New Virus today?

  • PapillonUK (Member, Posts: 2)
    OK - I just joined up for this forum as you guys seem to be the first people aware of this issue.
    We're using eTrust on our corporate system. Our whole intranet stopped working as eTrust was incorrectly quarantining jquery.js.

    I was running the compressed version (v1.1.2) of this JS library and it looks like a bit pattern is being falsely identified as a virus by the latest eTrust update.

    I've replaced the JS with the uncompressed version and everything now works.

    Hopefully eTrust will send out an update to fix this so we can put the compressed version back eventually!!!
  • Roadwolf (Member, Posts: 9)
    tommyboy wrote:
    Someone else http://www.dynamoo.com/blog/2007/12/jssnza-likely-false-positive-in-etrust.html seems to think it's a false positive also.

    Keep checking the CA site for new sig updates.

    I saw that he also explained the ZoneAlarm thing... lol

    meh I'll keep checking, but I'll likely go to bed soon and forget about it in the morning lol.
  • tommyboy (Member, Posts: 5)
    edster wrote:
    Roadwolf wrote:

    I am intrigued that ZoneAlarm detected it tho. :D

    I am as well - unless it's not a virus fingerprint, but I wonder if they share some element of a heuristics engine, which is picking them both up. . .

    ZoneAlarm (like the Yahoo AV) is also a product that uses the CA Vet Engine (small world hey)! So again, although it looks like it's a more global problem - it's all Computer Associates at the moment - unless someone else can tell me otherwise.

    This is a good thing though as it is more and more likely to be a false positive.....
  • Roadwolf (Member, Posts: 9)
    tommyboy wrote:

    This is a good thing though as it is more and more likely to be a false positive.....

    Indeed :)
  • Wayne_Lord (Member, Posts: 2)
    I have this virus on my computer.

    Please help me.

    I'm ginger.
  • PapillonUK (Member, Posts: 2)
    Don't worry Wayne - it's not a virus, it's a false alert - hopefully CA will send out an update which will stop this.

    I can't help you with the ginger problem though.
  • spdracr39 (Member, Posts: 1)
    Does it seem odd to anyone that all the "it's not a virus" info is coming from members that just joined today? Could someone with a little experience here verify that info? No offense to anyone as I'm new also but it seems kinda suspicious.
  • Wayne_Lord (Member, Posts: 2)
    I can verify that this is not a virus.

    Thank You.

    ging.
  • tommyboy (Member, Posts: 5)
    spdracr39 wrote:
    Does it seem odd to anyone that all the "it's not a virus" info is coming from members that just joined today? Could someone with a little experience here verify that info? No offense to anyone as I'm new also but it seems kinda suspicious.

    It's just where the first mention of the JS/SNZ.a appeared - so every man and his dog joined, Techexams must think it's Christmas !!!

    I think it's nice - Wayne_lord is particularly happy - this is his first experience of meeting friends.

    Shouldn't joke - being ginger is very serious.
  • Flu Virus (Member, Posts: 1)
    spdracr39 wrote:
    Does it seem odd to anyone that all the "it's not a virus" info is coming from members that just joined today? Could someone with a little experience here verify that info? No offense to anyone as I'm new also but it seems kinda suspicious.

    As a long standing member in the virus community I can confirm that this is not a virus.

    PS, sorry to hear about the ging thing!
  • Health_Conscious (Inactive Imported Users, Posts: 1)
    So have we established if JS\Snz.A is related to Gingervitis? I don’t want to get infected.
  • ITManager (Member, Posts: 3)
    I have had official confirmation from CA that this is a false positive. They said that some of their largest customers, e.g. British Airways and Facebook, are also affected and they will release an updated signature ASAP.
  • amyamandaallen (Member, Posts: 316)
    Hi,

    Any chance of getting a link or copy of that confirmation from CA?

    Will celebrate better tonight if I know we're not coming back into a virus situation on Wednesday.

    Cheers for all replies!

    Amy :D
    Remember I.T. means In Theory ( it should works )
  • pezlaa (Member, Posts: 1)
    With reference to the problems with the so called "JS/Snz.A" - we are having the same problem at my company.

    You can email CA at this address. I have done the same and requested that they get off their ar5es and put out a statement on their website, because if you search for this virus on their site, nothing at all comes up !!! The site is cr4p.

    virus@ca.com - spread the word !!!

    From page: http://www.ca.com/gb/securityadvisor/newsinfo/collateral.aspx?cid=33514

    For info (as it may help other people), my signature and engine details are:

    Antivirus Engine Version: 31.3.0.0
    Signature Version: 31.3.5417.0
    Last Signature Update: 31/12/2007

    Is everyone in the same boat on these versions???
  • Schluep (Member, Posts: 346)
    pezlaa wrote:
    With reference to the problems with the so called "JS/Snz.A" - we are having the same problem at my company.

    You can email CA at this address. I have done the same and requested that they get off their ar5es and put out a statement on their website, because if you search for this virus on their site, nothing at all comes up !!! The site is cr4p.

    virus@ca.com - spread the word !!!

    From page: http://www.ca.com/gb/securityadvisor/newsinfo/collateral.aspx?cid=33514

    For info (as it may help other people), my signature and engine details are:

    Antivirus Engine Version: 31.3.0.0
    Signature Version: 31.3.5417.0
    Last Signature Update: 31/12/2007

    Is everyone in the same boat on these versions???

    If they are already having trouble keeping up with the proper notification of this issue wouldn't spamming them with e-mails about it be counter-productive when they are clearly aware of the issue? It is likely that response times are significantly lower last week and this week due to the Holidays. The parking lot for our office complex has about 25% of the cars today as it normally does due to a lot of people extending New Year's into a 4 or 5 day vacation including the weekend.
  • ITManager (Member, Posts: 3)
    Sorry, I had the confirmation verbally. They rarely get back quickly if e-mailed. They quoted my problem to me as soon as I mentioned increased alerts and quickly confirmed the false positive, directory name, virus name, files affected etc.

    I can confirm that my engine and signature versions are the same as those posted above.

    Looking at http://www.ca.com/securityadvisor/virusinfo/signaturefiles/default.aspx I can see their beta signatures. Currently on 5419 so somebody is clearly working on it at CA.

    NOTE: I am not recommending that anybody tries the beta! Especially before a holiday.
  • Sie (Member, Posts: 1,195)
    Thank you all for replying to this thread:

    As we all know this is not a real virus and just CA software picking up a false positive.

    CA are aware and dealing with this so let's keep it under control and stop spamming them and this forum with known information.

    My advice is to sit tight, use the uncompressed Java files if you are fed up of the alerts, (I have not tested this myself) and CA will release a revised signature in the near future. Hopefully when we all wake up tomorrow to our hangovers this will be as much of a distant memory as last night!

    I do not mean to offend anyone but many posts about the same thing are not needed, let's keep this professional like we all are.

    As you have now discovered the site you may wish to use the facilities here to study or train for any IT certifications you may be studying.

    About TechExams:
    Our mission is 'simply' to offer the best FREE online practice exams and study notes. We are trying to reach this goal by using known and experienced tech writers to write our questions and TechNotes. Besides that we try to offer quality and useful reading and a friendly place for the tech community.

    Thank you for listening and welcome to all fellow IT Professionals. :D
    Foolproof systems don't take into account the ingenuity of fools
  • sprkymrk (Member, Posts: 4,884)
    Sie wrote:
    I do not mean to offend anyone but many posts about the same thing are not needed, let's keep this professional like we all are.

    As you have now discovered the site you may wish to use the facilities here to study or train for any IT certifications you may be studying.

    About TechExams:
    Our mission is 'simply' to offer the best FREE online practice exams and study notes. We are trying to reach this goal by using known and experienced tech writers to write our questions and TechNotes. Besides that we try to offer quality and useful reading and a friendly place for the tech community.

    I don't see anything wrong with this thread, it is a good "Off Topic" post (which is "For anything about anything. Computer, but non-certification related") and obviously people were concerned. I'm glad that several folks could come together here to discuss it. The fact that several seemed to post the same thing does not make it spam in this case, as a consensus was necessary to confirm the false positive. We run SAVCE 10.1.6 here and had no problems.

    @Sie
    I do appreciate your input and for helping keep things professional. Even though I disagree with you and thought this thread was helpful and on-topic, I did like the fact that you were very nice the way you stated your opinion. :)
    All things are possible, only believe.
  • Sie (Member, Posts: 1,195)
    sprkymrk wrote:
    @Sie
    I do appreciate your input and for helping keep things professional. Even though I disagree with you and thought this thread was helpful and on-topic, I did like the fact that you were very nice the way you stated your opinion. :)

    Point taken, I guess I just had visions of Hordes of Forum Warriors

    May I also state to all that the above was my thoughts and comments and not that of TechExams.net, its moderators and owners.
    Foolproof systems don't take into account the ingenuity of fools
  • Petr0V (Member, Posts: 2)
    I suspect a false positive. I use CA Anti-virus and it reported as having deleted a file in the Mozilla Cache. It would be nice to know what file it deleted - it didn't say. I will check why the settings in the CA are set to "delete" as the automatic action, rather than "quarantine and inform"...

    False positives are a reality. Several years ago I was a Cisco TAC engineer and had to deal with the fact that many customers reported that "Your Cisco Software has a virus in it, because my anti-virus software says so." This is not an easy matter to deal with, since the customers were dead certain that the fault lay in the software, and that a false positive was inconceivable. This was one particular build of IOS, not every software in general, of course.

    I suppose that if one million monkeys typing for a million years can statistically produce a work of Shakespeare, then a sequence of bytes in software can just look like a virus signature, just occasionally.
  • Petr0V (Member, Posts: 2)
    Currently (after the update shown below)

    Product Version 9.0.0.154
    Engine Version 31.1.0
    Virus Signature Version 5147

    This was in the "Real Time Scanner" Log.


    12/31/2007 9:44:35 AM File infection: C:\Users\Office Depot\AppData\Local\Mozilla\Firefox\Profiles\ftq2vgvg.default\Cache\5318F350d01 is JS/Snz.A trojan. Deleted

    Could we suggest that CA use the terminology "Could Be" rather than "is"...


    31/12/2007 08:03:13 =======================================
    31/12/2007 08:03:13 Application started:
    31/12/2007 08:03:14
    31/12/2007 08:03:14 Starting update process...
    31/12/2007 08:03:20 Starting license validation...
    31/12/2007 08:03:23 License validation has completed successfully.
    31/12/2007 08:03:24
    31/12/2007 08:03:24 Starting the update process. Attempt: 1
    31/12/2007 08:03:27 Checking updates for component: Anti-Virus ArcLib Update
    31/12/2007 08:03:27 Connecting to server to check for updates: consumerdownloads.ca.com Port: 80
    31/12/2007 08:03:28 Checking updates for component: Anti-Virus Data Update
    31/12/2007 08:03:32 Checking updates for component: Anti-Virus Engine Update
    31/12/2007 08:03:32 Checking updates for component: Anti-Virus ISafe Update
    31/12/2007 08:03:33 Checking updates for component: Anti-Virus Product Update
    31/12/2007 08:03:33 Checking updates for component: Anti-Virus Resource Update
    31/12/2007 08:03:34 Checking updates for component: Anti-Virus Realtime Driver Update
    31/12/2007 08:03:34 Checking updates for component: Common Product Files
    31/12/2007 08:03:35 Checking updates for component: Common Resource Files
    31/12/2007 08:03:35 Checking updates for component: Common Update Core Files
    31/12/2007 08:03:35 Checking updates for component: Common Update SDK Files
    31/12/2007 08:03:36 Checking updates for component: Security Center Product Files
    31/12/2007 08:03:36 Checking updates for component: Security Center Resource Files
    31/12/2007 08:03:37 No updates are available for component: Anti-Virus ArcLib Update
    31/12/2007 08:03:37 Updates are available for component: Anti-Virus Data Update
    31/12/2007 08:03:37 No updates are available for component: Anti-Virus Engine Update
    31/12/2007 08:03:37 No updates are available for component: Anti-Virus ISafe Update
    31/12/2007 08:03:37 No updates are available for component: Anti-Virus Product Update
    31/12/2007 08:03:37 No updates are available for component: Anti-Virus Resource Update
    31/12/2007 08:03:37 No updates are available for component: Anti-Virus Realtime Driver Update
    31/12/2007 08:03:37 No updates are available for component: Common Product Files
    31/12/2007 08:03:37 No updates are available for component: Common Resource Files
    31/12/2007 08:03:37 No updates are available for component: Common Update Core Files
    31/12/2007 08:03:37 No updates are available for component: Common Update SDK Files
    31/12/2007 08:03:37 No updates are available for component: Security Center Product Files
    31/12/2007 08:03:37 No updates are available for component: Security Center Resource Files
    31/12/2007 08:03:37 Inspecting new packages...
    31/12/2007 08:03:37 Downloading packages ...
    31/12/2007 08:03:38 Downloading packages ...
    31/12/2007 08:03:38 Downloading packages ...
    31/12/2007 08:03:39 Downloading packages ...
    31/12/2007 08:03:39 Downloading packages ...
    31/12/2007 08:03:39 Installing update Anti-Virus Data Update
    31/12/2007 08:03:42 Package installation has been deferred: AV Dat Patch Update
    31/12/2007 08:03:42 Package installation has been deferred: AV Dat Patch Update
    31/12/2007 08:03:42 Package installation has been deferred: AV Dat Patch Update
    31/12/2007 08:03:42 Package installation has been deferred: AV Dat Patch Update
    31/12/2007 08:03:52 Package has been installed: AV Dat Patch Update
    31/12/2007 08:03:53 Package has been installed: AV Dat Patch Update
    31/12/2007 08:03:53 Package has been installed: AV Dat Patch Update
    31/12/2007 08:03:54 Package has been installed: AV Dat Patch Update
    31/12/2007 08:03:54 Package has been installed: AV Dat Patch Update
    31/12/2007 08:04:02 Updating has completed successfully.
    31/12/2007 08:04:04 =======================================
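
The two logs in the post above can be lined up to check whether a detection name first shows up shortly after a signature update and on several unrelated files, which is the pattern this thread describes. The Python below is an added example, not code from any poster or from CA; the function names, the three-file threshold and every sample line marked constructed are assumptions, and it groups several detections rather than the single one posted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Real-time scanner line: month-first date, 12-hour clock (format as posted).
DETECTION_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) File infection: "
    r"(?P<path>.+) is (?P<name>\S+) (?P<kind>\w+)\. (?P<action>\w+)$")
# Updater line: day-first date, 24-hour clock (format as posted).
UPDATE_DONE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Updating has completed successfully\.$")

SAMPLE_DETECTIONS = [
    # Constructed: an unrelated detection from before the update (made-up name).
    r"12/30/2007 4:10:02 PM File infection: C:\Temp\sample.bin is Win32/Example.X worm. Quarantined",
    # From the post above.
    r"12/31/2007 9:44:35 AM File infection: C:\Users\Office Depot\AppData\Local\Mozilla\Firefox\Profiles\ftq2vgvg.default\Cache\5318F350d01 is JS/Snz.A trojan. Deleted",
    # Constructed: further hits on the same name, different files.
    r"12/31/2007 9:51:10 AM File infection: C:\Inetpub\intranet\js\jquery.js is JS/Snz.A trojan. Quarantined",
    r"12/31/2007 10:02:47 AM File infection: C:\Temp\cache\0A1B2C3Dd01 is JS/Snz.A trojan. Deleted",
]
SAMPLE_UPDATE_LOG = [  # both lines from the post above
    "31/12/2007 08:03:54 Package has been installed: AV Dat Patch Update",
    "31/12/2007 08:04:02 Updating has completed successfully.",
]

def parse_detection(line):
    """Return a dict for one scanner line, or None if it is not a detection."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%m/%d/%Y %I:%M:%S %p")
    return d

def last_update_time(lines):
    """Timestamp of the most recent completed update, or None if there is none."""
    done = None
    for line in lines:
        m = UPDATE_DONE_RE.match(line.strip())
        if m:
            done = datetime.strptime(m.group("ts"), "%d/%m/%Y %H:%M:%S")
    return done

def triage(detections, update_done, min_files=3):
    """Per detection name: files hit, files already deleted, and whether the name
    only appeared after the update on >= min_files files (a hint to review it
    as a possible signature false positive, not a verdict)."""
    by_name = defaultdict(list)
    for d in detections:
        by_name[d["name"]].append(d)
    report = {}
    for name, hits in by_name.items():
        first = min(h["ts"] for h in hits)
        files = {h["path"] for h in hits}
        after = update_done is not None and first > update_done
        report[name] = {
            "files": len(files),
            "deleted": sum(h["action"] == "Deleted" for h in hits),
            "minutes_after_update": (
                round((first - update_done).total_seconds() / 60, 2)
                if update_done else None),
            "review_as_false_positive": after and len(files) >= min_files,
        }
    return report

def run_sample():
    hits = [d for d in map(parse_detection, SAMPLE_DETECTIONS) if d]
    return triage(hits, last_update_time(SAMPLE_UPDATE_LOG))

if __name__ == "__main__":
    for name, row in run_sample().items():
        print(name, row)
```

The "deleted" count matters for the point raised above about the default action: files that were deleted rather than quarantined cannot be restored once the signature is corrected.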
  • Mishra (Member, Posts: 2,468)
    Schluep wrote:
    pezlaa wrote:
    With reference to the problems with the so called "JS/Snz.A" - we are having the same problem at my company.

    You can email CA at this address. I have done the same and requested that they get off their ar5es and put out a statement on their website, because if you search for this virus on their site, nothing at all comes up !!! The site is cr4p.

    virus@ca.com - spread the word !!!

    From page: http://www.ca.com/gb/securityadvisor/newsinfo/collateral.aspx?cid=33514

    For info (as it may help other people), my signature and engine details are:

    Antivirus Engine Version: 31.3.0.0
    Signature Version: 31.3.5417.0
    Last Signature Update: 31/12/2007

    Is everyone in the same boat on these versions???

    If they are already having trouble keeping up with the proper notification of this issue wouldn't spamming them with e-mails about it be counter-productive when they are clearly aware of the issue? It is likely that response times are significantly lower last week and this week due to the Holidays. The parking lot for our office complex has about 25% of the cars today as it normally does due to a lot of people extending New Year's into a 4 or 5 day vacation including the weekend.

    Usually you get a good judge of how big the issue is by personally reminding said company about the problem. If they get 20 people emailing vs 100,000 there is a big difference. I don't think it's a bad thing if you make them aware that your company is having an issue.

    Now having multiple people from one company email them is going beyond what you should do.
    My blog http://www.calegp.com

    You may learn something!
  • Schluep (Member, Posts: 346)
    Mishra wrote:
    Usually you get a good judge of how big the issue is by personally reminding said company about the problem. If they get 20 people emailing vs 100,000 there is a big difference. I don't think it's a bad thing if you make them aware that your company is having an issue.

    Now having multiple people from one company email them is going beyond what you should do.

    In this case however numerous people here and on the other blog posted by tommyboy have already stated that they reported it. The feedback was that they are well aware of the problem and have already released beta signatures being tested in response to this problem as linked by ITManager in this thread.

    Clearly if beta signatures have already been developed for an issue that arose this morning then they are working adequately to address the problem. Their website notifications and updates are a little behind (likely due to the short staff). This likely skeleton crew does not need to be further tasked by unnecessary e-mails from people who have been following this thread and are aware that it is a likely false positive being rectified.

    Obviously if a company has not found this information in their own research they would want to contact their software provider for any issues, but in the case of this thread anyone reading it is aware of the situation and need not waste their time or the time of the company working to rectify the problem.

    Having been on the other end and being hounded by phone calls/e-mails while trying to fix something that is broken it gets to be very frustrating when time is spent away from resolving the problem.
  • scotdanzer2 (Member, Posts: 3)
    I was hit by this virus. I am pc illiterate so if anyone has any layman's terms to help me with this I would appreciate it greatly. I have gotten rid of all my temporary files and scanned for virus nothing seems to help.
  • scotdanzer2 (Member, Posts: 3)
    Ok I have done something really stupid. I thought the virus was made by an update in java so I went in and removed it and now when I try and download it again I keep getting ..error..please help.
  • RussS (Member, Posts: 2,068)
    scotdanzer2 - This appears to be a false positive so I would not worry too much.

    Me, I am amazed how much buzz this has caused. I have seen some serious virus threats over the past few years that did not generate this until it was too late

    False Positives
    These are something we come across in our field from time to time. Sometimes it is a virus, sometimes a possible hack attempt and sometimes something else - the common denominator is that we must take reasonable attempts to verify or disprove the threat.

    Carry on people

    Oh - anyone remember the time a Symantec update removed run32dll.exe or the time a CA update removed the system file from the config directory?
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019958
    This must have upset many
    www.supercross.com
    FIM website of the year 2007
  • Roadwolf (Member, Posts: 9)
    RussS wrote:
    scotdanzer2 - This appears to be a false positive so I would not worry too much.

    Me, I am amazed how much buzz this has caused. I have seen some serious virus threats over the past few years that did not generate this until it was too late

    lol me as well.

    Frankly I was just bored and surfing last night. And I kept seeing it come up, on various websites. Normally I wouldn't really care too much as long as the file got deleted. But I saw it so often that I became inclined to click on the virus info and look into it.

    I then saw there was no info, so I googled. Eventually (after a few hours) I found this forum and joined up to talk about it :)

    ---

    That being said, no I am not extremely savvy in terms of IT management. I do have many computers and I am ok with handling normal IT stuff, networking, etc... But I just really don't have the patience or desire to learn about in depth programming. I once knew how to program, back in the DOS days, but meh, I just haven't kept up to date with any of that. My main area of expertise is with non IT type systems, mainly Audio, Video and Radio broadcast systems. I generally deal with things ranging from satellite systems, to audio matrix routing, to 50,000 watt AM Transmitters and two-way radio systems. :)

    Nice to meet ya all, and I may stick around to check out other topics in the future :)

    But for now, happy new year all :) have a good one !
  • Natalie_ca (Member, Posts: 3)
    I think they patched it now. I ran an Update and something patched and I went to the websites that were consistently giving me that virus warning earlier today and I didn't get it this time.

    So it seems CA has fixed the problem.