Sunday, May 06, 2012
Dear Team,
Our office has a client who teaches students in the Middle East. Late last March our client was visiting Jordan and while there gave several lectures to a group of international students. Some of the students were from Iran.
One of their assignments was to write a term paper, and because of that assignment several of the students began sending e-mail questions to our client. Our client reports that shortly after receiving e-mails from the Iranian students his Norton antivirus program began to issue a specific warning. A copy of that warning is shown below.
While our client expects his e-mail to be monitored while dealing with Iranian students, he is beginning to wonder if there is not something more nefarious at hand.
After poking about in our client’s registry we did note that the actor program below was loaded onto his computer at the same time the first group of e-mails arrived from the Iranian students.
We are requesting help in this matter. Can anyone please tell us if you have seen similar warnings before and, if so, what we should do about it? Right now the only symptom he has is a general sluggishness in the operation of his computer.
He is using an older model Dell desktop with a single core Intel CPU and 1024 MB of RAM running XP SP3. Also, he tends to keep multiple applications open on his desktop and multiple Word, Excel, and PowerPoint documents as well.
Anything that anyone can tell us about this potential infection, and how to safely remove it, would be very much appreciated. A copy of the warning message follows:
- Actor – C:\PROGRAM FILES\GOOGLEUPDATE\exe
- Actor PID – 2460
- Target – c:\PROGRAM FIILES\Norton Antivirus\Engine\17.9.0.12\ccsvchst.exe
- Target PID – 1871
- Action – Open Process Token
- Reaction – Authorized Process Blocked
Of course, just because these warnings first appeared around the time that the first Iranian e-mails arrived does not necessarily mean that they are of Iranian origin.
If anybody has knowledge of the history of this particular infection, that would be nice to know.
Thank you for your assistance in this matter and please email or post your questions here.
Sincerely,
Mike
Charles M. “Mike” Adams, EnCE, ACFE, TX DPS # A17351
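As an added illustration (not part of Mike's post), the script below parses the six-field warning quoted above and lists the reasons a responder would want to look closer: a path that ends in "\exe" with no file name, an actor that calls itself Google Update but is not in the directory where that binary is normally installed (the expected path is an assumption, for 32-bit Windows per-machine installs), and a token-open against the Norton engine process. The sample text is constructed to match the post's list.

```python
import re

# Constructed sample in the shape of the warning quoted in the post (not a real Norton log export).
SAMPLE_WARNING = """\
- Actor – C:\\PROGRAM FILES\\GOOGLEUPDATE\\exe
- Actor PID – 2460
- Target – c:\\PROGRAM FIILES\\Norton Antivirus\\Engine\\17.9.0.12\\ccsvchst.exe
- Target PID – 1871
- Action – Open Process Token
- Reaction – Authorized Process Blocked
"""

# Assumption: where the per-machine Google Update binary normally lives on 32-bit Windows XP.
EXPECTED_GOOGLEUPDATE = {r"c:\program files\google\update\googleupdate.exe"}

# Assumption: the Norton engine process named in the warning's Target field.
AV_ENGINE_PROCESS = "ccsvchst.exe"

# Lines look like "- Key – Value" (en dash or hyphen as separator).
FIELD_RE = re.compile(r"^-\s*(?P<key>[A-Za-z ]+?)\s*[–-]\s*(?P<value>.*)$")


def parse_warning(text: str) -> dict:
    """Turn the 'Key – Value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").strip().lower()] = m.group("value").strip()
    return fields


def triage(fields: dict) -> list:
    """Return plain-language reasons this warning deserves a closer look."""
    findings = []
    actor = fields.get("actor", "").lower()
    target = fields.get("target", "").lower()
    action = fields.get("action", "").lower()
    # A real executable path ends in a file name; a bare "\exe" is malformed.
    if not actor.endswith(".exe"):
        findings.append("actor path does not end in an executable file name")
    # Something calling itself Google Update but not in the usual install directory.
    if "googleupdate" in actor and actor not in EXPECTED_GOOGLEUPDATE:
        findings.append("actor claims to be Google Update but runs from an unexpected path")
    # Any process opening the AV engine's token is worth investigating.
    if AV_ENGINE_PROCESS in target and "token" in action:
        findings.append("actor tried to open the antivirus engine's process token")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_warning(SAMPLE_WARNING)):
        print("-", finding)
```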