
SANS ISC: InfoSec Handlers Diary Blog



Symantec AV problem on XP SP2 Simplified Chinese

Published: 2007-05-18
Last Updated: 2007-05-19 04:30:48 UTC
by Kyle Haugsness (Version: 2)
We received a report that Symantec Antivirus was identifying two system files (netapp32.dll and lsass.exe) on the Simplified Chinese version of Windows XP SP2 as a virus (Backdoor.Haxdoor) and deleting them.  This prevents the machines from booting correctly.  News reports are limited at this time, so it's difficult to confirm.  But the following sources are available:

http://sbin.cn/blog/2007/05/18/symantec-anti-virus-software-damages-system-files/
http://blog.xfocus.net/index.php?blogId=1

Update: This was confirmed by several people today.  Apparently it was lsasrv.dll and not lsass.exe.  The fix is to replace the DLL files from a restore CD.

More news:
http://www.cisrt.org/enblog/read.php?100
http://news.163.com/07/0519/01/3EQPHCPV0001124J.html