Endpoint Protection

  • 1.  New version of NEW FOLDER.EXE

    Posted Jan 22, 2010 10:13 AM

     We have an issue with a new version of NEW FOLDER.EXE. The PC was infected from a flash drive, but I can't stop it spreading. It drives CPU usage up to 100% and makes copies of itself. The PC is not totally frozen, but it is very slow. SEP did not succeed in catching the virus. Regedit, Task Manager and Folder Options all work OK, but slowly.

    I submitted a sample from C:\WINDOWS\SYSTEM32 with the tracking ID #14576572, but that didn't get a successful response either. The closing mail said that their automation was unable to identify any malicious content in this submission, and that the file would be stored for further human analysis.
    Need urgent help.

  • 2.  RE: New version of NEW FOLDER.EXE

    Posted Jan 22, 2010 11:59 AM
    Hi KRyan,

    If you have ADC in use with your SEP, you can block that file's MD5 by policy: How to use Application and Device Control to limit the spread of a threat.

    If you have a support contract with Symantec, I recommend that you open a case with them and ask for a manual analysis of that suspicious file; it will receive attention more quickly that way than in its present queue.

    Thanks and best regards,

    Mick


  • 3.  RE: New version of NEW FOLDER.EXE

    Posted Jan 25, 2010 09:21 AM
    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.01.25 Trojan.Agent!IK
    AhnLab-V3 5.0.0.2 2010.01.23 -
    AntiVir 7.9.1.150 2010.01.25 TR/Agent.73728.aaa
    Antiy-AVL 2.0.3.7 2010.01.22 -
    Authentium 5.2.0.5 2010.01.24 -
    Avast 4.8.1351.0 2010.01.25 -
    AVG 9.0.0.730 2010.01.25 -
    BitDefender 7.2 2010.01.25 -
    CAT-QuickHeal 10.00 2010.01.25 Trojan.Agent.ATV
    ClamAV 0.94.1 2010.01.25 -
    Comodo 3704 2010.01.25 Heur.Suspicious
    DrWeb 5.0.1.12222 2010.01.25 -
    eSafe 7.0.17.0 2010.01.24 Win32.TRAgent.Aaa
    eTrust-Vet 35.2.7258 2010.01.25 Win32/SillyAutorun.CKX
    F-Prot 4.5.1.85 2010.01.25 -
    F-Secure 9.0.15370.0 2010.01.25 -
    Fortinet 4.0.14.0 2010.01.25 -
    GData 19 2010.01.25 -
    Ikarus T3.1.1.80.0 2010.01.25 Trojan.Agent
    Jiangmin 13.0.900 2010.01.24 TrojanDownloader.VB.qkn
    K7AntiVirus 7.10.952 2010.01.22 Trojan.Win32.Malware.1
    Kaspersky 7.0.0.125 2010.01.25 -
    McAfee 5871 2010.01.24 -
    McAfee+Artemis 5871 2010.01.24 Artemis!FECCDA5BE738
    McAfee-GW-Edition 6.8.5 2010.01.25 Trojan.Agent.73728.aaa
    Microsoft 1.5405 2010.01.25 -
    NOD32 4803 2010.01.25 -
    Norman 6.04.03 2010.01.25 W32/Obfuscated.H!genr
    nProtect 2009.1.8.0 2010.01.25 -
    Panda 10.0.2.2 2010.01.24 Suspicious file
    PCTools 7.0.3.5 2010.01.25 -
    Prevx 3.0 2010.01.25 -
    Rising 22.32.00.04 2010.01.25 -
    Sophos 4.50.0 2010.01.25 Mal/Generic-A
    Sunbelt 3.2.1858.2 2010.01.24 -
    Symantec 20091.2.0.41 2010.01.25 -
    TheHacker 6.5.0.9.162 2010.01.25 -
    TrendMicro 9.120.0.1004 2010.01.25 PAK_Generic.001
    VBA32 3.12.12.1 2010.01.23 -
    ViRobot 2010.1.25.2154 2010.01.25 -
    VirusBuster 5.0.21.0 2010.01.25 -
    Additional information
    File size: 73728 bytes
    MD5...: feccda5be738da7867a944a1bc4e9553
    SHA1..: d3562aa37c2509b73e0d3d38d629443e69d9d30a
    SHA256: 07bde09102ef9240fee8d981754b0ab7febe11cd9be3fc3c3ba784f802e5c889
    ssdeep: 768:Hv8s3i6E5nXfUWPYfIc/Qi3qEBQpKGt0DlNvsnUp93qEBjUWPYfIc/QAnXZs3i6S:J3i6EBXlLOUpNt0QnUp9NLMXy3i6E

    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x121c
    timedatestamp.....: 0x4a979ae9 (Fri Aug 28 08:52:57 2009)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x8780 0x9000 4.85 43006d9c6920c39385061aa35dcdfa1d
    .data 0xa000 0xaf8 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
    .rsrc 0xb000 0x7000 0x7000 4.44 6939f0bb7d844553a0964f31b3b15066

    ( 1 imports )
    > MSVBVM60.DLL: _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaLenBstr, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, -, __vbaStrToAnsi, _CIatan, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: winexploer
    description..: n/a
    original name: NewFolder.exe
    internal name: NewFolder
    file version.: 1.00
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    trid..: Win32 Executable Microsoft Visual Basic 6 (91.5%)
    Win32 Dynamic Link Library (generic) (5.5%)
    Generic Win/DOS Executable (1.4%)
    DOS Executable Generic (1.4%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    Thanks, Mike.

    The file can be deleted by granting yourself the rights to it. This is the report that I got from VirusTotal when I submitted the same file that I submitted to you. From my side the problem is solved, I guess, after terminating the file's process. But please help others who are in trouble.

    Thanks and regards

    KRyan
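One way to hunt for this file across a directory tree using the indicators in the report above (the MD5/SHA-1/SHA-256 that an ADC policy would block on, the 73728-byte size, and the PE header fields the report lists), as an added example written for this page and not code from the thread or from Symantec. It assumes a real root such as C:\Windows\System32 and the root of any flash drive that touched the machine; the demo below runs against a constructed temporary directory, because the sample's bytes are not on the page, so its "match" verdict is exercised with a constructed stand-in whose hashes are computed on the fly. The "variant" verdict (same entry point, link timestamp, machine type and section names as the report, but different hashes) is my own heuristic for repacked or slightly altered copies, not something the report claims.

```python
"""Hunt a directory tree for NEW FOLDER.EXE using the VirusTotal indicators
quoted in the thread.  Added example, standard library only."""
import hashlib
import os
import struct
import tempfile

# Indicators copied from the VirusTotal report in post 3.
REPORT_IOCS = {
    "size": 73728,
    "md5": "feccda5be738da7867a944a1bc4e9553",
    "sha1": "d3562aa37c2509b73e0d3d38d629443e69d9d30a",
    "sha256": "07bde09102ef9240fee8d981754b0ab7febe11cd9be3fc3c3ba784f802e5c889",
    "entrypoint": 0x121C,
    "timestamp": 0x4A979AE9,
    "machine": 0x14C,
    "sections": [".text", ".data", ".rsrc"],
}


def digest_bytes(chunks):
    """MD5, SHA-1 and SHA-256 of an iterable of byte chunks, in one pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_file(path):
    """Hash a file in 64 KiB chunks so large files do not need to fit in memory."""
    with open(path, "rb") as fh:
        return digest_bytes(iter(lambda: fh.read(1 << 16), b""))


def pe_summary(data):
    """Parse the PE fields the report lists (entry point, link timestamp,
    machine type, section names).  Returns None if `data` is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        # COFF header: Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader
        machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        opt_hdr = e_lfanew + 24
        entrypoint = struct.unpack_from("<I", data, opt_hdr + 16)[0]  # AddressOfEntryPoint
    except struct.error:
        return None  # headers truncated
    sections = []
    for i in range(nsections):
        off = opt_hdr + opt_size + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        sections.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"entrypoint": entrypoint, "timestamp": timestamp,
            "machine": machine, "sections": sections}


def classify(path, iocs=REPORT_IOCS):
    """'match' = identical file (size and all three hashes agree);
    'variant' = different bytes but the same link-time fingerprint (my
    heuristic, not from the report); None = no indicator hit."""
    if os.path.getsize(path) == iocs["size"]:
        h = hash_file(path)
        if all(h[k] == iocs[k] for k in ("md5", "sha1", "sha256")):
            return "match"
    with open(path, "rb") as fh:
        pe = pe_summary(fh.read(4096))  # headers sit at the front of the file
    if pe and [pe[k] for k in ("entrypoint", "timestamp", "machine", "sections")] == \
            [iocs[k] for k in ("entrypoint", "timestamp", "machine", "sections")]:
        return "variant"
    return None


def scan_tree(root, iocs=REPORT_IOCS):
    """Walk `root` and return {path: verdict} for every file that hits an indicator."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                verdict = classify(path, iocs)
            except OSError:
                continue  # locked or unreadable; note it separately in real use
            if verdict:
                hits[path] = verdict
    return hits


def build_minimal_pe(entrypoint, timestamp, machine, section_names):
    """Constructed test input: a tiny, non-runnable PE32 image whose headers
    carry the given values, so the parser can be exercised without the malware."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    opt = bytearray(224)                                         # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic = PE32
    struct.pack_into("<I", opt, 16, entrypoint)                  # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", machine, len(section_names), timestamp, 0, 0, len(opt), 0x0102)
    secs = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


def run_demo():
    """Constructed scenario: a benign file, a stand-in 'copy' whose hashes are
    substituted for the report's, and a look-alike sharing only the header fingerprint."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = build_minimal_pe(0x1000, 0x12345678, 0x14C, [".text"]) + b"\0" * 512
        lookalike = build_minimal_pe(0x121C, 0x4A979AE9, 0x14C, [".text", ".data", ".rsrc"])
        for name, content in {"newfolder_copy.exe": copy, "lookalike.exe": lookalike,
                              "readme.txt": b"benign\n"}.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        iocs = dict(REPORT_IOCS, size=len(copy), **digest_bytes([copy]))
        return {os.path.basename(p): v for p, v in scan_tree(tmp, iocs).items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(verdict, name)
    # Real use: scan_tree(r"C:\Windows\System32") and the root of the flash drive.
```

A hash hunt like this only finds copies that already exist; it complements the ADC hash block Mick describes rather than replacing it, and since the thread says the file keeps copying itself, run it again after the process has been terminated and the flash drive has been checked.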