I have come across a virus that Symantec could not detect (as of March 21, 2005). The symptoms are:
- cannot open Word or Excel
- machine hangs up
- Symantec crashes
- regedit and Task Manager close immediately
By using the rename trick (copy regedit.exe and rename it to regedit.com), I was able to open the registry and check out what is in the Run key.
Under these two keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
is the value IPOT USB Service DRV32, which runs the file hpsebc08.exe. The file is hidden and located under C:\Windows\System32. If you do a search for hpsebc08, you'll also find a Prefetch file (.pf) for it.
Symantec does pick up another file that it drops, msdirectx.sys, which is detected under the generic name Hacktool.Rootkit. This virus attempts to connect to an outside server at IP address 140.123.176.237 on port 19899.
I submitted a virus sample to Symantec and they have provided a Rapid Release definition, so the next public update should be able to detect this Spybot variant.
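The indicators above (the Run/RunOnce value name, the dropped hpsebc08.exe, and the outbound connection to 140.123.176.237:19899) can be checked without regedit or Task Manager, which this sample kills, by capturing `reg query` and `netstat -an` output to a file and matching against it. The script below is an added example, not part of the original post; the indicator values are taken from the post, while the `reg query` and `netstat` output it parses is constructed for illustration (Windows XP-era layout is assumed, and Run data is assumed to be a bare path with no arguments).

```python
"""Triage helper for the indicators in the post above: the Run/RunOnce value
"IPOT USB Service DRV32" launching hpsebc08.exe, and the outbound connection
to 140.123.176.237:19899. It runs over captured `reg query` and `netstat -an`
output, so it works on a box where Task Manager and regedit get killed."""

import re
from typing import Dict, List, Optional, Tuple

# Indicators taken from the post.
SUSPICIOUS_VALUE_NAME = "IPOT USB Service DRV32"
SUSPICIOUS_BINARY = "hpsebc08.exe"
C2_HOST, C2_PORT = "140.123.176.237", 19899

# Constructed sample of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"`
# output in the Windows XP reg.exe layout. The benign entries are made up.
SAMPLE_REG_QUERY = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ccApp    REG_SZ    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    IPOT USB Service DRV32    REG_SZ    C:\WINDOWS\System32\hpsebc08.exe
    SunJavaUpdateSched    REG_SZ    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
"""

# Constructed sample of `netstat -an` output; only the first TCP row is the indicator.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:1045      140.123.176.237:19899  SYN_SENT
  TCP    192.168.1.10:1046      207.46.130.108:80      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# One reg.exe value line: <name> <type> <data>, with runs of spaces between fields.
_REG_LINE = re.compile(r"^\s*(.+?)\s+(REG_(?:EXPAND_)?SZ)\s+(.*?)\s*$")


def parse_reg_query(text: str) -> List[Tuple[str, str]]:
    """Return (value_name, data) pairs for every string value in reg.exe output."""
    entries = []
    for line in text.splitlines():
        m = _REG_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(3)))
    return entries


def find_suspicious_autoruns(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flag Run entries whose value name, or whose launched binary, matches the indicators."""
    hits = []
    for name, data in entries:
        # Strip surrounding quotes and keep the file name only. The post reports no
        # command-line arguments, so the data is assumed to be a bare path.
        exe = data.strip('"').replace("/", "\\").split("\\")[-1].lower()
        if name.lower() == SUSPICIOUS_VALUE_NAME.lower() or exe == SUSPICIOUS_BINARY:
            hits.append((name, data))
    return hits


def _split_endpoint(addr: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' into (host, port); '*:*' and similar yield port None."""
    host, _, port = addr.rpartition(":")
    return host, int(port) if port.isdigit() else None


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Parse `netstat -an` rows into dicts with proto, local, foreign and state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            rows.append({
                "proto": parts[0],
                "local": _split_endpoint(parts[1]),
                "foreign": _split_endpoint(parts[2]),
                "state": parts[3] if len(parts) > 3 else "",
            })
    return rows


def find_c2_connections(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return TCP rows whose foreign endpoint is the server named in the post."""
    return [r for r in rows if r["proto"] == "TCP" and r["foreign"] == (C2_HOST, C2_PORT)]


def triage(reg_text: str, netstat_text: str) -> Dict[str, list]:
    """Run both checks over captured command output and return the hits."""
    return {
        "autoruns": find_suspicious_autoruns(parse_reg_query(reg_text)),
        "connections": find_c2_connections(parse_netstat(netstat_text)),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_REG_QUERY, SAMPLE_NETSTAT).items():
        for hit in hits:
            print(f"[!] {kind}: {hit}")
```

Feed it the real output (`reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" > run.txt` and `netstat -an > net.txt`, repeated for RunOnce) rather than the embedded samples; the half-open SYN_SENT state in the sample is what a connection attempt to an unreachable server looks like, so the match is on the endpoint, not the state.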
http://www.antisource.com/article.php/spybot-hpsebc08-msdirectx