Symantec answered back with this although I disagree with their analysis:
: [CLOSING]: Symantec Security Response Automation: Tracking #4843119
We have analyzed your submission. The following is a report of our
findings for each file you have submitted:
filename: A:\cftmon.exe
machine:
result: This file is infected with W32.Spybot.Worm
http://securityresponse.symantec.com...ybot.worm.html
Developer notes:
A:\cftmon.exe is a non-repairable threat. NAV with the latest rapidrelease definition detects this. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest rapidrelease definitions.
Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.
Symantec is now building a new set of definitions to include the threat you have submitted. The approximate time to complete this process is one hour. We recommend checking the ftp site periodically over the next 60 to 90 minutes to download these definitions as soon as they are available.
MY Personal Wrap-up Rant:
More or less, they are telling me that a year-old worm has infected a bunch of workstations that have the latest SAV signatures. Hmmmmmmm, so then I checked their site for information on this worm, but again, the description does not match this variant, so perhaps the mechanics are similar, but the sample I submitted, without question, is a variant, not the actual worm they are coming back at me with. If it was, there wouldn't be a need for a rapid response definition they provided to me.
Anyway, case closed.



