Symantec Not Capable of Detecting "Conflicker"

Created: 12 Jun 2009 23:00:51 GMT • Updated: 23 Jan 2014 18:34:48 GMT
So says the spam that couldn’t spell Conficker correctly. The spam noted that Symantec was working with Microsoft to create a patch for "Conflicker." According to the spam message, Conficker is also called "Troj/Brisv.A." Wow!

The spam is accompanied by a file named "remtool_conf.exe." The spammers have gone a step beyond simply spreading their Trojan: this file is actually a Symantec fixtool for Trojan.Brisv bundled together with the Trojan. So, when someone runs this file, they actually run the Symantec Brisv fixtool while the Trojan completes its own task. In this case, the dropped Trojan contacts a remote site in order to download another piece of malware, which is currently detected by Symantec products as Suspicious.MH690.A.

Below is a screenshot of the alleged fixtool file, which even uses the Symantec icon:

We gave the infection a run on a test machine. Almost immediately we saw our own EULA:

Unsuspecting users might think: "Yes, Symantec info. Can't go wrong!" True, but that's not all that can be had as a result of running the email attachment. Running the email attachment did a few things: it dropped the original (signed) Symantec Trojan.Brisv fixtool into a temporary folder; it dropped a Trojan into the same folder; and it ran the original fixtool. Here is a screenshot of the original fixtool and the Trojan sitting in a temporary folder:

One can see that this is indeed Symantec’s own legitimate fixtool. But, the Trojan file "webexplorer.exe" is basically a downloader. It contacts a remote site in order to download another file called "winupdate.exe." As you’ve guessed, that is also a Trojan and is currently detected as Suspicious.MH690.A.
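The behaviour described in the last two paragraphs (one parent process drops a signed vendor tool and an unsigned executable into a temp folder, runs both, and the unsigned one then fetches a second stage) is a pattern a defender can correlate from endpoint telemetry. The following Python is an added example, not code from the original post or from Symantec. It uses a constructed, simplified event schema (`kind`, `pid`, `ppid`, `image`, `path`, `signed`, `dest`) rather than any real sensor's field names, and the sample events, user path, inner fixtool filename and remote address are all constructed placeholders (the post does not name the fixtool file or the remote site).

```python
"""Correlate constructed endpoint events to flag a legitimate signed tool
bundled with an unsigned downloader (hypothetical, simplified schema)."""
from collections import defaultdict

TEMP_MARKER = "\\temp\\"  # crude check: any path with a \Temp\ component


def _norm(path):
    return path.lower()


def in_temp_dir(path):
    return TEMP_MARKER in _norm(path)


# Constructed sample telemetry modelled on the post's description.
# Filenames other than remtool_conf.exe, webexplorer.exe and winupdate.exe
# are placeholders; the IP is from the TEST-NET-3 documentation range.
EVENTS = [
    {"kind": "process", "pid": 100, "ppid": 1, "signed": False,
     "image": r"C:\Users\u\Downloads\remtool_conf.exe"},
    {"kind": "file", "pid": 100, "path": r"C:\Users\u\AppData\Local\Temp\fixtool_placeholder.exe"},
    {"kind": "file", "pid": 100, "path": r"C:\Users\u\AppData\Local\Temp\webexplorer.exe"},
    {"kind": "process", "pid": 101, "ppid": 100, "signed": True,
     "image": r"C:\Users\u\AppData\Local\Temp\fixtool_placeholder.exe"},
    {"kind": "process", "pid": 102, "ppid": 100, "signed": False,
     "image": r"C:\Users\u\AppData\Local\Temp\webexplorer.exe"},
    {"kind": "network", "pid": 102, "dest": "203.0.113.10:80"},
    {"kind": "file", "pid": 102, "path": r"C:\Users\u\AppData\Local\Temp\winupdate.exe"},
]

# Constructed benign case: a signed installer drops one signed helper that
# checks for updates. Only one executable is dropped, so no finding.
BENIGN_EVENTS = [
    {"kind": "process", "pid": 200, "ppid": 1, "signed": True,
     "image": r"C:\Users\u\Downloads\vendor_setup.exe"},
    {"kind": "file", "pid": 200, "path": r"C:\Users\u\AppData\Local\Temp\helper.exe"},
    {"kind": "process", "pid": 201, "ppid": 200, "signed": True,
     "image": r"C:\Users\u\AppData\Local\Temp\helper.exe"},
    {"kind": "network", "pid": 201, "dest": "203.0.113.20:443"},
]


def find_bundled_droppers(events):
    """Return findings for parents that wrote >=2 executables into a temp
    directory, launched at least one signed and one unsigned child from them,
    and whose unsigned child connected out (and optionally wrote more code)."""
    procs, children = {}, defaultdict(list)
    drops = defaultdict(set)            # pid -> .exe paths it wrote into a temp dir
    net_pids = set()                    # pids that opened an outbound connection
    post_net_writes = defaultdict(set)  # pid -> .exe paths written after connecting
    for e in events:
        if e["kind"] == "process":
            procs[e["pid"]] = e
            children[e["ppid"]].append(e)
        elif e["kind"] == "network":
            net_pids.add(e["pid"])
        elif e["kind"] == "file":
            p = _norm(e["path"])
            if not (p.endswith(".exe") and in_temp_dir(p)):
                continue
            bucket = post_net_writes if e["pid"] in net_pids else drops
            bucket[e["pid"]].add(p)

    findings = []
    for parent, written in drops.items():
        if len(written) < 2:
            continue
        launched = [c for c in children[parent] if _norm(c["image"]) in written]
        signed = [c for c in launched if c["signed"]]
        downloaders = [c for c in launched
                       if not c["signed"] and c["pid"] in net_pids]
        if not signed or not downloaders:
            continue
        second_stage = set()
        for d in downloaders:
            second_stage |= post_net_writes[d["pid"]]
        findings.append({
            "dropper": _norm(procs[parent]["image"]) if parent in procs else parent,
            "signed_decoy": sorted(_norm(c["image"]) for c in signed),
            "downloader": sorted(_norm(c["image"]) for c in downloaders),
            "second_stage": sorted(second_stage),
        })
    return findings


if __name__ == "__main__":
    for f in find_bundled_droppers(EVENTS):
        print("bundled dropper:", f)
    print("benign findings:", find_bundled_droppers(BENIGN_EVENTS))
```

The rule deliberately keys on the combination rather than any single signal: a signed executable in a temp folder is routine, and so is an unsigned downloader on its own, but a parent that drops both, runs both, and whose unsigned child is the one talking to the network is the decoy pattern this post describes.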

The moral of the story? If you have a need to run a Symantec fixtool, go to the Symantec website and download it for free. Oh, and please avoid clicking on random attachments. And to be clear, Trojan.Brisv has nothing to do with W32.Downadup, a.k.a. Conficker (not "Conflicker"). Symantec products have detected and will continue to detect Downadup/Conficker-related files as such.
