[Dshield] Potential new virus

Keith Bergen keith at keithbergen.com
Tue Feb 3 23:28:27 GMT 2004

I just received a PIF that Norton did not detect. I suspect that it was a
virus, but my (up-to-date) Norton A/V did not flag it as such.

I have sent it to Norton per the instructions listed below, but thought that
I'd warn the group about it.

The email came looking like this with the attachment "occasie.txt.pif":

>From: Dozal, Tim [mailto:tdozal at sw2000.com] 
>Sent: Tuesday, February 03, 2004 12:35 PM
>To: undisclosed-recipients:
>Subject: RE: more info on a hopefully unsuccessful compromise
>You may be able to create a new account on the host and set it with full
>administrator privileges on the local machine (and domain if present) then
>disable/remove the administrator account you're having problems with.  I
>the reason you're unable to disable/remove the current admin account is Wi

Here are the instructions on how to email Norton a potential virus:

To send a zipped, password protected copy of the suspicious file or files as
an email attachment

To create an email 
Create an email. 
Type Submission in the Subject field. 
Include the following information in the body of the email 
Operating System 
Zip/Country code 
Phone number 
A detailed description of the symptoms that you observed.

To create a password-protected zip file
Do the following to create a password-protected zip file that contains the
suspicious file/files. It is important that potentially infected files be
zipped and password protected to prevent the potential new virus from being
mistakenly sent to others. This process is part of the Symantec best
practices procedure when working with potentially infected files. If you are
running Norton AntiVirus or Symantec AntiVirus in a corporate environment,
then zipping and password protecting a potentially infected file will also
allow the file to be sent through your network security system without being

Note: These steps apply to Winzip. If you have another zip utility, consult
your program documentation for help zipping and password protecting the
potentially infected file.


Open Windows Explorer. 
Locate the suspicious file or files. 
If there is only one file, then right-click the file, and then click "Add to
Click I agree. 
Click New. 
Change the "Create" location to Desktop, type Submission and then click OK. 
Click Options and then Password. 
Type infected and then click OK. Reenter the same password, and then click
OK again. 
You should see a zip file named Submission.zip on the Desktop. 
If you want to submit more than one file, then do the following for each
Locate the file and then right-click the file, and click "Add to zip." 
Click I agree. 
Click Open. 
Change the "Create" location to Desktop, locate and click Submission.zip and
then click Open. 
Click Add.

To attach the zip file to the email and send the email to Security Response 
Attach the Submission.zip file to the email and send it to
AVSubmit at symantec.com. 
The submitted file will be scanned by the Symantec automated response system
and you will receive an email response with a tracking number. 

Note: Be patient. It is possible for the automated reply to take up to 24
hours, depending on how many submissions have been received.


"Life is like an analogy" 
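
A filename check that does not depend on antivirus signatures would flag an attachment like the "occasie.txt.pif" reported above. The following is an added example, not part of the original post or of any Symantec tooling; the extension lists, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists for this example; tune them to your own mail policy.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "lnk", "vbs", "js"}
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html", "xls", "zip"}

def classify_filename(name):
    """Return 'double-extension', 'executable' or None for an attachment name."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    # A harmless-looking extension right before the real one ("txt.pif"),
    # possibly padded with spaces to push the real one out of view.
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        return "double-extension"
    return "executable"

def suspicious_attachments(raw_message):
    """Return [(filename, verdict)] for flagged attachments in a raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        verdict = classify_filename(name) if name else None
        if verdict:
            findings.append((name, verdict))
    return findings

def build_sample():
    """Constructed sample: harmless one-byte payload with the reported file name."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "RE: constructed sample"
    m.set_content("see attachment")
    m.add_attachment(b"\x00", maintype="application",
                     subtype="octet-stream", filename="occasie.txt.pif")
    return m.as_bytes()

if __name__ == "__main__":
    for name, verdict in suspicious_attachments(build_sample()):
        print(f"{verdict}: {name}")
```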
