Why am I getting viruses?
Updated: 21 May 2010 | 42 comments
I have Symantec Endpoint Protection (SEP Client Version 11.0.4000.2295) running on every computer in my small network. One of our laptops recently began running slow so I did a virus scan; neither the Active Scan nor the Full Scan found any infections. The next day the computer was largely inoperable, so I booted using a Kaspersky Virus CD and discovered multiple infections of the W32.Virut.CF virus. I don't understand why my expensive Symantec product did not catch this infection. I assume I need to get rid of SEP and get something better, but does anyone know why this product has failed to protect me? My LiveUpdate runs daily and the virus definitions were up to date.
Thank you.
Comments
This Happens with every antivirus.
Sometimes Symantec is first and sometimes others are, so whenever you suspect a file, please submit it to the Security Response team; they will surely release the updates for the virus.
I agree. You just gotta submit samples for them to include it in their rapid release and then the certified defs. We have had a few cases over the past few months as well.
I was at a local security group meeting this week and saw an interesting presentation from a pen test company. They wrote a buffer overflow exploit at the meeting and demoed it. They showed the method they use to make it undetectable by anti-virus as well. Their shellcode is self-decrypting and only happens when the code is run, so a scanner cannot pick it up on a file scan. They said that many AV programs only scan the first 100 bytes or so and their technique puts the changes where an AV scanner won't find it and in a format that changes each time it's run.
They had already built the exploit and showed the VirusTotal results. Nothing picked it up even though it used shellcode from Metasploit.
FWIW, their estimate was that some 70% of malware is not detectable by anti-virus programs. Their advice against infection is
1. Patch early and patch often.
2. Do not run as an administrator or power user.
BTW, your virus is here: http://www.symantec.com/security_response/writeup.jsp?docid=2009-020411-2802-99 and should have been detected with defs back in February, but they did update the defs just yesterday. I'm assuming your users are not Standard (restricted) users or the damage should have been more limited than you saw (#2) or the delivery mechanism exploited an unpatched vulnerability (#1).
Can you shed some more details on how the infection occurred?
Ray
It also used to be that honeypots could catch a lot and they could use them as a source of examples and information on how widespread something is, etc.
However, now with the infections being placed on LEGIT web sites, sites that get hacked or infected, and then moving to the workstation through web visits, they would have to have bots go out much like yahoo and google, and hit every single web page on every web server to find this new stuff.
We have entered the age, finally, where the bad guys have more time, resources and money - AND motivation - than the good guys, and their code is SO good.......
The real issue is this - Microsoft, in their obsession with making their OSes totally user friendly for the mindless masses, make it SIMPLE so "any idiot can run it"; well, it opens it up so any bad guy can get in.
Other OSes that don't allow so much under-the-hood tweaking and require more work without a GUI are much more secure.
By making it simple, MS has done just that.
Here's what else hurts us - GOOGLE. GOOGLE has violated accepted protocols and security and allowed folks to be tricked into installing their software, and has made their software so it can install on a workstation on which the logged on user doesn't have software install rights!
What LEGIT application installs itself into the "%userprofile%\local settings\application data " area?
Is that not for APPLICATION data?
GOOGLE runs their EXE and DLLs there totally circumventing security! Shame on them!
IT admins everywhere should do something about it! (I'm thinking nasty emails, boycotts, blocking anything google like I have just done, etc.)
When a company uses tricks to get software installed, that's pretty low.
We don't want or allow software installs - using standard network/AD security, but see how they work around that and install anyway?
No more. All google software installs - ALL, are now blocked via SEP (thank you Symantec!)
That really made me angry with Google, and it's also a trick that these phoney av and security apps and other BUGS use - install into the user profile area, no security there, the logged in user is a god in that area.
So when a mainstream outfit like Google does that, where does that leave us with organized crime and spammers?
My sites - http://theamcpages.com & http://antique-engines.com
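For an administrator who wants to see whether anything on a workstation is actually executing out of the profile area the post above complains about, a quick inventory helps. This is an added example, not code from the thread, from Symantec or from Google; the folders it checks are assumed to be the standard per-user locations (the XP-era path named in the post plus the Vista/7 environment variables that replaced it), and the function name is my own.

```powershell
# Added example: list running processes whose executable lives under the
# current user's profile, i.e. software that needed no install rights.
# The path list is an assumption: the XP-era folder from the post plus the
# environment variables Vista/7 use for the same purpose.
$profileRoots = @(
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),
    $env:LOCALAPPDATA,
    $env:APPDATA
) | Where-Object { $_ }   # drop variables that are unset on this Windows version

function Get-ProfileResidentProcess {
    # Path is empty for processes we lack rights to inspect (other users',
    # system); run from an elevated prompt to see every process.
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | Where-Object {
        $exe = $_.Path
        @($profileRoots | Where-Object {
            $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
        }).Count -gt 0
    } | Select-Object Name, Id, Path,
        @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature $_.Path).Status } }
}

# Unsigned or unexpected entries here deserve a look; the same path prefixes
# are what an application-control rule would deny execution from.
Get-ProfileResidentProcess | Format-Table -AutoSize
```

The Signature column comes from Authenticode: legitimate per-user installers (browsers, updaters) usually show Valid with a known publisher, while the phony AV programs mentioned later in the thread typically show NotSigned, which makes the list easy to triage by eye.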
No antivirus is 100% secure
In today's world no antivirus is 100% secure. In the old days there were only a few thousand viruses in the wild, so every antivirus knew about them. Once there was a new worm, it became a major outbreak.
But in today's world thousands of malicious codes are written every day. Of those, a few thousand are caught by the honeypots and very few are submitted by customers. But there are still many of them in the wild.
So you cannot trust any antivirus, because they just do signature-based scanning.
However, in SEP we do have Proactive Threat Protection, and it does detect a few of them beforehand, based on their behaviour.
If a virus is new it can do anything. It can disable any antivirus, and once that is done it can download any known old virus.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
No antivirus is 100% secure
So it is advised to keep healthy browsing habits.
Always keep your AutoPlay turned off.
Open attachments only when you are sure they are from a trusted source.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
This is the common feature of all antiviruses. No antivirus company can claim to have 100% total security. It is advisable to keep Windows patches up to date, have a gateway firewall with proper URL filtering, have antivirus filtering in place, and of course keep the antivirus up to date.
Dear Kim
SEP 11.0.4000 has some bugs in it. Please upgrade it to 11.0.4014.
Ajit
Regards,
Ajit Jha
Technical Consultant
STS
Re
Hi,
All of us have the same issue. No one AV will resolve 100% of infections of systems.
But we can avoid viruses when our Windows has all critical updates installed and the antivirus has the latest build and definitions.
Regards, M.R
This is very common: before the antivirus vendor detects the virus signature and releases a solution, the machines get infected.
Re
Every antivirus depends on signatures: if an AV has one, it detects; if not, it doesn't.
Regards, M.R
Update to the latest version: 11.0.4014
Updating to the latest version, 11.0.4014.26, might solve your problem.
RE
Hi, Virut is a very nasty virus. I think you need to obtain the Risk Logs. I had the same situation, but I checked the logs and traced that the antivirus service was turned off; no one claims to have turned it off, but I am sure someone did. I had the workstation re-imaged since the system EXE files were infected.
Have to analyse the risk logs; then you can go for the exact solution.
Post the log
Security policies and advices
Hi,
As you have already read, antivirus is not a 100% safe technology, and an active security policy is required to prevent new infections.
Most of the time the user plays an active role... if he does not refrain from opening a suspicious email or an untrusted web site, he is likely to get the latest updates of any malware.
Other malware exploits some Windows vulnerabilities; therefore the latest Microsoft patches are practically more important than the AV definitions.
A lot of malware uses the AutoPlay feature to spread itself; disable it on all your machines.
Other advice is available on our website.
An IT administrator should be able to manage the infection: detect and track the anomalies, isolate the infected machines, enforce the security policies to prevent an outbreak, and isolate a sample of the virus to submit to Symantec Security Response to write the new definitions. Symantec Support helps in these steps.
Regards,
Giuseppe
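The three controls that keep coming up in these replies (AutoPlay off, Windows patched, users not running as administrators) can be checked on a workstation in one pass. This is an added example and not part of the thread or of any Symantec tooling; it relies on the standard Explorer policy value `NoDriveTypeAutoRun` and the built-in `Get-HotFix` cmdlet, and the function names are my own.

```powershell
# Added example: audit one workstation for the controls the thread recommends.
# Registry paths are the standard Explorer policy keys, not anything SEP-specific.

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type.
    # Machine policy wins over user policy, so HKLM is checked first.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($v -eq 0xFF) { return $true }
    }
    return $false
}

function Disable-AutoRun {
    # Machine-wide remediation; run from an elevated prompt. Takes effect at next logon.
    $k = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    Set-ItemProperty -Path $k -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Test-RunningAsAdmin {
    # True when the current token holds the Administrators role. Under UAC a
    # non-elevated prompt of an admin user reports False, so when auditing also
    # look at the user's group membership (whoami /groups).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LastHotfixDate {
    # Get-HotFix reads Win32_QuickFixEngineering; InstalledOn is blank for some
    # entries, so those are skipped. A date many weeks old means patching is behind.
    $dates = Get-HotFix | Where-Object { $_.InstalledOn } | ForEach-Object { [datetime]$_.InstalledOn }
    if ($dates) { ($dates | Sort-Object | Select-Object -Last 1) } else { $null }
}

New-Object PSObject -Property @{
    AutoRunDisabled     = Test-AutoRunDisabled
    RunningAsAdmin      = Test-RunningAsAdmin
    LastHotfixInstalled = Get-LastHotfixDate
} | Format-List
```

Run it as the ordinary user whose machine is in question, since the point of the admin check is that user's everyday token; `Disable-AutoRun` is included for the case where the first check fails and the machine is not yet under a Group Policy that sets the same value.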
Migrating to 11.0.4014
Migrating to 11.0.4014 will not resolve issues with missed detections. Please disregard that advice as a possible solution. There is nothing in the release notes that indicates this version improves detection of viruses. Missed detections are, as explained several times already, due to new variants of old viruses that have not yet been submitted to Security Response, etc.
Re
This really depends on the user; you can have a computer with no antivirus as long as you're responsible in browsing and using the PC. AVs are just protection against known threats.
Agree with Ted G. Please and also Giuseppe.Axia.
Totally disagree with:
>>This really depends on the user; you can have a computer with no antivirus as long as you're responsible in browsing and using the PC. AVs are just protection against known threats.<<
simply not true any more. Good antivirus heuristics can detect behaviour with no signatures.
In fact, there are a couple of apps that don't use signatures as their primary means.
Also - no way today you can run with no av protection, even Apple sees that now. It's almost irresponsible to suggest that all one needs is "safe habits". All one needs is to pull the network cable out of the back of the computer and stop using removable media. But when simply being on the WWW or a network can infect you while sitting still, or while visiting major corporate sites, I'd not suggest no protection.
Anyone remember 3Com? I found infected Word document files on their web site a while back.
There are threats in LEGIT web sites - how do you know that www.kcci.com, a major news site, was clean? You don't, and that's how we discovered one of those nasty phoney AV programs - a user here went to the TV station's site and got infected.
Same for a voc-rehab site out west. Their site was hacked, a user here got infected.
I'm also going to disagree with Symantec a bit in general - I've beta tested their AV products since NAV 2.0 and know that there are things that get put in that are not in the public "release notes".
Now perhaps that's changed today and they document every little detail down to the bit level, fine - but historically, it's not always the case. The engine is so modular that a simple LU can change detection.
I've upgraded before and suddenly started seeing threats that the prior version didn't catch - simply because there was a minor change to the scan engine to support some other feature, and lo and behold, it improved detection just a grain.
No offense, Symantec, but I still recommend that if a user is having issues with detection, I'll still say "update" the app. I've seen even your products change in places not documented for the public.
Now if a person is on MR4, there may indeed be no improvement in detection moving to MR4 MP1. But if on MR2, then do upgrade. Minor patches typically are for bug fixing and/or typically do document each change. And there are things that happen that they don't know about, too.......... changes that have impacts they didn't see in tests.
I can't promise improvement, but it's hard to say "never" in these areas when I've seen it myself.
Don't update just for the sake of updating, but if you are having issues and all else has failed, and there's a MAJOR version change, I'd update, personally.
My sites - http://theamcpages.com & http://antique-engines.com
Re
Thanks for the feedback, shadowspapa. I have a computer at home with no antivirus installed and internet access only to trusted sites like Yahoo, MSN, Google. Works fine for me.
But technology nowadays is getting more and more complex.. whew!...
A week or so ago a user here wanted to show a client about his home state of Kentuky.
He went into Google and typed in kentuky.
Of course many links came up in google, he clicked one of the first ones, the url looked fine, and as soon as he clicked - BAM, phony AV was on his computer and hammering it really hard.
A month ago, another counselor was using yahoo.com to search for a doctor in reference to a client.
He typed in the doctor's name, yahoo came up with the links, BAM, his computer was hit hard. Took me two hours to clean it.
I trust nothing and certainly NOT Google after I found their underhanded methods of circumventing security and installing their crap in the user's "application data" folder!
Those two folks were using Google to search and this annoying thing came up about enhancing their search abilities. They THOUGHT they were CLOSING the popup in Google and instead, ended up with google's unsecure Chrome browser installed in their profile area, NOT under program files.
So even google is playing those games now.
Again, I trust nothing. Esp google. They are on "my list"..................... and their products banned.
My sites - http://theamcpages.com & http://antique-engines.com
That's why desktop AV should be a protection of last resort
When you rely on one vendor you have a single point of failure. Our philosophy is that the desktop AV should never go off. If it does, it means our other protections failed.
One of the most effective layers we have is an AV scanner on the proxy server. It actually runs all traffic through AV engines from three different vendors before it passes it on to the desktop.
Is it perfect? No, however if we get one Symantec alert a month (1,500 desktops) it's unusual. The proxy AV system catches several a week on average.
Ray
My two cents
I have to agree AV software is the last line of defense. Several things that you need to have: obviously a firewall to prevent attacks. Patching has to be a primary thing as well; if the exploit can't run it can't infect your machine. Another thing I know we use is a web filter, and if it goes down for any reason I notice a big increase in viral and spyware activity.
No AV software is 100% effective. I also do a weekly full disk scan, and every week we detect quite a few viruses when it runs.
Being a public agency and not private enterprise, we can't afford proxy server and all the extra software that goes with it, maintenance, OS licenses, etc. so it's not an option for us.
Patching is all well and good, and must be a priority, however, nothing at all we see here is an "exploit" of a hole in the OS.
We get several alerts a week - mostly things that were caught and deleted, many minor things, the worst are the phoney AV apps - those have gotten quite good and nasty and don't rely on things that can be prevented or closed with a patch.
We keep things patched and if we see a hot hole, we apply patches with less testing.
I WOULD like to see us get a product like websense in here...............
My sites - http://theamcpages.com & http://antique-engines.com
Webfilters
Websense by far is the best at this time. I will say this though: depending on your environment there are also several appliance-based ones that are very good as well. When we were doing our research I evaluated several, and 8e6 had a very nice one at a good price; its design just didn't fit into our environment. I don't remember the name of the other appliance that I looked at, but it was very good too. The main reason we chose Websense is that we have redundant firewalls as a failover and the appliance-based ones could only monitor one firewall at a time.
11.0.4014.26 might solve your problem.
I am very sad when someone says "might solve your problem". I have SEP 11.0.4...
My 5 cents
I have an outbreak of Virut... and well, SEP11 and AV10 were not able to detect this virus. I installed an old version of free AVG with no updates and it removed the virus, no problem. It is sad when a free antivirus works and the one you pay a lot of money for does not work.
The fact of the matter is there is a Difference between an Anti-Virus and an Anti-spyware / Anti-Malware etc.
Don't forget, we live in what is commonly described as "difficult economic times" and are in the middle of a recession.
"Corporate America" is not the only one suffering, and supplementing 'income' is required for a lot of corporations to survive.
That being said, and you all can feel free to disagree with me all you like, but without "threat" there is no business in AV / AS / AM.
Ever wonder why running "Malwarebytes Anti-Malware" you find threats. You remove the threats. WITHOUT removing it (the anti-malware)... you then run "Lavasoft Ad-Aware" and your "clean machine" comes up with more 'different threats' that the first one did not catch.
So you scratch your head and wonder, maybe there is more? So you install and run: "Spy bot - search and destroy" for example.
2 AM softwares MUST have gotten them all, right?
Nope, more threats pop up... interesting. Why is that? It's called supplemented income. It's shady back-alley deals between legitimate companies trying to keep people employed while maintaining a profit margin.
Not all malware is 'bad'. Some of it, and most of the time the ones that don't get caught, are dataminers, tagging you and your browsing habits (mostly for home users). Pop-ups and marketing. Kickbacks are given to the same corporations for "not tagging" their malware / spyware, call it what you will.
No one will come out and openly admit it. That would be self-incrimination, and is illegal. You might think I am crazy or paranoid or looking for the "conspiracy theory". But truth be told, this was going on long before the economic recession of modern time. This is the way the corporate world works.
I am not saying Symantec is in cahoots with anyone. Consider they do "protect" 99% of the Fortune 500 companies, so they don't need to rely on "shady antics" to buff their corporate profits, keep their share holders happy and keep the economy from crumbling more.
* * * * *
Remember it took a "coalition of hackers" to take down the McColo data center in San Jose, California, responsible at the time for 80% of the world's SPAM. Who was chased after this? The hackers responsible... Money was going to be lost and taxes not paid from companies selling their products or marketing. Economy suffers...
They knew this was going on from this location for years; just no one wanted to step in and do anything about it. Sad really. Then they relocated to Russia and are now in "a bullet-proof data center" rumored to be underground. How many SPAM suppliers can claim that they would continue to SPAM the world even after a nuclear strike... And none of the "internet authorities" will stop them.
IMO all malware is bad, thus the term. If it wasn't, they could be above-board with it and ask permissions.
Malware of any sort - ANYTHING that tracks me, or installs software or files of any sort on THIS computer without my express consent is an invasion of privacy. I don't let the gov't do it, so why should someone wanting to make money off me be allowed to?
Do you let people come and go freely in your car, your garage or your HOME? do you let them wander in, snoop through your underwear drawer, leave spy cameras in your living room, tap your phone and report back to someone wanting to make money off you?
Then why is this @!#%$ allowed? Why is it legal? It's not free speech. If that was the case, you could come into my home, drink my milk, eat my cookies, watch what I do all evening, write it down and leave whenever you felt like it.
This is private property, not any less than my home or my car is private property.
Police can't ask me to open my trunk without a warrant or just cause - why do these morons get a right to snoop on me using MY computer that I BOUGHT and paid for, and moreso, install software I don't want, and even go so far as to INTERFERE with my work, and lose my data?
Why is that legal more than me walking into your home, taking your magazines and preventing you from watching your TV?
What's the difference?
Malware is bad - period.
Malware should be illegal - it's an invasion of privacy, it's theft, it's interfering with my right to enjoy and use my own property.
My sites - http://theamcpages.com & http://antique-engines.com
Sorry I might have missed a line
Sorry to have misled you into thinking I thought it was okay. What I meant to say is, I agree with everything you just said.
But contrary to a virus / trojan / botnet... malware is "spying on you", yes. It may or may not be there, yes. You might not even know it's there, because it is not "directly affecting your system's performance".
It is not deleting your files, etc.
Bad YES. Harmful, matter of opinion. Do I want it on my system(s) HELL NO!
Even I have faced the same problem
Eventually, while using Symantec, the AVG Free used to detect more viruses than this one.
Re
Om_123, for me it's not recommended to install 2 AVs, because AVG might detect the viruses that Symantec already quarantined. Another is that it may hog more resources from your PC.
Virut--File infector
W32.Virut is a major file infector that came along free with Downadup.C.
Well, it was there even before Downadup, and there are more than 400 variants of the virus in the wild; it is not possible for all AV companies to detect all the variants.
It might be possible that AVG detects 100 and Symantec detects 300, and the one you got was one of those detected by AVG but not Symantec.
But if you had submitted one sample of that threat, Symantec would have 301 detections.
As security administrators it is also our responsibility to submit suspicious files to Symantec or whichever AV you use.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
No Paul, it's worse than that. The main reason to not install 2 memory-resident background-checking AVs is because they can actually cause each other to MISS finds due to contention during file checking.
When you launch or touch a file, each is attempting to perform checks. During this process, 1 of two things can happen:
1. false alerts are triggered due to the contention
or
2. the virus goes UNFOUND due to them stepping on each other.
MEMORY and CPU resources aside, and that's bad enough, all too often they step on each other in the background checks and you end up with WORSE protection, not better.
It's just part of being a professional security administrator - forensics, sample submission, etc.......... at least it has been for me for roughly 20 years now. I've been security administrator for 4 entities now.
It was much easier back then!
Do the various companies catch things that another may not? Absolutely! I've experienced that since day one. HOWEVER, over the 20 years I've been at this, Symantec has the advantage in averages - year-after-year being one of the best. When you look at individual threats one at a time, each has their advantages, but when looking at the in-the-wild group as a WHOLE, even independent companies agree, Symantec typically takes the lead. Check PC Magazine's most recent reviews............ A Symantec product was once again EDITORS' CHOICE. 2 reasons as I see it - virus catching abilities AND, this year, LEAST INTRUSIVE and load intensive!
Way to go. Takes LESS processor time than other products (consumer class products in this review).
My sites - http://theamcpages.com & http://antique-engines.com
Quick note on Websense / webfilters
Since it was mentioned earlier in the thread.....
Paid for solutions aren't the only option though - I use free/very cheap stuff for home/personal use, and if you are prepared to do some manual config, these are potentially scalable to corporate use.
Check out DansGuardian as an alternative to Websense - it works with Squid or other free proxies, and sits on a free OS. For non-profit organisations, it's free.
The blacklists you can use for it are either free or very cheap (sub $500 for the year for corporate use).
Nick
As per my experience with SEP, it is running nicely.
There are hundreds of viruses being created every day, so our responsibility is to submit virus samples to the Symantec team. After submitting, we quickly get an updated virus definition which will detect that virus.
You must be careful while using your pen drives or network connections.
The virus that attacked your computer must have come from an unsafe site that you must have visited. The virus entered your system and SEP did not catch it, as it was an unknown virus for Symantec's team and a particular update was created for that virus.
A particular update was not created for that virus.
re
Eventually, while using Symantec, the AVG Free used to detect more viruses than this one.
re
This is the common feature of all antiviruses. No antivirus company can claim to have 100% total security. It is advisable to keep Windows patches up to date, have a gateway firewall with proper URL filtering, have antivirus filtering in place, and of course keep the antivirus up to date.
Hi Om_123
I have to ask that you do not resurrect old threads like this without having something updated/new to say about the subject at hand. I appreciate your comments, but your point has already been stated many times in this thread. Bringing up old threads in this way just creates more clutter. I am not trying to say that you shouldn't post on things, but I am merely trying to make this forum the best it can be and by reducing duplicate posts it makes it clearer and easier for everyone else to get the answers they need.
Thanks,
Grant
Please don't forget to mark your thread solved with whatever answer helped you : )
USB is one of the main sources of viruses
USB is one of the main sources of viruses.
Regards...
Ramji Iyyer