
New risk issue

Created: 23 Apr 2013 • Updated: 23 Apr 2013 | 10 comments
Barkah MLPT

Hello,

I have a new risk issue that happened on my clients. All MS Word (.doc) files that exist on the hard drive have been turned into .exe files. When I check the SEP 11.0 that is installed on my clients, it shows no symptoms of the risk. I've tried scanning with SEP, but no virus was detected.

But on one of my clients that uses AVG software, it detects that the file (.exe) has been infected by Trojan Horse Generic26.CBGM.

For anyone who has experienced this issue, please share your information with me! Is this issue truly caused by a trojan?

Thanks
Barkah


Brɨan

Sounds like Symantec does not have a definition for this variant, or it is a new one.

Submit to Security Response so they can create a new definition:

https://submit.symantec.com/websubmit/gold.cgi

Also, submit to Virustotal to confirm:

https://www.virustotal.com/en/

Try running a few of the tools mentioned here to help clean up the infection:

https://www-secure.symantec.com/connect/forums/you...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi

Hello,

Are you running the SEP 11.x client with the latest definitions, and do you have all the latest Microsoft updates and security patches on the machine?

Run a scan in Safe Mode with Networking to remove the virus.

Could you zip each of the folders and submit the zip files (without a password) to the Symantec Security Response Team at:

https://submit.symantec.com/websubmit/essential.cgi

We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

http://www.symantec.com/docs/TECH99222

In your case, it is also advisable to follow a few important steps:

1) Make sure all these machines are patched with ALL the latest MS security patches and service packs.

2) Make sure the machines have the latest Symantec virus definitions installed.

3) Disable the Autorun feature on the machine via GPO. http://support.microsoft.com/kb/967715

4) Disable System Restore before you do this, as the virus also creates entries in the System Restore Points store volumes.

Also, check this Article:

Using the Symantec Help (SymHelp) Tool, how do we collect the suspicious files and submit them to the Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Riya31

Open cmd, browse to the C drive and run the following command.

"Attrib /s | findstr SHR"

This will list all running processes. Try to figure out the genuine processes; if you suspect some files, submit them to

https://submit.symantec.com/websubmit.

Repeat the same for all hard drives.

You can also run the HijackThis utility.
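The command in the post above reports files carrying the System, Hidden and ReadOnly attributes. The script below is an added example, not code from the thread or from Symantec: it sweeps the chosen folders for .exe files that either have all three of those attributes set or carry a document-style double extension (for example report.doc.exe), checks whether the document the file is named after still exists, and records size, attributes and SHA-256 so the hashes can be checked on VirusTotal and the files zipped for the Symantec submission portal. It assumes an elevated PowerShell 4.0 or later session (for Get-FileHash) on a machine already isolated from the network; $Roots, $OutCsv and the extension list are hypothetical choices.

```powershell
# Added example (not from the thread): triage .exe files that look like converted
# documents or carry the S/H/R attributes, and record their hashes for submission.
# Assumptions: elevated PowerShell 4.0+ on an isolated machine; $Roots and $OutCsv
# are hypothetical values, adjust them for the machine being examined.
$Roots  = @('C:\Users', 'D:\')
$OutCsv = Join-Path $env:USERPROFILE 'Desktop\suspect_exes.csv'

# System + Hidden + ReadOnly is the "SHR" combination that attrib /s prints.
$shr = [IO.FileAttributes]::System -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly

# Document extensions that a dropper typically hides behind (hypothetical list).
$docExePattern = '\.(doc|docx|xls|xlsx|ppt|pptx|pdf)\.exe$'

$suspects = Get-ChildItem -Path $Roots -Recurse -Force -File -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Name -match $docExePattern) -or            # e.g. report.doc.exe
        (($_.Attributes -band $shr) -eq $shr)          # all three of S, H and R set
    } |
    ForEach-Object {
        $isDoubleExt = $_.Name -match $docExePattern
        # If the .exe impersonates report.doc, check whether report.doc is still there.
        # $null means "not applicable" for files matched on attributes only.
        $originalPresent = $null
        if ($isDoubleExt) {
            $originalPresent = Test-Path -LiteralPath ($_.FullName -replace '\.exe$', '')
        }
        [PSCustomObject]@{
            Path               = $_.FullName
            SizeBytes          = $_.Length
            Attributes         = $_.Attributes.ToString()
            LastWriteUtc       = $_.LastWriteTimeUtc
            DoubleExtension    = $isDoubleExt
            OriginalDocPresent = $originalPresent
            # Hash only; never execute the file to "see what it does".
            SHA256             = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

$suspects | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
Write-Host ("{0} suspect file(s) recorded in {1}" -f @($suspects).Count, $OutCsv)
```

Review the CSV before submitting anything: a file whose original document is gone and whose last-write time clusters with the other hits is the strongest candidate, and the SHA-256 column lets you check VirusTotal without uploading the file itself.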

Mick2009

Also: absolutely get any infected machines isolated from the others!  This will prevent the spread of infection.

Security Best Practices for Protecting a Business Environment from Common Threats
http://www.symantec.com/docs/TECH105236

With thanks and best regards,

Mick

Barkah MLPT

Dear All,

Apologies, I'm late to reply! Thanks for your help and information.

Best Regards,

Barkah

E-Mail : barkah.mlpt@multipolar.com

Mick2009

Glad to help, Barkah- were you able to get the file submitted so that SEP can detect it? 

With thanks and best regards,

Mick

Barkah MLPT

Mick,

I have submitted the file several times. When I get a notification email about case closing from Symantec Security Response, they always say "The file will be stored for further human analysis". So the file still can't be detected by SEP.

Can I ask your advice on this issue? Thanks.

Best Regards,

Barkah

E-Mail : barkah.mlpt@multipolar.com

Mick2009

It sounds like you are submitting the file via the method used by Norton customers.  Submit it through the portal which matches your contract (basic/essential/etc) and a more detailed reply will be forthcoming.

With thanks and best regards,

Mick

Barkah MLPT

Ok Mick, thanks!

Best Regards,

Barkah

E-Mail : barkah.mlpt@multipolar.com

AjinBabu

Hi,

Please submit the files to Security Response so they can create a new definition.

How to Use the Web Submission Process to Submit Suspicious Files

http://www.symantec.com/business/support/index?page=content&id=TECH102419

Regards

Ajin