RavMon.exe virus on new Toshiba Satellite laptop
A few days ago I bought a very inexpensive Toshiba Satellite L40-18Z laptop from Comet in the UK. It's a basic laptop running Windows Vista, and it is certainly good enough for web browsing and wordprocessing.
But this particular laptop came with something extra. Despite the security seals being intact, and the OS having never been activated, the laptop came with a file called RavMon.exe on the C: and E: partitions.
RavMon.exe is an insidious virus that spreads on USB keys and drives, so it seems likely that this laptop was infected during the manufacturing process, despite having Symantec Anti-virus installed.
Of course, the first thing I did was remove Symantec and install ZoneAlarm, and ZA's Kaspersky anti-virus engine found RavMon.exe pretty much straight away. Thinking it was a false positive, I sent it to VirusTotal and the results speak for themselves.
File RavMon.exe received on 03.03.2008 20:38:32 (CET)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.3.4.0 | 2008.03.03 | Win-Trojan/Xema.variant |
| AntiVir | 7.6.0.73 | 2008.03.03 | TR/Agent.Abt.33 |
| Authentium | 4.93.8 | 2008.03.02 | W32/Trojan.NAT |
| Avast | 4.7.1098.0 | 2008.03.02 | Win32:Agent-EDN |
| AVG | 7.5.0.516 | 2008.03.03 | Generic3.NKU |
| BitDefender | 7.2 | 2008.03.03 | Trojan.Downloader.Chacent.A |
| CAT-QuickHeal | 9.50 | 2008.03.03 | Trojan.Agent.abt |
| ClamAV | 0.92.1 | 2008.03.03 | Trojan.Agent-3327 |
| DrWeb | 4.44.0.09170 | 2008.03.03 | Win32.HLLW.Autoruner.198 |
| eSafe | 7.0.15.0 | 2008.02.28 | Suspicious File |
| eTrust-Vet | 31.3.5582 | 2008.03.03 | Win32/Compfault.C |
| Ewido | 4.0 | 2008.03.03 | Trojan.Agent.abt |
| FileAdvisor | 1 | 2008.03.03 | - |
| Fortinet | 3.14.0.0 | 2008.03.03 | - |
| F-Prot | 4.4.2.54 | 2008.03.02 | W32/Trojan.NAT |
| F-Secure | 6.70.13260.0 | 2008.03.03 | W32/Agent.CUTV |
| Ikarus | T3.1.1.20 | 2008.03.03 | Trojan.Win32.Agent.abt |
| Kaspersky | 7.0.0.125 | 2008.03.03 | Trojan.Win32.Agent.abt |
| McAfee | 5243 | 2008.03.03 | New Malware.eb |
| Microsoft | 1.3301 | 2008.03.03 | Worm:Win32/RJump.F |
| NOD32v2 | 2918 | 2008.03.03 | Win32/AutoRun.FQ |
| Norman | 5.80.02 | 2008.03.03 | W32/Agent.CUTV |
| Panda | 9.0.0.4 | 2008.03.03 | Generic Malware |
| Prevx1 | V2 | 2008.03.03 | Generic.Malware |
| Rising | 20.34.02.00 | 2008.03.03 | Trojan.DL.MnLess.n |
| Sophos | 4.27.0 | 2008.03.03 | Troj/QQRob-ADL |
| Sunbelt | 3.0.906.0 | 2008.02.28 | - |
| Symantec | 10 | 2008.03.03 | W32.Nomvar |
| TheHacker | 6.2.92.231 | 2008.03.02 | - |
| VBA32 | 3.12.6.2 | 2008.02.27 | Trojan.Win32.Agent.abt |
| VirusBuster | 4.3.26:9 | 2008.03.03 | Packed/nPack |
| Webwasher-Gateway | 6.6.2 | 2008.03.03 | Trojan.Agent.Abt.33 |

Additional information
File size: 48640 bytes
MD5: 5557dd0fd5565f12a71c92e6aad7088f
SHA1: 1dd1be78715ff68354967adadc8b6990706caafa
PEiD: -
packers: NPack
Prevx info:
Luckily, the machine wasn't actually infected, but the .exe file was sitting there waiting to be clicked. Symantec would have detected this if it had updated in time, and as it is, most AV products will detect the virus.
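A quick way to check a fresh machine for this particular sample, added here as an example and not part of the original post: look at the root of each drive for a RavMon.exe, hash it and compare against the MD5/SHA1 from the VirusTotal report above, and also flag an autorun.inf that would launch it (that an autorun.inf is involved is an assumption drawn from the AutoRun/Autoruner detection names, not something the post states). The `demo()` function scans a temporary directory holding a constructed lookalike, not the real file.

```python
import hashlib
import os
import re
import tempfile

# Indicators copied from the VirusTotal report in the post.
KNOWN_NAME = "ravmon.exe"
KNOWN_MD5 = "5557dd0fd5565f12a71c92e6aad7088f"
KNOWN_SHA1 = "1dd1be78715ff68354967adadc8b6990706caafa"

def hash_file(path):  # returns (md5, sha1) hex digests, chunked read
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def check_drive_root(root):
    """Inspect the top level of one drive (the post found the file at the
    root of C: and E:). Assumption: an autorun.inf pointing at the file is
    how it gets launched. Returns a list of findings; empty means clean."""
    findings = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        if name.lower() == KNOWN_NAME:
            md5, sha1 = hash_file(path)
            if (md5, sha1) == (KNOWN_MD5, KNOWN_SHA1):
                findings.append(f"{path}: exact match for the sample in the post")
            else:
                findings.append(f"{path}: RavMon.exe present but hashes differ "
                                f"(md5 {md5}); treat as a variant")
        elif name.lower() == "autorun.inf":
            with open(path, errors="replace") as fh:
                text = fh.read()
            if re.search(r"^\s*(open|shellexecute)\s*=.*ravmon\.exe", text, re.I | re.M):
                findings.append(f"{path}: autorun.inf launches RavMon.exe")
    return findings

def demo():
    # Constructed lookalike in a temp dir; NOT the real malware, so hashes differ.
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "RavMon.exe"), "wb") as fh:
        fh.write(b"MZ placeholder - constructed, not the real sample")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=RavMon.exe\n")
    return check_drive_root(root)
```

On a real machine, call `check_drive_root("C:\\")` and `check_drive_root("E:\\")` from an account that can read the drive roots; an exact hash match means the same build the post submitted, a name match with different hashes means a variant worth submitting to an AV vendor.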
It just goes to show that you can't necessarily trust a PC straight out of the box.
Labels: Viruses

5 Comments:
Is there any comment from Toshiba ? Have you reported this incident ?
07 March 2008 05:10
Did you speak to sales reps? If they put your laptop on display someone could just simply put any USB memory stick and copy the virus over.
07 March 2008 18:16
I bought a Toshiba Equium from Currys and also found using Dr Webb that it had exactly the same file infected with same virus. I called up Toshiba and reported it to them. They simply said thanks for telling us!
04 April 2008 18:25
strange - I bought a toshiba this weekend from PC World - sister of Comet - and when the first virus scan was performed it found the w32.monvar virus - Isn't that strange. As I had started to install software and files, I thought it must have been me that had infected it.....
Looks like it wasn't
Thanks - I will take it up with them...
07 April 2008 20:40
I have the exact same problem:
http://blog.irreverence.co.uk/?p=509
Worrying.
16 April 2008 19:03