Message-ID: <00ac01c62edc$bc62eb40$1400a8c0@appiant>
Date: Sat Feb 11 07:28:37 2006
From: joel at helgeson.com (Joel R. Helgeson)
Subject: Microsoft AntiSpyware attacks Norton AV?

Is anyone else seeing/experiencing this?

A customer of mine stated that Microsoft AntiSpyware updated its signature files between 2/9 and 2/10 to signature version 5805.
When it scanned each system it found a Trojan called PWS.Bancos.A (Password Stealer) - Level: Severe

When it quarantined the bug, it also rendered the Symantec Anti-Virus helpless.  The Rtvscan.exe kicks up to 100% CPU utilization.
The only way to stop it is try to end process in task master or reboot the computer system.  Either will release the CPU however, how the
Symantec Antivirus is corrupt and not usable.  


My take on what has happened:
<speculation>
The PWS.Bancos.A virus was apparently distributed with the Bagle worm, it attacked and shut down Microsoft AntiSpyware as well as deleted executable files and killed running processes for anti-virus software. 

It appears that MS AntiSpyware incorrectly identified some parts of Symantec's AntiVirus as being the trojan and then went to delete the infection.  Once deleted, It threw Symantec AV into a tailspin causing 100% CPU utilization wherein upon reboot or killing the offending task, SAV was rendered useless and needing to be reinstalled.
</speculation>

Microsoft very quickly released signature version 5807 to correct the mistake.

Anyone else seeing this?

Joel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060211/f1f2b4a1/attachment.html

Powered by blists - more mailing lists