Endpoint Protection


Bloodhound.Exploit.446

  • 1.  Bloodhound.Exploit.446

    Posted Jan 18, 2012 04:50 PM

    Hi all,

    One of our users just received an email with a Microsoft Publisher attachment. Upon receiving the file and opening it, SEP AV caught that there's a trojan virus: Bloodhound.Exploit.446. I had him forward me the email with the infected file.

    And this is the message that I get on the body of the email:

    Symantec Endpoint Protection found a security risk in an attachment from "user".

    Attachment: "filename".pub

    Security risk detected: Bloodhound.Exploit.446

    Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed

    File stated: Infected

     

    How do I fix this?

    I tried to google and search Symantec for this kind of Bloodhound.Exploit and no one has the .446.

    Please advise on how to proceed or should I open a case with support?

     

    Sym SEP 12.1.671.4971

     

    Thanks,

    Cp



  • 2.  RE: Bloodhound.Exploit.446

    Posted Jan 18, 2012 08:33 PM

    Bloodhound variants usually exploit the .lnk vulnerability in the system. Please ensure you have the latest OS patch. Please ensure you are not allowing your users to run .lnk files directly from USB or network drives. You can block it through the application control feature. Also, keep all your clients' defs up to date.

    I have checked for Bloodhound.Exploit.446; it's relatively new. On the Symantec site, there is hardly any information available.

    For more information on how to fight an infection in a controlled manner, please find the links for the step-by-step process.

    Best practices for troubleshooting viruses on a network

    http://www.symantec.com/business/support/index?page=content&id=TECH122466&actp=search&viewlocale=en_US&searchid=1326936325747

    I have infected systems - now what?

    http://www.symantec.com/security_response/infected_systems.jsp



  • 3.  RE: Bloodhound.Exploit.446

    Broadcom Employee
    Posted Jan 18, 2012 09:22 PM

    Since it is already detecting, update the system with the latest patches along with the latest virus definitions. Once updated, scan the system in safe mode.



  • 4.  RE: Bloodhound.Exploit.446

    Posted Jan 18, 2012 10:41 PM

    Bloodhound.exploit, also recognized as BloodhoundExploit, is an Internet Explorer and mail exploit virus. Bloodhound.exploit trojans are generally installed on your PC through pornographic adult sites, e-mail attachments, dubious P2P file sharing and shareware programs. Bloodhound.exploit uses fake Flash Player update pop-ups and system alerts. Bloodhound.exploit is a system exploit and hacker application that can steal your credit card, passwords and other private information.

    Bloodhound.exploit symptoms:

    • Corrupt registry files and "Blue Screen" errors
    • Bogus infection and "Your PC is infected" tray balloon alerts
    • Drop in PC performance: slow system startup, reboot, Windows freezes
    • Inability to change your desktop wallpaper
    • Strange running task processes
    • Deactivated pop-up blocker
    • Pornographic, casino and other adult-related ads
    • Reduced internet connection speeds, browser opens slowly
    • Bloodhound.exploit reactivates after being removed
    • Undisclosed tray icons and Windows shortcuts

    Bloodhound.exploit virus actions:

    • Generates third-party software and infects the PC via browser security holes
    • Tracks and deactivates firewall and antivirus software
    • Records and sends surfing history and registry information to remote servers
    • Logs Windows activity and system registry tracks
    • Logs surfing habits to generate matching pop-up advertisements

     

    Below is the standard procedure recommended by Symantec for common Bloodhound exploits:

     

    FOR BUSINESS USERS
    If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

    Identifying and submitting suspect files
    Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

     



    Removal Tool
     


    If you have an infected Windows system file, you may need to replace it using the Windows installation CD.


    How to reduce the risk of infection
    The following resource provides further information and best practices to help reduce the risk of infection.
    Protecting your business network



    MANUAL REMOVAL
    The following instructions pertain to all current Symantec antivirus products.

    1. Performing a full system scan
    How to run a full system scan using your Symantec product


    2. Restoring settings in the registry
    Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.



  • 5.  RE: Bloodhound.Exploit.446

    Posted Jan 18, 2012 11:11 PM

    Submit the sample to Symantec if it still fails to clean/quarantine/delete.

     

    Use the SEP Support Tool load point analysis to copy it.



  • 6.  RE: Bloodhound.Exploit.446

    Posted Jan 19, 2012 03:39 PM

    I have run the SEP Support Tool and have the .sdbz file.

    How do I submit it to Symantec?

     

    Thanks.



  • 7.  RE: Bloodhound.Exploit.446

    Posted Jan 19, 2012 07:51 PM

    I have opened a case with support and submitted the file.

     

    Thanks guys for all the feedback.

    Much appreciated.



  • 8.  RE: Bloodhound.Exploit.446

    Posted Jan 20, 2012 05:20 AM

    Cool. Did you run the load point analysis and copy the suspicious file?

     

    Let us know the outcome if you don't mind ;)

     



  • 9.  RE: Bloodhound.Exploit.446

    Posted Jan 20, 2012 05:04 PM

    Yes, I did all that.

    And TS told me to submit the file at submit.symantec.com.

     

    I don't know if they'll find the cure. The good thing is we have a VDI deployment, so I just need to recompose the desktop and the virus will go PUFF!

     

    Cheers!



  • 10.  RE: Bloodhound.Exploit.446

    Broadcom Employee
    Posted Jan 21, 2012 02:00 AM

    Hi,

    After submitting the sample file to Symantec, you might have received a tracking number.

    Could you please share it with us? I can also check the status of the submission.

     



  • 11.  RE: Bloodhound.Exploit.446

    Posted Jan 24, 2012 08:26 AM
    Hi CP,

    Did Symantec get back to you on this? We have the same scenario. Publisher file being emailed internally and getting the Bloodhound.Exploit.446 notification.

    Cheers,
    Steve


  • 12.  RE: Bloodhound.Exploit.446

    Posted Jan 25, 2012 05:48 AM

    They will have to. It's their job...

     

    Any update yet?



  • 13.  RE: Bloodhound.Exploit.446

    Posted Jan 27, 2012 12:33 PM

    Hi CP,
    Did Symantec get back to you on this? We have the same scenario: a Publisher file being emailed internally and getting the Bloodhound.Exploit.446 notification. I have also submitted a file, through our technology department, to Symantec on 1/10/12. I understand our technology department has a support case open with Symantec, likely since 1/11/12. If I had the support case number, I would provide it.



  • 14.  RE: Bloodhound.Exploit.446

    Posted Mar 01, 2012 04:53 PM

    Hello,

    We are seeing the same alert when users open a MS Publisher file.  The file was created on a local user's system and forwarded via outlook to other users.  When one person attempted to open it from outlook they received the Bloodhound.Exploit.446 alert.

    I believe we may have a false positive in our case. To test this, we saved the file out of Outlook to disk and scanned the file with SEP, which came up clean. We then tried opening the file from disk, and again SEP didn't alert on the file. We also tried launching the file from Outlook on a system running an earlier version of SEP. In that case the file opened and we didn't receive an alert.

    All systems were running an up-to-date version of Office 2010. The systems that gave the Bloodhound alert have SEP 12.1 RU1 installed. The system that didn't alert has SEP 11.0 RU7. All SEP clients have defs for March 1 2012 r1.

    I didn't submit the file to Symantec but did submit it to VirusTotal and ThreatExpert, both of which did not find any threats.

    Cheers,
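The save-to-disk test in the last post, and the sample submissions earlier in the thread, both benefit from two things being recorded before anything is sent off: the hash of the attachment (so the copy saved from Outlook and the copy scanned from disk can be shown to be byte-identical, which separates "the mail scanner and the on-access scanner disagree" from "the two copies differ") and a quick structural check that the .pub file is what it claims to be, since a truncated or half-quarantined attachment is a common cause of a heuristic detection that later scans cannot reproduce. The helper below is an added example, not code from this thread, from Symantec, or from SEP; Publisher .pub files are OLE2 compound files, and the header offsets used are those of the [MS-CFB] compound-file format. The sample file it checks is constructed inline and is not a real Publisher document.

```python
"""Triage helper for an attachment flagged by a heuristic (Bloodhound) signature.

Added example, not from the thread or from Symantec. Records the SHA-256 of the
attachment and checks that a .pub file is a structurally sane OLE2 compound
file. Header offsets follow [MS-CFB]; the sample bytes are constructed inline.
"""
import hashlib
import struct

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT = 0xFFFFFFFF      # DIFAT entry not in use
ENDOFCHAIN = 0xFFFFFFFE    # no mini FAT / no extra DIFAT sectors
HEADER_SIZE = 512
DIFAT_ENTRIES = 109        # FAT sector numbers stored in the header itself


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_ole2_header(data: bytes) -> dict:
    """Parse the compound-file header and validate its sector references.

    Raises ValueError with a short reason when the bytes are not a well-formed
    OLE2 container: wrong magic, unsupported version, or FAT/directory sectors
    that lie beyond the end of the file (what a truncated attachment looks like).
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than a compound-file header")
    if data[:8] != OLE2_MAGIC:
        raise ValueError("missing OLE2 magic: not a compound file")
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 24)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order mark 0x%04X" % byte_order)
    if (major, sector_shift) not in ((3, 9), (4, 12)) or mini_shift != 6:
        raise ValueError("unsupported version/sector shift %d/%d" % (major, sector_shift))
    (num_fat, first_dir, _txn, mini_cutoff, _first_minifat,
     _num_minifat, _first_difat, num_difat) = struct.unpack_from("<IIIIIIII", data, 44)
    sector_size = 1 << sector_shift
    total_sectors = (len(data) - HEADER_SIZE) // sector_size
    if first_dir >= total_sectors:
        raise ValueError("directory sector %d out of range (file has %d sectors)"
                         % (first_dir, total_sectors))
    # The first 109 FAT sector numbers live in the header's DIFAT array.
    for i in range(min(num_fat, DIFAT_ENTRIES)):
        (sect,) = struct.unpack_from("<I", data, 76 + 4 * i)
        if sect == FREESECT or sect >= total_sectors:
            raise ValueError("FAT sector %d out of range (file has %d sectors)"
                             % (sect, total_sectors))
    return {
        "version": (major, minor),
        "sector_size": sector_size,
        "total_sectors": total_sectors,
        "fat_sectors": num_fat,
        "first_dir_sector": first_dir,
        "mini_stream_cutoff": mini_cutoff,
        "difat_sectors": num_difat,
    }


def triage_attachment(data: bytes) -> dict:
    """Hash the bytes and report whether they form a valid OLE2 container."""
    result = {"sha256": sha256_hex(data), "size": len(data)}
    try:
        result.update(parse_ole2_header(data))
        result["ole2"] = True
    except ValueError as exc:
        result["ole2"] = False
        result["reason"] = str(exc)
    return result


def build_sample_pub(data_sectors: int) -> bytes:
    """Constructed sample: a minimal version-3 compound file (512-byte sectors)
    with one FAT sector at sector 0 and the directory at sector 1. Not a real
    Publisher document; it only exercises the header checks above."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = OLE2_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x003E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<IIIIIIII", hdr, 44, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<I", hdr, 76, 0)                 # FAT lives in sector 0
    for i in range(1, DIFAT_ENTRIES):
        struct.pack_into("<I", hdr, 76 + 4 * i, FREESECT)
    return bytes(hdr) + b"\x00" * (512 * data_sectors)


if __name__ == "__main__":
    intact = build_sample_pub(2)
    samples = (("intact", intact), ("truncated", intact[:600]), ("not-ole", b"MZ" + b"\x00" * 600))
    for label, blob in samples:
        print(label, triage_attachment(blob))
```

Run it against both the copy saved from Outlook and the copy that triggers the alert: matching SHA-256 values plus a clean structural parse point at the scanning path (mail scanner versus on-access scan, or the SEP 12.1 versus 11.0 difference noted above) rather than at the file, and the hash is also the identifier to quote when the sample is submitted to Symantec or looked up on VirusTotal. A file that fails with an "out of range" reason has been cut short somewhere between sender and recipient and should be re-obtained from the source before anyone concludes it is malicious.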