"Hacktool.Underhand" - virus??

teacher24_70

For the last day or so I've been having trouble with my Mac (see thread http://www.macosx.com/forums/showthread.php?t=52334)

As I was running Yasu cron scripts and repairing permissions, I had a NAV window pop up that said:

"NAV Repair alert: swapfile1 is infected with Hacktool.Underhand. It could not be repaired but has been quarantined".

Could this be what was causing my original problems? If so what is it? I didn't think that there were any current OS X viruses?
 
Teacher24_70, please update your Norton definitions and do a scan. Please report back if this has solved your problems. There has been at least one other person on the forums reporting similar problems. I'm going to link that thread to here.
 
First of all, this is not a "virus". It is a trojan, and can only be installed on your computer by you or someone else with local/physical/administrative access. But that is beside the point, because you don't have this Trojan on your machine.

This is a FALSE POSITIVE because Symantec's signature for detecting this tool was too broad! Since the swapfile has large amounts of dynamically changing data, they're apparently detecting the same overly-broad binary snippet they're searching for in your swapfile.

REPEAT: YOU DO NOT HAVE THIS TROJAN IF YOU ARE GETTING A NOTICE IT'S IN YOUR SWAPFILE.

Underhand is a conventional .app application bundle that hides itself from the Dock and the normal user-space running process listings. It can physically be searched for, and its mode of operation is clear: it will be present in your Login Items and process listings, and runs from the user home directory's Library/Preferences folder. Yes, names can be changed, etc., but it is fundamentally a Mac OS X application bundle that runs interactively (albeit invisibly) while a user is logged in. A signature, in the context of AV detection, or anything else that defines it in that manner is not present in swap, and that is technically impossible. Therefore, this is a false positive, and the detection scheme likely appeared in Symantec's most recent definition update.

Symantec has CONFIRMED this and has issued new virus definitions to fix their mistake:

http://service1.symantec.com/SUPPORT/num.nsf/docid/2005050417004611
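To illustrate the point made above about an overly broad byte signature firing on swap, here is an added example that is not from this thread or from Symantec: a naive raw-byte scanner run over a constructed 1 MiB buffer of seeded pseudo-random bytes standing in for swap pages, plus the expected-chance-hit formula a signature author can check before shipping. The signature bytes and the "short"/"long" names are hypothetical.

```python
# Added example (not from the thread): why a too-short byte signature matches
# high-entropy, constantly changing data such as a swapfile by pure chance.
import random

def expected_spurious_matches(sig_len: int, data_len: int) -> float:
    """Expected number of chance hits of a fixed sig_len-byte pattern in
    data_len bytes of uniformly random data: every start position matches
    with probability 256**-sig_len."""
    positions = max(data_len - sig_len + 1, 0)
    return positions / (256 ** sig_len)

def min_signature_length(data_len: int, max_expected: float = 1e-6) -> int:
    """Smallest signature length whose expected chance-hit count over
    data_len random bytes stays below max_expected (a pre-release check)."""
    n = 1
    while expected_spurious_matches(n, data_len) > max_expected:
        n += 1
    return n

def count_matches(signature: bytes, data: bytes) -> int:
    """Count (possibly overlapping) occurrences of a raw byte signature."""
    hits, start = 0, 0
    while (idx := data.find(signature, start)) >= 0:
        hits += 1
        start = idx + 1
    return hits

def scan(signatures: dict, data: bytes) -> dict:
    """Naive scanner: hit count for every signature over one buffer."""
    return {name: count_matches(sig, data) for name, sig in signatures.items()}

def demo(swap_size: int = 1 << 20, seed: int = 42) -> dict:
    # Constructed stand-in for swap pages: seeded pseudo-random bytes.
    swap = random.Random(seed).randbytes(swap_size)
    signatures = {
        "short": b"\x7f\x45",                            # 2 bytes: far too broad
        "long": b"\xde\xad\xbe\xef\x00\x01\x02\x03",     # 8 bytes: effectively unique
    }
    return scan(signatures, swap)

if __name__ == "__main__":
    size = 1 << 20
    for name, length in (("short", 2), ("long", 8)):
        print(f"{name}: ~{expected_spurious_matches(length, size):.2e} chance hits expected")
    print("minimum length for <1e-6 chance hits:", min_signature_length(size))
    print(demo())
```

With a 2-byte pattern the scanner reports on the order of 16 chance hits in 1 MiB of random data, while the 8-byte pattern reports none; on a multi-gigabyte swapfile even a somewhat longer pattern can still fire by accident, which is the kind of check a definition author should run before release.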
 
I've updated virus definitions. Still having major problems with applications quitting on me. Safari won't even run. Could this be a Java problem? I know that it was a false positive, but ever since, I have been having these problems. What can I do?
 