Symantec 'security scan' distributes rootkit By Thomas C Greene in Washington Posted: 15/07/2003 at 15:01 GMT "Symantec Security Check is a free web-based tool that enables users to test their computer's exposure to a wide range of on-line threats," the press release begins. Unfortunately, Symantec Security Check has also been installing an on-line threat of its own in the form of a dangerous ActiveX control. "The ActiveX control, named Symantec RuFSI Utility Class or Symantec RuFSI Registry Information Class, contains a buffer overflow exploit," the company says, though we're nearly certain they mean that it's exploitable, not that it's actually been infected with something. But you never know; the press release is one of those waffly ones that doesn't quite tell you everything you want to hear. The buffer overflow can be exploited by hip Webmasters, and victims turning up at their sites risk having malicious code run on their Windows boxes. The easiest way to get rid of the dangerous ActiveX control that security experts Symantec have planted on your machine is to visit the Security Check Web page again, submit to the security check once more, and allow them to install a much better one in its place, which they are now prepared to do. Or, if you've had enough of their security expertise for now, you can, in Symantec's words, "attempt to remove" the relevant file thus: Boot to a DOS prompt and delete the file rufsi.dll from the %Windir%\Downloaded Program Files\ directory. Choose your poison.