Wednesday, November 24, 2010

Webroot/Sophos detect mysterious malware "Mal/JSIfrLd-A"
Today, Webroot made me run the biweekly sweep (now up to 3 hours and 600,000 files across 2.5 million definitions -- it doesn't let me work until I run this), and in the files (not the registry) it spotted "Mal/JSIfrLd-A", which it called a "virus" (not a spy cookie) and which it quarantined at the end.

The only definition I could find on the web was a generic listing from Sophos (Webroot's antivirus engine), here, dated Nov. 22, 2010. I found a similar listing from 2008 by surfing, but this appears to be a new variation of a previously low-prevalence threat. Since the date is recent, the Shield may not have detected the virus during surfing before Nov. 22. You can look at the Sophos "malicious behavior" link and find a general description of how it looks for "malicious behavior" with what it calls "genotype protection", as here.

Apparently it found an executable with markers known to be associated with spyware or malicious activity and not considered part of legitimate application code. It's possible that it found accidental "unsafe code" in a legitimate module, but there is a risk that it could have found the "virus" in an executable placed there by a website, inserted originally on a legitimate corporate site by a hacker for later use in identity theft or perhaps DoS attacks.

Search engines find numerous lists of new threats including this and similarly spelled "Mal/" threats, but they always point back to a Sophos link, which gives little information other than "suspected malicious behavior". This may be spyware or keylogging or attempts to sell fake anti-virus products.

Webroot has been sending me advisories of a new Security Essentials upgrade, which I can only do by working with Geek Squad to remove a duplicate record in their files; I may get this done when I go to Windows 7.

Both Webroot and Kaspersky have a "street" reputation of being much stricter with suspected malware than McAfee and Norton. Webroot has a very active Twitter feed.

(Note: the spelling of the virus name seems to have an "l" (lower case "L") and only then an "I" (upper case "i"), according to search engines, when looking it up.)
