Endpoint Protection


ljyxoa.exe - ??? Found "something" on a French site about where to get bots.

  • 1.  ljyxoa.exe - ??? Found "something" on a French site about where to get bots.

    Posted Mar 25, 2010 03:14 PM
    Any idea what this is?  I've got it in a system here, but nobody lists it as a threat.  Or anything at all.

    Keeps returning..  Drags down the CPU..  etc.



  • 2.  RE: ljyxoa.exe - ??? Found "something" on a French site about where to get bots.

    Posted Mar 25, 2010 03:20 PM

    I'm not finding anything on Threat Expert or Google. If you can grab the file, then submit it to Security Response for analysis.

    http://www.symantec.com/business/security_response/submitsamples.jsp


  • 3.  RE: ljyxoa.exe - ??? Found "something" on a French site about where to get bots.

    Posted Mar 25, 2010 03:21 PM
    Submit the file to https://submit.symantec.com/basic (depending on your support contract with Symantec).

    Also check the file in threatexpert.com or virustotal.com


  • 4.  RE: ljyxoa.exe - ??? Found "something" on a French site about where to get bots.

    Posted Mar 25, 2010 03:50 PM

    Best practices for responding to active threats on a network

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/52f4f4d80ac9a7b2882576ac0067121c?OpenDocument

    How to use Application and Device Control to limit the spread of a threat.

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/5b5f6319ba48fda5882575990075e260?OpenDocument


    Those two guides should help keep the threat from spreading. I really hope you do submit this virus. I have not seen any mention of this specific one on any site. Also, as you mentioned, zero hits on Google, which is unusual.

    Cheers
    Grant


  • 5.  RE: ljyxoa.exe - ??? Found "something" on a French site about where to get bots.

    Posted Mar 25, 2010 04:01 PM

    I grabbed it onto CD, two files.  One in C:\Windows, one in "Prefetch".  I deleted it off the machine.

    Here is the issue.  Can I submit from the CD without risking it getting loose?  I'm doing this without our IT folks' help.  They did the Google search, came up empty, and say "it must not be a problem".

    I can handle the submission, I just don't want to spread this thing by mistake.  It has been almost a decade since I ran Servers, I'm a little out of date.



  • 6.  RE: ljyxoa.exe - ??? Found "something" on a French site about where to get bots.

    Posted Mar 25, 2010 04:14 PM
    Please keep the forum posted on the outcome of your submission. If possible please provide your submission number and support can check on the status as well.

    Thanks,
    Thomas


  • 7.  RE: ljyxoa.exe - ??? Found "something" on a French site about where to get bots.

    Posted Mar 25, 2010 05:24 PM
    OK, I had to send as two submissions.

    First One: #15156624, was the .pl file from the Prefetch folder.
        That one came back closed as No Trouble Found in less than a minute. (Yea, sounds like automated rundown from a list.  How do you check something new out?)

    Second One: #15156634, was the .exe from C:\Windows.
         That I haven't heard anything on yet.

    I'll keep you posted.  Anyone find anything out about it?  I've never seen an .exe with this little traffic, good or bad.



  • 8.  RE: ljyxoa.exe - ??? Found "something" on a French site about where to get bots.

    Posted Mar 26, 2010 01:08 PM

    The prefetch file is essentially a pointer to the actual file and is not in and of itself malicious.  The other submission still shows as 'open'.

    The file name looks randomly generated, which may be why you can find little info on it.

    sandra
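
Triage along the lines discussed in this thread, as an added example that is not part of any post: it fingerprints a sample by reading its bytes only (so it can be looked up by hash rather than by a random-looking file name) and treats Prefetch entries as pointers to the executable. It assumes the standard Windows Prefetch naming `NAME.EXE-<8 hex digits>.pf`; the sample bytes and the directory listing are constructed.

```python
import hashlib
import io
import re

# Standard Windows Prefetch naming: EXECUTABLE.EXE-<8 hex digit path hash>.pf
PREFETCH_RE = re.compile(r"^(?P<exe>.+)-(?P<path_hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

def parse_prefetch_name(filename):
    """Return (executable_name, path_hash) for a Prefetch file name, else None."""
    m = PREFETCH_RE.match(filename)
    if not m:
        return None
    return m.group("exe").upper(), m.group("path_hash").upper()

def prefetch_hits(prefetch_filenames, exe_name):
    """Prefetch entries that point at exe_name, i.e. evidence that it was run."""
    wanted = exe_name.upper()
    hits = []
    for name in prefetch_filenames:
        parsed = parse_prefetch_name(name)
        if parsed and parsed[0] == wanted:
            hits.append(name)
    return hits

def fingerprint(stream, chunk_size=65536):
    """Hash a sample from a binary stream; the file is read, never loaded or run."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    magic, size = b"", 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        if size == 0:
            magic = chunk[:2]          # first two bytes of the file
        size += len(chunk)
        md5.update(chunk)
        sha256.update(chunk)
    return {"size": size, "looks_like_pe": magic == b"MZ",
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

if __name__ == "__main__":
    # Constructed stand-ins: a 64-byte buffer with an "MZ" header and a fake listing.
    sample = io.BytesIO(b"MZ" + b"\x00" * 62)
    listing = ["LJYXOA.EXE-1A2B3C4D.pf", "NOTEPAD.EXE-0F1E2D3C.pf", "Layout.ini"]
    print(fingerprint(sample))                   # search these hashes, not the name
    print(prefetch_hits(listing, "ljyxoa.exe"))  # Prefetch entries for the sample
```

To fingerprint a real copy, pass a file opened with `open(path, "rb")` instead of the `BytesIO` buffer.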


  • 9.  RE: ljyxoa.exe - ??? Found "something" on a French site about where to get bots.

    Posted Mar 26, 2010 02:54 PM
    Interesting.

    I don't entirely think the name is random.  (Or entirely random.)  But I can fill in more on that when I get some time, I'll dig into it over the weekend.

    Thanks,  I'm waiting with bated breath.






  • 10.  RE: ljyxoa.exe - ??? Found "something" on a French site about where to get bots.

    Posted Mar 26, 2010 04:58 PM
    One: ljy is a trojan.

    Two: xoa is a surname.

    Three: Liy is a first name. (Not that any of this matters, but it is interesting.)

    Four: We really, really need to keep more computers physically isolated from the Net.  I swear that most of the garbage comes on through ports that don't need to be connected. 










  • 11.  RE: ljyxoa.exe - ??? Found "something" on a French site about where to get bots.



  • 12.  RE: ljyxoa.exe - ??? Found "something" on a French site about where to get bots.

    Posted Mar 30, 2010 08:01 AM
    Nothing back yet.  I don't know the response time for this stuff, but I am up on my toes.


  • 13.  RE: ljyxoa.exe - ??? Found "something" on a French site about where to get bots.

    Posted Mar 30, 2010 11:21 AM

    I just checked your submission, and it is still showing as open and undetermined.  I'm not sure what the current expected turnaround time is right now.

    sandra