Endpoint Protection

I have seen these 2 files on practically every single share on my network, I have been manually deleting them 1 by 1.

I have SAV and SEP running, and what I do not understand is why either product is not picking up on these files and killing them. I have submitted both, the rondcw.exe is something called w32.harakit...I know how to delete this, I use SEP and Malwarebytes, and it removed it. I have a virtual machine that I am testing this on. The problem now is the lmoeam.exe, I ran that on the VM and I can not clean it. Malwarebytes will not run and Spy-bot is blocked from reaching out to the internet. I am picking these off one by one, but what I really need to know is WHY my AV (SAV/SEP) are NOT killing the initial files to begin with.  (rondcw.exe and lmoeam.exe)

Please advise

This garbage also changed the DNS entries, which prevented me from  updating S & D... Really need SAV/SEP to catch these files, they are not that new, and there is practically no documentation about these files. I have submitted both to symantec.

Thank you

These are most likely new threats. I am not finding anything on ThreatEpert or Symantec on these two files. Please let us know the outcome of your submission. You can try running the power eraser tool to remove these new threats.

http://www.symantec.com/business/support/index?page=content&id=TECH134803&locale=en_US

Thomas

Just to a symantec page where I do not see where to dl it...

Here you go - http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

If you right-click the file share and scan it SEP doesn't detect those files?

From the write up: The worm spreads through network shares, removable devices or instant messaging applications.

Which means it most likely uses open shares to spread. If you Password protect your shares it should stop it from spreading.

You may want to look at the following document:

Title: 'Best practices for troubleshooting viruses on a network'
Document ID: 2010011510455048
> Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010011510455048?Open&seg=ent
 

Here's the write up for the threat:

http://www.symantec.com/security_response/writeup.jsp?docid=2008-102011-5014-99&tabid=2

I can't right click and "scan the file" there is NO option in the right click menu to do this...

I've also encountered the kh* files with 0 bytes. The .exe files eludes me.

Even with the latest definitions on certains PCs - at least they have defs 2 years after the writeup. I still see those files popping up.

I submitted, then went and got the rapid release defs and it worked MUCH better!!!

If there's no option it must be a 64-bit machine. That option is not available on 64-bit Oses.

Thanks for that Bryan. I'm hoping that this would make it into the regular def updates in a day or 2. I think this is a new variant of an old malware.

Kool!