Norton found virus! Bloodhound.Exploit.6, but ran a scan and didn't find it...

DualMonitors

Member
Sep 26, 2004
165
0
0
out of the blue, while surfing on Internet Explorer, Norton Internet Security 2003 or Norton AntiVirus (i can't figure out which one did it) popped up a small window that said:

C:\Documents and Settings\.........

Virus found: Bloodhound.Exploit.6

Action Taken: unable to repair this file.

i can't figure out how that happened. the only thing i can think of is that earlier today, i downloaded amplify.com's websurfing favorites "manager" software, which i saw in PC Magazine's Editor's Choice!! after i saw this scary warning, i immediately went to add/remove programs and removed amplify.com's software (i looked at how to uninstall BEFORE i installed amplify.com's software). i then rebooted. then i immediately ran Norton AntiVirus/Norton Internet Security 2003's virus scan for the whole computer system. BUT, guess what, it found nothing!

i'm totally baffled and confused. i was a little worried when i was using amplify.com's software (only for like a couple of hours today, since i just downloaded it today), Norton asked if i should let amplify.exe have access to the internet. i felt that i HAD to say yes and checked the box, use this action always. i rarely do this but thought that a piece of software like amplify.com, which manages your online web favorites, cannot possibly function if you don't let it access the internet constantly. it sounded like it would be an endless hassle to each and every time say "allow access" to Norton when amplify.com asks for permission.

any ideas on what happened? does my computer have the Bloodhound.Exploit.6 virus?

confused...
 

redbeard1

Diamond Member
Dec 12, 2001
3,006
0
0
Isn't Bloodhound part of their scanning engine? I wonder if it saw a heuristic of an unnamed virus trying to get installed from the web?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Look at your Norton settings. What does it do with files if it can't clean them? If it's set to Clean-then-silently-delete, then that might be why you can't find the file; it got deleted. If it's set to Clean-then-quarantine, then look in the Quarantine for it. I believe Norton keeps logs too.
 

LeetestUnleet

Senior member
Aug 16, 2002
680
0
0
It could have also been a temporary internet file, which may have been cleared or overwritten later in the day.
 

DualMonitors

Member
Sep 26, 2004
165
0
0
i ran Norton system scan again, nothing.

i ran both spybot and ad-aware. in spybot, i got rid of the cookies that it indicated were undesirable, but nothing looked malicious. in ad-aware, i didn't know what to do. nothing looked horrible, but i'm absolutely no expert, so didn't really know what to do or know what to look for or interpret the results.

i'm sure that someone else would be able to interpret the results much better.

Norton no longer can find the "virus" anymore. i also don't know what heuristic means. sort of remember what it meant back when i was studying engineering, but has since forgot about what it meant.

should i continue to be concerned? i don't want this to linger. someone told me that this Bloodhound.Exploit.6 thing looks for passwords and sends them out! yikes!

Symantec/Norton refers to the Microsoft page saying that i'm supposed to download something for Outlook Express. I do NOT have Outlook Express (might have it somewhere in my hard drive but i never use it because I use Outlook/Office 2003).

I thought that there's no reason to download a patch for Outlook Express (a totally different program from Outlook/Office 2003) if I don't ever use or open Outlook Express, is that correct?

then, if i don't download the patch for Outlook Express, there's NOTHING else that the Microsoft page recommends!! What should one do? that Microsoft page seems very unhelpful...is this Bloodhound.Exploit.6 THAT difficult and hard to get rid of?

Here's the link to that Microsoft page:
http://www.microsoft.com/techn...bulletin/ms04-013.mspx

Here's the link to that Symantec page which basically refers people to the abovementioned Microsoft page:
http://securityresponse.symant...odhound.exploit.6.html

Oddly, McAfee's site refers to the Symantec site(!):
http://us.mcafee.com/virusInfo...ion&virus_k=101033

Anyone with an idea of what to do? Many thanks!
 

DualMonitors

Member
Sep 26, 2004
165
0
0
forgot to mention that i again deleted cookies and temp internet files, yesterday. i did that last week already. ugh.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
post your hijackthis log for analysis to see if it is executing or anything else is executing that should not be there on startup

link to download hijackthis is in my sig
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Let me ask this again: what is Norton doing with files that aren't cleanable? Deleting, quarantining, ordering pizza, ignoring them, or what?

To be succinct, max out Norton's options and don't set it to ask you what to do with infected stuff, set it to act automatically. Heuristics allow the scan engine to detect some threats even if they are not in the antivirus definitions (yet), so max them out... they've saved you once already.

