Vundo disabled Norton 360

I had a full day of battle with Vundo.H Trojan last Sunday trying to get my dad’s infected computer cleaned up.  The parasite was occasionally popping this message:

“Your system is infected with dangerous virus! Note: Strongly recommend to install antispyware program to clean your system and avoid total crash of your computer!”system-error

As well, it’s the root cause of a subsequent DoS (more later).

One of the registry keys that was infected was the  AppInit_DLLs key, which Raymond Chen once wrote about in a blog entry aptly entitled  AppInit_DLLs should be renamed Deadlock_Or_Crash_Randomly_DLLs.

Anyway,  kudos to Malwarebytes' Anti-Malware for being a very useful tool.  But for a while there, as I sat and watched explorer.exe puts back this registry value no sooner than I deleted it, I felt like I was in the late 80s, early 90s, where viruses freely infected MS-DOS in similar manners.  I finally woke up and demoted my dad to non-administrative user level, which brings me to the next point about  antivirus.

In addition to the annoying popup, Vundo also messed up the antivirus software.  My dad had Norton 360 installed on his system, with at least 30 days remaining in his update subscription.  Yet, Vundo managed to sneak through, and somehow confused it enough to DoS my attempt to access the Internet—not only port 80, but all ports were being blocked.  One note of interest: for a while there it was refusing Firefox but lets IE through, but after a while, even IE was returning the  “Web page cannot be found” message.  Anyway,  I uninstalled Norton after cleaning Vundo and was then able to surf the web again.

 

There seems to be some controversy about using antivirus software over running Windows under a  non-admin account.  Apparently, over 92% of Windows security vulnerabilities reported last year could have been prevented if users were not using admin accounts.

I know that for me, running as a non-admin user will probably never fly in a software development environment where running a build requires elevated privilege in order to do COM registrations. As for my dad, non-admin account might suffice for now, but I wonder if it will prevent him from inadvertently falling victim to  phishing scams, which some antivirus software is able to prevent.

3 comments:

Raymond said...

"requires elevated privilege in order to do COM registrations."

Use per-user COM registrations (use HKCU\Software\Classes instead of HKCR) or registration-free COM.

I have never run as an administrator and I've built lots of products...

Anonymous said...

looks like Symantec have closed the gap with v3.0 beta picking up the antibot that the 2009 products have.

Thanh Hai Tran said...

@Raymond: thanks for the tip. Will read up on HKCU\Software\Classes. I wonder how that would work if I want my product to be installed for ALL USERS on the same machine.

@Anonymous: I've since installed BitDefender on my dad's computer. Running as non-admin is good, but non-admin + antivirus is better. :-)