Never touch Norton's again!


Peter

Am receiving copies of a Mytob virus through email at the moment. Norton's
says the attachment is "clean" but NOD32 and AVAST report it as Mytob. I
have submitted examples to Symantec. Their "robot" keeps sending it back to
me saying it's clean. Often within a minute showing clearly they didn't even
bother to read the accompanying documentation I sent showing the symptoms.

I deliberately infected a stand-alone computer to see what happened
(Re-imaged drive afterwards). Immediately noticed lots of Hard drive
activity followed by numerous attempts to send email. In the running
processes I noticed wfdmgr.exe plus references in the registry to reload it
on startup.

What do you have to do to get Symantec to wake up that there is a Mytob
variant they are not covering?

Attempts to get around Norton's robot result in being charged $77 for a
direct phone contact consultation.

Customer support....what a laugh.

Peter
 
It doesn't help they also *remove* virus definitions from their
database as well. That's what made almost all respect I had for them
overnight.
 
Peter said:
Am receiving copies of a Mytob virus through email at the moment. Norton's
says the attachment is "clean" but NOD32 and AVAST report it as Mytob. I
have submitted examples to Symantec. Their "robot" keeps sending it back to
me saying it's clean. Often within a minute showing clearly they didn't
even bother to read the accompanying documentation I sent showing the
symptoms.

I deliberately infected a stand-alone computer to see what happened
(Re-imaged drive afterwards). Immediately noticed lots of Hard drive
activity followed by numerous attempts to send email. In the running
processes I noticed wfdmgr.exe plus references in the registry to reload
it on startup.

What do you have to do to get Symantec to wake up that there is a Mytob
variant they are not covering?

Attempts to get around Norton's robot result in being charged $77 for a
direct phone contact consultation.

Customer support....what a laugh.

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
Only took me 20 seconds to find it :
W32 Mytob C mm (wfdmgr.exe)
(Number 10 of the 55 results)
 
idbeholda said:
It doesn't help they also *remove* virus definitions from their
database as well. That's what made almost all respect I had for them
overnight.

Urban myth, or do you have a reference that I can peruse ?
 
Peter said:
Am receiving copies of a Mytob virus through email at the moment. Norton's
says the attachment is "clean" but NOD32 and AVAST report it as Mytob. I
have submitted examples to Symantec. Their "robot" keeps sending it back to
me saying it's clean. Often within a minute showing clearly they didn't even
bother to read the accompanying documentation I sent showing the symptoms.

I deliberately infected a stand-alone computer to see what happened
(Re-imaged drive afterwards). Immediately noticed lots of Hard drive
activity followed by numerous attempts to send email. In the running
processes I noticed wfdmgr.exe plus references in the registry to reload it
on startup.

What do you have to do to get Symantec to wake up that there is a Mytob
variant they are not covering?

Attempts to get around Norton's robot result in being charged $77 for a
direct phone contact consultation.

Customer support....what a laugh.

Peter

Perhaps your Mail Service or ISP automatically 'cleaned' the virus you sent to
them.
If you actually were charged $77, I would sure email and call (toll-free) and
complain to them more.
Explain again why you called and that the money should be refunded.

Norton's virus definitions on Intelligent Updater on 25APR05 covered that virus.
Norton's virus definition on the LiveUpdate on 27APR05 covered that virus.
Either your definitions were not up to date, or you checked that file before the
above dates.
 
Actually, I do have a reference. I'll have it posted for your download
pleasure tomorrow.
 
And what's even more disturbing is that came from their update
information in an install package.
 
Peter said:
Am receiving copies of a Mytob virus through email at the moment. Norton's
says the attachment is "clean" but NOD32 and AVAST report it as Mytob. I
have submitted examples to Symantec. Their "robot" keeps sending it back to
me saying it's clean. Often within a minute showing clearly they didn't even
bother to read the accompanying documentation I sent showing the symptoms.

I deliberately infected a stand-alone computer to see what happened
(Re-imaged drive afterwards). Immediately noticed lots of Hard drive
activity followed by numerous attempts to send email. In the running
processes I noticed wfdmgr.exe plus references in the registry to reload it
on startup.

What do you have to do to get Symantec to wake up that there is a Mytob
variant they are not covering?

Attempts to get around Norton's robot result in being charged $77 for a
direct phone contact consultation.

Customer support....what a laugh.

Peter

I ran Norton AV for a while and I was reasonably pleased with the
function of the product... never had an infection over a one year
period. However, it did take some doing to remove all traces of it from
the system.

Then decided I would try McAfee AV. I really did not like the way their
AV product worked. Updates always seemed to be problematic.

Then I thought I would give one of the free products a go and settled on
Avast! I will occasionally use one of the online scanners just to give
me the warm fuzzies nothing is escaping Avast!, so far found nothing and
I like Avast better than both Norton or McAfee... who try to generate a
steady revenue stream with their yearly subscriptions.

Didn't take the software vendors long to discover that once a customer
purchased a package that was the end of their revenue for a while... so
they corrected that with these yearly subscription/update fees.
 
Them saying what one variant is and actually identifying the variant when
scanned appears to be two different things.
 
Wish it were so. It is obviously a variant they haven't covered. I'm Sys
Admin for a college network using four individual networks of over 300
computers. We use NAV on all servers (Corporate edition but different
versions). Virus defs are 2/May/05 latest version.
None of these will pick it up including my 2004 Home edition. The virus
exists with an attachment size of 46Kb. It is active.
The $77AUS is a standard service charge. Wouldn't guarantee they will
refund.
 
Peter said:
Wish it were so. It is obviously a variant they haven't covered. I'm Sys
Admin for a college network using four individual networks of over 300
computers. We use NAV on all servers (Corporate edition but different
versions). Virus defs are 2/May/05 latest version.
None of these will pick it up including my 2004 Home edition. The virus
exists with an attachment size of 46Kb. It is active.
The $77AUS is a standard service charge. Wouldn't guarantee they will
refund.

Thanks for the enlightenment.
I use Norton and I updated it late yesterday morning and again this morning, but
the virus defs are 2May05 so I guess it must have come out late yesterday.
Last year I checked a suspicious attachment to an email with Norton and even
used their Intelligent Updater to get the very latest and it found no virus.
So, I opened it and discovered it was indeed a virus. I caught it by doing an
Internet search on a file it installed and found that it was truly a virus.
Norton didn't have it covered for a couple more days.
I hadn't rebooted yet so I easily cleaned it off my system.
Seeing how they really 'blew' it this time with you, I don't know how they can
refuse to not only refund your money, but give you an apology.
Keep trying.
Best of luck,
Buffalo
 
Peter said:
Am receiving copies of a Mytob virus through email at the moment. Norton's
says the attachment is "clean"

ARRGGH!!

I'm willing to bet that isn't what was declared. "No virus found" !=
"clean" and it is important for users to realize this fact.
 
Last year I checked a suspicious attachment to an email with Norton and even
used their Intelligent Updater to get the very latest and it found no virus.
So, I opened it...

You opened it because the AV allayed your suspicion when it stated "no
virus found"? This is an all too common misconception about what an AV
can tell you. Despite the wording they may use, all they can really tell
you is that:

1) I think I found something (then you need to eliminate the possibility
of a false positive detection)
2) I didn't find anything (then you need to either wait for the
definitions to catch up to the malware, scan with yet another scanner,
or both)

They can (almost) never say that a file is clean, only that they didn't
find anything - which is a very different thing altogether.

AV is a tool to HELP you and not a program to SAVE you.

Another point to make is that updating immediately prior to scanning is
NOT recommended - what IS recommended is letting new material sit in a
waiting directory for several AV update cycles to try to avoid your
being the canary in the coal mine.

If you scan new malware, and then execute it, you have only wasted your
time with the scanning
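
The waiting-directory advice in the post above, sketched as an added example (not code from anyone in this thread). The `HeldFile` structure, the three-cycle threshold and all sample files, dates and detection names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Verdicts never say "clean": a scanner reports "found something" or "found nothing".
DETECTED = "detected: rule out a false positive"
HOLD = "hold: wait for more definition updates"
WAITED = "nothing found after the waiting period (not proof the file is clean)"

@dataclass
class HeldFile:
    name: str
    arrived: date
    # Each scan is (release date of the definition set used, detection name or None).
    scans: list = field(default_factory=list)

def assess(held, min_cycles=3):
    """Return what the holding directory may say about one file."""
    # A detection by any definition set overrides earlier silence.
    if any(hit is not None for _, hit in held.scans):
        return DETECTED
    # Only definition sets released after arrival count as update cycles;
    # rescanning with the same set twice adds no information.
    later_sets = {defs for defs, _ in held.scans if defs > held.arrived}
    return WAITED if len(later_sets) >= min_cycles else HOLD

# Constructed sample data: file names, dates and the detection name are made up.
SAMPLES = [
    HeldFile("invoice.zip", date(2005, 5, 1),
             [(date(2005, 4, 30), None), (date(2005, 5, 2), None)]),
    HeldFile("photo.scr", date(2005, 5, 1),
             [(date(2005, 5, 1), None), (date(2005, 5, 2), None),
              (date(2005, 5, 4), "Example.Worm")]),
    HeldFile("setup.exe", date(2005, 5, 1),
             [(date(2005, 5, 2), None), (date(2005, 5, 2), None),
              (date(2005, 5, 4), None), (date(2005, 5, 6), None)]),
]

def report(files=SAMPLES, min_cycles=3):
    return {f.name: assess(f, min_cycles) for f in files}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name}: {verdict}")
```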
 
Roger Wilco said:
You opened it because the AV allayed your suspicion when it stated "no
virus found"? This is an all too common misconception about what an AV
can tell you. Despite the wording they may use, all they can really tell
you is that:

1) I think I found something (then you need to eliminate the possibility
of a false positive detection)
2) I didn't find anything (then you need to either wait for the
definitions to catch up to the malware, scan with yet another scanner,
or both)

They can (almost) never say that a file is clean, only that they didn't
find anything - which is a very different thing altogether.

AV is a tool to HELP you and not a program to SAVE you.

Another point to make is that updating immediately prior to scanning is
NOT recommended - what IS recommended is letting new material sit in a
waiting directory for several AV update cycles to try to avoid your
being the canary in the coal mine.

If you scan new malware, and then execute it, you have only wasted your
time with the scanning

The point I was trying to make was not my stupidity in opening it.
I was trying to say that Norton was behind the other antivirus companies at that
time for several days, just like they are now.
 
The point I was trying to make was not my stupidity in opening it.

Actually, you were lucky it wasn't something worse than a worm. You
apparently stopped the installation of a worm, but if it had been
another kind of virus or a damaging trojan the damage might not have
been so easily reversible. You had your suspicions, scanned the file,
and then let the AV sort of overrule your better judgement - and this is
not the way it should be.
I was trying to say that Norton was behind the other antivirus companies at that
time for several days, just like they are now.

And my point was that days or even weeks may not be long enough a
waiting period. I wasn't intimating that you did anything stupid, only
that it is a common misconception about AV scanners. A misconception
furthered by the marketing departments of the AVs with claims of being a
"solution" and the inflated 'value' of quick updates. Sure, it is
'value' to have timely def updates, but by having them hourly they imply
that waiting periods aren't needed.

It's like convincing people with open sores it is okay for them to swim
in cesspools because they offer a health 'solution' consisting of
adhesive bandages and antibiotics, when the real health solution is to
swim elsewhere.
 
Peter said:
Am receiving copies of a Mytob virus through email at the moment. Norton's
says the attachment is "clean" but NOD32 and AVAST report it as Mytob. I
have submitted examples to Symantec. Their "robot" keeps sending it back to
me saying it's clean. Often within a minute showing clearly they didn't even
bother to read the accompanying documentation I sent showing the symptoms.

I have submitted samples as described below and have not had any
problems getting a proper response. You have to send the sample in a ZIP
file, so it won't be detected and removed. I have never paid a $77 fee.


To send a zipped, password protected copy of the suspicious file or
files as an email attachment:

1. Create an email.
2. Type Submission in the Subject field.
3. Include the following information in the body of the email

* Operating System
* Name
* Address
* City
* State
* Zip/Country code
* Province
* Country
* Phone number
* A detailed description of the symptoms that you observed.


To create a password-protected zip file
Do the following to create a password-protected zip file that contains
the suspicious file/files. It is important that potentially infected
files be zipped and password protected to prevent the potential new
virus from being mistakenly sent to others. This process is part of the
Symantec best practices procedure when working with potentially infected
files. If you are running Norton AntiVirus or Symantec AntiVirus in a
corporate environment, then zipping and password protecting a
potentially infected file will also allow the file to be sent through
your network security system without being removed.
Note: These steps apply to Winzip. If you have another zip utility,
consult your program documentation for help zipping and password
protecting the potentially infected file.

1. Open Windows Explorer.
2. Locate the suspicious file or files.
3. If there is only one file, then right-click the file, and then
click "Add to zip."
4. Click I agree.
5. Click New.
6. Change the "Create" location to Desktop, type Submission and then
click OK.
7. Click Options and then Password.
8. Type infected and then click OK. Reenter the same password, and
then click OK again.
9. You should see a zip file named Submission.zip on the Desktop.
10. If you want to submit more than one file, then do the following
for each file.
11. Locate the file and then right-click the file, and click "Add to
zip."
12. Click I agree.
13. Click Open.
14. Change the "Create" location to Desktop, locate and click
Submission.zip and then click Open.
15. Click Add.


To attach the zip file to the email and send the email to Security Response

1. Attach the Submission.zip file to the email and send it to
(e-mail address removed).
2. The submitted file will be scanned by the Symantec automated
response system and you will receive an email response with a tracking
number.
Note: Be patient. It is possible for the automated reply to take
up to 24 hours, depending on how many submissions have been received.
 
Include the "password" in the e-mail ?

To send a zipped, password protected copy of the suspicious file or files
as an email attachment:

1. Create an email.
2. Type Submission in the Subject field.
3. Include the following information in the body of the email

* Operating System
* Name
* Address
* City
* State
* Zip/Country code
* Province
* Country
* Phone number
* A detailed description of the symptoms that you observed.


To create a password-protected zip file
<snip>
 
Sunny said:
Include the "password" in the e-mail ?

Netuser stated:

"It is important that potentially infected files be zipped and password
protected to prevent the potential new virus from being mistakenly sent
to others."

If you include the password in the e-mail body - it sort of defeats the
purpose, no?

The password is "infected" (without the quotes) and it is assumed that
your auntie Matilda doesn't know this. :)
 
Ta :-)

Roger Wilco said:
Netuser stated:

"It is important that potentially infected files be zipped and password
protected to prevent the potential new virus from being mistakenly sent
to others."

If you include the password in the e-mail body - it sort of defeats the
purpose, no?

The password is "infected" (without the quotes) and it is assumed that
your auntie Matilda doesn't know this. :)
 