From: David H. Lipman on
From: <easyone(a)onetel.com>

|
| David
|
| Thanks for your suggestion of Virus Total - their reply below:
|
| Results of a file scan
| This is a report processed by VirusTotal on 10/23/2005 at 17:01:44
| (CET) after scanning the file "SVKP.sys.zip" file.
| Antivirus Version Update Result
| AntiVir 6.32.0.6 10.22.2005 no virus found
| Avast 4.6.695.0 10.21.2005 no virus found
| AVG 718 10.21.2005 no virus found
| Avira 6.32.0.6 10.22.2005 no virus found
| BitDefender 7.2 10.22.2005 no virus found
| CAT-QuickHeal 8.00 10.22.2005 no virus found
| ClamAV devel-20050917 10.21.2005 no virus found
| DrWeb 4.32b 10.23.2005 no virus found
| eTrust-Iris 7.1.194.0 10.23.2005 no virus found
| eTrust-Vet 11.9.1.0 10.21.2005 no virus found
| Fortinet 2.48.0.0 10.22.2005 no virus found
| F-Prot 3.16c 10.20.2005 no virus found
| Ikarus 0.2.59.0 10.21.2005 no virus found
| Kaspersky 4.0.2.24 10.23.2005 no virus found
| McAfee 4610 10.21.2005 no virus found
| NOD32v2 1.1263 10.21.2005 no virus found
| Norman 5.70.10 10.21.2005 no virus found
| Panda 8.02.00 10.23.2005 no virus found
| Sophos 3.98.0 10.22.2005 no virus found
| Symantec 8.0 10.22.2005 no virus found
| TheHacker 5.8.4.127 10.21.2005 no virus found
| VBA32 3.10.4 10.23.2005 Virtool.SVKProtector
|
| Hope some help.
|
| Grateful if you would advise what I should do with VBA32
|
| Thanks a lot
|
| Tony

Tony:

The question here is: is it a False Positive or is it a new detection?

The following web page has the URLs and email addresses of many AV vendors including VBA
(VirusBlokAda)
At the very minimum submit a copy of the suspect file to: Kaspersky, Sophos and VBA.
Include the Virus Total report you provided here.

Kaspersky is very quick to analyze a submission.

Or you can email me a copy of SVKP.sys and I will investigate it for you.

Just remove ~nospam~ from one or both of the following addresses.
DLipman~nospam~@Verizon.Net
David_H_Lipman~nospam~@Yahoo.Com

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
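
The triage described in the post above (one engine flags the file, so is it a false positive or a new detection?) can be run over the report text itself. This is an added example, not part of the original thread: the function names and verdict labels are assumptions, and the sample rows are excerpted from the VirusTotal report quoted above.

```python
import re
from datetime import date

# Excerpt of the report quoted in the thread, quote markers left in place.
REPORT = """\
| Antivirus Version Update Result
| ClamAV devel-20050917 10.21.2005 no virus found
| Kaspersky 4.0.2.24 10.23.2005 no virus found
| Sophos 3.98.0 10.22.2005 no virus found
| Symantec 8.0 10.22.2005 no virus found
| VBA32 3.10.4 10.23.2005 Virtool.SVKProtector
"""

# Row layout: engine, engine version, signature date (MM.DD.YYYY), result text.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2})\.(\d{2})\.(\d{4})\s+(.+)$")
NEGATIVE = "no virus found"

def parse_report(text):
    """Return one dict per engine row; the header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.lstrip("|> \t").rstrip())  # drop '|' and '>' quoting
        if not m:
            continue
        engine, version, mm, dd, yyyy, result = m.groups()
        rows.append({
            "engine": engine,
            "version": version,
            "updated": date(int(yyyy), int(mm), int(dd)),
            "detection": None if result.lower() == NEGATIVE else result,
        })
    return rows

def triage(rows):
    """Summarise detections; the verdict labels are this example's own wording."""
    hits = {r["engine"]: r["detection"] for r in rows if r["detection"]}
    if not rows:
        verdict = "no-data"
    elif not hits:
        verdict = "no-detections"
    elif len(hits) == 1:
        verdict = "single-engine: false positive or new detection, submit to vendors"
    else:
        verdict = "multiple-engines: keep quarantined pending vendor analysis"
    return {"engines": len(rows), "hits": hits, "verdict": verdict}

if __name__ == "__main__":
    print(triage(parse_report(REPORT)))
```

The verdict only routes the sample; it takes the vendors' analysis of the submitted file to decide between a false positive and a new detection.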


From: easyone on

easy...(a)onetel.com wrote:

> David H. Lipman wrote:
> > From: "Shawn E. Hale" <SEHaleNOSPAM1(a)comcast.net>
> >
> > | Interesting but I am not seeing that here. I read conflicting info on that
> > | SVKP.sys file - sometimes it is good and sometimes not. I am using TweakUI
> > | 2.10 for XP on 3 computers (including the one that had the original problem
> > | that started this thread). The others did not have any SVKP files or
> > | registry entries - only the one with the reported problem. I removed the
> > | SVKP.sys file and registry entries on the original computer and Tweak runs
> > | fine on it still. I am not using the File Shredder Tweak though. I am
> > | pretty sure though that the definitions in that 10/19 Norton download is the
> > | problem though. If you look at what was added in that definition package,
> > | there is a reference to SVKP.sys in the W32.loxbot.A description.
> >
> > That's right. One can NOT simply go by a file name. It is often the objective to use the
> > name of a legitimate file to obfuscate its malicious purpose.
> >
> >
> > Please submit a sample of any suspicious file to Virus Total --
> > http://www.virustotal.com/flash/index_en.html
> > The submission will then be tested against many different AV vendors' scanners.
> > That will give you an idea what it is and who recognizes it. In addition, unless told
> > otherwise, Virus Total will provide the sample to all participating vendors.
> >
> > When you get the report, please post back the exact results.
> >
> >
> > --
> > Dave
> > http://www.claymania.com/removal-trojan-adware.html
> > http://www.ik-cs.com/got-a-virus.htm
>
> David
>
> Thanks for your suggestion of Virus Total - their reply below:
>
> Results of a file scan
> This is a report processed by VirusTotal on 10/23/2005 at 17:01:44
> (CET) after scanning the file "SVKP.sys.zip" file.
> Antivirus Version Update Result
> AntiVir 6.32.0.6 10.22.2005 no virus found
> Avast 4.6.695.0 10.21.2005 no virus found
> AVG 718 10.21.2005 no virus found
> Avira 6.32.0.6 10.22.2005 no virus found
> BitDefender 7.2 10.22.2005 no virus found
> CAT-QuickHeal 8.00 10.22.2005 no virus found
> ClamAV devel-20050917 10.21.2005 no virus found
> DrWeb 4.32b 10.23.2005 no virus found
> eTrust-Iris 7.1.194.0 10.23.2005 no virus found
> eTrust-Vet 11.9.1.0 10.21.2005 no virus found
> Fortinet 2.48.0.0 10.22.2005 no virus found
> F-Prot 3.16c 10.20.2005 no virus found
> Ikarus 0.2.59.0 10.21.2005 no virus found
> Kaspersky 4.0.2.24 10.23.2005 no virus found
> McAfee 4610 10.21.2005 no virus found
> NOD32v2 1.1263 10.21.2005 no virus found
> Norman 5.70.10 10.21.2005 no virus found
> Panda 8.02.00 10.23.2005 no virus found
> Sophos 3.98.0 10.22.2005 no virus found
> Symantec 8.0 10.22.2005 no virus found
> TheHacker 5.8.4.127 10.21.2005 no virus found
> VBA32 3.10.4 10.23.2005 Virtool.SVKProtector
>
> Hope some help.
>
> Grateful if you would advise what I should do with VBA32
>
> Thanks a lot
>
> Tony

Sorry, meant to say "Grateful if you would tell me what to do with
virtool.SVK Protector."

Note Symantec didn't report a virus above, though they do on my
computer, i.e. c:\windows\system32\SVKP.sys is infected with the
Hacktool.Rootkit virus.

Have noted other people have reported getting the Hacktool.Rootkit
getting Microsoft updates
(I did these only after getting the virus. I hadn't done them for some
months before. For the other people it could be a coincidence.)

Tony

From: David H. Lipman on
| David

| Thanks for your suggestion of Virus Total - their reply below:

< snip >

| VBA32 3.10.4 10.23.2005 Virtool.SVKProtector

| Hope some help.

| Grateful if you would advise what I should do with VBA32

| Thanks a lot

I'd say that the VBA detection was a False Positive.
-------------
From Kaspersky...

Hello.

Attached file is legal component of legal SVKP protection software.
No detection needed.

Sincerely yours,
Pavel Zelensky
Virus analyst

Kaspersky Lab Ltd
Moscow, Russia

-------------
From Computer Associates....
Dear customer,

Thank you for emailing CA Security Advisor.

This is to notify you of the results of your submission, issue number
633330. Please keep this issue number for future reference.
Please see below for the final results of our analysis of your file
submission.

We successfully received the following files:

FILE SIZE CONCLUSION
------------------------------------------------------------------------
SVKP.sys 2368 confirmed clean
------------------------------------------------------------------------

-------------
From Symantec.....
Dear David Lipman,

We have analyzed your submission. The following is a report of our
findings for each file you have submitted:

filename: SVKP.sys
machine: Machine
result: This file is clean

Developer notes:
SVKP.sys is a clean file.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


From: easyone on
David

Thank you for your quick action.

All of your verifications seem clean.

This would lead one to think Symantec has wrongly identified a Virus
Hacktool.Rootkit on my computer (after their update 19.10.05).

I wonder if similar reports of Hacktool.Rootkit are a result of Norton
noting SVKP.sys in software on other people's computers.

Thanks again for giving me peace of mind.

ps Whilst doing scans from various other companies I think
SpywareDoctor, on my computer Ezula was reported. Norton has never
reported this.
Any advice on better virus protection to Norton much appreciated.

Cheers Tony

From: David H. Lipman on
From: <easyone(a)onetel.com>

| David
|
| Thank you for your quick action.
|
| All of your verifications seem clean.
|
| This would lead one to think Symantec has wrongly identified a Virus
| Hacktool.Rootkit on my computer (after their update 19.10.05).
|
| I wonder if similar reports of Hacktool.Rootkit are a result of Norton
| noting SVKP.sys in software on other people's computers.
|
| Thanks again for giving me peace of mind.
|
| ps Whilst doing scans from various other companies I think
| SpywareDoctor, on my computer Ezula was reported. Norton has never
| reported this.
| Any advice on better virus protection to Norton much appreciated.
|
| Cheers Tony

Tony:

I am glad to help! ;-)

Note that all AV applications will suffer False Positive declarations from time to time.
Therefore if you are happy with what you have, stick with it. Just make sure files declared
to be infected are quarantined until proven to be a False Positive declaration. This way
the so-called infected file will not be auto-deleted but it will be quarantined such that it
can be restored if need be. Usually you won't have to quarantine a file for more than a
week or so. As you have seen through this dialogue, there are ways to prove if a file is
truly infected or not. Once the AV vendor recognizes that they have faulty definitions, one
just has to download the corrected signatures and then restore the file from quarantine.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

