Endpoint Protection

  • 1.  Does anyone have experience with W32.Ircbrute?

    Posted May 06, 2010 06:33 PM
    We had an unusual day today with a lot of Virus Alert messages; I wonder if anyone on the forum can help us make sense of the information we received.

    It started in the morning, when one of our computers generated 146 alerts for W32.Ircbrute.  These alerts all showed a File/Path of "Unavailable" and an Actual Action of "Details Pending."  Then, at noon, when we ran a scheduled scan, we got another wave of detects for this threat, but this time the file/path pointed to System Restore files, and the action was "Cleaned by Deletion."   The flagged files were all named "Desktop.ini" or "A000nnnn.ini".

    All the infected computers are in a single bureau in our agency, though they are in multiple physical locations.  The Symantec information page for W32.Ircbrute says this worm spreads by removable media.  Several of the affected users had thumb drives or external drives on their computers, but they did not use these devices to exchange files with others in the bureau.  On the other hand, everyone in the bureau got an email earlier this week with a JPEG attachment.

    So I have some questions for anyone who might care to answer:
    1. Is it reasonable to suspect that the JPEG attachment is the vector of this worm?  It was not on removable media, but it's the only thing all the infected computers have in common, as far as we can tell.
    2. Does anybody have a theory about the 146 "Unavailable" detects?  They came in pretty quick succession, and we can't figure out what event might have triggered them.
    3. The JPEG file has apparently been sitting on these computers, in many cases, for a few days.  Is it possible that we got a wave of detects today because of an update in the Symantec definitions for W32.Ircbrute on May 5 or 6, or should we look for a triggering event on these computers?
    4. If anyone out there has had to deal with W32.Ircbrute infections, was it hard to clean them up?  Did they cause any serious damage on your network?
    I don't usually ask the Symantec community for help on issues like these, but we're puzzled.

    (By the way, the computers that returned these detects are all running SAV 10.1.7)


  • 2.  RE: Does anyone have experience with W32.Ircbrute?

    Posted May 06, 2010 08:56 PM

    We have just had a single detection which was caught and cleaned by deletion as part of an auto protect scan. Maybe the Auto protect scan triggered the infection? We seem to get a few through removable drives at the moment.

    SEP also found a registry entry which was deleted, so maybe that is where it is coming from.

    Registry key was

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}


  • 3.  RE: Does anyone have experience with W32.Ircbrute?

    Posted May 10, 2010 04:16 AM
    I observed the same as well in my environment, where we have lots of computers detecting W32.IrcBrute all of a sudden.

    I could only conclude that the viruses had in fact been on this machine, but the AV was unable to detect this new variant until last Friday, when its virus pattern file got updated.

    Does that sound reasonable?

    Andy


  • 4.  RE: Does anyone have experience with W32.Ircbrute?

    Posted May 11, 2010 05:16 PM
    We started seeing a wave of W32.Ircbrute detects on Thursday, and it looked to us like the detects came after a definition update.
    We're still seeing a trickle of new detects, but it has mostly died down.

    Did anybody notice any signs that this worm caused any actual damage?  We've been looking for communications with malicious servers, and other questionable activity, but we haven't seen anything.


  • 5.  RE: Does anyone have experience with W32.Ircbrute?

    Trusted Advisor
    Posted Aug 10, 2010 11:19 AM
    Hello,

    I am working on a Case, where we have detected a New Variant of the Threat W32.IRCBrute.

    Summary
    =======

    The sample is a worm that spreads by copying itself to removable drives and
    contacts a remote server for instructions.


    Symptoms
    ========

    Presence of the following files:
    %DriveLetter%\RECYCLER\[SID]\Desktop.ini
    %DriveLetter%\RECYCLER\[SID]\csrxx.exe
    %SystemDrive%\RECYCLER\[SID]\Desktop.ini
    %SystemDrive%\RECYCLER\[SID]\csrxx.exe
    Presence of the following registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAX5-00401C608512}\"StubPath" = "%SystemDrive%\RECYCLER\[SID]\csrxx.exe"



    Technical Description
    =====================

    When executed, the worm injects itself into explorer.exe and copies itself as
    the following file:
    %SystemDrive%\RECYCLER\[SID]\csrxx.exe (W32.Ircbrute)
    It then creates the following file:
    %SystemDrive%\RECYCLER\[SID]\Desktop.ini
    Next, the worm creates the following registry entry so that it runs every time
    Windows starts:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAX5-00401C608512}\"StubPath" = "%SystemDrive%\RECYCLER\[SID]\csrxx.exe"
    It then copies itself to all removable drives as the following files:
    %DriveLetter%\RECYCLER\[SID]\Desktop.ini
    %DriveLetter%\RECYCLER\[SID]\csrxx.exe (W32.Ircbrute)
    It then creates the following file so that it runs when the above drives are
    accessed:
    %DriveLetter%\autorun.inf
    Then it contacts an IRC server at
    usb.mizitike.info:3498

    Disinfection
    ============

    Delete the following files:
    %DriveLetter%\RECYCLER\[SID]\Desktop.ini
    %DriveLetter%\RECYCLER\[SID]\csrxx.exe
    %DriveLetter%\autorun.inf
    %SystemDrive%\RECYCLER\[SID]\Desktop.ini
    %SystemDrive%\RECYCLER\[SID]\csrxx.exe
    Delete the following registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAX5-00401C608512}\"StubPath" = "%SystemDrive%\RECYCLER\[SID]\csrxx.exe"

    To know more about the threat (W32.Ircbrute):
    W32.Ircbrute
    ThreatExpert's Statistics for W32.Ircbrute [Symantec]
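A defender-side check for the artifacts the post above lists (the csrxx.exe dropper under RECYCLER\[SID], an autorun.inf that launches from RECYCLER, and the Active Setup StubPath persistence entry), written as an added example rather than code from Symantec or the thread. It assumes a .reg export of the Active Setup key and a drive root to walk; the SID folder name and registry text are constructed sample data, and the autorun.inf content is an assumption since the post does not quote it.

```python
import os
import re
import tempfile

# Indicators are the ones listed in the post's Symptoms section; the checks are an
# added defender-side script, not Symantec's tooling. Sample data is constructed.
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
KEY_LINE = re.compile(r"^\[(.+)\]\s*$")
VALUE_LINE = re.compile(r'^"StubPath"="(.+)"\s*$', re.IGNORECASE)

def scan_drive_root(root):
    # Returns (indicator, path) pairs for the worm's file artifacts under one drive root.
    hits = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, errors="replace") as fh:
            body = fh.read().lower()
        # an autorun.inf whose open=/shellexecute= target lives in RECYCLER is the spread hook (assumed layout)
        if "recycler" in body and re.search(r"^(open|shellexecute)=", body, re.M):
            hits.append(("autorun.inf launching from RECYCLER", autorun))
    recycler = os.path.join(root, "RECYCLER")
    for sid in (os.listdir(recycler) if os.path.isdir(recycler) else []):
        sid_dir = os.path.join(recycler, sid)
        for name in (os.listdir(sid_dir) if os.path.isdir(sid_dir) else []):
            if name.lower() == "csrxx.exe":  # the dropper; Desktop.ini alone is normal in RECYCLER
                hits.append(("RECYCLER\\[SID]\\csrxx.exe", os.path.join(sid_dir, name)))
    return hits

def find_stubpath_iocs(reg_text):
    # Parses a .reg export; returns (GUID, StubPath) for Active Setup entries pointing into RECYCLER.
    found, current = [], None
    for line in reg_text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1) if m.group(1).lower().startswith(ACTIVE_SETUP.lower()) else None
        elif current and (v := VALUE_LINE.match(line)) and "recycler" in v.group(1).lower():
            found.append((current.rsplit("\\", 1)[-1], v.group(1).replace("\\\\", "\\")))
    return found

def demo():
    # Builds a constructed drive layout and registry export matching the post, then runs both checks.
    root = tempfile.mkdtemp()
    sid_dir = os.path.join(root, "RECYCLER", "S-1-5-21-1111-2222-3333-500")  # constructed SID
    os.makedirs(sid_dir)
    open(os.path.join(sid_dir, "csrxx.exe"), "w").close()
    open(os.path.join(root, "autorun.inf"), "w").write("[autorun]\nopen=RECYCLER\\S-1-5-21-1111-2222-3333-500\\csrxx.exe\n")
    reg = ("[" + ACTIVE_SETUP + r"\{08B0E5C0-4FCB-11CF-AAX5-00401C608512}]" + "\n"
           + r'"StubPath"="C:\\RECYCLER\\S-1-5-21-1111-2222-3333-500\\csrxx.exe"' + "\n")
    return scan_drive_root(root), find_stubpath_iocs(reg)
```

On a live host the same two functions would be pointed at each mounted drive letter and at a `reg export` of the Active Setup key; a hit on csrxx.exe or the StubPath entry is the persistence the Disinfection section tells you to remove.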