After the fact, I down-graded my anti-virus definition files (I use both Norton and NAI mainly), turned on the heuristics to their 'highest level' (meaning that I turned them on... the little slide bar with three settings actually has two... off, off, and on.). I then scanned the original lovebug virus, nothing. I ran it, making sure that I had an on-access scanner turned on with heuristics, nothing. I tried this with both Norton and NAI. neither of their heuristic engines caught it. I have yet to find a heuristic engine that is capable of detecting anything but modified boot sector viruses.

Why didn't the anti-virus programs immediately analyze (or better yet, stop) any file with a .txt.vbs extension (or for that matter, a .gif.vbs? how about .mp3.vbs??) It's one of the oldest tricks in the book! The use of double-extensions is an obvious sign that something's wrong. How come the heuristics didn't pick that up?!?

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/32/1828#1828