Endpoint Protection

  • 1.  Possible Iranian virus; can you help please

    Posted May 06, 2012 03:34 PM


    Sunday, May 06, 2012


    Dear Team,

    Our office has a client who teaches students in the Middle East. Late last March our client was visiting Jordan and while there gave several lectures to a group of international students. Some of the students were from Iran.

    One of their assignments was to write a term paper and because of that assignment several of the students began sending e-mail questions to our client. Our client reports that shortly after receiving e-mails from the Iranian students his Norton antivirus program began to issue a specific warning. A copy of that warning is shown below.

    While our client expects his e-mail to be monitored while dealing with Iranian students he is beginning to wonder if there is not something more nefarious at hand.

    After poking about in our client’s registry we did note that the actor program below was loaded onto his computer at the same time the first group of e-mails arrived from the Iranian students.

    We are requesting help in this matter. Can anyone please tell us if you have seen similar warnings before and if so what should we do about it? Right now the only symptom he has is a general sluggishness in the operation of his computer.

    He is using an older model Dell desktop with a single-core Intel CPU and 1024 MB of RAM running XP SP3. Also, he tends to keep multiple applications open on his desktop, and multiple Word, Excel, and PowerPoint documents as well.

    Anything that anyone can tell us about this potential infection, and how to safely remove it, would be very much appreciated. A copy of the warning message follows:

    • Actor – C:\PROGRAM FILES\GOOGLEUPDATE\exe
    • Actor PID – 2460
    • Target – c:\PROGRAM FILES\Norton Antivirus\Engine\17.9.0.12\ccsvchst.exe
    • Target PID – 1871
    • Action – Open Process Token
    • Reaction – Authorized Process Blocked

    Of course just because these warnings first appeared around the time that the first Iranian e-mails arrived does not necessarily mean that they are of Iranian origin.

    If anybody has knowledge of the history of this particular infection that would be nice to know.

    Thank you for your assistance in this matter and please email or post your questions here.

    Sincerely,

    Mike

    Charles M. “Mike” Adams, EnCE, ACFE, TX DPS # A17351
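The warning above records one process (the "Actor") asking to open the access token of the Norton engine process (the "Target") and Norton blocking that request. The first triage question is whether the actor binary is what its path claims to be. The script below is an added example for followers of this thread; it is not from the original post, from Symantec, or from any reply. It assumes PowerShell 2.0 or later has been installed on the XP machine, that the alert text is transcribed exactly as posted (the actor path as written may be incomplete, so every step checks existence first), and that Google's updater normally lives under Program Files\Google\Update\ (an assumption stated in the code).

```powershell
# Added triage example for a Norton tamper-protection warning. Not from the
# original thread. Assumptions: PowerShell 2.0+ on the affected machine, alert
# text copied verbatim from the post, default per-machine Google Update path.

$alert = @'
Actor - C:\PROGRAM FILES\GOOGLEUPDATE\exe
Actor PID - 2460
Target - c:\PROGRAM FILES\Norton Antivirus\Engine\17.9.0.12\ccsvchst.exe
Target PID - 1871
Action - Open Process Token
Reaction - Authorized Process Blocked
'@

# Parse "Field - value" lines (hyphen or the en dash the forum rendered) into a hashtable.
$fields = @{}
foreach ($line in ($alert -split "`r?`n")) {
    if ($line -match '^\s*(?<k>[^\-\u2013]+?)\s*[\-\u2013]\s*(?<v>.+)$') {
        $fields[$Matches['k'].Trim()] = $Matches['v'].Trim()
    }
}
$actor    = $fields['Actor']
$actorPid = [int]$fields['Actor PID']

# 1. The live process, if it still exists: real image path, command line, and parent.
Get-WmiObject Win32_Process -Filter "ProcessId = $actorPid" |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine

# 2. The binary on disk: Authenticode status, signer, and a SHA-256 to quote when submitting a sample.
if (Test-Path -LiteralPath $actor -PathType Leaf) {
    $sig = Get-AuthenticodeSignature -FilePath $actor
    "Signature: {0}  Signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject
    $stream = [System.IO.File]::OpenRead($actor)
    try {
        $bytes = [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream)
        'SHA256:    ' + (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
    } finally { $stream.Close() }
    Get-Item -LiteralPath $actor | Select-Object Length, CreationTime, LastWriteTime
} else {
    "Actor path does not exist as written: $actor"
}

# 3. Compare with where Google's updater normally installs (assumed default location).
$expected = Join-Path $env:ProgramFiles 'Google\Update\GoogleUpdate.exe'
if (Test-Path -LiteralPath $expected) {
    "Updater present at expected path: $expected"
    Get-AuthenticodeSignature -FilePath $expected |
        Select-Object Status, @{n='Signer'; e={ $_.SignerCertificate.Subject }}
}
if ($actor -and ($actor.ToLower() -ne $expected.ToLower())) {
    "NOTE: actor path differs from the expected updater path; treat it as unknown until verified."
}

# 4. Persistence: autorun keys and services that reference the actor's directory.
$actorDir = Split-Path -Path $actor -Parent
$runKeys  = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like "*$actorDir*" } |
            ForEach-Object { "Autorun: $key\$($_.Name) = $($_.Value)" }
    }
}
Get-WmiObject Win32_Service | Where-Object { $_.PathName -like "*$actorDir*" } |
    Select-Object Name, State, StartMode, PathName
```

Run it from an elevated PowerShell prompt on the affected machine. A binary that sits at the expected path and carries a valid signature from its publisher makes the event much less interesting; an unsigned or oddly located binary, or an autorun entry pointing at it, is exactly what to hash and submit as a sample rather than delete, since the file is the evidence.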



  • 2.  RE: Possible Iranian virus; can you help please

    Posted May 07, 2012 01:22 PM

    Hi Mike,

    If you feel the system may be infected, I would start by following the steps in this post.

    https://www-secure.symantec.com/connect/forums/your-system-infected

    BTW, you posted in the Enterprise product forum. Norton products questions are best posted in the Norton Community.

    http://community.norton.com/norton/


    Regards,

    Thomas



  • 3.  RE: Possible Iranian virus; can you help please

    Posted May 30, 2012 01:16 PM

    This may be related to the Flamer threat.

    http://www.symantec.com/outbreak/?id=flamer

    If possible, I would submit a sample to Symantec Security Response ASAP.

    http://www.symantec.com/security_response/submitsamples.jsp




  • 4.  RE: Possible Iranian virus; can you help please

    Posted May 31, 2012 04:44 AM

    This may be of interest to followers of this thread:

    Painting a Picture of W32.Flamer
    https://www-secure.symantec.com/connect/blogs/painting-picture-w32flamer



  • 5.  RE: Possible Iranian virus; can you help please

    Trusted Advisor
    Posted Jun 02, 2012 01:56 PM

    Hello,

    A Special Thread has been created for W32.Flamer

    W32.Flamer Information

    https://www-secure.symantec.com/connect/forums/w32flamer-information

    Hope that helps!!



  • 6.  RE: Possible Iranian virus; can you help please

    Posted Sep 18, 2012 04:45 AM

    This new analysis from Symantec Security Response may be of interest to followers of this thread:

    Have I Got Newsforyou: Analysis of Flamer C&C Servers
    https://www-secure.symantec.com/connect/blogs/have-i-got-newsforyou-analysis-flamer-cc-servers