Monday, 3 March 2008

RavMon.exe virus on new Toshiba Satellite laptop

A few days ago I bought a very inexpensive Toshiba Satellite L40-18Z laptop from Comet in the UK. It's a basic laptop running Windows Vista, and it is certainly good enough for web browsing and word processing.

But this particular laptop came with something extra. Despite the security seals being intact, and the OS having never been activated, the laptop came with a file called RavMon.exe on the C: and E: partitions.

RavMon.exe is an insidious piece of malware that spreads on USB keys and drives, so it seems likely that this laptop was infected during the manufacturing process, despite having Symantec Anti-Virus installed.

Of course, the first thing I did was remove Symantec and install ZoneAlarm, and ZA's Kaspersky anti-virus engine found RavMon.exe pretty much straight away. Thinking it was a false positive, I sent it to VirusTotal and the results speak for themselves.

File RavMon.exe received on 03.03.2008 20:38:32 (CET)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.3.4.0 | 2008.03.03 | Win-Trojan/Xema.variant |
| AntiVir | 7.6.0.73 | 2008.03.03 | TR/Agent.Abt.33 |
| Authentium | 4.93.8 | 2008.03.02 | W32/Trojan.NAT |
| Avast | 4.7.1098.0 | 2008.03.02 | Win32:Agent-EDN |
| AVG | 7.5.0.516 | 2008.03.03 | Generic3.NKU |
| BitDefender | 7.2 | 2008.03.03 | Trojan.Downloader.Chacent.A |
| CAT-QuickHeal | 9.50 | 2008.03.03 | Trojan.Agent.abt |
| ClamAV | 0.92.1 | 2008.03.03 | Trojan.Agent-3327 |
| DrWeb | 4.44.0.09170 | 2008.03.03 | Win32.HLLW.Autoruner.198 |
| eSafe | 7.0.15.0 | 2008.02.28 | Suspicious File |
| eTrust-Vet | 31.3.5582 | 2008.03.03 | Win32/Compfault.C |
| Ewido | 4.0 | 2008.03.03 | Trojan.Agent.abt |
| FileAdvisor | 1 | 2008.03.03 | - |
| Fortinet | 3.14.0.0 | 2008.03.03 | - |
| F-Prot | 4.4.2.54 | 2008.03.02 | W32/Trojan.NAT |
| F-Secure | 6.70.13260.0 | 2008.03.03 | W32/Agent.CUTV |
| Ikarus | T3.1.1.20 | 2008.03.03 | Trojan.Win32.Agent.abt |
| Kaspersky | 7.0.0.125 | 2008.03.03 | Trojan.Win32.Agent.abt |
| McAfee | 5243 | 2008.03.03 | New Malware.eb |
| Microsoft | 1.3301 | 2008.03.03 | Worm:Win32/RJump.F |
| NOD32v2 | 2918 | 2008.03.03 | Win32/AutoRun.FQ |
| Norman | 5.80.02 | 2008.03.03 | W32/Agent.CUTV |
| Panda | 9.0.0.4 | 2008.03.03 | Generic Malware |
| Prevx1 | V2 | 2008.03.03 | Generic.Malware |
| Rising | 20.34.02.00 | 2008.03.03 | Trojan.DL.MnLess.n |
| Sophos | 4.27.0 | 2008.03.03 | Troj/QQRob-ADL |
| Sunbelt | 3.0.906.0 | 2008.02.28 | - |
| Symantec | 10 | 2008.03.03 | W32.Nomvar |
| TheHacker | 6.2.92.231 | 2008.03.02 | - |
| VBA32 | 3.12.6.2 | 2008.02.27 | Trojan.Win32.Agent.abt |
| VirusBuster | 4.3.26:9 | 2008.03.03 | Packed/nPack |
| Webwasher-Gateway | 6.6.2 | 2008.03.03 | Trojan.Agent.Abt.33 |

Additional information

File size: 48640 bytes
MD5: 5557dd0fd5565f12a71c92e6aad7088f
SHA1: 1dd1be78715ff68354967adadc8b6990706caafa
PEiD: -
Packers: NPack

Luckily, the machine wasn't actually infected, but the .exe file was sitting there waiting to be clicked. Symantec would have detected it if its signatures had been updated in time, and as the results show, most AV products now detect it.

It just goes to show that you can't necessarily trust a PC straight out of the box.
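A small check of the kind a new owner could run before trusting the box, added here as an example and not part of the original post: it looks at each volume root for the dropped file and compares what it finds against the MD5 and SHA1 from the VirusTotal report above. The drive letters, the assumption that an autorun.inf sits beside RavMon.exe, and the function names are mine, not from the post.

```python
import hashlib
from pathlib import Path

# Hashes and size from the VirusTotal report in the post.
KNOWN_MD5 = "5557dd0fd5565f12a71c92e6aad7088f"
KNOWN_SHA1 = "1dd1be78715ff68354967adadc8b6990706caafa"
KNOWN_SIZE = 48640
# Files a USB-spreading dropper leaves at a volume root. RavMon.exe is from
# the post; checking for a companion autorun.inf is an assumption.
ROOT_NAMES = ("RavMon.exe", "autorun.inf")


def hashes_of(data):
    """Return (md5, sha1) hex digests of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def classify_bytes(name, data):
    """Verdict for a file's name and contents:
    'known_sample' - bytes match the hashes from the post,
    'ravmon_named' - same filename, different bytes (likely a variant),
    None           - nothing to report."""
    md5, sha1 = hashes_of(data)
    if md5 == KNOWN_MD5 or sha1 == KNOWN_SHA1:
        return "known_sample"
    if name.lower() == "ravmon.exe":
        return "ravmon_named"
    return None


def scan_roots(roots):
    """Check each volume root for the dropper's files and report what is there."""
    findings = []
    for root in roots:
        for name in ROOT_NAMES:
            candidate = Path(root) / name
            if candidate.is_file():
                verdict = classify_bytes(name, candidate.read_bytes())
                findings.append((str(candidate), verdict or "present"))
    return findings


if __name__ == "__main__":
    # The post found the file on C: and E:; these roots are an assumption.
    for path, verdict in scan_roots(["C:\\", "E:\\"]):
        print(path, verdict)
```

A file that is merely named RavMon.exe but hashes differently is reported separately, since a renamed or repacked variant would not match the report's hashes.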

5 comments:

Methusela Cebrian Ferrer said...

Is there any comment from Toshiba? Have you reported this incident?

Trailblazer said...

Did you speak to sales reps? If they put your laptop on display someone could just simply put any USB memory stick and copy the virus over.

Andrew said...

I bought a Toshiba Equium from Currys and also found using Dr Webb that it had exactly the same file infected with same virus. I called up Toshiba and reported it to them. They simply said thanks for telling us!

julie.hughes4 said...

Strange - I bought a Toshiba this weekend from PC World - sister of Comet - and when the first virus scan was performed it found the w32.monvar virus - isn't that strange. As I had started to install software and files, I thought it must have been me that had infected it.....
Looks like it wasn't.

Thanks - I will take it up with them...

Kenny Scott said...

I have the exact same problem:

http://blog.irreverence.co.uk/?p=509

Worrying.