But this particular laptop came with something extra. Despite the security seals being intact, and the OS having never been activated, the laptop came with a file called RavMon.exe on the C: and E: partitions.
RavMon.exe is an insidious virus that spreads on USB keys and drives, so it seems likely that this laptop was infected during the manufacturing process, despite having Symantec Anti-virus installed.
Of course, the first thing I did was remove Symantec and install ZoneAlarm, and ZA's Kaspersky anti-virus engine found RavMon.exe pretty much straight away. Thinking it was a false positive, I sent it to VirusTotal and the results speak for themselves.
File RavMon.exe received on 03.03.2008 20:38:32 (CET)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.3.4.0 | 2008.03.03 | Win-Trojan/Xema.variant |
| AntiVir | 7.6.0.73 | 2008.03.03 | TR/Agent.Abt.33 |
| Authentium | 4.93.8 | 2008.03.02 | W32/Trojan.NAT |
| Avast | 4.7.1098.0 | 2008.03.02 | Win32:Agent-EDN |
| AVG | 7.5.0.516 | 2008.03.03 | Generic3.NKU |
| BitDefender | 7.2 | 2008.03.03 | Trojan.Downloader.Chacent.A |
| CAT-QuickHeal | 9.50 | 2008.03.03 | Trojan.Agent.abt |
| ClamAV | 0.92.1 | 2008.03.03 | Trojan.Agent-3327 |
| DrWeb | 4.44.0.09170 | 2008.03.03 | Win32.HLLW.Autoruner.198 |
| eSafe | 7.0.15.0 | 2008.02.28 | Suspicious File |
| eTrust-Vet | 31.3.5582 | 2008.03.03 | Win32/Compfault.C |
| Ewido | 4.0 | 2008.03.03 | Trojan.Agent.abt |
| FileAdvisor | 1 | 2008.03.03 | - |
| Fortinet | 3.14.0.0 | 2008.03.03 | - |
| F-Prot | 4.4.2.54 | 2008.03.02 | W32/Trojan.NAT |
| F-Secure | 6.70.13260.0 | 2008.03.03 | W32/Agent.CUTV |
| Ikarus | T3.1.1.20 | 2008.03.03 | Trojan.Win32.Agent.abt |
| Kaspersky | 7.0.0.125 | 2008.03.03 | Trojan.Win32.Agent.abt |
| McAfee | 5243 | 2008.03.03 | New Malware.eb |
| Microsoft | 1.3301 | 2008.03.03 | Worm:Win32/RJump.F |
| NOD32v2 | 2918 | 2008.03.03 | Win32/AutoRun.FQ |
| Norman | 5.80.02 | 2008.03.03 | W32/Agent.CUTV |
| Panda | 9.0.0.4 | 2008.03.03 | Generic Malware |
| Prevx1 | V2 | 2008.03.03 | Generic.Malware |
| Rising | 20.34.02.00 | 2008.03.03 | Trojan.DL.MnLess.n |
| Sophos | 4.27.0 | 2008.03.03 | Troj/QQRob-ADL |
| Sunbelt | 3.0.906.0 | 2008.02.28 | - |
| Symantec | 10 | 2008.03.03 | W32.Nomvar |
| TheHacker | 6.2.92.231 | 2008.03.02 | - |
| VBA32 | 3.12.6.2 | 2008.02.27 | Trojan.Win32.Agent.abt |
| VirusBuster | 4.3.26:9 | 2008.03.03 | Packed/nPack |
| Webwasher-Gateway | 6.6.2 | 2008.03.03 | Trojan.Agent.Abt.33 |

Additional information
File size: 48640 bytes
MD5: 5557dd0fd5565f12a71c92e6aad7088f
SHA1: 1dd1be78715ff68354967adadc8b6990706caafa
PEiD: -
packers: NPack
Prevx info:
Luckily, the machine wasn't actually infected, but the .exe file was sitting there waiting to be clicked. Symantec would have detected this if it had updated in time, and, as it is, most AV products will detect the virus.
It just goes to show that you can't necessarily trust a PC straight out of the box.
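As an added example (not part of the original post), the script below does two things a defender would want after reading a report like the one above: it parses the pipe-separated VirusTotal rows to work out how many engines flagged the sample, and it walks a directory tree standing in for a freshly mounted partition or USB stick, flagging files that match the post's indicators by name (RavMon.exe) or by the MD5/SHA1 quoted in the report. The six table rows embedded below are copied from the report; the temporary directory and the decoy file it contains are constructed for the demo and are not the real sample, so the decoy matches by name only.

```python
"""Parse VirusTotal-style result rows and scan a tree for the post's IoCs."""
import hashlib
import os
import tempfile
from collections import Counter

# Indicators quoted from the post's VirusTotal report.
KNOWN_BAD_MD5 = {"5557dd0fd5565f12a71c92e6aad7088f"}
KNOWN_BAD_SHA1 = {"1dd1be78715ff68354967adadc8b6990706caafa"}
KNOWN_BAD_NAMES = {"ravmon.exe"}

# Six rows copied from the report, in the page's pipe-separated layout.
VT_ROWS = """\
AhnLab-V3 | 2008.3.4.0 | 2008.03.03 | Win-Trojan/Xema.variant |
FileAdvisor | 1 | 2008.03.03 | - |
Kaspersky | 7.0.0.125 | 2008.03.03 | Trojan.Win32.Agent.abt |
Microsoft | 1.3301 | 2008.03.03 | Worm:Win32/RJump.F |
Sunbelt | 3.0.906.0 | 2008.02.28 | - |
Symantec | 10 | 2008.03.03 | W32.Nomvar |
"""


def parse_vt_rows(text):
    """Turn 'engine | version | update | result |' lines into dicts.
    A result of '-' means that engine did not flag the sample."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue  # blank or metadata line, not an engine row
        engine, version, updated, result = cells
        rows.append({
            "engine": engine,
            "version": version,
            "updated": updated,
            "result": None if result == "-" else result,
        })
    return rows


def detection_summary(rows):
    """Return (engines that flagged it, engines total, Counter of names)."""
    detected = [r for r in rows if r["result"]]
    families = Counter(r["result"] for r in detected)
    return len(detected), len(rows), families


def file_hashes(path):
    """MD5 and SHA1 of a file, read in chunks so large files are fine."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def scan_tree(root):
    """Walk a volume root (a mounted partition or USB stick) and report
    files matching the post's indicators. Returns (path, reason) tuples;
    reason is 'name', 'hash' or 'name+hash'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in KNOWN_BAD_NAMES:
                reasons.append("name")
            md5, sha1 = file_hashes(path)
            if md5 in KNOWN_BAD_MD5 or sha1 in KNOWN_BAD_SHA1:
                reasons.append("hash")
            if reasons:
                hits.append((path, "+".join(reasons)))
    return hits


def demo():
    """Constructed scenario: a temp dir standing in for the E: partition,
    holding a harmless decoy named RavMon.exe (matches by name only) and
    a clean text file."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "RavMon.exe"), "wb") as fh:
            fh.write(b"decoy bytes, not the real sample")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("clean file")
        hits = scan_tree(root)
    detected, total, _families = detection_summary(parse_vt_rows(VT_ROWS))
    return detected, total, [reason for _path, reason in hits]


if __name__ == "__main__":
    print(demo())  # (4, 6, ['name'])
```

Matching by hash is the reliable check; matching by file name is only a cheap first pass, since a repacked copy of the same worm will have a different hash but may well keep the name, and a legitimate file could share it. On a real volume you would run `scan_tree` against the mount point and review every hit before deciding the disk is clean.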
5 comments:
Is there any comment from Toshiba? Have you reported this incident?
Did you speak to sales reps? If they put your laptop on display someone could just simply put any USB memory stick and copy the virus over.
I bought a Toshiba Equium from Currys and also found using Dr Webb that it had exactly the same file infected with same virus. I called up Toshiba and reported it to them. They simply said thanks for telling us!
Strange - I bought a Toshiba this weekend from PC World - sister of Comet - and when the first virus scan was performed it found the w32.monvar virus. Isn't that strange? As I had started to install software and files, I thought it must have been me that had infected it...
Looks like it wasn't
Thanks - I will take it up with them...
I have the exact same problem:
http://blog.irreverence.co.uk/?p=509
Worrying.