Endpoint Protection


System Security 2009 not being detected by SEP11 MR4

  • 1.  System Security 2009 not being detected by SEP11 MR4

    Posted Apr 06, 2009 02:22 PM
    1. Submitted Symantec Security Response Automation: Tracking #10534272

    AV def: Monday, April 06, 2009 r3
    PTP def: Friday, April 03, 2009 r19
    NTP def: Friday, March 13, 2009 r1

    2. I don't want to clean it with a different product, that's not going to help Symantec get this file detected and cleaned.  What tool from Symantec can I use to clean this?   I've run the downadup cleanup tool and it found nothing, so I don't think it is conficker. 

    3. Virus Total Results

    File 429363609.exe received on 04.06.2009 19:24:52 (CET)
    Current status:     finished  
    Result: 6/40 (15%)
    Antivirus    Version    Last Update    Result
    a-squared    4.0.0.101    2009.04.06    -
    AhnLab-V3    5.0.0.2    2009.04.06    -
    AntiVir    7.9.0.138    2009.04.06    ADSPY/AdSpy.Gen
    Antiy-AVL    2.0.3.1    2009.04.06    -
    Authentium    5.1.2.4    2009.04.06    -
    Avast    4.8.1335.0    2009.04.06    -
    AVG    8.5.0.285    2009.04.06    Win32/Heur
    BitDefender    7.2    2009.04.06    -
    CAT-QuickHeal    10.00    2009.04.06    (Suspicious) - DNAScan
    ClamAV    0.94.1    2009.04.06    -
    Comodo    1101    2009.04.06    -
    DrWeb    4.44.0.09170    2009.04.06    -
    eSafe    7.0.17.0    2009.04.06    -
    eTrust-Vet    31.6.6435    2009.04.03    -
    F-Prot    4.4.4.56    2009.04.05    -
    F-Secure    8.0.14470.0    2009.04.06    -
    Fortinet    3.117.0.0    2009.04.06    -
    GData    19    2009.04.06    -
    Ikarus    T3.1.1.49.0    2009.04.06    -
    K7AntiVirus    7.10.694    2009.04.06    -
    Kaspersky    7.0.0.125    2009.04.06    -
    McAfee    5576    2009.04.06    -
    McAfee+Artemis    5576    2009.04.06    -
    McAfee-GW-Edition    6.7.6    2009.04.06    Ad-Spyware.AdSpy.Gen
    Microsoft    1.4502    2009.04.06    Program:Win32/Winwebsec
    NOD32    3990    2009.04.06    -
    Norman    6.00.06    2009.04.06    -
    nProtect    2009.1.8.0    2009.04.06    -
    Panda    10.0.0.14    2009.04.06    -
    PCTools    4.4.2.0    2009.04.06    -
    Prevx1    V2    2009.04.06    -
    Rising    21.23.41.00    2009.04.03    -
    Sophos    4.40.0    2009.04.06    Mal/FakeAV-AK
    Sunbelt    3.2.1858.2    2009.04.06    -
    Symantec    1.4.4.12    2009.04.06    -
    TheHacker    6.3.4.0.302    2009.04.06    -
    TrendMicro    8.700.0.1004    2009.04.06    -
    VBA32    3.12.10.2    2009.04.06    -
    ViRobot    2009.4.6.1680    2009.04.06    -
    VirusBuster    4.6.5.0    2009.04.06    -
    Additional information
    File size: 340030 bytes
    MD5...: 8dbc47ab69f61dda416734006c7dbe56
    SHA1..: 09471e50e0442071d30d1a3d30b0891eeaf979f4
    SHA256: a95268cfc59097d1a7fcfabc58de6909838e33454f994a8ae2a94d8ab20bfeda
    SHA512: c8621f5e8104346b4b01c10a8ac277e9eead17e8723b450fc3b40d1a9d5c4e1937d82f2e04abc05218d73d64fbe04710973b345dc4450bfe3804309915153eba
    ssdeep: 6144:DWQ4D/2yc4iJ0LenTS9TG+KUmiCP/3SzkOcaA7LaNAYmlJDyiuBFbIHJi8:yQUrcqeT2rKU9CX3SAFaAyuh5yiL
    PEiD..: -
    TrID..: File type identification
    Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x12be
    timedatestamp.....: 0x42fc7812 (Fri Aug 12 10:21:06 2005)
    machinetype.......: 0x14c (I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x11b75 0x11c00 7.98 e2103ef5aac4f0fffcafeaf4bc1d1805
    .data 0x13000 0x5255c 0x3cc00 7.97 0d15ff97a3d98db6d5286d7ad68a580b
    .idata 0x66000 0x614 0x800 4.04 981d443ffc7e8c63ec720251d5aeb1be
    .rsrc 0x67000 0x38000 0x3c00 4.67 c6370896933a2d66eca33181af55b5ef

    ( 3 imports )
    > KERNEL32.DLL: IsBadCodePtr, ResetEvent, GetCommandLineA, SetHandleInformation, VirtualProtect, CloseHandle, GetMailslotInfo, SetProcessWorkingSetSize, GetDiskFreeSpaceExA, TerminateProcess, VirtualQuery, GetProfileStringA, Module32First, FindNextFileA, LCMapStringA, GetDevicePowerState, CreateFileW, WriteFile, OutputDebugStringA, CreateFileA, CreateMailslotA, SetConsoleCtrlHandler, GetCommMask, BuildCommDCBA
    > ADVAPI32.DLL: ClearEventLogA, GetOldestEventLogRecord, CryptContextAddRef, GetMultipleTrusteeOperationA, GetAccessPermissionsForObjectW, OpenSCManagerA, CreateProcessAsUserA, CreateProcessAsUserW, CryptReleaseContext, LookupPrivilegeDisplayNameW, GetServiceKeyNameA, SetFileSecurityA, SetEntriesInAuditListA, CryptGetKeyParam, BuildSecurityDescriptorW, RegUnLoadKeyW, BackupEventLogW, AddAccessDeniedAce
    > USER32.DLL: UnregisterClassW, UnregisterDeviceNotification, GetMenuContextHelpId, GetMessageTime, SendMessageCallbackA, TrackPopupMenu, ChangeDisplaySettingsExA, ChangeClipboardChain, DdeQueryNextServer, RegisterLogonProcess, DdeEnableCallback, LoadAcceleratorsA, GetWindowContextHelpId, DrawAnimatedRects, EnumDisplayMonitors



  • 2.  RE: System Security 2009 not being detected by SEP11 MR4

    Posted Apr 06, 2009 02:29 PM
    - It appears that Symantec has closed this case. Would a Symantec employee have this re-opened? It is definitely fake AV software at the least.
       
    This message is an automatically generated reply.  This system is designed to analyze and process virus submissions into the Symantec Security Response and cannot accept correspondence or inquiries.
    Please contact your Technical Support representative if more detailed information about your submission is required.  Do not reply to this message.

    Below is a status update on your virus submission:

    Date: April 6, 2009

    We have analyzed your submission.  The following is a report of our findings for each file you have submitted:

    filename:  C:\Documents and Settings\All Users\Application Data\429363609.zip
    machine: Machine
    result: See the developer notes

    filename: 429363609.glu
    machine: Machine
    result: See the developer notes

    filename: 429363609.exe
    machine: Machine
    result: See the developer notes

    filename: pc429363609ins
    machine: Machine
    result: This file is clean

    filename: pc429363609cnf
    machine: Machine
    result: See the developer notes

    Customer notes:
    This is acting like fake AV software.


    Developer notes:
     C:\Documents and Settings\All Users\Application Data\429363609.zip is a container file of type  ZIP
    429363609.glu is not malicious.  This file is contained by   C:\Documents and Settings\All Users\Application Data\429363609.zip
    429363609.exe Our automation was unable to identify any malicious content in this submission.
     The file will be stored for further human analysis  This file is contained by   C:\Documents and Settings\All Users\Application Data\429363609.zip
    pc429363609ins  is a clean file.  This file is contained by   C:\Documents and Settings\All Users\Application Data\429363609.zip
    pc429363609cnf Our automation was unable to identify any malicious content in this submission.
     The file will be stored for further human analysis  This file is contained by   C:\Documents and Settings\All Users\Application Data\429363609.zip




    Should you have any questions about your submission, please contact your regional technical support from the Symantec website and give them the tracking number in the subject of this message.

    -----------------------------------------------------------------------
    This message was generated by Symantec Security Response automation.

    For USA:
    For electronic support options, Symantec provides On-Line Services at http://www.symantec.com/techsupp/



  • 3.  RE: System Security 2009 not being detected by SEP11 MR4
    Best Answer

    Broadcom Employee
    Posted Apr 06, 2009 04:19 PM
    Hello Tekkid,

    I checked out your submission and it appears it was submitted in the "Retail" queue. In order to provide you with your entitled support please ensure you use the correct link when submitting files for us to review:

    https://submit.symantec.com/basic
    https://submit.symantec.com/gold
    https://submit.symantec.com/essential
    https://submit.symantec.com/platinum
    https://submit.symantec.com/bcs

    If you want to give us a call and open up a case then I'm sure one of us would be glad to have your submission pushed under the proper support, otherwise it may be easier for you to simply re-submit the file under the correct link that matches your support. (Do not use: https://submit.symantec.com/retail in the future.)

    Hope that helps!


  • 4.  RE: System Security 2009 not being detected by SEP11 MR4

    Posted Apr 06, 2009 04:42 PM
    I have submitted via the gold method.  I've also created case #320-184-780.


  • 5.  RE: System Security 2009 not being detected by SEP11 MR4

    Posted Apr 07, 2009 09:56 AM
    Rapid definitions were released for this threat and fixed the problem, thank you.


  • 6.  RE: System Security 2009 not being detected by SEP11 MR4

    Posted Apr 20, 2009 10:53 PM
    @ Tekkid

    Hi I have had an almost identical issue that you have experienced with a contact of mine

    I am providing telephone support for another contact re the issue

    I am highly interested in what the exact solution and details were in regard to the threat

    What was the threat (and its details)?
     
    How was the threat eventually contained, and what was the identification of the threat, i.e. what was it identified as?

    I fear I won't be the only person seeking the information, as this threat seems to have just occurred (released recently).

    My sincere thanks in advance if you are able to provide detailed info on the threat etc

    Kind regards


  • 7.  RE: System Security 2009 not being detected by SEP11 MR4

    Posted Apr 21, 2009 12:02 AM
    Tekkid,

    Let (me) us know if the issue was resolved, and what the solution was - there are probably others on the community who have experienced the same issue.  If it was not resolved, please send me a PM with current status of your case.  I will check into it if needed.

    Eric


  • 8.  RE: System Security 2009 not being detected by SEP11 MR4

    Posted May 26, 2009 11:42 PM
    I found the same trojan with the name "system security 2009". How do I get rid of it? Would it be as simple as deleting it in safe mode?


  • 9.  RE: System Security 2009 not being detected by SEP11 MR4

    Posted Jun 03, 2009 10:53 PM
    Sorry, everybody, I didn't track this thread very well.   I submitted the sample via the Gold Submit Link and received an update AV def within a few hours.  


  • 10.  RE: System Security 2009 not being detected by SEP11 MR4

    Posted Jun 10, 2009 03:01 PM
    Using the most recent release of Norton antivirus with the latest virus updates it did not detect System Security 2009.



  • 11.  RE: System Security 2009 not being detected by SEP11 MR4

    Posted Jun 17, 2009 05:13 PM
    I have Symantec Endpoint Protection on a computer that is not used very often.
    I went to the computer today and it is completely taken over by this System Security virus.
    It has rendered my computer completely useless.

    You cannot open up Symantec or Ctrl-Alt-Del or do any searches for anything to fix it.
    In safe mode, Symantec does not find anything and it says that my online updater is not working correctly.

    You need to create some sort of fix for this virus for all your customers who can't even get into their computer anymore...

    help!


  • 12.  RE: System Security 2009 not being detected by SEP11 MR4

    Posted Jun 22, 2009 01:46 PM
    Here is what worked for me today for system security 2009 malware. Follow links below for fix and my notes under if you get stuck.

    http://www.bleepingcomputer.com/virus-removal/remove-security-2009

    http://remove-malware.net/how-to-remove-system-security-2009-rogue-anti-spyware/

    The key thing for me was to go to the last comment on the 2nd link as below:

    1. If you locate the file with the shield icon in your system, usually in the C:/program data\ folder. You can rename the System Security folder and program to 2222. This will interrupt its pathways for running when you reboot the PC. As a result you will then be able to download and use removal programs or manually remove it. This was how I solved not being able to run any exe files for removing it or going to the CMD or Taskmgr.

    I actually found the culprit folder (as suggested in another link) in C:\Documents and Settings\All Users\Application Data. It will be the only folder in this location that consists of a folder with numbers (in this instance 15281094, but there are reports of several other numbers, the key thing being it is the only numbered folder in Application Data). Within this folder you will see the exe, which will have the same shield icon with diagonal stripes as the System Security malware, to confirm you have the right folder. Also just to note, you may have to show hidden files and folders in order to see the Application Data folder.
    After you rename the folder and the exe you just need to log off the pc and when you log back in you can then use CTRL, ALT and delete, task manager, searches etc. I then manually deleted files, folder and registry settings as per the 2nd link and followed it up by installing malwarebytes as per 1st link which removed the malware and a trojan which helped get it on to the pc in the 1st place by taking over internet explorer. I'm not a sys admin expert but it worked for me so should work for most! Good luck it drove me mad for half a day and I'm wondering how it got past Symantec which was running on that particular pc!
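
The two indicators the thread actually gives a responder are the file hashes of 429363609.exe in the VirusTotal report in post 1 and, in post 12, the layout of the dropped files: a folder whose name is only digits, sitting directly under All Users\Application Data (or ProgramData), holding an .exe. The script below is an added triage example written for this thread; it is not code from the thread, from Symantec, or from the linked removal guides. It walks a list of candidate root folders, reports every all-numeric folder that contains an .exe, hashes those files, and flags any whose MD5, SHA1 or SHA256 equals one of the hashes posted in the thread. It only reports; it does not rename or delete anything, so it can be run before a sample is submitted. The Windows paths in DEFAULT_ROOTS and the constructed sample tree (the folder number 15281094 is taken from post 12, the file contents are made up) are assumptions for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hashes of 429363609.exe exactly as listed in the VirusTotal report in post 1.
KNOWN_BAD = {
    "md5": "8dbc47ab69f61dda416734006c7dbe56",
    "sha1": "09471e50e0442071d30d1a3d30b0891eeaf979f4",
    "sha256": "a95268cfc59097d1a7fcfabc58de6909838e33454f994a8ae2a94d8ab20bfeda",
}

# Drop locations named in the thread (XP-era "All Users\Application Data"
# and the ProgramData path mentioned in post 12). Assumed defaults only;
# scan_roots() takes an explicit list so it can be pointed at any tree.
DEFAULT_ROOTS = [
    r"C:\Documents and Settings\All Users\Application Data",
    r"C:\ProgramData",
]

# Post 12: the dropped folder is "the only numbered folder in application data".
NUMERIC_NAME = re.compile(r"^\d+$")


def file_hashes(path):
    """Return md5/sha1/sha256 hex digests of a file, reading it in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def matches_known_bad(hashes):
    """True when any digest equals one of the hashes posted in the thread."""
    return any(hashes.get(k) == v for k, v in KNOWN_BAD.items())


def scan_roots(roots):
    """Report all-numeric folders directly under each root that contain an .exe.

    Each finding records the folder, the .exe paths found in it, and whether
    any of those files hash-matches the thread's indicators. Folders with no
    .exe and non-numeric folders (normal vendor folders) are skipped.
    """
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for entry in root.iterdir():
            if not (entry.is_dir() and NUMERIC_NAME.match(entry.name)):
                continue
            exes = [p for p in entry.iterdir() if p.is_file() and p.suffix.lower() == ".exe"]
            if not exes:
                continue
            hashed = {str(p): file_hashes(p) for p in exes}
            findings.append({
                "folder": str(entry),
                "exes": sorted(hashed),
                "known_bad": any(matches_known_bad(h) for h in hashed.values()),
            })
    return findings


def build_sample_tree(base):
    """Construct a throwaway tree shaped like the layout described in post 12.

    One numeric folder holds a constructed stand-in for the fake-AV .exe
    (not the real binary, so it will not hash-match); one ordinary vendor
    folder is present to show that it is not reported.
    """
    base = Path(base)
    (base / "15281094").mkdir(parents=True)
    (base / "15281094" / "15281094.exe").write_bytes(b"MZ constructed sample, not the real binary")
    (base / "Symantec").mkdir()
    (base / "Symantec" / "readme.txt").write_text("ordinary vendor folder, not a candidate")
    return str(base)


def demo():
    """Run the scan over a constructed temporary tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_roots([build_sample_tree(tmp)])


if __name__ == "__main__":
    # Against a real machine you would pass DEFAULT_ROOTS instead of the sample tree.
    for finding in demo():
        verdict = "MATCHES POSTED HASH" if finding["known_bad"] else "no hash match; submit for analysis"
        print(finding["folder"], finding["exes"], verdict)
```

A folder that is reported but does not hash-match is the normal case for a repacked variant (post 10 and post 11 describe exactly that), which is why the script keeps the hashes of every candidate: those are what you attach to the submission so that the definitions can be updated, as happened in post 5.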