W32.Zoher@mm

[Pharquah]

I've got this email server (notes domino) running on NT4 (SP6) with NAV corporate edition latest version running on it. Defs are up to date.
When I do a full scan of the system, it appears to be clean, but every night, three copies of W32.zoher@mm appear in the quarantine that have been picked up by the real time file protection. No other machine in the network has/had the virus. The domino server also has norton av for lotus notes v2, which detects nothing. We also have mailsweeper, with norton av plug in. That doesn't detect anything either.

Where is coming from???

Any ideas would be most appreciated??

 

[Kento]

Well here's info on it:

http://securityresponse.symantec.com/avcenter/venc/data/w32.zoher@mm.html

 

[Pharquah]

Thanks for the pointer, I already checked it though...

 

[AVChap]

The fact that the files are already in quarantine means that NAV already detected them. Shouldn't pose too much problems. You can just delete them.

The problem here would seem to indicate that instead of NAV cleaning the virus (and probably deleting it), it chose to quarantine the files. Unless you've had it to quarantine in the first place, I'm not comfortable with having virus-infected files ANYWHERE on my network.

AVChap

 

[Pharquah]

That's the point - every machine in the network gets a full scan every day, and they ALL come out clean. And then at some ridiculous time of night these 3 zoher files (random file name.exe) appear in quarantine, and they were picked up from the %systemroot%\temp folder. Crazy.

 

[AVChap]

Send the files to Symantec. Have them check whether these files are causing a "false positive", which is not a good thing.

AVChap