Bloodhound.Exploit.24 Trojan or Virus Just discovered by Norton

Tuesday, February 15, 2005 by Darco | Discussion: Industry

Just did a virus scan with Norton's AV on Sat. Feb 12th with updated virus definitions from Feb. 09. Wanted to let you know they found 20 viruses in .png files that were in my Stardock\ObjectDock\WinCustomize folder. This virus was just discovered by Symantec on Feb. 06, 2005. It is called Bloodhound.Exploit.24. I do a scan about every two weeks and these png files have been on this computer for at least 9 months. I can't remember the last time I downloaded Dock Icons, it has been that long. I didn't know they could put a trojan in a .png file. Some were still in the zip file. Has anyone else had this happen to them? Some might want to do a scan, being this was just discovered.
yrag
Reply #1 Tuesday, February 15, 2005 10:28 PM
http://www.microsoft.com/security/incident/im_info.mspx
_02
Reply #2 Wednesday, February 16, 2005 9:59 AM
No Bloodhound here.
Nakor
Reply #3 Wednesday, February 16, 2005 11:15 AM
What version of Norton is this and what files? Your comments suggest some might be a zip with dock images.
KarmaGirl
Reply #4 Wednesday, February 16, 2005 11:24 AM
I have hundreds of .png files as well as other graphic files and skins on this PC.  I run Norton systemworks (auto updates definitions) and have never had a virus, trojan, worm or anything of the like infect a graphics file.  That's an odd case indeed.
Darco
Reply #5 Wednesday, February 16, 2005 12:01 PM
KarmaGirl,
Check out post #1, Developer yrag's link. I don't use MSN Messenger or have Office XP; these were .png files that have been in my ObjectDesktop folder for months and Norton's just discovered it Feb. 06, 2005. I have scanned this computer many times and nothing was ever found until Saturday. I have Norton System Works 2003, current subscription renewed with the latest updates. Some of them were in zip files; Norton scans them also. Obviously the virus writer was way ahead of Norton. Just wanted to give you a heads-up.
aufisch
Reply #6 Wednesday, February 16, 2005 12:45 PM
Would you be able to tell us in which files you have found this trojan? That way an admin can check the original on the server and remove it if necessary.

Posted via WinCustomize Browser/Stardock Central
KarmaGirl
Reply #7 Wednesday, February 16, 2005 1:12 PM
"Check out post #1 Developer yrag's link"

What he linked to is nothing new.  MS stopped posting knowledge of exploits until after there was a fix for them.  What happened in that last instance was that trusted people posted the proof of concept allowing virus writers to get the virus out before the exploit was resolved.  Same stuff, just a different problem with it.

If you really want to help people, please let us know what the files were that were infected.  That way it can be looked into. 

yrag
Reply #8 Wednesday, February 16, 2005 1:36 PM
The 'purpose' of the link was that you're probably getting a false-positive from Norton. The update referenced is for Messenger, XP Office and Media Player. If you install the update you should get a clean scan. If not, then you need, as KG and Nakor stated, to let Stardock know what files they are so that they can ascertain if there is a problem.


Posted via WinCustomize Browser/Stardock Central
Darco
Reply #9 Wednesday, February 16, 2005 2:43 PM
Developer yrag,
The files were deleted by Norton's AV and I deleted the backup from the log. But I copied the description on each of the .png files. Some were in a folder I named WinCustomize that was in my Stardock\ObjectDock\ folder, and some were on my F disk in another folder.
I have scanned after that and got a clean scan. The only thing I don't understand is I have no file on my F disk named Stardock. I just use it for storage. Let me just state this: 95% of my downloads are from WinCustomize, but 5% were from other places like SkinBase or deviantART. I am placing no blame, just wanted to give a heads up. I hope it was a false positive. Here is the list:
The file C:\Program Files\Stardock\ObjectDock\WinCustomize Icons\winamp.png is infected with the Bloodhound.Exploit.24 virus.

The compressed file ie.png within F:\Stardock\ObjectDock\WinCustomize Icons\iepack.zip is infected with the Bloodhound.Exploit.24 virus

The compressed file ie2.png within F:\Stardock\ObjectDock\WinCustomize Icons\iepack.zip is infected with the Bloodhound.Exploit.24 virus.

The compressed file ie2.png within C:\Program Files\Stardock\ObjectDock\WinCustomize Icons\iepack.zip is infected with the Bloodhound.Exploit.24 virus.

The compressed file ie3.png within F:\Stardock\ObjectDock\WinCustomize Icons\iepack.zip is infected with the Bloodhound.Exploit.24 virus

The compressed file ie4.png within F:\Stardock\ObjectDock\WinCustomize Icons\iepack.zip is infected with the Bloodhound.Exploit.24 virus.

The compressed file ie5.png within C:\Program Files\Stardock\ObjectDock\WinCustomize Icons\iepack.zip is infected with the Bloodhound.Exploit.24 virus.

The compressed file ie6.png within C:\Program Files\Stardock\ObjectDock\WinCustomize Icons\iepack.zip is infected with the Bloodhound.Exploit.24 virus.

The compressed file ie6.png within C:\Program Files\Stardock\ObjectDock\WinCustomize Icons\iepack.zip is infected with the Bloodhound.Exploit.24 virus.

The file C:\Program Files\Stardock\ObjectDock\WinCustomize Icons\winamp2.png is infected with the Bloodhound.Exploit.24 virus.

The file C:\Program Files\Stardock\ObjectDock\WinCustomize Icons\winamp3.png is infected with the Bloodhound.Exploit.24 virus

The file F:\Stardock\ObjectDock\WinCustomize Icons\winamp3.png is infected with the Bloodhound.Exploit.24 virus.

The file C:\Program Files\Stardock\ObjectDock\WinCustomize Icons\winamp4.png is infected with the Bloodhound.Exploit.24 virus.

The file F:\Stardock\ObjectDock\WinCustomize Icons\winamp4.png is infected with the Bloodhound.Exploit.24 virus.

I hope this helps
WOWfactor.555.
Reply #10 Wednesday, February 16, 2005 5:15 PM
http://www.sarc.com/avcenter/venc/data/bloodhound.exploit.24.html

That should answer your question ...
Darco
Reply #11 Wednesday, February 16, 2005 10:24 PM
I read that article when it found the virus, trojan, whatever... I am no computer wiz. When they say malformed png file, does that mean it was done on purpose or just a badly made png? I was hoping the latter.
WOWfactor.555.
Reply #12 Wednesday, February 16, 2005 11:16 PM
I'd Love To Say Badly Made, But No .. It Means Done On Purpose.
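
An added example, not part of the thread and not Symantec's detection logic: a generic PNG well-formedness check (signature, chunk lengths, CRCs, IHDR/IEND placement) that can be run over loose .png files or the .png members of a zip such as the icon packs listed above, to see whether a flagged file is structurally malformed. The function names and the sample image are constructed for illustration.

```python
import io, struct, zipfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def check_png(data):
    """Return a list of structural problems in PNG bytes (empty list = well-formed)."""
    if not data.startswith(PNG_SIG):
        return ["missing PNG signature"]
    problems, seen, pos = [], [], len(PNG_SIG)
    while pos < len(data):
        if pos + 8 > len(data):
            problems.append("truncated chunk header")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + body + CRC
        if end > len(data):
            problems.append(f"{ctype!r}: declared length {length} runs past end of file")
            break
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            problems.append(f"{ctype!r}: CRC mismatch")
        if ctype == b"IHDR" and length != 13:
            problems.append("IHDR length is not 13")
        seen.append(ctype)
        pos = end
        if ctype == b"IEND":
            break
    if seen[:1] != [b"IHDR"]:
        problems.append("first chunk is not IHDR")
    if seen[-1:] != [b"IEND"]:
        problems.append("no IEND chunk")
    elif pos != len(data):
        problems.append("trailing data after IEND")
    return problems

def check_zip(zip_bytes):
    """Check every .png member of a zip archive; returns {member name: problems}."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: check_png(zf.read(n)) for n in zf.namelist() if n.lower().endswith(".png")}

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def sample_png():
    """Constructed sample: a valid 1x1 greyscale PNG built in memory."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
```

A clean result only means the container is well-formed; it does not replace the scanner's verdict, and a reported problem does not by itself say whether the damage was deliberate.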
