Symantec 'security scan' distributes rootkit
By Thomas C Greene in Washington
Posted: 15/07/2003 at 15:01 GMT

"Symantec Security Check is a free web-based tool that enables users to
test their computer's exposure to a wide range of on-line threats," the
press release begins. Unfortunately, Symantec Security Check has also been
installing an on-line threat of its own in the form of a dangerous ActiveX
control.

"The ActiveX control, named Symantec RuFSI Utility Class or Symantec RuFSI
Registry Information Class, contains a buffer overflow exploit," the
company says, though we're nearly certain they mean that it's exploitable,
not that it's actually been infected with something. But you never know;
the press release is one of those waffly ones that doesn't quite tell you
everything you want to hear.

The buffer overflow can be exploited by hip Webmasters, and victims
turning up at their sites risk having malicious code run on their Windows
boxes.

The easiest way to get rid of the dangerous ActiveX control that security
experts Symantec have planted on your machine is to visit the Security
Check Web page again, submit to the security check once more, and allow
them to install a much better one in its place, which they are now
prepared to do.

Or, if you've had enough of their security expertise for now, you can, in
Symantec's words, "attempt to remove" the relevant file thus:

Boot to a DOS prompt and delete the file rufsi.dll from the
%Windir%\Downloaded Program Files\ directory.

Choose your poison.