Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Microsoft AntiSpyware attacks Norton AV?
From: "Joel R. Helgeson" <joel () helgeson com>
Date: Sat, 11 Feb 2006 01:28:20 -0600

Is anyone else seeing/experiencing this?

A customer of mine stated that Microsoft AntiSpyware updated its signature files between 2/9 and 2/10 to signature 
version 5805.
When it scanned each system it found a Trojan called PWS.Bancos.A (Password Stealer) - Level: Severe

When it quarantined the bug, it also rendered the Symantec Anti-Virus helpless.  The Rtvscan.exe kicks up to 100% CPU 
utilization.
The only way to stop it is try to end process in task master or reboot the computer system.  Either will release the 
CPU however, how the
Symantec Antivirus is corrupt and not usable.  


My take on what has happened:
<speculation>
The PWS.Bancos.A virus was apparently distributed with the Bagle worm, it attacked and shut down Microsoft AntiSpyware 
as well as deleted executable files and killed running processes for anti-virus software. 

It appears that MS AntiSpyware incorrectly identified some parts of Symantec's AntiVirus as being the trojan and then 
went to delete the infection.  Once deleted, It threw Symantec AV into a tailspin causing 100% CPU utilization wherein 
upon reboot or killing the offending task, SAV was rendered useless and needing to be reinstalled.
</speculation>

Microsoft very quickly released signature version 5807 to correct the mistake.

Anyone else seeing this?

Joel
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault