
Fake System_Idle_Process.exe (notice the Underscores)

Created: 29 Sep 2013 | 2 comments

We have a W2K8 R2 64bit server that is infected with a rather persistent malware process. The process is "System_Idle_Process.exe". Please note the underscores in the process name. This is how it appears in the task manager. The legitimate System Idle Process entry does not contain the underscores.

This process consumes 98-99% of processor time, effectively creating a DOS condition on the infected machine. I have discovered its folder as C:\Windows\ltc-miner. I have been able to kill the process, which gives me control of the computer again. I've then deleted the C:\Windows\ltc-miner folder along with another folder that appears to be related (C:\Windows\tanechka).

There must be a Windows task set up to re-institute this bothersome bit of malware, because within a few minutes the process is active again and both folders are back (sometimes it takes a few hours, but it always comes back). In addition, the newly created "C:\windows\tanechka" folder will contain several references to the Trojan.Horse and Trojan.Gen.2 viruses, which Symantec Endpoint Protection catches and quarantines. Unfortunately, Endpoint Protection is offering no help removing the underlying problem of the System_Idle_Process.exe malware.


Has anyone else run into this?  Is there a known removal tool?  I've been searching the net for any reference to this, but have not found anything helpful.


Thanks in advance for any help...




You need to submit this file to Security Response. Have you tried running the Symantec Power Eraser on it?

Have a look here

How to collect and submit to Symantec Security Response suspicious files found by the SymHelp utility

Article:TECH203027  |  Created: 2013-02-21  |  Updated: 2013-05-23  |  Article URL http://www.symantec.com/docs/TECH203027


Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.


You may also submit the same to http://www.threatexpert.com to know how it is infecting the system, hence identify its load point.

Regards,

Giuseppe
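The original post suspects a scheduled task is recreating the miner, and the reply above recommends identifying the load point. The following script is an added example (not part of this thread, and not a Symantec tool) that enumerates the usual Windows persistence locations on a Server 2008 R2 host and flags any entry that references the indicators named in the thread (System_Idle_Process.exe, ltc-miner, tanechka). It uses only PowerShell 2.0 cmdlets and schtasks.exe, since Get-ScheduledTask is not available on 2008 R2. The function name Find-MinerPersistence and the indicator list are assumptions for this example.

```powershell
# Added example: locate the load point of the miner described in this thread.
# Indicator strings come from the thread; everything else is illustrative.
$Indicators = @('System_Idle_Process.exe', 'ltc-miner', 'tanechka')

function Test-Indicator {
    param([string]$Text)
    if (-not $Text) { return $false }
    foreach ($i in $Indicators) {
        if ($Text.IndexOf($i, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

function New-Finding {
    param([string]$Source, [string]$Name, [string]$Target)
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Target = $Target }
}

function Find-MinerPersistence {
    $findings = @()

    # 1. Scheduled tasks. The verbose CSV from schtasks.exe has a 'Task To Run' column
    #    holding the command each task launches; this works on Server 2008 R2.
    $tasks = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv
    foreach ($t in $tasks) {
        if (Test-Indicator $t.'Task To Run') {
            $findings += New-Finding 'ScheduledTask' $t.TaskName $t.'Task To Run'
        }
    }

    # 2. Services whose binary path points at the miner's folder.
    foreach ($s in (Get-WmiObject Win32_Service)) {
        if (Test-Indicator $s.PathName) {
            $findings += New-Finding 'Service' $s.Name $s.PathName
        }
    }

    # 3. Run / RunOnce registry keys (64-bit and WOW64 views, plus the current user).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
            if (Test-Indicator ([string]$p.Value)) {
                $findings += New-Finding 'RunKey' "$k\$($p.Name)" ([string]$p.Value)
            }
        }
    }

    # 4. Live processes matching the indicators, with their parent. The parent of the
    #    respawned miner (e.g. taskeng.exe for a scheduled task, services.exe for a
    #    service) is often the quickest pointer to the load point.
    foreach ($proc in (Get-WmiObject Win32_Process)) {
        if ((Test-Indicator $proc.Name) -or (Test-Indicator $proc.CommandLine)) {
            $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
            $parentName = if ($parent) { $parent.Name } else { '<exited>' }
            $findings += New-Finding 'Process' "$($proc.Name) (PID $($proc.ProcessId))" `
                "parent $parentName (PID $($proc.ParentProcessId)); cmd: $($proc.CommandLine)"
        }
    }

    return $findings
}

# Run from an elevated PowerShell prompt so WMI can read every process's command line.
Find-MinerPersistence | Format-Table Source, Name, Target -AutoSize -Wrap
```

Run it before killing the process: the Process row shows what spawned the miner, and the ScheduledTask, Service or RunKey rows show the entry that keeps bringing it back. Removing that entry first (and then the folders) is what stops the cycle described in the post; deleting the folders alone leaves the load point in place, which matches the behaviour reported.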