bay in IE 11. Did not update Firefox at that time. After updating Flashplayer in Firefox, threat appears to have disappeared. Originally quarantined as Download Insight picking up threat when on e-bay - since then all clear - co-incidental ? - hope this helps.


Re: Trojan.Swifi?

From what I found online, Flash Player had a patch released last week. My computer automatically installed it on November 26th, and I started getting notifications for this Trojan three days later. I don't know what website was being viewed when it first appeared, it's my mother's computer, but I can guarantee it wasn't eBay. It may have been a news site, she was watching videos...but every news site she visited was safe. I've drilled that into her head!

My thought was maybe the Flash Player patch didn't install properly. I'm not a computer whiz, but it seems to link to that, especially as this was the second Flash update to occur in November. It seems like Flash is having problems with holes and people taking advantage. I didn't search further, but I'm glad to read it's not just me!


Re: Trojan.Swifi?

gablegal:

From what I found online, Flash Player had a patch released last week. My computer automatically installed it on November 26th, and I started getting notifications for this Trojan three days later.

maybe related maybe not...I waited till yesterday to update Flash.  Prefer to see if any chatter about an update.  My initial download installers would not respond. Okay, bad download?  Scanned both with virustotal ~ flagged as Bundleware.  Obviously a false positive as I uncheck Offer.  Tossed those in the Recycle.   Waited hours and downloaded fresh installers.  Scanned with virustotal ~ clean.  Installers responded / installed Flash.  


Re: Trojan.Swifi?

This has been happening to me as well the last two days. I do recall a Flash Player install recently, maybe you are on to something? It's the Auto-scan that's catching this, the full scan that's been running for 6 hours hasn't caught it yet, I did update my virus definitions, using Symantec Endpoint Protection v12.1.1101.401 (Release), RU1 MP1. Here's a screen shot;

There's been probably 20 notifications in the last two days. I already deleted my IE items.

Let me know if there's a complete solution.


Re: Trojan.Swifi?

dwixson:

There's been probably 20 notifications in the last two days. I already deleted my IE items.
Let me know if there's a complete solution.

fwiw ~ This is the Norton Community ~ Retail products ~ This is Symantec http://www.symantec.com/connect/security/forums/endpoint-protection-antivirus Community
 


Re: Trojan.Swifi?

bjm_:

Hey yeah...THANKS for the FEEDBACK...does more details > copy to clipboard show
File Thumbprint SHA / MD5

Further to bjm_'s request, has anyone been able to find the SHA hash for these detections?  If the detected file has been quarantined or removed, go into your security history (Advanced | History | Show | Resolved Security Risks), double-click the entry for Trojan.Swifi, click the Copy to Clipboard link at the bottom of the window, and then paste the details into a text editor like Notepad.

Look for the SHA hash in the details - here's a sample SHA hash (unique fingerprint) for an old Trojan.Klovbot detection I had several months ago as an example:
     File Thumbprint - SHA:
     a286e9d127ad6a704e98d932f9e77bcc006972e29caeaa29daea944799b92a33

When I go to VirusTotal.com, click the Search tab and search for this Trojan.Klovbot SHA hash (a286e9d127ad6a704e98d932f9e77bcc006972e29caeaa29daea944799b92a33) I'm taken to an analysis page here that shows that 40/55 antivirus programs also detect this file as suspicious/malicious.

If someone who had a recent Trojan.Swifi detection can follow the same steps and submit the Trojan.Swifi SHA hash to VirusTotal.com for analysis, a high detection rate would confirm that multiple antivirus programs agree that this is a malicious file.  If there is a low detection rate (e.g., 1/55 and only Symantec detects this file as malicious) that might indicate that the 28-Nov-2014 update to the virus definition for Trojan.Swifi (see the write-up here on the Symantec Security Response site) could be causing false positive detections.
-------------
32-bit Vista Home Premium SP2 * Firefox 34.0.5 * NIS 2013 v. 20.5.0.28
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS


Re: Trojan.Swifi?

As always  Kudos


Re: Trojan.Swifi?

SHA256: F3D35B464A418F7C2D5ADF63E4355828D673877E83E69F7C3F34FB34AB6943DC reported to virustotal.com;

File name: vip_117.swf

Detection ratio: 2 / 55

Analysis date: 2014-12-02 18:45:04 UTC ( 2 hours, 33 minutes ago )

Here are the two;

Antivirus               Result                          Update
TrendMicro-HouseCall    Suspicious_GEN.F47V1130         20141202
McAfee-GW-Edition       BehavesLike.Flash.Exploit.mg    20141202


Re: Trojan.Swifi?

Thanks dwixson


Re: Trojan.Swifi?

dwixson:

SHA256: F3D35B464A418F7C2D5ADF63E4355828D673877E83E69F7C3F34FB34AB6943DC reported to virustotal.com;
File name:vip_117.swf
Detection ratio:2 / 55

Kudos to dwixson for the VirusTotal analysis.

A low detection rate of 2/55 makes me suspect that this is a false positive, although it's still possible that this vip_117.swf  vector graphic animation file is showing some sort of malicious behaviour when Adobe Flash tries to play this file in your browser.  See the wiki article SWF  for more background information on the Adobe Flash Small Web Format (SWF) file format - chances are this detection is for some sort of free browser game or animation being posted on eBay, Facebook, etc.

Per bjm_'s suggestion here, has anyone tried to submit this vip_117.swf  (or vip_117[1].swf) file to Symantec for a false positive analysis?  See Symantec employee Tony Weiss' instructions in the post How to report false positives.  Symantec normally requires that you attach a copy of the file to your submission report, but if you are not comfortable restoring this vip_117.swf file from quarantine (a link to instructions on restoring files is included on the submission form) you can also provide the SHA256 hash and other details from the clipboard of the quarantine detection (again, a link to instructions is included) and/or provide the URL of the website you were visiting when the detection occurred.

Quads is a trained malware removal specialist so hopefully he'll be able to provide an update once he's had a chance to examine the vip_117.swf file for himself.
-------------
32-bit Vista Home Premium SP2 * Firefox 34.0.5 * NIS 2013 v. 20.5.0.28
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS


Re: Trojan.Swifi?

There are at least three machines with Trojan.Swifi detections on Quads' forum also infected with Poweliks.  I don't think it is a false positive.

http://qmalwareremoval.freeforums.net/thread/1060/poweliks-issue-powersh...

http://qmalwareremoval.freeforums.net/thread/1069/powerlik-adclicker-tro...

http://qmalwareremoval.freeforums.net/thread/1072/trojan-swifi

A little bit of knowledge is... well a little bit of knowledge.

Re: Trojan.Swifi?

When in doubt always go to Quads ~ Thanks Krusty13


Re: Trojan.Swifi?

Further to my previous post, Symantec employee RajR posted in a thread in the Symantec Endpoint Protection (SEP) forum at http://www.symantec.com/connect/forums/trojanswifi that vip_117.swf file (MD5: 1C10326DB79BBA5BCCFD34582EC3BFBC; SHA256: F3D35B464A418F7C2D5ADF63E4355828D673877E83E69F7C3F34FB34AB6943DC) is a false positive.  I believe that SEP (Symantec's antivirus for small businesses) uses the same virus definition set as the Norton line of products for home users, so if this is confirmed as a false positive Symantec will release an updated virus definition for Trojan.Swifi in the next few days via Automatic LiveUpdate that will stop these detections.  According to one comment in that thread, the updated definitions released 01-Dec-2014 solved this problem for SEP customers so post back if you have run a LiveUpdate today and are still seeing Trojan.Swifi detections for vip_117.swf with your Norton product.

If you'd still like to submit a false positive report at https://submit.symantec.com/false_positive/ Symantec should contact you directly and confirm whether this is a false positive or not.
-------------
32-bit Vista Home Premium SP2 * Firefox 34.0.5 * NIS 2013 v. 20.5.0.28
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS
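
The hash check described in the posts above (copy the detection details, read the File Thumbprint SHA value, compare it with the hash reported for vip_117.swf), as an added example that is not part of the original thread and is not Norton or Symantec code. Only the "File Thumbprint - SHA:" label and the vip_117.swf SHA-256 come from the thread; the other sample fields and all function names are assumptions made for illustration.

```python
import hashlib
import re

# SHA-256 posted in this thread for vip_117.swf (the VirusTotal report and the
# Symantec false-positive confirmation give the same value).
THREAD_SHA256 = "F3D35B464A418F7C2D5ADF63E4355828D673877E83E69F7C3F34FB34AB6943DC".lower()

# Constructed sample of the "Copy to Clipboard" text. Only the
# "File Thumbprint - SHA:" label and its layout are taken from the thread;
# the other fields are assumptions made for this example.
SAMPLE_DETAILS = (
    "Threat name: Trojan.Swifi\n"
    "File name: vip_117[1].swf\n"
    "File Thumbprint - SHA:\n"
    "     " + THREAD_SHA256.upper() + "\n"
)

_LABEL = re.compile(r"File Thumbprint\s*-\s*SHA\s*:", re.IGNORECASE)
_HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")  # exactly 64 hex digits


def extract_sha256(details):
    """Return the lowercase SHA-256 that follows the thumbprint label, else None."""
    label = _LABEL.search(details)
    if label is None:
        return None
    # Check only the rest of the label line and the line after it, so a hash
    # that belongs to some other field further down is never picked up.
    for line in details[label.end():].splitlines()[:2]:
        match = _HEX64.search(line)
        if match:
            return match.group(0).lower()
    return None  # label present but no hash on it (e.g. "Not available")


def sha256_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large samples do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_detection(details, reference=THREAD_SHA256):
    """Classify a detection against a reference hash.

    Returns "match", "different-file" or "no-hash". "different-file" means a
    verdict on the reference sample says nothing about this detection.
    """
    found = extract_sha256(details)
    if found is None:
        return "no-hash"
    return "match" if found == reference.lower() else "different-file"


if __name__ == "__main__":
    print(extract_sha256(SAMPLE_DETAILS))
    print(compare_detection(SAMPLE_DETAILS))
```

A "match" only says the detection concerns the same file as the one discussed here; a detection with a different hash needs its own lookup or submission.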


Re: Trojan.Swifi?

Takes a Community ~


Re: Trojan.Swifi?

A little bit of knowledge is... well a little bit of knowledge.

Re: Trojan.Swifi?

My computer was hit with Trojan.Swifi on 11/30 and Norton quarantined it.  It was also submitted to Norton Community Watch on the same day:  Statistical Submission:  Trojan.Swifi.

Today I noticed that it disappeared from Quarantine.  I looked into Norton Community Watch and it showed the following as submitted today:  Statistical Submission Trojan.Swifi (Presence). 

My question:  Does anyone know why it has disappeared from Quarantine?  It was there yesterday.  Is it because after the file was analyzed, Norton deleted it from Quarantine?

I ran a full system scan and Malwarebytes and the scans were clean.


Re: Trojan.Swifi?

Hi there, I just wanted to say that exactly the same thing happened to me.  Trojan Swifi has disappeared from quarantine when I checked today 3rd Dec. Does anyone know is this normal?


Re: Trojan.Swifi?

Apologies for the incorrect possible solution tag, I'm a new user to the forum.

Sorry


Re: Trojan.Swifi?

3 Instances still in Quarantine first thing this morning - subsequently 'disappeared' likewise - assume now been given OK?


Re: Trojan.Swifi?

Hi mgirons:

I'm not sure why Quads is seeing users with both Trojan.Swifi and Trojan.Poweliks infections on his malware removal board at http://qmalwareremoval.freeforums.net/board/2/malware-removal-protected, but if the Trojan.Swifi detections of the past few days were actually false positives it's possible that a few users also picked up a Trojan.Poweliks infection while they were browsing eBay, Facebook, etc. this weekend.

If your Trojan.Swifi detections have stopped and your computer seems to be running normally after running a Full System Scan with Norton, you can run an on-demand scan with the free Malwarebytes Anti-Malware to check for any PUPs (potentially unwanted programs), PUMs (potentially unwanted modifications) or malware that might have been missed by Norton.  Decline the 14-day trial of the Premium (real-time protection) features during installation, and start with a standard Threat Scan with the default settings.  Move on to a deeper Custom Scan of all hard drives if the Threat Scan does not report a detection.

If your Trojan.Swifi detections have stopped but your computer seems to be running slowly or behaving erratically or you have any concerns that you might still be infected by malware that is not detected by Norton and MBAM, I would register at one of the free malware removal forums recommended by delphinium in the thread Malware Removal Forum Recommendations as bjm_ previously suggested here.  Whatever site you choose, please read and follow their guidelines for posting and then work with the malware removal specialist one-on-one until they give you the "all clear" and confirm that your system is clean.

If anyone is concerned that they might have an undetected Trojan.Poweliks infection, see the article Trojan.Poweliks: A threat inside the system registry in the Symantec Security Response blog for more information.  Users infected with this trojan often report that they experience a significant decrease in system performance and see multiple instances of dllhost.exe running in their Windows Task Manager.
-------------
32-bit Vista Home Premium SP2 * Firefox 34.0.5 * NIS 2013 v. 20.5.0.28 * MBAM Premium 2.0.4
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS


Re: Trojan.Swifi?

As always ~ Kudos


Re: Trojan.Swifi?

Blue452:

Today I noticed that it disappeared from Quarantine.  I looked into Norton Community Watch and it showed the following as submitted today:  Statistical Submission Trojan.Swifi (Presence)... My question:  Does anyone know why it has disappeared from Quarantine?  It was there yesterday.  Is it because after the file was analyzed, Norton deleted it from Quarantine?

Hi Blue452:

Could you check your security history at Advanced | History | Show | Resolved Security Risks and confirm that the Status (file activity performed) for Trojan.Swifi was "Quarantined" and not "Removed".  It's possible the vip_117.swf file never actually made it into quarantine and was permanently removed from your system.  The potentiallyunwanted.exe file shown in the image below is a simulated malware test file I downloaded from the Anti-Malware Testing Standards Organization (AMTSO) site and I sometimes find that the Status in the Resolved Security Risks log isn't always consistent with the way the file is actually handled by Norton when you copy and paste the details of the detection into a text editor like Notepad - see my comments here for one example.

I don't believe it's normal for Norton to remove a suspected file from quarantine unless the user specifically chooses to delete or restore the quarantined file, even if it's been submitted via Norton Community Watch (NCW) and/or confirmed as a harmless false positive, but I could be wrong about that since I have NCW disabled.  If one of the other participants in this thread can't provide a definitive answer you might have to ask Norton Customer Support via Live Chat at www.norton.com/chat for clarification.
-------------
32-bit Vista Home Premium SP2 * Firefox 34.0.5 * NIS 2013 v. 20.5.0.28 * MBAM Premium 2.0.4
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS


Re: Trojan.Swifi?

Same with me -  was quarantined in Resolved Security Risks - now disappeared. Read somewhere in user guide or forums, that if a threat is a false positive or no longer considered a threat, Norton reinstates it by removing from quarantine automatically - strange way to go - thought it would be user option.


Re: Trojan.Swifi?

I just checked my Security History and my 3 instances of Trojan.Swifi have disappeared from Quarantine. They have also disappeared from Resolved Security Risks. The only thing I can find now is in Download Insight which says it has been removed.


Re: Trojan.Swifi?

poppy052 - Same here - 'Removed' 8:57 this morning - 'More Details' says it has been repaired - locate takes you to internet cache where it is notated as a Shockwave Flash Object


Re: Trojan.Swifi?

Update and run full scan with your Norton product


Re: Trojan.Swifi?

Imacri, 

1.  Checked Resolved Security Risk - If it was there, it's now gone.

2.  Download Insight shows this:   Activity - Download Insight analyzed vip_117[1].swf  / Status - Removed.  When I go to More Details under Activity, it shows: Infected file:  c:\users\ . . . microsoft\Windows\inetcache\Low\IE\ . . . Repaired.

3.  Under Performance - File Insight - it shows:  Date: 11/30/14, Number of Downloads: 1, vip_117[1].swf

My situation seems similar to poppy052 and mgirons.

Scanned my system again - full system scan and malwarebytes - and both times no threat noted.  I guess I'll just assume my system is clean.

Windows 8.1, IE11, NIS 21.6.032

This thread is closed from further comment. Please visit the forum to start a new thread.