
[SID: 24250] System Infected: Trojan Kazy Activity detected - "mor.exe"

Created: 02 Jul 2012 • Updated: 09 Jul 2012 | 12 comments

Hi,

I have seen a couple of detections "[SID: 24250] System Infected: Trojan Kazy Activity detected" in the last few days.

All are related to the same executable in the file path "C:\Users\Username\AppData\Local\Temp\mor.exe".

I couldn't find more information about this here in the forum. What does Symantec think about this? Does anyone have more information on this detection?

Thanks!



.Brian

That PC or PCs are infected with the Kazy trojan.

The path you specified is a known location for malware to try and hide.

I would unplug the PC(s) and run a full system scan. Make sure definitions are fully updated.

You can also submit the threat to security response:

https://submit.symantec.com/websubmit/gold.cgi

You can also upload mor.exe to virustotal to get an idea of what it is.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi

Hello,

"[SID: 24250] System Infected: Trojan Kazy Activity detected"

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24250

Response

No further action is required but you may wish to perform some of the following actions as a precautionary measure.
• Run the Symantec Power Eraser. 
• Update your product definitions and perform a full system scan.
• Identify suspicious files.
• Submit suspicious files to Symantec for analysis.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
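Both .Brian's advice (grab mor.exe and check it on VirusTotal) and the "Identify suspicious files / Submit suspicious files" steps above assume you can still find the file. The following is an added example, not code from the thread or from Symantec: a Python sweep that looks for the named dropper under every profile's Local Temp directory (the C:\Users\<name>\AppData\Local\Temp path reported in the opening post), records size and modification time for the timeline, and computes a SHA-256 so you can look the hash up before deciding whether to upload the sample. The root path, the file name, the case-insensitive match and the record layout are assumptions of this example.

```python
import hashlib
import os
import sys

# Assumption for this added example: the profile root and the per-profile Temp
# sub-path are the ones reported in the thread (C:\Users\<name>\AppData\Local\Temp).
USERS_ROOT = r"C:\Users"
TEMP_SUBPATH = os.path.join("AppData", "Local", "Temp")


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large dropper does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def find_samples(users_root=USERS_ROOT, filename="mor.exe"):
    """Return one record per copy of `filename` found under any profile's Local Temp.

    Each record is (profile, full_path, size_bytes, mtime_epoch, sha256).
    Unreadable directories are skipped (os.walk ignores errors by default);
    a file that cannot be read is reported with None fields instead of
    aborting the whole sweep.
    """
    records = []
    if not os.path.isdir(users_root):
        return records
    for profile in sorted(os.listdir(users_root)):
        temp_dir = os.path.join(users_root, profile, TEMP_SUBPATH)
        if not os.path.isdir(temp_dir):
            continue
        # Walk nested temp folders too; droppers are often one level down.
        for dirpath, _dirnames, filenames in os.walk(temp_dir):
            for name in filenames:
                if name.lower() != filename.lower():
                    continue
                full_path = os.path.join(dirpath, name)
                try:
                    stat = os.stat(full_path)
                    digest = sha256_of(full_path)
                except OSError:
                    stat, digest = None, None
                records.append((
                    profile,
                    full_path,
                    stat.st_size if stat else None,
                    int(stat.st_mtime) if stat else None,
                    digest,
                ))
    return records


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else USERS_ROOT
    hits = find_samples(root)
    if not hits:
        print(f"no mor.exe under {root}: check the AV risk log, it may already have been quarantined")
    for profile, path, size, mtime, digest in hits:
        print(f"{profile}: {path} size={size} mtime={mtime} sha256={digest}")
```

Run it with administrative rights so other users' profiles are readable. Hashing rather than executing keeps the sample inert; searching VirusTotal by hash first also avoids publishing a file that may contain data specific to your environment.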

Thomas K

I just checked Threat expert for that file name, and nothing comes up. As Brian stated, submit the file for analysis ASAP.

You can see the following thread for helpful information on removing threats - https://www-secure.symantec.com/connect/forums/you...


BYIT

Thanks,


So unfortunately it was not possible to catch the file; I checked on two machines and the file wasn't in this location.


.Brian

Check your AV risk log, perhaps it was caught and cleaned.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

BYIT

No entry in the risk log about "mor.exe". But a couple of machines had a newly detected infection of "Trojan.Zeroaccess.B" in the file system.

So first the Network Threat Protection detected Trojan Kazy Activity, and after this Trojan.Zeroaccess.B was detected in the file system on a couple of those machines.

My feeling is not so good about this behaviour. How could those machines get infected, if the first threat was detected and blocked by Endpoint Protection?
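The sequence described in this post (an IPS alert on SID 24250, then a Trojan.Zeroaccess.B file detection on the same host some hours later) is easier to confirm from an exported log than by eye, and per-host timing is what separates "the block held" from "something else got through". The following is an added example, not code from the thread or from Symantec: a Python script that correlates the two event types per host and classifies each host. The log layout ("timestamp,host,source,message"), the host names and the timestamps are constructed for this example; a real SEP export has a different column set, so only the parser would need adapting.

```python
from datetime import datetime, timedelta

# Constructed sample export for this example (not a real SEP log format):
# "timestamp,host,source,message", one event per line. NTP = Network Threat
# Protection (IPS) events, AV = file-system risk log events.
SAMPLE_LOG = """\
2012-07-01 09:12:03,WS-017,NTP,[SID: 24250] System Infected: Trojan Kazy Activity detected
2012-07-01 09:12:04,WS-017,NTP,[SID: 24250] System Infected: Trojan Kazy Activity detected
2012-07-01 13:40:51,WS-017,AV,Risk found: Trojan.Zeroaccess.B
2012-07-02 08:05:17,WS-022,NTP,[SID: 24250] System Infected: Trojan Kazy Activity detected
2012-07-02 10:30:00,WS-031,AV,Risk found: Trojan.Zeroaccess.B
2012-06-25 16:20:41,WS-045,NTP,[SID: 24250] System Infected: Trojan Kazy Activity detected
2012-07-03 07:55:09,WS-045,AV,Risk found: Trojan.Zeroaccess.B
"""

IPS_MARKER = "[SID: 24250]"          # the signature from the thread
AV_MARKER = "Trojan.Zeroaccess.B"    # the follow-on file detection from the thread


def parse_events(text):
    """Parse the constructed export into (timestamp, host, source, message) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, source, message = line.split(",", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, source, message))
    return events


def correlate(events, window=timedelta(hours=48)):
    """Per host: first IPS hit, first AV hit, gap in seconds, and a verdict.

    Verdicts:
      ips-then-av       AV detection followed the IPS alert within `window`
                        (the block did not stop a later stage on that host)
      ips-then-av-late  AV detection came after `window`; likely a separate event
      av-before-ips     host was already infected when the IPS alert fired
      ips-only          IPS blocked traffic, nothing found on disk so far
      av-only           file detection without any IPS alert for this host
    """
    first_ips, first_av = {}, {}
    for ts, host, source, message in events:
        if source == "NTP" and IPS_MARKER in message:
            first_ips[host] = min(ts, first_ips.get(host, ts))
        elif source == "AV" and AV_MARKER in message:
            first_av[host] = min(ts, first_av.get(host, ts))

    result = {}
    for host in sorted(set(first_ips) | set(first_av)):
        ips, av = first_ips.get(host), first_av.get(host)
        if ips and av:
            delta = av - ips
            if delta < timedelta(0):
                verdict = "av-before-ips"
            elif delta <= window:
                verdict = "ips-then-av"
            else:
                verdict = "ips-then-av-late"
            seconds = int(delta.total_seconds())
        else:
            verdict = "ips-only" if ips else "av-only"
            seconds = None
        result[host] = {"ips_first": ips, "av_first": av, "delta_s": seconds, "verdict": verdict}
    return result


def hosts_with_verdict(result, verdict):
    """Convenience filter, e.g. the hosts that need a rootkit clean-up, not just a scan."""
    return [host for host, record in result.items() if record["verdict"] == verdict]


if __name__ == "__main__":
    summary = correlate(parse_events(SAMPLE_LOG))
    for host, record in summary.items():
        print(f"{host:8} {record['verdict']:18} ips_first={record['ips_first']} "
              f"av_first={record['av_first']} delta_s={record['delta_s']}")
```

Hosts in the "ips-then-av" bucket are the ones that match BYIT's observation: the IPS signature fires on the exploit-kit traffic it recognises, but a payload delivered another way (or one the signature does not cover) can still land on disk afterwards, so those hosts need the Zeroaccess removal and a patch-level review rather than only a rescan.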


Mithun Sanghavi

Hello,

Obviously, there are many ways the machines could get infected.

What I could see is that the machines are not completely patched with Latest Microsoft (MS) Security Patches.

Are your machines patched with updated MS security patches and service packs?

I would request you to make sure that all the machines are patched with all MS security patches and service packs.

For Trojan.Zeroaccess.B, you could run the Removal Tool available on: 

http://www.symantec.com/security_response/writeup.jsp?docid=2011-122300-3915-99

http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99

You could also run the Microsoft Baseline Security Analyzer to identify missing security updates and common security misconfigurations.

http://www.microsoft.com/en-us/download/details.aspx?id=7558

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

BYIT


Hi,


Of course, there are many ways to get infected - agreed.

But the exact same behaviour (1. Trojan Kazy activity >> 2. Trojan.Zeroaccess) showed on a couple of machines. Because of this, my feeling grows that something orchestrated is going on here.

How would you know that those machines are not completely patched?

Mithun Sanghavi

Hello,

I see that both of these threats exploit vulnerabilities to get onto the machines.


Trojan Kazy: http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24250

Trojan Kazy uses exploits from the Blackhole toolkit that may compromise a computer through various vendor vulnerabilities.

Secondly, Trojan.Zeroaccess.B is a Trojan horse that uses an advanced rootkit to hide itself. It can also create a hidden file system, download more malware, and open a back door on the compromised computer. The behavior of this threat on 32-bit computers is almost identical to Trojan.Zeroaccess.

Read the Patch operating system and software section under: http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2

It reads: This threat is known to be spread through the Blackhole Exploit Toolkit and the Bleeding Life Toolkit, which exploit certain vulnerabilities. Installation of the following patches will reduce the risk to your computer:

The points above clearly indicate that these threats may have exploited vulnerabilities in the OS.

You could also run the Microsoft Baseline Security Analyzer to identify missing security updates and common security misconfigurations.

http://www.microsoft.com/en-us/download/details.aspx?id=7558

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
BYIT

Hi Mithun,

thanks for this information - they are really helpful!!!

One last question (maybe not the best, but I must ask this):

If I read the information below - why are machines getting infected, when Endpoint Protection is in place?

"The good news is that Symantec customers are protected from this attack. Symantec IPS and AV engines have generic detections for BlackHole's traffic, exploits, Trojans, and the rogue application FakeAV."

Source: https://www-secure.symantec.com/connect/blogs/blackhole-theory

Mithun Sanghavi

Hello,

Yes, in your case that holds true.

It is essential that you use not just AV, but PTP and especially NTP for Intrusion Prevention (IPS). Code on fake AV programs and malware changes multiple times a day. AV detections are, for the most part, code-based, i.e. reactive (and I mean all traditional AV protection). IPS is proactive--looking for traffic patterns regardless of code.

Ensure all plugins that tie into Internet Explorer are updated (Quicktime, Adobe Flash / Reader, Java, etc). Make sure all critical system patches are applied.

Symantec Endpoint Protection – Security Best Practices for Stopping malware and other Threats

http://www.symantec.com/theme.jsp?themeid=stopping_malware

Best practices for troubleshooting viruses on a network

http://www.symantec.com/business/support/index?page=content&id=TECH122466

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

cus000

Also, patching needs to be done not only on Windows... I bet they like Java and Adobe as well.


IMO it's always a game of cat and mouse in the AV world... nobody dares to guarantee 100%.