downloader.misleadapp affecting SAV console?
I had a client machine get infected with an unknown virus on 5/2. This machine was still running SAV corporate 10.1.5.5000 at the time. The symptom on the machine that brought it to my attention was a fake Windows Firewall message stating the machine was infected with win32.brontok.
What worries me is that when I went into Symantec System Center I found this machine listed three times. Once was showing as offline. Two were showing the user as logged off. None showed any infection. When the screen refreshed the two "logged off" references were gone.
I got the machine and isolated it. The "Windows Firewall" was running as Aestf16724249.exe and was trying to phone home to a fake AV website (I didn't put the URL in since I think that violates TOS). I've searched on both the filename and URL on Symantec.com and didn't find anything.
I've installed SEP 11 using the current defs and run a full scan. It identified it as a generic downloader.misleadapp. SEP seems to have cleaned it so I don't have a file to submit to support.
Has anyone run across one of these darn fake AV programs that can affect what is logged in the console?
Comments
Found a little info on our
Found a little info on our website about this particular trojan. If you want to read about it, the link is here http://www.symantec.com/security_response/writeup..... I haven't had any experience with this particular trojan so I don't want to comment on it affecting what is logged in on the console, although none of our tech notes suggest that this trojan should do anything of that sort. For future reference you could set SEP to quarantine first, clean second, so you can submit a report later on. This is always helpful.
Grant-
Please don't forget to mark your thread solved with whatever answer helped you : )
Unfortunately that's old
Unfortunately that's old information and pretty generic. I'm hoping to find some more information specific to what I had here.
Our normal setup is to quarantine then clean, but in this situation (the console not seeing an infection and creating multiple instances) I pulled it from the network so I could scan it. SEP cleaned it as soon as it saw it because without access to the network it didn't have access to the policies.
I did find a reference to the exe recently posted on a peer-to-peer site, so this might be a new variant ramping up.
You're Probably Right
You're right, this is probably a new variant. I talked to one of our other guys here about this, and he has not ever seen this happen. Although he suggests that the trojan might not have anything to do with the machine showing up multiple times in the SSC. There are legitimate reasons why it could show up multiple times, such as an IP address being changed, or a computer name being changed. That sort of thing. So maybe it doesn't have anything to do with the trojan at all? This is just an idea.
Cheers,
Grant
Please don't forget to mark your thread solved with whatever answer helped you : )
Well, the URL I didn't want
Well, the URL I didn't want to put in here has come onto Symantec's radar. There is a new writeup for it here:
http://www.symantec.com/security_response/writeup....
The machine didn't have this program's screen but had a fake Windows Firewall message pointing to this company's page (presumably to install the program).
Would passing this on be helpful?
No Threats Found
I have tried all of the recommendations on the site to remove win32.brontok. Full scan finds no threats. None of the values are in the registry. I had the foresight not to start the application that would start the download from the fake firewall message.
Any other ideas for removal?
We reimaged the machine
We reimaged the machine here. No point messing around.