 BooBooBear
join:2004-02-11 South Pasadena, CA
| Bloodhound exploit.6 virus???
Ok the strangest thing is happening. Norton anti virus Pro 2004 is detecting a virus named bloodhound exploit 6 .. it can not fix this file so I am assuming it's automatically deleting this virus. Has anyone else come across this virus?
Running Norton again shows no virus. What gives?
In Norton logs it shows in this order.. access denied.. then repair failed... 2nd entry shows again access denied... repair failed... did Norton quarantine this virus??? There is no listing of such... was it auto deleted? I have that option clicked.. |
|
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
1 edit | SARC says it is a proof-of-concept exploit code. I believe it is downloaded into your browser cache as a .htm file, which is why the virus seems to vanish intermittently as your cache is cleared.  -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13) |
|
 BooBooBear
join:2004-02-11 South Pasadena, CA
| Yes, I looked it up. Symantec says it's a trojan of "low risk". Norton Virus Pro detected it twice and from top to bottom says access denied, repair failed. Apparently, it is located in the temp internet file directory.
Am I to safely assume it was auto quarantined? I have the option checked. I'm not sure why it didn't auto delete it and this virus or trojan is in the update Feb 2004. This virus doesn't show up in quarantine. I wish Norton ran smoother and had an easier to read logging system
Explorer has all the so-called Microsoft patches as well as the OS. Ran TDS-3 - shows nothing. Running Norton again and it isn't showing anymore (whew).
I am pretty sure it came from a program called Clean Cache 2.11. I don't put any sensitive data in the computer anymore. (That is what zip disks or floppies or USB memory cards are for these days :0 ) |
|
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
4 edits | reply to BooBooBear I suspect what happens is, NAV immediately denies access when it detects the virus in a .htm file downloaded into your cache. Do you have IE set to clear the cache when IE is closed? Or do you manually clear the cache? You can look in the "Backup Items" section of Quarantine to see if it is there. EDIT: KAV also detects the .htm file as Exploit.HTML.Mht -- and there may be an associated .chm file detected by KAV as TrojanDownloader.VBS.Psyme.p and by NAV as Trojan Downloader.  -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13) |
|
 BooBooBear
join:2004-02-11 South Pasadena, CA | I have it set to auto clear when explorer closes. I also use cookie cop and webroot window washer. I wish explorer would clean the index.dat files too. |
|
 ghost16825 Use security metrics Premium join:2003-08-26
| reply to BooBooBear The name should give it away.
You went to a webpage demonstrating an IE 6 exploit.
Even if the page wasn't actually executing proof of concept, NAV saw text that was the same as in actual executing code (i.e. real exploit code printed as text instead of "executed") and detected it as a "virus".
If you think this is dumb, I agree. I guess it begs the question - should AVs detect specific browser exploitable HTML code? And shouldn't they at least detect whether the code is printed rather than read and "executed"? |
|
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
| reply to BooBooBear Ah but say you want to transport the code, you could hide it in an unexecutable place, and then change it or move it out. As in hiding a virus in a password protected .zip file, or a .jpg.
Not scanning something opens vulnerabilities.
Also it might be too complicated to figure out if the code can be executed or not as it passes in.
It is a trade off. -- (Virus&Hijacking FAQ + Submit suspected malware + Security FAQ |
|
 BooBooBear
join:2004-02-11 South Pasadena, CA
| reply to ghost16825 Ahh but I don't think it came from a site. If it did then it must have come from here because I noticed when I tried to click on a certain post here I would get NAV detected bloodhound exploit 6.. unable to fix file message. I am an avid internet user. However, I don't download much or preferably nothing from the internet from sites unknown. I don't even open attachments!
The web page in question then would be from one of the posts here. I haven't been to many sites today except for the usual such as dslreports, Symantec, eBay (not a spoofed site) and Lavasoft to check for updates.
I'm pretty sure it came from a program called Clean cache vers 2.11 and it was downloaded from a reputable site!!!!! |
|
 mecklaw Premium join:2003-12-30 Gastonia, NC
| This popped up on my computer at work, while viewing this thread in the forum; »What the He_l is isearch toolbar.??.
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Bloodhound.Exploit.6
File: C:\Documents and Settings\*******\Local Settings\Temporary Internet Files\Content.IE5\2PQBG415\remark,9892290~mode=flat[2]
Location: Quarantine
Computer: **************
User: *******
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Wed Apr 07 02:49:01 2004 |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England | I received the same notification whilst reading a thread here yesterday. |
|
 BooBooBear
join:2004-02-11 South Pasadena, CA | Confirming my suspicions... I tried to read that same post and Norton picks it up as the same virus. |
|
  speedy101
join:2001-01-29 united state | reply to BooBooBear ya I got same virus which couldn't repair or nothing, I did scan with NAV, also other. When I go to some sites this virus would come up. Every time, I think there's some trojan virus which is still in some file. Could be in cache but I clear every time |
|
 BooBooBear
join:2004-02-11 South Pasadena, CA
| I tried the same post on another computer at the university. The virus doesn't come up but it does when I try and view the post here... Norton bug?
I clean the cache often and Norton did find the file in program files and couldn't repair it but quarantined the virus. I then proceeded to delete it. |
|
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB 1 edit | reply to BooBooBear If you find the file again, because it seems to be inconsistently detected, use the submit suspected malware link on the BBR Security Forum main page.
»Security |
|
 BooBooBear
join:2004-02-11 South Pasadena, CA | I wouldn't say it's inconsistent - it pops up every time I try and open and read a post made by another user. |
|
  speedy101
join:2001-01-29 united state
| reply to BooBooBear I have done the steps where you need to shut the restore off, then go to safe mode, and delete. Well, after those, when I come back to regular mode, I check the document and setting folder, I see adminisiter ds432 something. Well, it wasn't there before, is it ok to be there or something wrong |
|
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
| speedy101, what AV are you using? And what does "adminisiter ds432" refer to? It would help to know more details before we can say anything definitely about what you have observed.  -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13) |
|
  speedy101
join:2001-01-29 united state | reply to speedy101 Hello, I am using Norton anti virus 2004, adminsiter ds 432.. folder in there pretty much has same application data, desktop, cookies. To make it clear it's in document and setting folder. |
|
  Sparrow Crystal Sky Premium join:2002-12-03 Sachakhand
| reply to BooBooBear Please read this thread, and Zupe's response at the very end of the thread. »(FP) VBS.StartPage Trojan |
|
 ghost16825 Use security metrics Premium join:2003-08-26
| reply to BooBooBear I don't want to alarm anyone, and I still think your system is clean BooBooBear, but I found this on Securityfocus.
»www.securityfocus.com/archive/1/···-04-11/0
Maybe that's why your AV doesn't care about so many false positives for this signature. |
|