Why do trojans get past my norton?

Engineer (OSNN Addict, joined 1 Mar 2004, 89 messages)
I have Norton NIS and AV 2003, and yesterday I found seven trojans on my system after a scan.

Trojan.ByteVerify x2
Trojan.BackdoorLixy x3
Dummy1
Dummy

What gives? I thought NIS was supposed to block this type of thing.

How do these trojans end up on my system anyway?

BTW, they were located in my temporary internet files folder, with XP.

Engineer
 
Trojan.ByteVerify will typically arrive as a component of other malicious content. An attacker could use the compiled Java class file to execute other code. The file will likely exist as VerifierBug.Class. For example, an attacker could create a .html file that uses the Trojan, and then create a script file that will perform other actions, such as setting the Internet Explorer Start Page.
Notification of infection does not always indicate that a machine has been infected; it only indicates that a program included the viral class file. This does not mean that it used the malicious functionality.

Have you been sniffing round any dodgy websites? If they're all in temp files, chances are it's not been run or Norton would catch it.
 
Oh my

Curiosity got the better of me and I went exploring around some Russian Sex site. I got a pop up after visiting a humor/comedy site, stupidly followed the pop up and there I was (Russian College Coeds or something like that). I closed the window got several other windows that popped up, closed them all).

That's likely how I got the trojans. Is it common for a trojan to invite itself into a PC from just visiting a site?

Eng.
 
Trojan.ByteVerify is pretty common at the moment, but Auto-Protect should remove it immediately when it's pulled off the website and before execution.

You need to patch your system as this trojan uses a flaw in IE to download and execute itself.

http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html

Yes, it is very common for malware to come onto a system in this manner. Generally those who surf dodgy sites should disable scripting and ActiveX totally.

Yes, NIS will block it: it will stop the trojan from communicating with the internet once executed, and NAV will detect and remove it (or should).

As for lixy:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.lixy.html

lixy uses a BHO (Browser Helper Object) to pull itself off the internet.

The files:

Rlid.exe: For setting up and running other Trojan files.
Lid.exe: Contains the main routine of the backdoor.
Lid.dll: A malicious Browser Helper Object that runs Lid.exe.

are all part of it.

If you still have these files present on your system or in the Quarantine please send them to me :)

The fact that they were present in temporary internet files would suggest they had been downloaded but had not executed.
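The two vectors described in this thread (Lixy registering a Browser Helper Object so IE loads Lid.dll, and ByteVerify arriving as a Java class file in the browser cache) leave different traces, which is exactly what separates "downloaded but never run" from "installed". The script below is an added example, not code from the thread or from Symantec. It assumes a `.reg` export of the Browser Helper Objects key and the matching `HKCR\CLSID\...\InprocServer32` keys (real registry locations; the sample export, its CLSID and the sample cache folder are constructed placeholders), and it uses only the indicator file names quoted above plus the Java class-file magic number `0xCAFEBABE`.

```python
r"""Added triage example (not from the thread or Symantec): tell "cached only"
from "installed" for the Backdoor.Lixy and Trojan.ByteVerify cases above.

Signals checked on constructed sample data:
  1. Registered Browser Helper Objects: CLSIDs under the BHO key, resolved to
     their DLL through HKEY_CLASSES_ROOT\CLSID\{clsid}\InprocServer32.
  2. Java class files in the browser cache, matched by indicator name or by the
     class-file magic number, whatever name IE's cache gave the file.
"""
import tempfile
from pathlib import Path, PureWindowsPath

# Indicator file names quoted in the thread from the Symantec write-ups.
INDICATORS = {"verifierbug.class", "rlid.exe", "lid.exe", "lid.dll"}
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file
BHO_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
           r"\explorer\browser helper objects")

# Constructed .reg export standing in for `reg export` output from an infected
# machine; the CLSID is a placeholder, not Lixy's real one.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\System32\\Lid.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg_export(text):
    """Parse a .reg export into {key_path (lowercased): {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")  # .reg files double backslashes
        keys[current][name] = data
    return keys


def registered_bhos(reg):
    """Return (clsid, dll_path) for every BHO CLSID, resolving the DLL via HKCR."""
    found = []
    for key in reg:
        if key.startswith(BHO_KEY + "\\"):
            clsid = key[len(BHO_KEY) + 1:]
            inproc = "hkey_classes_root\\clsid\\" + clsid + "\\inprocserver32"
            found.append((clsid, reg.get(inproc, {}).get("(default)", "")))
    return found


def suspicious_bhos(reg):
    """BHOs whose DLL file name matches an indicator from the thread."""
    return [(c, d) for c, d in registered_bhos(reg)
            if PureWindowsPath(d).name.lower() in INDICATORS]


def cached_indicators(cache_dir):
    """Walk a Temporary Internet Files tree; report indicator-named files and
    any Java class file (by magic), regardless of the name IE's cache gave it."""
    hits = []
    for p in Path(cache_dir).rglob("*"):
        if not p.is_file():
            continue
        with p.open("rb") as fh:
            head = fh.read(4)
        if p.name.lower() in INDICATORS or head == JAVA_CLASS_MAGIC:
            hits.append(p.relative_to(cache_dir).as_posix())
    return sorted(hits)


def build_sample_cache():
    """Constructed stand-in for a Temporary Internet Files folder."""
    root = Path(tempfile.mkdtemp(prefix="tif_"))
    sub = root / "Content.IE5" / "ABCD1234"
    sub.mkdir(parents=True)
    (sub / "VerifierBug.class").write_bytes(JAVA_CLASS_MAGIC + b"\x00" * 12)
    (sub / "x[1].class").write_bytes(JAVA_CLASS_MAGIC + b"\x00" * 12)  # renamed copy
    (sub / "funny[1].htm").write_text("<html><applet code=VerifierBug.class></applet></html>")
    return root


def triage(reg_text, cache_dir):
    """'installed' if a suspicious BHO is registered (it loads on every IE start),
    'cached-only' if indicators exist only in the cache, otherwise 'clean'."""
    if suspicious_bhos(parse_reg_export(reg_text)):
        return "installed"
    if cached_indicators(cache_dir):
        return "cached-only"
    return "clean"


if __name__ == "__main__":
    cache = build_sample_cache()
    print("BHOs:", registered_bhos(parse_reg_export(SAMPLE_REG)))
    print("cached:", cached_indicators(cache))
    print("verdict:", triage(SAMPLE_REG, cache))
    print("clean registry:", triage("Windows Registry Editor Version 5.00\n", cache))
```

The verdict order matters: a BHO entry pointing at Lid.dll means the backdoor is wired into IE and will run on the next browser start, whereas class files found only under Content.IE5 are consistent with the "downloaded, not executed" reading given above. On a real machine the first input would come from exporting the two registry keys and the second from the profile's Temporary Internet Files folder.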
 
ohoh

I quarantined the trojans, then went into the quarantine section of AV and deleted them. I trust that this has got rid of them.

Eng
 
What's your background, Enyo? You seem to be into all this sort of stuff. The reason I ask is that I'm getting into security stuff quite a bit recently and was thinking about joining up on Astalavista to teach myself about these things.
 
