multiple interpretations for "ccApp" in "system startup" list?



mobileuser
2006-03-30, 00:55
Hi,

I run Symantec Norton Anti-Virus, which of course creates an entry for "ccApp.exe" in the aggregate system startup list. When I click on it in SpybotS&D, the extra info given for it in the right-hand sidebar is shown below.

My question is whether I need to worry about the two worms/trojans mentioned? I've used various other tools to poke through the registry, and all the entries mentioning "ccapp" look legitimate (i.e. only belonging to Symantec/NortonAV).

Is it the case that SpybotS&D gratuitously lists *all* possibilities for a startup entry, culled from Paul Collins' StartUp List? I.e. one who gets a listing like the one below may or may not actually have an infection?

thanks,

Mobileuser

____________________
Current filename: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

Database status: Regular entry
Value: ccApp
Filename: ccApp.exe

Description
Part of _Norton AntiVirus 2003_. Auto-protect and E-mail check will not function without this.

Source: Paul Collins Startup list
____________________

Current filename: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

Database status: Not required - virus, spyware, malware or other resource hog
Value: ccApp
Filename: [random filename]

Description
Added by the _OBSORB_ TROJAN! Note the random filename compared to the valid Norton AntiVirus

Source: Paul Collins Startup list
____________________

Current filename: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

Database status: Not required - virus, spyware, malware or other resource hog
Value: ccApp
Filename: WMADZ.EXE

Description
Added by the _RBOT-LJ_ WORM!

Source: Paul Collins Startup list
____________________
end

Rosenfeld
2006-03-30, 01:38
Yes, where the info is given, it lists the possibilities for a given startup value (ccapp in this case), but look at the FileName: you see that if the filename is ccapp.exe it is the legitimate one. For the malware the FileName is different. So you need to look at the file name at the end of the path shown in the command line of your startup item. If it is ccapp.exe you're OK.

I don't think it is gratuitous for Spybot to provide the info. The malware uses the same value (ccapp in this case), and the additional info prompts the user to look more closely at the command line.

Note that the info is not always complete. I have complained several times that for one startup value, ctfmon.exe (related to MS Office) Spybot only gives info for the baddie (which has filename ctfmon32.exe), but omits to give the info for the legitimate entry (which has filename ctfmon.exe). This could cause people to worry unnecessarily. :-)

mobileuser
2006-03-31, 01:05
Hi, thanks for the timely response, it's helpful.

> but look at the FileName: you see that if the filename is ccapp.exe it
> is the legitimate one. For the malware the FileName is different.

I suspect what you mean by "Filename:" in the above is actually "Current Filename:", e.g. in the below example...

____________________

Current filename: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

Database status: Not required - virus, spyware, malware or other resource hog
Value: ccApp
Filename: [random filename]

Description
Added by the _OBSORB_ TROJAN! Note the random filename compared to the valid Norton AntiVirus

Source: Paul Collins Startup list
____________________


...the "Current filename:" is "<path>\ccApp.exe", but what the example blurb above is trying to convey is that if malware were present and had set the startup entry, the "current filename:" would actually be set to something like "[<somepath>\][random filename]", where "random filename" could be anything. Yes?


> I don't think it is gratuitous for Spybot to provide the info.

I didn't mean "gratuitous" in a disparaging sense, I meant it in the sense that if SpybotS&D knows that a given entry is used by malware for bad things, it provides details about such use, whether I asked for said info or not.

I also meant it in the sense that all that info isn't terribly well explained for a novice SpybotS&D user, hence my question in the first place. And my being worried. :)

thanks again,

mobileuser

md usa spybot fan
2006-03-31, 02:05
mobileuser:


> but look at the FileName: you see that if the filename is ccapp.exe it
> is the legitimate one.

Granted, ccApp.exe is a legitimate program for Norton AntiVirus 2003/2004/2005/2006. However, I question this statement:

> For the malware the FileName is different.
You can find Paul Collins' Startup list here:
Startup Applications List
http://www.sysinfo.org/startuplist.php
Please go there and search for "ccApp.exe" (no quotes).

A couple of the items pulled up are:

W32.Ahker.D@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.ahker.d@mm.html

> Once W32.Ahker.D@mm is executed, it performs the following actions:
>
> Creates the following copies of itself:
>
> %Windir%\CCAPP.EXE

W32.Reatle@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.reatle@mm.html

> When W32.Reatle@mm is executed, it performs the following actions:
>
> May copy itself as the following files:
>
> %System%\ccapp.exe

The way I interpret this is that Symantec is telling you that their program name (ccApp.exe) can be used by malware. So according to Symantec your statement:


> but look at the FileName: you see that if the filename is ccapp.exe it
> is the legitimate one. For the malware the FileName is different.

is not necessarily true.

Now, in a help file how do you think this should be conveyed?
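Rosenfeld's rule (look at the filename at the end of the command line) and md usa spybot fan's caveat (the same filename can turn up in a different directory, such as %Windir% or %System%) can be combined into a single check. The following is an added example, not code from this thread or from Spybot: it classifies constructed Run-key entries by both filename and directory, assuming the Symantec Shared path quoted above is the only known-good location for ccApp.

```python
import ntpath

# Known-good startup entries keyed by the lower-cased Run-value name.
# The ccApp path is the one quoted in the thread; it is an assumption that
# no other location is legitimate. Matching is case-insensitive like NTFS.
KNOWN_GOOD = {
    "ccapp": {
        "filename": "ccapp.exe",
        "directory": r"C:\Program Files\Common Files\Symantec Shared",
    },
}


def executable_from_command_line(command_line: str) -> str:
    """Return the executable path from a Run-key command line.

    Handles both the quoted form ("C:\\Program Files\\...\\ccApp.exe" /x)
    and the unquoted form (C:\\WINDOWS\\CCAPP.EXE /x)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(" ", 1)[0]


def classify_startup_entry(value: str, command_line: str) -> str:
    """Classify one startup entry; value-name matches alone prove nothing."""
    known = KNOWN_GOOD.get(value.lower())
    if known is None:
        return "unknown value"
    exe = executable_from_command_line(command_line)
    name = ntpath.basename(exe).lower()
    directory = ntpath.normpath(ntpath.dirname(exe)).lower()
    if name != known["filename"]:
        return "filename mismatch"   # Rosenfeld's rule, e.g. WMADZ.EXE
    if directory != ntpath.normpath(known["directory"]).lower():
        return "directory mismatch"  # same name, wrong folder (md usa's point)
    return "legitimate"


# Constructed sample entries modelled on the thread, not real registry data.
SAMPLE_ENTRIES = [
    ("ccApp", r'"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"'),
    ("ccApp", r"C:\WINDOWS\WMADZ.EXE"),
    ("ccApp", r"C:\WINDOWS\CCAPP.EXE"),
    ("ccApp", r"C:\WINDOWS\system32\ccapp.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]


def classify_all(entries=SAMPLE_ENTRIES):
    return [(v, c, classify_startup_entry(v, c)) for v, c in entries]


if __name__ == "__main__":
    for value, cmd, verdict in classify_all():
        print(f"{value:8} {verdict:20} {cmd}")
```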