
Rootkit.boot.pihar.c keeps getting through

Created: 10 Oct 2012 | 8 comments

Can anyone give me a reasonable explanation as to why Symantec Endpoint Protection doesn't seem able to protect against this particular trojan? Time after time I go to client sites that are getting BSODs and slow performance. Every time I check the status of SEP, it is current and up to date with definitions. And over and over I'm finding this trojan on their desktop systems. Right now I'm clearing it off the third or fourth desktop in the last few weeks at a customer, and they're asking why this keeps getting through and where it is coming from.

We are running the latest version of Endpoint Manager from which the installation packages were created.

8 Comments

Ashish-Sharma

Hi,

I would request you to submit these files to the Symantec Security Team on 

https://submit.symantec.com/essential

and 

http://www.threatexpert.com/submit.aspx

Also, check these Article below:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

Check this thread

https://www-secure.symantec.com/connect/forums/whats-process-submit

Thanks In Advance

Ashish Sharma

Mithun Sanghavi

Hello,

To capture the file, zip the containing folder; when you open the zipped folder, you may see the threat file in it.

Submit the .zip folder to Symantec Security Response Team on 

https://submit.symantec.com/websubmit/essential.cgi

We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

Also, check this Article below:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

Secondly, check these articles to answer your questions:

What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

http://www.symantec.com/docs/TECH99222

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

http://www.symantec.com/docs/TECH98929

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

cus000

Have you managed to track the source of this threat?

Did you enable all features (NTP, PTP, etc.)?

Fabiano.Pessoa

Hello

Was Rootkit.boot. discovered by someone manually, or was it discovered by SEP?
Place svchost.exe as untrusted, because malicious files like to hide there in svchost.exe.
While running, this nasty rootkit drops a lot of TMP files in the Temp folder to install the other malicious components that compromise the system in the background. Some victims have reported that after infection their computer began to randomly restart and show a "page fault" or "page not found" type error message on the BSOD.
1. Start the computer in Safe Mode with Networking.
2. Show hidden files and system folders.
3. Open the Windows Registry Editor. Click Start -> Run, and in the Run box type "regedit" and click OK.
4. In Registry Editor, find all registry entries created by this rootkit and remove them all:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "net"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[Random].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
5. Find all of this rootkit's files and delete them all:
C:\WINDOWS\system32\_VOID[RANDOM].dat
C:\WINDOWS\system32\uactmp.db
C:\WINDOWS\Temp\_VOIDtmp[RANDOM]
C:\WINDOWS\_VOID[RANDOM]
C:\WINDOWS\system32\UAC[RANDOM].db
6. Run a scan with SEP to check, but only do the manual deletion if you are experienced.
7. Restart the computer normally.
8. Clean the operating system with a cleaner and optimizer. Symantec has an excellent one.
If you cannot delete manually for lack of experience, just set SVCHOST.EXE as untrusted and scan.

hugs

Fabiano Pessoa

Systems Analyst - Forensic Expert
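The manual registry and file checks in the post above, turned into a script, as an added example that is not from the thread, from Symantec, or from the poster: it looks at the same three registry locations (Winlogon Shell, HKLM Run, the HKCU Settings "net" value) and the five file-name patterns, and reports what matches. Python rather than PowerShell so the same logic runs against a pulled drive or an exported list on any host. Assumptions that are not in the post: `[RANDOM]` is treated as a run of letters and digits, a Run value counts as suspicious when it launches from a `\Temp\` directory or has a random-looking name, the `collect_live` helper (Windows only, run as Administrator) and the sample inputs are constructed for illustration.

```python
"""Check the persistence locations and file names named in the post above.

Added example, not code from the thread. Run on Windows (as Administrator)
to inspect the live machine; anywhere else it evaluates a constructed sample.
"""
import ntpath
import re
import sys
from dataclasses import dataclass, field

# File-name patterns from the post. [RANDOM] is taken to be a run of letters
# and digits (assumption). Matching is on the path tail, case-insensitive,
# and assumes %SystemRoot% is named WINDOWS as in the post.
FILE_PATTERNS = [
    re.compile(r"\\windows\\system32\\_void[a-z0-9]+\.dat$", re.I),
    re.compile(r"\\windows\\system32\\uactmp\.db$", re.I),
    re.compile(r"\\windows\\temp\\_voidtmp[a-z0-9]+$", re.I),
    re.compile(r"\\windows\\_void[a-z0-9]+$", re.I),
    re.compile(r"\\windows\\system32\\uac[a-z0-9]+\.db$", re.I),
]
TEMP_DIR = re.compile(r"\\temp\\", re.I)


def looks_random(stem):
    """Heuristic for the post's "[Random].exe": 6+ chars of only letters and
    digits, with at least two of each (assumption, not from the post)."""
    return (len(stem) >= 6
            and re.fullmatch(r"[a-z0-9]+", stem, re.I) is not None
            and sum(c.isdigit() for c in stem) >= 2
            and sum(c.isalpha() for c in stem) >= 2)


def exe_path(cmd):
    """First token of a Run command line: a quoted path, or up to the first ' /' switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" /", 1)[0]


@dataclass
class Findings:
    shell_tampered: bool = False
    suspicious_run: list = field(default_factory=list)
    hkcu_settings_net: bool = False
    matched_files: list = field(default_factory=list)

    @property
    def indicators_present(self):
        return (self.shell_tampered or self.hkcu_settings_net
                or bool(self.suspicious_run) or bool(self.matched_files))


def assess(shell_value, run_values, hkcu_settings_values, file_paths):
    f = Findings()
    # Winlogon\Shell should be exactly "explorer.exe". The value is a comma
    # list, so anything appended after it is a second shell started alongside Explorer.
    if shell_value is None or shell_value.strip().lower() != "explorer.exe":
        f.shell_tampered = True
    for name, cmd in run_values.items():
        path = exe_path(cmd)
        stem = ntpath.splitext(ntpath.basename(path))[0]
        if TEMP_DIR.search(path) or looks_random(stem):
            f.suspicious_run.append(name)
    # The post names a "net" value under HKCU\...\CurrentVersion\Settings.
    if "net" in hkcu_settings_values:
        f.hkcu_settings_net = True
    for p in file_paths:
        if any(rx.search(p) for rx in FILE_PATTERNS):
            f.matched_files.append(p)
    return f


def collect_live():
    """Gather assess() inputs from the running machine (Windows only, Administrator)."""
    import glob, os, winreg

    def values_of(hive, subkey):
        out = {}
        try:
            with winreg.OpenKey(hive, subkey) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:  # end of enumeration
                        break
                    out[name] = str(data)
                    i += 1
        except OSError:  # key absent or access denied
            pass
        return out

    winlogon = values_of(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    run = values_of(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    settings = values_of(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Settings")
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    files = glob.glob(root + r"\*") + glob.glob(root + r"\system32\*") + glob.glob(root + r"\Temp\*")
    return winlogon.get("Shell"), run, settings, files


# Constructed sample of an infected box (not real data from the thread).
SAMPLE = dict(
    shell_value=r"explorer.exe,C:\WINDOWS\_VOIDa7f3c1\ldr.exe",
    run_values={"Adobe ARM": r'"C:\Program Files\Adobe\Reader\AdobeARM.exe"',
                "k9x2d8q1": r"C:\Documents and Settings\bob\Local Settings\Temp\k9x2d8q1.exe"},
    hkcu_settings_values={"net": "1"},
    file_paths=[r"C:\WINDOWS\system32\kernel32.dll",
                r"C:\WINDOWS\system32\_VOID4f2a9c.dat",
                r"C:\WINDOWS\system32\uactmp.db",
                r"C:\WINDOWS\Temp\_VOIDtmp8b1e"],
)

if __name__ == "__main__":
    findings = assess(*collect_live()) if sys.platform == "win32" else assess(**SAMPLE)
    print(findings)
```

A hit on Winlogon Shell or on the `_VOID`/`UAC` file names is a good reason to stop and capture a sample for Security Response before deleting anything; the random-name heuristic on Run values is noisier and should be read as a prompt to look, not as a verdict.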

sandra.g

I would reiterate the recommendation to get a sample to Security Response for analysis, if you have one available. Kaspersky gave it the pihar name, and they classify it in the Tidserv family. This document may help you determine how it might be getting through; the writeup suggests social engineering (e.g. sensational-looking fake video links).

Backdoor.Tidserv
http://www.symantec.com/security_response/writeup....

Which version of SEP are you using (12.1.1101)? Are all components (IPS in particular) installed and up to date?

Best Practices for Troubleshooting Viruses on a Network
http://www.symantec.com/docs/TECH122466

Another take on the same topic: Security Best Practices: Stopping Malware and other threats (also can be found here: http://www.symantec.com/docs/HOWTO75121)

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

AugustWest

I've just encountered this on a user's laptop. BSOD in normal and safe mode. Pulled the HD and mounted it on a machine with 12.1.1101.401 RU1 MP1, virus defs Oct 29, 2012. Ran a full scan against it; nothing was detected.

Went to the Kaspersky online scan, and it detected the infected MBR almost immediately on the mounted drive. I'm running Kaspersky Rescue Disk to remove it. I haven't attempted to see if SERT is capable of detecting and repairing it.

.Brian

The infected MBR will need to be repaired with a good one from the Windows CD using the recovery console.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
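A way to check the MBR yourself before and after the repair .Brian describes, working from a drive pulled and mounted on a clean machine the way AugustWest did. This is an added example, not code from the thread, from Symantec or from Kaspersky: it reads the first sector, verifies the 0x55AA signature, parses the partition table, hashes the 440-byte bootstrap code against a baseline you recorded from a known-clean machine of the same Windows release, and reports how many sectors lie beyond the last partition (where Tidserv/TDL-style MBR bootkits keep their hidden storage). The baseline hash, the device path, and the two sample MBRs below are constructed for illustration; the "clean" bootstrap bytes are a stand-in, not real Windows boot code.

```python
"""MBR triage for a pulled drive or disk image. Added example, not from the thread."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440   # bytes 0..439 are bootstrap code; 440..445 disk signature and padding
PTABLE_OFF = 446     # four 16-byte partition entries, then 0x55AA at 510..511


def read_mbr(path):
    """Read sector 0 of a raw device or image, e.g. r"\\\\.\\PhysicalDrive1" on
    Windows (as Administrator), "/dev/sdb" on Linux, or "disk.img" (assumed paths)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def parse_partitions(mbr):
    parts = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        flag, ptype = mbr[off], mbr[off + 4]
        start, size = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:  # type 0 = empty slot
            parts.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                          "start_lba": start, "sectors": size})
    return parts


def analyze_mbr(mbr, disk_sectors, known_good_sha256=None):
    """Return a report dict; 'problems' is empty for a sane MBR with matching boot code."""
    report = {"problems": [], "signature_ok": mbr[510:512] == b"\x55\xAA"}
    if len(mbr) != SECTOR:
        report["problems"].append("not a 512-byte sector")
    if not report["signature_ok"]:
        report["problems"].append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()
    report["bootcode_sha256"] = digest
    # None when no baseline was supplied; the hash is still reported for comparison.
    report["bootcode_matches"] = None if known_good_sha256 is None else digest == known_good_sha256.lower()
    if report["bootcode_matches"] is False:
        report["problems"].append("bootstrap code differs from known-good baseline")
    parts = parse_partitions(mbr)
    report["partitions"] = parts
    last_end = 0
    for p in sorted(parts, key=lambda e: e["start_lba"]):
        if p["start_lba"] < last_end:
            report["problems"].append("partition %d overlaps the previous one" % p["index"])
        end = p["start_lba"] + p["sectors"]
        if end > disk_sectors:
            report["problems"].append("partition %d extends past the end of the disk" % p["index"])
        last_end = max(last_end, end)
    # Unpartitioned tail of the disk: a large one on a machine with these
    # symptoms is worth imaging, not proof of infection by itself.
    report["trailing_unpartitioned_sectors"] = max(0, disk_sectors - last_end)
    return report


# ---- constructed sample data (not from the thread) ----
DISK_SECTORS = 100_000   # a ~49 MB "disk"
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOTCODE_LEN, b"\x00")      # stand-in
INFECTED_BOOTCODE = b"\xeb\x10\x90\x90\xb8\x00\x02".ljust(BOOTCODE_LEN, b"\x00")   # stand-in
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()  # what you would record from a clean build


def build_sample_mbr(bootcode, partitions):
    """partitions: list of (bootable, type, start_lba, sectors)."""
    mbr = bytearray(SECTOR)
    mbr[:BOOTCODE_LEN] = bootcode
    for i, (bootable, ptype, start, size) in enumerate(partitions):
        off = PTABLE_OFF + 16 * i
        mbr[off] = 0x80 if bootable else 0x00
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, size)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


CLEAN_MBR = build_sample_mbr(CLEAN_BOOTCODE, [(True, 0x07, 2048, DISK_SECTORS - 2048)])
INFECTED_MBR = build_sample_mbr(INFECTED_BOOTCODE, [(True, 0x07, 2048, 90_000)])

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(label, analyze_mbr(mbr, DISK_SECTORS, KNOWN_GOOD_SHA256))
```

Windows setup writes the same generic MBR boot code on every install of a given release, so a hash taken from one clean machine of the same release is a usable baseline; OEM recovery tools and boot managers write their own code and need their own baseline. Run the check again after the recovery-console repair to confirm the bootstrap code now matches and the partition table is unchanged.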

may55

Read the post to get instructions for enabling the desktop so that you can proceed to remove Rootkit.boot.pihar.c:

http://removecomputermalware.blogspot.com/2013/01/...

and there's a video available.

Wish you luck