Endpoint Protection

  • 1.  Suspicious.vundo.2

    Posted Dec 01, 2010 02:54 PM

    We are getting hit with this virus. It is going to the quarantine folder but it seems to replicate itself and shut down the Internet Explorer browser, saying it needs a reboot. We have the latest definitions and a scan was run.



  • 2.  RE: Suspicious.vundo.2

    Posted Dec 01, 2010 03:01 PM

    Try going into Safe mode and scanning.

    The Power Eraser is a good tool to use to remove these hard-to-find threats.

    http://www.symantec.com/business/support/index?page=content&id=TECH134803&locale=en_US

     

    The SERT is another good tool - http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

     

    If possible submit the suspected file to Symantec or Threat Expert for analysis.

    http://www.symantec.com/business/support/index?page=content&id=TECH102419&locale=en_US

    http://www.threatexpert.com/submit.aspx

    Moving this thread to the Endpoint forum for better visibility.

    Thomas



  • 3.  RE: Suspicious.vundo.2

    Posted Dec 01, 2010 04:15 PM

    If there is a Vundo then there might be a rootkit as well which is not getting detected and is downloading other threats or the same threat that is getting detected.

    So you will have to find out the main culprit file.

    Empty Temp Internet files and %temp% folder.

    Also run a full scan in safe mode with updated Rapid Release definitions.



  • 4.  RE: Suspicious.vundo.2

    Posted Dec 01, 2010 05:13 PM

    Hello,

    Can you log your internet traffic? Check your computer's connection with the internet for downloads of other trojans.

    Best Regards.

    Fatih



  • 5.  RE: Suspicious.vundo.2

    Posted Dec 10, 2010 11:56 AM

    Thanks for your help



  • 6.  RE: Suspicious.vundo.2

    Posted Dec 10, 2010 12:00 PM

    If you want to run the SEP Support Tool with the Loadpoint Analysis option I can check it. Please be aware this will print out some directory listings of what is on the machine for others to view.

    ftp://ftp.symantec.com/public/english_us_canada/products/symantec_endpoint_protection/SEPDIAG/Sep_SupportTool.exe



  • 7.  RE: Suspicious.vundo.2

    Posted Dec 11, 2010 03:46 PM

    Bradog,

    First of all, isolate infected machines from the rest of the network. Then use the SERT tool as advised above and apply all Microsoft patches and updates. Rescan the machine to make sure it is clear.



  • 8.  RE: Suspicious.vundo.2

    Posted Dec 30, 2010 01:19 PM

    Yeah, it's kind of hard to isolate when half of your network has the Vundo. It subsided but a couple will show back up and then fix itself. Today we are seeing a huge spike in the PCs (800) quarantining the Vundo. Keeps coming back in some sort of fashion.



  • 9.  RE: Suspicious.vundo.2

    Posted Dec 30, 2010 11:39 PM

    Suspicious.Vundo.2 - Removal

    http://www.symantec.com/security_response/writeup.jsp?docid=2009-040110-5259-99&tabid=3