
Symantec detecting Bloodhound.exploit.213


5 replies to this topic

#1 jjohnkim

jjohnkim

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:26 PM

Posted 20 April 2009 - 03:38 AM

Hi,

My Symantec keeps detecting Bloodhound.Exploit.213 on my laptop as a .tmp file (with a filename that starts as "DWH") in my \User\*Name*\AppData\Local\Temp folder. And I frequently get hundreds of notifications saying that the files have been quarantined. I tried running a full virus scan with Symantec and Avira and it doesn't seem to have stopped anything. I've also tried running Malwarebytes and got this result, and yet it still hasn't resolved anything:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 6.0.6001 Service Pack 1

18/04/2009 9:17:16 PM
mbam-log-2009-04-18 (21-17-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 264537
Time elapsed: 4 hour(s), 12 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\John Kim\AppData\Roaming\addon.dat (Malware.Trace) -> Quarantined and deleted successfully.


I hope it's not anything serious - is there any way I can fix this?

Thank you in advance!

Edited by jjohnkim, 20 April 2009 - 12:09 PM.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,937 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:26 PM

Posted 20 April 2009 - 12:56 PM

I tried running a full virus scan with Symantec and Avira

Using more than one anti-virus program is not advisable. The primary concern with doing so is due to conflicts that can arise when they are running in real-time mode simultaneously. However, even when one of them is disabled for use as a stand-alone scanner, it can affect the other. Anti-virus software components insert themselves into the operating system's core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus will often interpret the activity of the other as a virus and there is a greater chance of them alerting you to a "False Positive". If one finds a virus and then the other also finds the same virus, both programs will be competing over exclusive rights on dealing with that virus. Each anti-virus will attempt to remove the offending file and quarantine it. If one finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found when that is not the case.

Anti-virus scanners use virus definitions to check for viruses and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, most anti-virus programs encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. Other vendors do not encrypt their definitions and they can trigger false alarms when detected by the resident anti-virus.

Keep in mind that dual installation is not always possible because most of the newer anti-virus programs will detect the presence of others and may insist they be removed prior to download and installation of another. Nonetheless, to avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software.

NAV has the ability to detect unknown viruses of various types using heuristic algorithms known as Bloodhound Technology. According to Symantec, files that are detected as Bloodhound.Exploit.213 are a heuristic detection for files attempting to exploit the Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability which may or may not be malicious. Symantec asks that you Submit Virus Samples detected as Bloodhound.Exploit.213 to the Symantec Security Response Team.

Symantec's technology uses an expert system to analyze the cataloged behaviors and assess the likelihood of viral infection. Bloodhound is not the name of a virus, but a message displayed by NAV when it thinks it may have found a new virus which is categorized as Exploit, Packed variants in their definition files.

Heuristic analysis is the ability of an anti-virus program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus.

The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk for a "False Positive" if the virus detection technology (AutoProtect settings) is set to High for Bloodhound and the heuristic analysis flags a file as suspicious or infected that contains no malware. You may want to Reset Bloodhound to default settings and try scanning again.

NAV is doing its job when alerting to a Bloodhound exploit but from personal experience and testing, I have found some of these alerts to be a false positive. You need to investigate further if you continue to get them and follow Symantec's instructions for submitting samples.

Your Malwarebytes Anti-Malware log indicates you are using an outdated database version. Please update it through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Your database shows 1945. Last I checked it was 2013. Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating, is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.
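The threshold-based heuristic quietman7 describes above (virus-like characteristics counted against a cutoff, with a High sensitivity setting raising the false-positive rate on legitimate files) in runnable toy form. This is an added example, not Symantec's Bloodhound logic and not code from the thread; the indicator patterns, weights, thresholds and the two PDF fragments are constructed assumptions chosen to show why a benign form script that uses util.printf() can be flagged at High sensitivity but not at default.

```python
"""Toy threshold heuristic modelling how a Bloodhound-style scanner flags files.
Assumption: Symantec's real rules are not public; everything here is constructed."""
import re

# Each indicator is a pattern over the raw file bytes plus a weight (constructed).
INDICATORS = {
    "javascript_action": (re.compile(rb"/JavaScript\b|/JS\b"), 1),
    "util_printf_call":  (re.compile(rb"util\.printf\s*\("), 1),
    "runs_on_open":      (re.compile(rb"/OpenAction\b"), 1),
    "unescape_decoder":  (re.compile(rb"\bunescape\s*\("), 2),
    "long_encoded_blob": (re.compile(rb"(?:%u[0-9A-Fa-f]{4}){8,}"), 2),
}

# Sensitivity levels mirror the idea of the AutoProtect Bloodhound setting:
# a lower threshold catches more unknown files, benign ones included.
THRESHOLDS = {"default": 4, "high": 2}


def score_file(data: bytes) -> dict:
    """Return the names of matched indicators and their total weight."""
    hits = {name: w for name, (pat, w) in INDICATORS.items() if pat.search(data)}
    return {"hits": sorted(hits), "score": sum(hits.values())}


def classify(data: bytes, sensitivity: str = "default") -> tuple:
    """Flag the file when its heuristic score reaches the sensitivity threshold."""
    result = score_file(data)
    flagged = result["score"] >= THRESHOLDS[sensitivity]
    return flagged, result["score"], result["hits"]


# Constructed samples, not real documents: a form field whose calculation
# script legitimately formats a number, and a document that decodes and runs
# an obfuscated string as soon as it is opened.
BENIGN_FORM = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Widget /AA << /C << /S /JavaScript"
               b" /JS (event.value = util.printf(\"%.2f\", total);) >> >> >> endobj")
SUSPICIOUS_DOC = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                  b"2 0 obj << /S /JavaScript /JS (var s = unescape(\"" + b"%u4141" * 12
                  + b"\"); eval(s); util.printf(\"%s\", s);) >> endobj")

if __name__ == "__main__":
    for name, blob in (("benign form", BENIGN_FORM), ("suspicious doc", SUSPICIOUS_DOC)):
        for level in THRESHOLDS:
            print(f"{name:15} {level:8} flagged={classify(blob, level)}")
```

At the default threshold only the constructed suspicious document is flagged; at High, the benign form (score 2 for having JavaScript and a util.printf call) is flagged too, which is the false-positive case the post warns about.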

#3 jjohnkim

jjohnkim
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:26 PM

Posted 20 April 2009 - 02:20 PM

Hi quietman7,

I've removed Avira off my laptop and am running only Symantec NAV Corporate Edition on my laptop.

Also, I tried submitting an online sample to Symantec, but when I run All_boot.exe, the Boot.dat does not seem to create. I followed the instructions and ran the All_boot.exe in the C:\ root folder, but it does not seem to create Boot.dat. How should I submit my virus sample to Symantec?

Also, I ran Malwarebytes after updating, as you said, and I got this result:

Malwarebytes' Anti-Malware 1.36
Database version: 2015
Windows 6.0.6001 Service Pack 1

20/04/2009 15:17:38
mbam-log-2009-04-20 (15-17-38).txt

Scan type: Quick Scan
Objects scanned: 74260
Time elapsed: 1 hour(s), 0 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And yet, I'm still getting these NAV Auto-Protect updates saying that it's detected Bloodhound.Exploit.213 as a "DWH****.tmp" file.

Edited by jjohnkim, 20 April 2009 - 05:26 PM.


#4 jjohnkim

jjohnkim
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:26 PM

Posted 21 April 2009 - 12:33 AM

I think I've figured it out, and after many search attempts, I've come across this: http://service1.symantec.com/SUPPORT/ent-s...pen&seg=ent

There seems to be nothing else wrong with my laptop except for the fact that these DWH****.tmp files keep popping up on Symantec's Auto-protect. Which leads me to believe that the link I posted is exactly what is going on with my laptop.

Could someone more knowledgeable in these areas confirm?

Thank you in advance!

-John Kim

Edited by jjohnkim, 21 April 2009 - 12:34 AM.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,937 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:26 PM

Posted 21 April 2009 - 09:41 AM

How should I submit my virus sample to Symantec?

Check with Symantec/Norton Product Support, let them know what occurred when you tried to submit a sample by following their instructions so they can advise you how to fix this issue or an alternative method of submission.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,937 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:26 PM

Posted 21 April 2009 - 10:51 AM

I received your second email notification after I responded to the previous question so I did not notice your last reply.

I don't use Symantec so I cannot confirm but from what I read it appears to fit your scenario. Though there is no mention of a Bloodhound exploit detection, they do advise that the files detected by Auto-Detect. Symantec has several workarounds listed in that link which you can try yourself to see if that resolves the issue.



