Why do trojans get past my norton?

Discussion in 'Windows Desktop Systems' started by Engineer, Oct 23, 2003.

  1. Engineer

    Engineer OSNN Addict

    I have Norton NIS and AV 2003, and yesterday I found seven trojans on my system after a scan.

    Trojan.ByteVerify x2
    Trojan.BackdoorLixy x3

    What gives? I thought NIS was supposed to block this type of thing.

    How do these trojans end up on my system anyway?

    BTW, they were located in my temporary internet files folder, with XP.

  2. GoNz0

    GoNz0 NTFS Stoner

    the year 2525
    Trojan.ByteVerify will typically arrive as a component of other malicious content. An attacker could use the compiled Java class file to execute other code. The file will likely exist as VerifierBug.Class. For example, an attacker could create a .html file that uses the Trojan, and then create a script file that will perform other actions, such as setting the Internet Explorer Start Page.
    Notification of infection does not always indicate that a machine has been infected; it only indicates that a program included the viral class file. This does not mean that it used the malicious functionality.

    Have you been sniffing round any dodgy websites? If they're all in temp files, chances are it's not been run or Norton would catch it.

  3. Engineer

    Engineer OSNN Addict

    Oh my

    Curiosity got the better of me and I went exploring around some Russian sex site. I got a pop-up after visiting a humor/comedy site, stupidly followed the pop-up and there I was (Russian College Coeds or something like that). I closed the window, got several other windows that popped up, and closed them all.

    That's likely how I got the trojans. Is it common for a trojan to invite itself into a PC from just visiting a site???

  4. Enyo

    Enyo Moderator

    Trojan.ByteVerify is pretty common at the moment, but Auto-Protect should remove it immediately when it's pulled off the website and before execution.

    You need to patch your system as this trojan uses a flaw in IE to download and execute itself.


    Yes, it is very common for malware to come onto a system in this manner. Generally those who surf dodgy sites should disable scripting and ActiveX totally.

    Yes, NIS will block it: it will stop the trojan from communicating with the internet once executed, and NAV will detect and remove it (or should).

    As for lixy:


    lixy uses a BHO (Browser Helper Object) to pull itself off the internet.

    The files:

    Rlid.exe: For setting up and running other Trojan files.
    Lid.exe: Contains the main routine of the backdoor.
    Lid.dll: A malicious Browser Helper Object that runs Lid.exe.

    are all part of it.

    If you still have these files present on your system or in the Quarantine please send them to me :)

    The fact that they were present in temporary internet files would suggest they had been downloaded but had not executed.

<gr_insert_placeholder_removed/>
  5. Engineer
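    Enyo's point that files sitting in the browser cache were downloaded but not necessarily run is the basis of a simple offline check. The script below is an added example, not code from this thread or from Symantec: given a copy of a cache directory, it identifies Java class files by their magic bytes, reads the class name out of the class-file constant pool, flags names on a watch list (here the "VerifierBug" name the thread mentions), and separately lists HTML files that embed an applet or object tag, so an admin can see what was pulled down without executing any of it. The directory layout, the watch list and the sample files are constructed for the demo.

```python
"""Triage a browser-cache directory for Java class files and applet-loading HTML.

Added example (not from the thread). Assumes a directory of cached files and a
watch list of class names; the demo builds both in a temporary directory.
"""
import os
import re
import struct
import tempfile

JAVA_MAGIC = b"\xca\xfe\xba\xbe"

# Byte sizes of fixed-length constant-pool entries we skip without decoding
# (Integer, Float, Long, Double, String, Fieldref, Methodref, InterfaceMethodref,
# NameAndType, MethodHandle, MethodType, Dynamic, InvokeDynamic, Module, Package).
_FIXED_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 8: 2, 9: 4, 10: 4, 11: 4,
                12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Case-insensitive match for applet/object tags in cached HTML.
APPLET_RE = re.compile(rb"<(applet|object)\b[^>]*>", re.I)


def java_class_name(data: bytes):
    """Return the dotted class name from a class file, or None if it is not one."""
    if len(data) < 10 or data[:4] != JAVA_MAGIC:
        return None
    count = struct.unpack(">H", data[8:10])[0]
    pool = [None] * count          # constant pool is 1-indexed; slot 0 unused
    pos, i = 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:               # CONSTANT_Utf8: u2 length + bytes
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            pool[i] = ("utf8", data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag == 7:             # CONSTANT_Class: u2 index of a Utf8 entry
            pool[i] = ("class", struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        elif tag in _FIXED_SIZES:
            pos += _FIXED_SIZES[tag]
        else:
            return None            # unknown tag: not a parseable class file
        i += 2 if tag in (5, 6) else 1   # Long/Double occupy two slots
    # After the pool: access_flags (u2), then this_class (u2).
    this_class = struct.unpack(">H", data[pos + 2:pos + 4])[0]
    entry = pool[this_class] if this_class < count else None
    if not entry or entry[0] != "class":
        return None
    name_entry = pool[entry[1]] if entry[1] < count else None
    if not name_entry or name_entry[0] != "utf8":
        return None
    return name_entry[1].replace("/", ".")


def triage_cache(root, watch_list):
    """Walk `root` and return sorted (relative path, finding, class name) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            cls = java_class_name(data)
            if cls is not None:
                simple = cls.rsplit(".", 1)[-1]
                finding = "watchlist" if simple in watch_list else "java-class"
                findings.append((rel, finding, cls))
            elif APPLET_RE.search(data):
                findings.append((rel, "applet-html", None))
    return sorted(findings)


def build_class_file(name: str) -> bytes:
    """Construct a minimal valid class file for `name` (sample input only, no code)."""
    utf8 = name.encode()
    pool = (b"\x01" + struct.pack(">H", len(utf8)) + utf8          # #1 Utf8 name
            + b"\x07" + struct.pack(">H", 1)                      # #2 Class -> #1
            + b"\x01" + struct.pack(">H", 16) + b"java/lang/Object"  # #3 Utf8
            + b"\x07" + struct.pack(">H", 3))                     # #4 Class -> #3
    header = JAVA_MAGIC + struct.pack(">HHH", 0, 49, 5)   # minor, major, cp count
    body = struct.pack(">HHH", 0x0021, 2, 4) + struct.pack(">HHHH", 0, 0, 0, 0)
    return header + pool + body


def demo():
    """Build a constructed cache directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "VerifierBug.class"), "wb") as f:
            f.write(build_class_file("VerifierBug"))
        with open(os.path.join(root, "sub", "Chart.class"), "wb") as f:
            f.write(build_class_file("com/example/Chart"))
        with open(os.path.join(root, "page.htm"), "wb") as f:
            f.write(b"<html><body><APPLET code='VerifierBug.class' width=1 height=1>"
                    b"</APPLET></body></html>")
        with open(os.path.join(root, "logo.gif"), "wb") as f:
            f.write(b"GIF89a" + b"\x00" * 16)
        return triage_cache(root, {"VerifierBug"})


if __name__ == "__main__":
    for rel, finding, cls in demo():
        print(f"{finding:12} {rel}  {cls or ''}")
```

Only the constant pool and the `this_class` index are read, so the script never loads or runs anything from the cache; a hit on the watch list says only that the class was downloaded, which is exactly the distinction the thread draws between "present in the cache" and "executed".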

    Engineer OSNN Addict


    I quarantined the trojans, then went into the quarantine section of AV and deleted them. I trust that this has got rid of them.

  6. Enyo

    Enyo Moderator

    Yip, they are gone.

  7. Engineer

    Engineer OSNN Addict

    Thanks again Enyo!!!!!!!!! :)

  8. TheBlueRaja

    TheBlueRaja BR to Some

    What's your background, Enyo? You seem to be into all this sort of stuff. The reason I ask is that I'm getting into security stuff quite a bit recently and was thinking about joining up on Astalavista to teach myself about these things.