
Symantec NAV ccapp.exe infection or bad documentation? Please help!


pooneil, Technical User, US, Nov 29, 2004
My wife's NAV2004 can't find a single piece of malware on her machine - which is a Toshiba Celeron M laptop running Windows XP Pro SP2 that she uses partly for her work, partly to surf the net. She sent good ol' Symantec her money to keep her update subscription going when the freebie NAV 2004 trial that came on her machine ran out back in October. Her machine also has all the Windows updates and patches, a good firewall (Zonealarm 2.6), and both Spyware blaster and Spybot S & D kept current. I've tried several online scanners as well. They find nothing.

So why do I think I have a trojan, or at least a loader? Read on...

NAV has a module called ccapp.exe which is stopped by several known viruses, trojans, and worms. It calls and runs several other modules and is apparently used by other Symantec software, like Internet security and Systemworks (can you tell I've been reading everything I can find about it?), although I can't figure out just what it's supposed to be doing. It's still running though. BUT....

1) It keeps asking for - not just Internet access, which I have no problem with, but SERVER rights.
I've read what little support documentation Symantec posts on the subject, and by getting creative I finally found a document on using NAV2004 with various firewalls that finally, under the manual configuration section, tells me that ccapp.exe is supposed to use several ports in performing its multiple duties - although it doesn't say *anywhere* that it does or should be given SERVER rights (why would it need to act as an Internet *server* in the first place, right?). The Symantec documentation also lists the various ports NAV needs to access - by number and module even - and whether they are in or out ports. Right here


Compliments to Symantec for at least giving you that important information. BUT GUESS WHAT???

2) When I check my firewall, it tells me NAV's ccapp.exe is listening on port 1038... which is *NOT* on the list of ports it is supposed to be accessing. Here are the ones Symantec says it uses: 25, 80, 81, 82, 83, 110, 443, 1080, 1863, 8080, 8088, 11523...and they are all supposed to be outbound.

Kinda like ccapp.exe is acting like a trojan loader does, waiting to be scanned by its master to download the big kahuna, or maybe like a trojan waiting to send out all sorts of information it's mining off my wife's computer, huh?

It would sure be clever to modify just enough of a program like ccapp.exe that's part of an Antivirus program to use it to communicate and load the trojan itself -

Because - Hey, who wouldn't say "yes" to giving a module that is part of their Antivirus protection access, especially if they don't know much about computers, internet access versus server access, etc. Hey, just look it up on the web - ccapp.exe isn't a hazard, it's part of Symantec Antivirus, Systemworks, etc., right? As long as it’s in the right folder, it’s surely OK. Relax...

Right, *IF* it's the original version. <gulp> Maybe it is. Maybe Symantec documentation just forgot to mention that a), there is some reason their program needs server rights, and b) there is some reason it needs to listen on a port they didn't mention in their documentation (forget the fact the documentation says ccapp.exe uses ports for outgoing communication only). Maybe. I could just be paranoid. But it sure seems fishy...

And I’ve checked ccapp.exe with all the virus scanners I could find, including the meta-scanners. No dice. I sent a zipped copy to Symantec Sunday afternoon, which they acknowledged. No reply so far, though. Which is a little scary in and of itself. And oh, even their standalone program to submit viruses crashes when you try and use it to send ccapp.exe. I hope that's just because it uses ccapp.exe to communicate with Symantec.

Anyway, here's what I'd like to ask folks here to do. I'm asking people here to be so kind as to reply to this post if they have NAV2004 running on Windows XP pro. Please just check your computer and see if your NAV 2004 wants server rights, and listens to port 1038. I've already got one negative response so far on another forum, by a guy who says his ccapp.exe wants access to the ‘net (naturally), but NOT server rights, but I'm not sure he was correct that his NAV wasn't listening to port 1038. He was clearly trying to help, but I'm not sure he understood how his firewall worked well enough to tell.

And so I'm also asking if someone here would be so kind as to send me a MD5 or CRC checksum for their ccapp.exe that isn't (and ONLY if it isn't) wanting server rights or listening to port 1038. If yours wants server rights, we may both have the same malware.

My ccapp.exe gives a MD5 of

f1f54205eaad3e37ca2c5a133437bb947

and the crc is 8936d43e

and the file size reads 71328 - assuming it isn't an altered file length.

Checking your ccapp.exe is easy to do, and if you don't already have a hasher, you can use the online one over at Castlecops.

Here's a link to make it easy:


Scroll down and use the browse button to point the hasher to your version of ccapp.exe

It's located by default in

c:\Program Files\Common Files\Symantec Shared\

Please help with this. I think I've kept it corralled if it's a trojan, but I'd sure like to know what is going on!!!

It will be GREATLY appreciated.
Thanks!
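One way to do the comparison the post asks for, as an added example that is not from this thread and not a Symantec tool: a short Python script that computes the MD5, CRC32 and byte size of a file in one pass and reports which fields differ from a reference record. It writes a constructed sample file to a temporary directory instead of reading ccapp.exe, and the reference values in `demo()` are constructed too; point `check_file()` at the real path and fill in the values a trusted source gives you. An MD5 digest is always 32 hex characters and a CRC32 always 8, so the script rejects a reference record of the wrong shape before comparing, which catches a hash that was mangled in copy-and-paste.

```python
import hashlib
import os
import re
import tempfile
import zlib

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")    # 128-bit digest, 32 hex chars
CRC32_HEX = re.compile(r"^[0-9a-f]{8}$")   # 32-bit checksum, 8 hex chars


def fingerprint(path, chunk_size=65536):
    """Compute MD5, CRC32 and size of a file in a single streamed read."""
    md5 = hashlib.md5()
    crc = 0
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            crc = zlib.crc32(chunk, crc)
            size += len(chunk)
    return {"md5": md5.hexdigest(), "crc32": f"{crc & 0xFFFFFFFF:08x}", "size": size}


def validate_reference(reference):
    """Return a list of problems with a reference record before it is trusted."""
    problems = []
    if not MD5_HEX.match(str(reference.get("md5", "")).lower()):
        problems.append("md5 must be 32 hex characters")
    if not CRC32_HEX.match(str(reference.get("crc32", "")).lower()):
        problems.append("crc32 must be 8 hex characters")
    if not isinstance(reference.get("size"), int) or reference["size"] < 0:
        problems.append("size must be a non-negative integer")
    return problems


def compare_with_reference(observed, reference):
    """Return the fields on which the observed file differs from the reference."""
    mismatches = []
    for field in ("md5", "crc32", "size"):
        a, b = observed[field], reference[field]
        if isinstance(a, str):
            a, b = a.lower(), str(b).lower()   # hex case does not matter
        if a != b:
            mismatches.append(field)
    return mismatches


def check_file(path, reference):
    """Validate the reference, then fingerprint the file and compare."""
    problems = validate_reference(reference)
    if problems:
        return {"status": "bad-reference", "problems": problems}
    observed = fingerprint(path)
    mismatches = compare_with_reference(observed, reference)
    return {"status": "match" if not mismatches else "mismatch",
            "observed": observed, "mismatches": mismatches}


def demo():
    """Constructed sample: a tiny file plus a reference taken from the same bytes,
    and a second reference whose size field was altered."""
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "sample.bin")   # stand-in for ccapp.exe
    with open(sample, "wb") as fh:
        fh.write(b"abc")
    good_ref = {"md5": "900150983cd24fb0d6963f7d28e17f72", "crc32": "352441c2", "size": 3}
    altered_ref = dict(good_ref, size=4)           # constructed: size no longer agrees
    return check_file(sample, good_ref), check_file(sample, altered_ref)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Compare all three fields, not just one: a file can keep its size and still differ in content, and CRC32 alone is easy to collide, so the MD5 (or a stronger hash where available) is the field that carries the decision.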
 
A little update on the Symantec ccapp.exe trojan.

And here's where it gets interesting.

1) Still no reply from Symantec.

2) And today, ccapp.exe is listening on port 1039 instead of 1038.

I guess if I was Symantec and my Antivirus product had a component that was being used as a trojan or trojan-loader, I'd be mum, too. Might hurt my bonus...

Or maybe it's because my wife wrote the Pentagon and told 'em to take her sons off their mailing list (y'know, that, "Be all that you can be, Join the Army", yada-yada-yada that they send to kids that age)...

Jeez, and I believed W when he said he was only spying on Al Qaeda - oh, sh*t, I just did a Google search on Al-whatever so I could spell it right, ...now the NSA is bound to think I'm a terrorist <grin>...

I read there's a problem with Norton Anti-Virus causing security problems for Mac OS-9. Maybe the d*mn virus writers are targeting Symantec. What a screwed-up world we live in!!!!!!!!

It'd sure be nice if somebody would send me a MD5 or crc for their ccapp.exe.

Oh, and it still wants server rights...
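To make the port check the post and its update describe repeatable, here is an added Python example (not from this thread, and not a Symantec tool) that parses `netstat -ano` output in the form Windows XP prints it, joins each PID to an image name as `tasklist` reports it, and reports every listening socket: whether the port is on the outbound list Symantec documents, whether the socket is bound to loopback only (127.0.0.1, unreachable from the network) or to all interfaces, and whether the port falls in XP's default dynamic range of 1025 to 5000, which is where a program that asks the OS for any free port lands and which is consistent with a port that moves from 1038 to 1039 between sessions. The netstat text and the PID-to-image table below are constructed samples; paste the real output of the two commands in their place.

```python
# Ports the post quotes from Symantec's NAV 2004 firewall document (all documented as outbound).
DOCUMENTED_OUTBOUND_PORTS = {25, 80, 81, 82, 83, 110, 443, 1080, 1863, 8080, 8088, 11523}
XP_DYNAMIC_RANGE = range(1025, 5001)   # Windows XP default ephemeral port range

# Constructed sample of `netstat -ano` output; not captured from a real machine.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    127.0.0.1:1038         0.0.0.0:0              LISTENING       1612
  TCP    192.168.1.10:1041      64.4.12.200:1863       ESTABLISHED     1612
  TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING       2200
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID-to-image mapping, as one would build it from `tasklist` output.
PID_TO_IMAGE = {880: "svchost.exe", 1612: "ccApp.exe", 2200: "unknown.exe", 4: "System"}


def parse_netstat(text):
    """Turn netstat -ano lines into dicts. TCP rows carry a state column, UDP rows do not."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue   # banner, header or blank line
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        addr, port = local.rsplit(":", 1)
        rows.append({"proto": proto, "addr": addr, "port": int(port), "state": state, "pid": pid})
    return rows


def audit_listeners(rows, pid_to_image, image_name=None):
    """Report sockets that accept inbound traffic (TCP LISTENING or any UDP binding),
    optionally restricted to one image name (case-insensitive)."""
    findings = []
    for r in rows:
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue
        image = pid_to_image.get(r["pid"], "<unknown pid>")
        if image_name and image.lower() != image_name.lower():
            continue
        findings.append({
            "image": image,
            "pid": r["pid"],
            "proto": r["proto"],
            "port": r["port"],
            "bound_to": r["addr"],
            "loopback_only": r["addr"].startswith("127."),
            "documented_port": r["port"] in DOCUMENTED_OUTBOUND_PORTS,
            "in_xp_dynamic_range": r["port"] in XP_DYNAMIC_RANGE,
        })
    return findings


if __name__ == "__main__":
    for f in audit_listeners(parse_netstat(NETSTAT_SAMPLE), PID_TO_IMAGE, "ccapp.exe"):
        print(f)
```

A socket bound to 127.0.0.1 can only be reached by programs on the same machine, so a loopback listener in the dynamic range is a very different finding from one bound to 0.0.0.0 and reachable from the network; the firewall's "server rights" prompt does not make that distinction, which is why the bound address is worth reading off netstat directly.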
 