Norton Installs Itself Like Malware and Then Asks Me “How Safe Is Your Computer?” Print E-mail
General
Written by Darwin Sanoy   
Wednesday, February 3, 2010 4:24pm

Quite amazing.  After I was away from my computer for a couple hours I came back to the below dialog window (Figure 1) asking me “How safe is your computer?”  Regardless of how safe my computer is or isn’t, I wouldn’t expect this from a company trying to get my security business back.  So I set about reverse engineering how it got there…

NortonSecurityScan

Figure 1 – Didn’t install any Norton products, nor any other products

If you like digging to the bottom of this kind of thing, keep in mind that we have two courses that teach these skills.  Win7 LUA/Non-Admin Application Integration Engineer (ENG-60) and Win7 Application Testing and Troubleshooting Technician (TEC-40)

It appears to have absolutely no registry footprint except for an uninstall key.

It waited until I rebooted to install and show itself.

The software is composed of valid Norton software as seen by the file signature in Figure 2 below.

Norton Signed Code

Figure 2 – The Code is From Symantec

I tracked it down to an installation of the Divx Web player.  I had visited racedayrush.com to check out fitness videos I could watch while on a cycling trainer.

Norton Security Scan piggy backed on this install just like malware.

At the bottom of this post I have included the install screens for the Divx Web player to show that there was no opt out offered and no notification that Norton Security Scan would be installed on my system.

Enjoying your read? Subscribe to our newsletter (without loosing your place in this article).
captcha
(Please ensure that the confirmation email clears your spam filter so that you will see future mailings.)

It appears that DivX installer, installs “C:\Program Files\DivX\Symantec\scstubinstaller.exe” and schedules it to run once on machine reboot.  Further evidences of this was found in an install log called %TEMP%\NSSSTUB.TXT.  The following line appears in the file:

“bDlg::CreateRunOnceKey Creating the run once post reboot key = C:\Program Files\DivX\Symantec\scstubinstaller.exe /runonce”

It would seem that scstubinstaller.exe then creates “C:\Program Files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\2.7.0.52\InstStub.exe” and associated files.

InstStub.exe then runs and installs Norton Security Scan into: “C:\Program Files\Norton Security Scan\Engine\2.7.0.52\Nss.exe”

I’m not going to write a book on all the things that are wrong with this, I’ll just say I think this kind of thing is creepy!

 

divx1

divx2

divx3

divx4

Figure 3 – Install Screens for Divx Web Player.
 

Add comment

Security code
Refresh