Endpoint Protection


Endpoint Protection 11 not picking up trojan trying to install over USB

  • 1.  Endpoint Protection 11 not picking up trojan trying to install over USB

    Posted Apr 21, 2009 08:47 PM

    I have a machine that is infected with a nasty trojan running as c:\windows\server.exe. It seems to have injected the computer via a USB drive, and now any USB drive plugged in gets infected. Endpoint 11.0.4014.26 is installed and doesn't find any problems.


    Using my machine (Vista SP1 x64) with Endpoint 11.0.4014.26 and the virus definitions "Tuesday, 21 April 2009 r34", I plug in an infected drive to scan it. It doesn't find any issue with the file that is being opened by the autorun.inf (hidden in the Recycler directory). I tried to upload the file to Symantec using https://submit.symantec.com/websubmit/retail.cgi but it has a 10MB limit and the file is 13,216,672 bytes. I have uploaded the hn.exe file in case anyone has any ideas on how to submit it, but be careful if you download it.

    Has anyone seen this trojan and been able to find / clean it with SEP?




     



  • 2.  RE: Endpoint Protection 11 not picking up trojan trying to install over USB

    Posted Apr 21, 2009 09:27 PM
    First disable autoplay. Start the computer in safe mode and delete the files.
    Then check if it is still coming back. Then it might be of a smaller size; then try to submit that.

    To disable autoplay
    http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/UserTips/Customization/DisableCDautoplayinWindowsXPPro.html


  • 3.  RE: Endpoint Protection 11 not picking up trojan trying to install over USB

    Posted Apr 21, 2009 09:39 PM
    If you have a maintenance agreement, better call support to get them to ID the file and create defs for it.
    As advised by "sav to sep", disabling autorun is a good security practice now, as it outweighs the convenience given.



  • 4.  RE: Endpoint Protection 11 not picking up trojan trying to install over USB

    Posted Apr 21, 2009 09:42 PM
    I have managed to install a scanner (Kaspersky) that found the virus as Work.Win32.Autorun.fon, but Symantec should have picked it up.

    Not sure how to clean it yet though.



  • 5.  RE: Endpoint Protection 11 not picking up trojan trying to install over USB

    Posted Apr 22, 2009 02:11 AM
    First and foremost, disable autoplay on the machine, and also you can use a device control policy to block the USB...


  • 6.  RE: Endpoint Protection 11 not picking up trojan trying to install over USB

    Posted Apr 22, 2009 02:40 AM
    Disable System Restore. Run the computer in safe mode and then try to delete the autorun.inf file from the pen drive. Run a full scan of the computer as well as the pen drive. Disable the autorun feature of Vista by issuing the following command: gpedit.msc.


  • 7.  RE: Endpoint Protection 11 not picking up trojan trying to install over USB

    Posted Apr 22, 2009 04:36 AM
    Also disable the System Restore option before scanning in safe mode.


    I would also suggest applying the RR definitions on the machine and then scanning it, as the RR definitions have the latest set of signatures.

    Please visit the link below to download the RR definitions.

    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    Rgrds,
    SAM


  • 8.  RE: Endpoint Protection 11 not picking up trojan trying to install over USB

    Posted Apr 22, 2009 03:12 PM
    One thing you can do when you have an infection that SEP is not detecting is to run the Loadpoint tool and send the log file to Symantec. And folks are right: always disable Autoplay. Not just for USB, but everything possible (floppy, CD, you name it). And disable System Restore. There is also a SEP Support tool you can run. It does a bit more than the Loadpoint tool does.


  • 9.  RE: Endpoint Protection 11 not picking up trojan trying to install over USB

    Posted Apr 22, 2009 03:43 PM
    Symantec does not detect autorun as it is just a text that contains the information about the actual file that it should execute. In the first place, if you disable autoplay no autoruns will be created.

    Did Kaspersky also detect the actual file? If it didn't, then I don't see a reason for scanning with Kaspersky.

    However, if you really wanna use a 3rd party antivirus to remove it, then I would suggest uploading the file to http://www.virustotal.com/ to find out which antivirus is detecting it, and then downloading a trial version of that antivirus to remove the infection.
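
Added example, not part of the thread or any poster's code: post 9 notes that autorun.inf is only text naming the file to execute, so this Python code reads an autorun.inf and lists the programs it would launch, flagging any that sit under a recycle-bin directory as described in post 1. The sample file content and the SID-style folder name are constructed; the function names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Directory names where an autorun target has no legitimate reason to live.
SUSPECT_DIRS = {"recycler", "recycled", "$recycle.bin"}
SHELL_VERB = re.compile(r"shell\\[^\\]+\\command")

# Constructed sample: only RECYCLER and hn.exe come from the thread.
SAMPLE = r"""
; junk comment line
[AutoRun]
open=RECYCLER\S-1-5-21-0000\hn.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\S-1-5-21-0000\hn.exe
"""

def command_path(value):
    """Program part of a command line (quoted, or first whitespace token)."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""

def launch_targets(text):
    """Return (key, path) for every [autorun] entry that starts a program."""
    section, found = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or SHELL_VERB.fullmatch(key):
                found.append((key, command_path(value)))
    return found

def triage(text):
    """List launch targets and flag those under a recycle-bin directory."""
    report = []
    for key, target in launch_targets(text):
        parents = [p.lower() for p in PureWindowsPath(target).parts[:-1]]
        report.append({"key": key, "target": target,
                       "in_recycle_dir": any(p in SUSPECT_DIRS for p in parents)})
    return report

if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
```

The paths it reports are the files to scan or submit, rather than the autorun.inf itself.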


  • 10.  RE: Endpoint Protection 11 not picking up trojan trying to install over USB

    Posted Apr 22, 2009 08:10 PM
    Can you post HijackThis logs here? It seems there is still a process running and infecting every USB you insert on the PC.