Does anyone know this virus? WS.Reputation.1

Started by Maxim, 01 October 2012, 17:37:46

Maxim

Actually it's something strange, it isn't even a virus,
but I come across it in many crack files.
I use Norton Antivirus.

Does anyone know the details?
I think many antivirus programs don't give this kind of error for the same files.


WS.Reputation.1
Updated: February 15, 2012 3:15:47 PM
Type: Other
Risk Impact: High
Systems Affected: Windows XP, Windows Vista, Windows NT, Windows Server 2003, Windows 2000


Behavior
WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec's community of users and therefore are likely to be security risks. Detections of this type are based on Symantec's reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

The reputation-based system uses "the wisdom of crowds" (Symantec's tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.


Symantec's reputation technology system tracks the attributes of software files (applications, drivers and DLLs) from multiple sources, including:


Anonymous data contributed by tens of millions of Norton Community Watch members
Anonymous data contributed by enterprise customers in a data collection program tailored to large enterprises
Data provided by software publishers
Symantec's Global Intelligence Network

The system considers many aspects of a file, including file age, file download source, digital signature, and file prevalence. These attributes are combined using a proprietary algorithm to determine a file's safety reputation. The system maintains a rating for all files rather than just malicious files. Each software file is given a GOOD, BAD or SUSPICIOUS rating.

Symantec's reputation-based security engine continuously monitors all files and over time a file's reputation may change.
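The attribute combination described in the quoted Symantec write-up, as an added example that is not part of the original thread and is not Symantec's algorithm (which is proprietary): the weights, thresholds, field names and sample files are all constructed for illustration. It shows why a new, rare, unsigned file lands at the low end whatever its content, and how the rating moves as age and prevalence grow.

```python
import math
from dataclasses import dataclass

@dataclass
class FileFacts:
    age_days: int       # days since the community first saw the file
    prevalence: int     # number of community machines reporting the file
    signed: bool        # carries a valid publisher signature
    source_known: bool  # download source has a good history

# Constructed weights and thresholds (assumptions, not Symantec's values).
W_AGE, W_PREV, W_SIG, W_SRC = 0.25, 0.35, 0.25, 0.15
GOOD_AT, BAD_BELOW = 0.60, 0.25

def score(f: FileFacts) -> float:
    """Combine the four attributes from the write-up into a 0..1 score."""
    age = min(f.age_days / 365.0, 1.0)                   # saturates after one year
    prev = min(math.log10(f.prevalence + 1) / 6.0, 1.0)  # saturates near 1M machines
    total = W_AGE * age + W_PREV * prev + W_SIG * f.signed + W_SRC * f.source_known
    return round(total, 3)

def rating(f: FileFacts) -> str:
    """Map the score onto the three ratings named in the write-up."""
    s = score(f)
    if s >= GOOD_AT:
        return "GOOD"
    if s < BAD_BELOW:
        return "BAD"
    return "SUSPICIOUS"

# Constructed sample files.
SAMPLES = {
    "fresh unsigned tool, 5 machines": FileFacts(2, 5, False, False),
    "same tool a year later, 50k machines": FileFacts(400, 50_000, False, False),
    "day-old signed release, 10 machines": FileFacts(1, 10, True, True),
    "long-lived signed app, 2M machines": FileFacts(900, 2_000_000, True, True),
}

if __name__ == "__main__":
    for name, facts in SAMPLES.items():
        print(f"{name:40s} score={score(facts):.3f} rating={rating(facts)}")
```

None of the inputs describe what the file does, which is why a scanner that relies on signatures alone can stay silent on the same file.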



MC_Skywalker

According to McAfee, it apparently makes the following changes.
Quote:
Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files


The following files were analyzed:

A548F82B8B53B03023B2C8F1546253272E3039EF

   The following registry elements have been created:
HKEY_CURRENT_USER\SOFTWARE\TCODE\
HKEY_CURRENT_USER\SOFTWARE\TCODE\SETTINGS\
HKEY_CURRENT_USER\SOFTWARE\TCODE\SETTINGS\FONT\
   The following registry elements have been changed:
HKEY_CURRENT_USER\SOFTWARE\TCODE\SETTINGS\CONVERT BASE64 = 1
HKEY_CURRENT_USER\SOFTWARE\TCODE\SETTINGS\CONVERT ON START = 1
HKEY_CURRENT_USER\SOFTWARE\TCODE\SETTINGS\CONVERT QP = 1
HKEY_CURRENT_USER\SOFTWARE\TCODE\SETTINGS\DETECTION LIMIT = 80
HKEY_CURRENT_USER\SOFTWARE\TCODE\SETTINGS\TRAY ICON = 1
HKEY_CURRENT_USER\SOFTWARE\TCODE\SETTINGS\FONT\SIZE = 8

pisayisi

#2
Norton also gives a similar virus warning for crack files. I didn't know what kinds of changes it could make to the system; I only took it as a move meant to block an attempt to crack unlicensed software. But apparently it is capable of causing some problems, so one needs to be careful.

However, the Symantec site says that there is no specific threat behind this warning, and that among the files sent to the center as suspicious by members using Symantec, the ones with a low score are placed in this category. I think they classify files that don't carry commercial, legal signatures this way, and they are perceived as a threat...

http://www.symantec.com/security_response/writeup.jsp?docid=2010-051308-1854-99
Murat