New virus is attacking!

Created: 10 Sep 2013 • Updated: 11 Sep 2013 | 8 comments

Recently, I found an unknown virus attacking our company's computers. At present, a lot of computers are infected.

Details are as follows:

1. Yesterday, I found a lot of files infected with the virus, which caused Adobe Reader and SVN to stop working normally.

2. SEP can't intercept the virus. (The virus definitions have already been updated to the latest version.)

3. We used another anti-virus product, which successfully removed the virus.

So we doubt that SEP can stop the virus. Please propose some solutions and recommendations! Thank you!

The following is the log from the other anti-virus product:

==============================
Started time: 2013-9-10 17:18:07
Elapsed time: 06:18:29
Version of virus signature database: 2012-12-4 16:56:50
Scan mode: deep scan
Scan type: full scan
Status: completed
Number of scanned objects: 1100348
Number of detected threats: 111
Number of cleaned threats: 109

Trusted objects:

Trusted extensions:

Detected threats:
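The scan log above has a fixed layout: a block of "Key: value" summary lines, then one line per detection of the form "<path> <detection name> <action>", where a blank detection name leaves two spaces before the action. Added here as an example (not code from the post or from either vendor): a parser for that layout that reconciles the header counts against the list and flags the "Renamed" and unnamed entries. The sample log embedded in it is constructed.

```python
from collections import Counter

# Constructed sample in the layout of the scan log in the post; the paths and
# counts are illustrative, not the poster's real results.
SAMPLE_LOG = r"""Number of detected threats: 4
Number of cleaned threats: 3

Detected threats:
C:\RECYCLER\S-1-5-21-0-0-0-1000\Dc1.exe BDS/Banito.C Deleted
C:\Program Files\Example App\tool.bak BDS/Banito.C Deleted
C:\Program Files\Other App\viewer.exe  Deleted
D:\Config.Msi\5d6a6c.rbf BDS/Banito.C Renamed
"""
ACTIONS = {"Deleted", "Renamed", "Quarantined", "Skipped"}

def parse_threat_line(line):
    """Return (path, detection, action). Fields are single-space separated,
    so a blank detection name appears as two spaces before the action."""
    rest, action = line.rstrip().rsplit(" ", 1)
    if action not in ACTIONS:
        raise ValueError("unrecognised action in: " + line)
    if rest.endswith(" "):                   # blank detection name
        return rest[:-1], "", action
    parts = rest.rsplit(" ", 1)
    if len(parts) == 1 or "\\" in parts[1]:  # last token is still the path
        return rest, "", action
    return parts[0], parts[1], action

def parse_log(text):
    """Split the log into its 'Key: value' summary and the threat list."""
    summary, threats, in_list = {}, [], False
    for line in filter(str.strip, text.splitlines()):
        if line.startswith("Detected threats:"):
            in_list = True
        elif in_list:
            threats.append(parse_threat_line(line))
        elif ": " in line:
            key, value = line.split(": ", 1)
            summary[key] = value
    return summary, threats

def check_counts(summary, threats):
    """Reconcile header totals with the list; 'Renamed' entries were not cleaned."""
    by_action = Counter(t[2] for t in threats)
    ok = (int(summary["Number of detected threats"]) == len(threats)
          and int(summary["Number of cleaned threats"]) == by_action["Deleted"])
    return {"header_matches_list": ok, "by_action": dict(by_action),
            "unnamed": [t[0] for t in threats if t[1] == ""],
            "leftovers": [t[0] for t in threats if t[2] != "Deleted"]}
```

Entries reported with no detection name, and anything not "Deleted", are the ones worth keeping (zipped, unencrypted) for a vendor submission rather than trusting the summary totals alone.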


.Brian

Do you have a sample to submit to security response?

See here:

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

Article:TECH98929  |  Created: 2000-01-06  |  Updated: 2013-08-02  |  Article URL http://www.symantec.com/docs/TECH98929

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

pete_4u2002

Can you submit the file to Symantec Security Response for analysis?

Ambesh_444

Hello,

Please check the thread below for your best answer.

https://www-secure.symantec.com/connect/forums/desktopexe

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

Mithun Sanghavi

Hello,

In your case, all the files have been deleted -

Next time, please zip each of the files and submit the zip files (without password) to the Symantec Security Response Team at:

https://submit.symantec.com/websubmit/essential.cgi

We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

Check these articles:

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante

What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

http://www.symantec.com/docs/TECH99222

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

http://www.symantec.com/docs/TECH98929

Here are some excellent suggestions on how to keep your computers, their users and data safe:

http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade

Hi,

Did you scan with Symantec power eraser?

Symantec Power Eraser is the latest Symantec Recovery tool. The tool is aimed at the detection and clean-up of "zero-day" threats as well as other threats which may have infected the user’s system. Zero-day threats are those that take advantage of a newly discovered hole in a program or operating system before the developers have made a fix available – or before they are even aware that a hole exists.

Before submitting it to Symantec, go through the following steps:

1) Install all the SEP features, i.e. AV/AS, PTP & NTP.

2) The system should be updated with service packs and Windows patches.

3) Make sure the machines are installed with the latest third-party applications.

4) Disable the Autorun feature if not using SEP 12.1.

5) Scan the full system in safe mode.

6) Use Symantec Power Eraser to scan the system.

http://www.symantec.com/theme.jsp?themeid=spe-user...

Best practices for responding to active threats on a network

http://www.symantec.com/docs/TECH122466 

If these steps don't help, then I would also suggest submitting the suspicious files to Symantec.

How to Use the Web Submission Process to Submit Suspicious Files

http://www.symantec.com/docs/TECH102419  

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Mick2009

Hi chudyjay,

Which version of SEP is in use, and which components are selected?  Many of today's sophisticated threats require more than an older release of SEP with only AV.  I recommend upgrading to SEP 12.1 and using AV with IPS, ADC, and the reputation-based Insight components.  Together those provide quite a good defense.

Here are some additional recommendations:

Symantec Endpoint Protection – Best Practices:
http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0
  

With thanks and best regards,

Mick

Mohammad Altaf Khan

You need to submit all these files to Symantec Security Response in order for them to be detected by SEP.

https://submit.symantec.com/websubmit/essential.cgi

Once you submit the files they will reply to you, and if they still say the files are clean, then open a case with Symantec.

Mick2009

Hi chudyjay,

When time allows, can you post an update on this thread?  Are you still experiencing this infection or have you resolved it (and how)?

Thanks again,

Mick

With thanks and best regards,

Mick