Endpoint Protection

 View Only

  • 1.  ATTACK on Symantec processes, LU, etc.

    Posted Jan 22, 2010 03:44 PM
    Originated from www.yahoo.com
    TWO users in a single office.
    One use Yahoo to search for weather,
    and another to search for a movie on disabilities.
    BOTH computers hit by a risk within a couple minutes of each other.
    What is/was it? I could not stop the processes, and I was not able to do a remote reboot of either computer - it was blocking attempts to shut down remotely.

    WARNING - beware of YAHOO..............
    Domain name: IVRS-SEP1
    Site name: IVRS-SEP01
    API:  
    Action: Block
    Test mode: No
    Windows domain: VRNTDOM1
    User Joelle.McDermott
    Server name: VRDSMSEP2
    Group name: My Company\Client Computers\Desktop
    Computer Name  
    Current: VR003160RKBH58B
    When event occurred: VR003160RKBH58B
     
    Event type: Tamper Protection
    Event time: 01/22/2010 14:16:26
    Severity: Minor
    Begin time: 01/22/2010 14:16:26
    End time: 01/22/2010 14:16:26
    Rule name:  
    Alert: Yes
    Send SNMP trap:  
    Caller Process ID: 2284
    Caller Process Name: C:/Documents and Settings/Joelle.McDermott/Local Settings/Application Data/owplwb/buyjsysguard.exe
    Target: C:/Program Files/Symantec/LiveUpdate/LUALL.EXE
    User name: Joelle.McDermott
    Description: "C:\Program Files\Symantec\LiveUpdate\LUALL.EXE"
    ---------------------------------------------------------------------------------------------------------------------------------------------

    Domain name: IVRS-SEP1
    Site name: IVRS-SEP01
    API:  
    Action: Block
    Test mode: No
    Windows domain: VRNTDOM1
    User Britney.A.McMahon
    Server name: VRDSMSEP2
    Group name: My Company\Client Computers\Desktop
    Computer Name  
    Current: VR003160RK4H58B
    When event occurred: VR003160RK4H58B
     
    Event type: Tamper Protection
    Event time: 01/22/2010 14:01:34
    Severity: Minor
    Begin time: 01/22/2010 14:01:34
    End time: 01/22/2010 14:01:34
    Rule name:  
    Alert: Yes
    Send SNMP trap:  
    Caller Process ID: 4016
    Caller Process Name: C:/Documents and Settings/Britney.A.McMahon/Local Settings/Application Data/lcxuuk/aicmsysguard.exe
    Target: C:/Program Files/Symantec/LiveUpdate/LuCallbackProxy.exe
    User name: Britney.A.McMahon
    Description: "C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe"


  • 2.  RE: ATTACK on Symantec processes, LU, etc.

    Posted Mar 05, 2010 06:29 AM
    Were you able to submit the the two executables mentioned in the logfile above?

    You can run the ESUG loadpoint and create a task just to be sure that the machine did not get infected.

    Aniket


  • 3.  RE: ATTACK on Symantec processes, LU, etc.

    Posted Mar 05, 2010 06:49 AM
    Have u submitted the sample of buyjsysguard.exe to symantec security response team ?


    Regards...
    Ramji Iyyer