PPRuNe Forums - View Single Post - Bloodhound.Exploit.131
Thread: Bloodhound.Exploit.131
View Single Post
Old 8th April 2007 | 03:25
  #2 (permalink)  
Tarq57
20 Anniversary
 
Joined: Dec 2005
Posts: 1,694
Likes: 15
From: Wellington,NZ
Not 100% sure.
The Symantec advisory concerning this indicates it is a heuristic detection for the known cursor vulnerability, which was, within the last 3 or 4 days, patched via MS/Windows update.
If your system is fully updated I would think you'd be OK.
Heuristic detections are the best, and perhaps one of the only, defenses against zero-day exploits. Because of the nature of the detection, however, it's more likely to be a false positive than if detected via signature definitions.
Other defence mechanisms include having a good 2 way firewall, so if an unknown application tries to send your data anywhere, or phone for reinforcements (as trojans often do) you have a chance of blocking it.
Navigate to the folder Norton reported this infection, try and find it, and upload it to Virus Total , an online (single file) scanning service.
Of course, using system restore may have invalidated the file, in that it's not there (in your current incarnation of windows) but may be lurking, undetected, or if a fp, benignly, in the system restore.
Personally, not being particularly expert, what I'd do is (1) Check the file, if possible.
(2) Make sure the computer is up to date with the MS update,
(3) Do a full virus scan, and if you have one, and antispyware scan. Superantispyware, AVG antispy, and Asquared are all good.
Check anything found at VirusTotal, and if it looks like malware quarantine it.
(4) If anything was found, scan again in safe mode.
(5) Turn off system restore, all running well, to eliminate past restore points.
The recent MS patches are-I think- part one of three for this issue (cursor vulneralbility. Not too sure, read that somewhere recently. Ceck windows update regularly.
Following the MS update,if your sound manager is Realtec Audio, you may get a "illegal ###.dll moved" error message. MS have a hotfix for that, which apparently works.
The other defense I know of (and use) for this sort of thing is a program with a HIPS or IDS function (Host intrusion Detection System) The one I use is SpywareTerminator, which includes a resident antispy. Freeware.
Tarq57 is offline  
Reply
0