[Dshield] Latest A/V update from Symantec detects RockXP 3.0 as having Infostealer.Bancos.gen
Robert Nelson
nelsrob at mts.net
Sun Feb 17 23:32:40 GMT 2008
I noted a similar issue with Norton AV 2008 and that same file. RAS.exe inside RockXP3.exe was the offending file for me last week.

Norton also had an issue with Shutdown.exe inside a Winamp 5 skin - used by the skin for shutting down the PC after you've lulled yourself to sleep with tunes... It figured that was Trojan.Zlob.

Norton isn't the only AV program that finds something in RockXP. Just for fun, I ran the RockXP3.exe file at VirusTotal and quite a few programs found something in there as well.
Robert
-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org] On Behalf Of John B. Holmblad
Sent: February 17, 2008 12:43 PM
To: General DShield Discussion List
Subject: [Dshield] Latest A/V update from Symantec detects RockXP 3.0 as having Infostealer.Bancos.gen
All,
I don't know if anyone else has seen this but I have a case where, on an XP SP2 system, Symantec Norton A/V with the latest signature files (dated 2/15/08) caught and eradicated Infostealer.Bancos.gen inside of a .exe file, RockXP3.exe.

For those not familiar, RockXP is a tool for extracting product keys and, apparently, passwords.
Here is some commentary on this (apparently) false positive phenomenon:
http://www.majorgeeks.com/download4138.html

and here is the url to the www page at the Symantec www site that describes the malware:
http://www.symantec.com/security_response/detected_writeup.jsp?name=Infostealer%2EBancos%2Egen
The interesting thing is that the RockXP.exe file had been sitting on this system for over 2 years (unused I think).
Here is the url to the rockxp www site:
http://www.rockxp.org/
--
Best Regards,
John Holmblad
Televerage International
GSEC Gold, GCWN Gold, GAWN, GGSC-0100, NSA-IAM, NSA-IEM
Information security, telecommunications, and information technology
consulting
(M) 703 407 2278
(F) 703 620 5388
primary email address: jholmblad at aol.com
backup email address: jholmblad at verizon.net