You should patch your computer for all vulnerabilities: Windows, Internet Explorer, Outlook Express, Windows Media Player, IIS, Office, the works. Start by installing everything Windows Update and Office Update have to offer you, then run Microsoft Baseline Security Analyzer 1.2.1 and see what you've missed. Enable Automatic Updates and run MBSA every month or so to see what else you might need as time goes by.

I would also enable Data Execution Prevention for all software after you get SP2 for WinXP installed. Instructions on how to do that are here under the Ongoing prevention part.
 

DualMonitors

Member
Sep 26, 2004
165
0
0
i went to Norton and looked up where that "virus" was (Bloodhound.Exploit.6). it was in some IE temp files folder. So since i took the advice of deleting that very early on after Norton found it, I might just have gotten rid of it already. don't really know, but certainly a possibility.

thanks for helping! i'm hoping that this might be the end of it.
 

imported_peterk

Junior Member
Oct 15, 2004
1
0
0

We have Norton AntiVirus Corporate Edition here at work. I just ran across this same situation (Bloodhound.Exploit.6) today and Norton quarantined the virus.

Interestingly, I encountered the virus as a result of just visiting a web page via a Google search. I have verified that visiting the web page generates the pop-up warning from Norton. Incidentally, I'm running Windows 2000 and my last update of all critical patches was yesterday. Clearly, that did not protect my system from this exploit.

In case anyone is interested in exploring this, the URL (web page) in question is:

http://www.nibbleguru.com/probs/134/1559

I'd suggest you do NOT visit it if your system is not protected.

 

LeetestUnleet

Senior member
Aug 16, 2002
680
0
0
Meh, it probably doesn't do anything - it's probably just the text of the webpage setting it off because Norton is scanning your temp inet files as they're downloaded, sees the infected area, and complains without realizing that it's not actually being executed. AVG didn't catch anything and I didn't get any ZA or TeaTimer/Ad-Watch warnings.
 

waitman

Diamond Member
Oct 27, 2002
3,758
0
71
Originally posted by: mechBgon
Let me ask this again: what is Norton doing with files that aren't cleanable? ordering pizza, ignoring them, or what?

LOL :beer::laugh:
 

LeetestUnleet

Senior member
Aug 16, 2002
680
0
0
Heh, strangely enough, I just reformatted my computer and reinstalled everything, then ran 4 different virus scanners (AVG, Trend Micro, Panda, and Norton) and Norton found this "virus" in my temporary internet files also. It was the *ONLY* scanner that found it, just like AVG was the *ONLY* scanner that found a Java/ByteVerify virus (which doesn't affect systems after the SP1a patch, and I have SP2). I think that this supposed "virus" is harmless and it's probably just some questionable code found in some website you and I both happen to visit.
 

Whatisthat

Member
Oct 18, 2004
43
0
0
i had the same thing happen as him, but i have outlook express6 and whenever i download the patches they always say i don't have outlook 6. I'm confused??. This virus is getting on my nerves.:|
If you don't succeed you run the risk of failure--Dan Quayle
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Whatisthat
i had the same thing happen as him, but i have outlook express6 and whenever i download the patches they always say i don't have outlook 6. I'm confused??. This virus is getting on my nerves.:|
If you don't succeed you run the risk of failure--Dan Quayle

I frequently use a batchfile to install about 40-50 Microsoft patches in one shot. If you have already patched the vulnerability, the patches may say something like this: http://pics.bbzzdd.com/users/m..._installed_message.gif

You can download Microsoft Baseline Security Analyzer 1.2.1 from here and see how you're doing on patching, as well as other security areas like weak/blank passwords, hazardous shares, and even MS Office patches if you have Office2000 or later.
 
Bartender

Oct 19, 2004
39
0
0
Same thing happened to me today... Apparently this was fixed in the February Windows update... And yet I just bought this laptop a month ago. Anyways After this happened I downloaded the newest windows update... Yeah nice timing :thumbsup:

Anyways if anyone has any more information on this virus/trojan w/e it is I would really like to know. I already updated all my norton option to highest protection/automatic protection... Ran a various amount of spyware programs etc... Still can't locate this file the virus is supposed to be in and Norton still isn't picking it up in the routine scans.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Bartender
Same thing happened to me today... Apparently this was fixed in the February Windows update... And yet I just bought this laptop a month ago. Anyways After this happened I downloaded the newest windows update... Yeah nice timing :thumbsup:

Anyways if anyone has any more information on this virus/trojan w/e it is I would really like to know. I already updated all my norton option to highest protection/automatic protection... Ran a various amount of spyware programs etc... Still can't locate this file the virus is supposed to be in and Norton still isn't picking it up in the routine scans.

