
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-05-18



Symantec AV problem on XP SP2 Simplified Chinese

Published: 2007-05-18
Last Updated: 2007-05-19 04:30:48 UTC
by Kyle Haugsness (Version: 2)
We received a report that Symantec Antivirus was identifying two system files (netapp32.dll and lsass.exe) on the Simplified Chinese version of Windows XP SP2 as a virus (Backdoor.Haxdoor) and deleting them. This prevents the machines from booting correctly. News reports are limited at this time, so it's difficult to confirm, but the following sources are available:

http://sbin.cn/blog/2007/05/18/symantec-anti-virus-software-damages-system-files/
http://blog.xfocus.net/index.php?blogId=1

Update: This was confirmed by several people today.  Apparently it was lsasrv.dll and not lsass.exe.  The fix is to replace the DLL files from a restore CD.

More news:
http://www.cisrt.org/enblog/read.php?100
http://news.163.com/07/0519/01/3EQPHCPV0001124J.html