What are your Norton settings for dealing with threats? Example screenshot of Norton's AutoProtect action options. If it's set up like mine, then look in Quarantine. Or maybe it considers that it did a successful de-contamination of the file. You can also look at Norton's logs, click Reports in Norton's main panel and choose View Activity Log.
 
Bartender

Oct 19, 2004
39
0
0
Well I'll start with the view activity log... It showed the two times it brought up the warning (First was exactly the same as the creator of this thread.) The second was the same except "Action Taken: Access Denied."

As for the auto-protect "When Virus is Found" mine is set to: auto-repair infected file
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I'm downloading today's Intelligent Updater from Symantec so I have the latest definitions, and then I'll try to capture a copy of it and submit it to Network Associates' WebImmune online analyzer to see what McAfee calls it.

A while back I was using Grisoft AVG Free Edition and it detected an attack while I was visiting one of my Web-based emails. I forget what the attack was called by Grisoft, but since I couldn't get any more info on it, I heaved it at McAfee and they ID'ed it as Free-Scratch-Cards, some kind of adware program that installs with an ActiveX popup. If you update with WinXP SP2, then you should be free of ActiveX popups except at your own discretion. On Win2000, you can run as a Restricted User and you won't get ActiveX popups either.

53% done with my download Grrr, stupid 56k modem...
 
Bartender

Oct 19, 2004
39
0
0
Originally posted by: mechBgon

If you update with WinXP SP2, then you should be free of ActiveX popups except at your own discretion.


What's WinXP SP2?

That and i don't get pop-ups I have a blocker on, that came with my firewall. Haven't had a pop-up yet.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Bartender
Originally posted by: mechBgon

If you update with WinXP SP2, then you should be free of ActiveX popups except at your own discretion.


What's WinXP SP2?

That and i don't get pop-ups I have a blocker on, that came with my firewall. Haven't had a pop-up yet.

I meant Service Pack 2 for WinXP. There's a link to the full SP2 download on this page if you would like to get the whole thing and record it to CD, or you can hit Windows Update to get a streamlined version of it. It adds its own popup blocking, puts a lid on the ActiveX stuff, and seems to be designed to raise security awareness among home users.

The page I linked to also has some advice about preventing viruses and spyware/adware, I put it under the Ongoing prevention header there. Microsoft Baseline Security Analyzer is a cool tool that will reveal if you have weak or blank passwords that are leaving your system's administrative shares wide-open, for example... you might want to run that.

 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Aha, it quarantined the file. Now to see what McAfee WebImmune says about it.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Hmm, well it's diligent about putting them in Quarantine. If I restore the files to their original location, Norton disinfects them first, so I can't send them to McAfee WebImmune and expect them to detect a threat if they've been disinfected.

At any rate, if they're being quarantined, that answers the mystery of where they went and why they're not being detected on regular scans, for that particular site. I did use Norton's "submit for analysis" feature and they said this:
We have analyzed your submission. The following is a report of our
findings for each file you have submitted:

filename: C:\Documents and Settings\mechBgon\Local Settings\Temporary Internet Files\Content.IE5\6PZXY894\1559[2]
machine: TRASH
result: See the developer notes

Developer notes:
C:\Documents and Settings\mechBgon\Local Settings\Temporary Internet Files\Content.IE5\6PZXY894\1559[2] applies to the 20 current Bloodhound detections in the engine

Some or all of the files have been detected as 'expanded threats'. For Symantec products that support expanded threats, the currently published LiveUpdate definitions (or attached definition file) are capable of detecting these threats. For more information on expanded threats, please visit http://securityresponse.symant...ded_threats/index.html
----------------------------------------------------------------------
This message was generated by Symantec Security Response automation
So it looks like there are 20 different threats that fall under Bloodhound.Exploit.6. Edit: and if you follow the link they give, it says this:
Symantec AntiVirus products allow users to protect themselves from a variety of potential software and Internet threats. These include malicious code such as viruses and Trojans, as well as Expanded Threats, which include Spyware, Adware, and Dialers.

General Criteria for Expanded Threats


An expanded threat is an application or software-based executable that is either independent or inter-dependent on another software program, and meets one or more of the following criteria:

1) Is considered to be non-viral in nature (i.e., does not spread on its own using a virus-like mechanism, or meet the definition below of a worm or Trojan Horse) yet conforms in a significant way to the general definition of a category of expanded threat defined below; and/or,

2) Has been submitted to Symantec by a critical number of either corporate or individual users within a given timeframe. The timeframe and number may vary by category, and by threat; and/or,

3) Can be shown to create a general nuisance related to one of the specified threat categories, or exhibiting behavior that is as yet undefined under a broader category of expanded threat.

NOTE: Expanded threats may exhibit behavior described in more than one category.
Betcha it's something along the lines of that Free-Scratch-Cards thing.
 