Endpoint Protection

Threat Submitted. No response yet from Symantec.

  • 1.  Threat Submitted. No response yet from Symantec.

    Posted Jul 08, 2009 06:43 AM
    Hello team,

    We had submitted a Threat sample a couple of days back. The tracking number is #11716725. Can anyone check and let me know the status? The problem is Critical to my network now.


  • 2.  RE: Threat Submitted. No response yet from Symantec.

    Posted Jul 08, 2009 06:57 AM
    Hi,

    it is still under analysis.

    Regards,



  • 3.  RE: Threat Submitted. No response yet from Symantec.

    Posted Jul 08, 2009 07:05 AM
    May I know the file name involved in the threat? Thanks.


  • 4.  RE: Threat Submitted. No response yet from Symantec.

    Posted Jul 08, 2009 07:17 AM
    @pslakshminarasimha, did you use the regular web support submission or as per your contract? For gold, the ideal turnaround time is 24-48 hours and for BCS, 2-4 hours.


  • 5.  RE: Threat Submitted. No response yet from Symantec.

    Posted Jul 08, 2009 07:21 AM
    Can you check the support type you have? As said by Sandeep, Gold takes 24-48 to reply whereas Basic takes 2-4 days of time. Now check when you submitted and what your support type is.

    Ajit


  • 6.  RE: Threat Submitted. No response yet from Symantec.

    Posted Jul 08, 2009 07:42 AM
    In case of emergency you should call our Support to get possible suggestions to reduce the emergency and monitor the sample analysis.

    Regards,



  • 7.  RE: Threat Submitted. No response yet from Symantec.

    Posted Jul 08, 2009 07:50 AM
    Hi,

    The file name uploaded is SCVHOSTS.EXE.

    The file was uploaded approx. 51 hours ago. I haven't received an update from the engineer who was assigned to the ticket. To get an update I had to call Symantec and wait in the queue for 70 min, and the next engineer would say you would get a call in 30 min from the assigned engineer. :)

    This is the process which is looping for a long time.

    Let me know if you require more details



  • 9.  RE: Threat Submitted. No response yet from Symantec.

    Posted Jul 08, 2009 09:46 AM
    https://submit.symantec.com/gold /basic /retail ?? 


  • 11.  RE: Threat Submitted. No response yet from Symantec.

    Posted Jul 08, 2009 10:25 AM
    In some antivirus they are detected as W32/YahLover.Worm.gen from McAfee Antivirus and Win32/Autorun.R.worm from NOD32.

    This virus installs itself on your PC by using its INF file, autorun.inf. The autorun.inf file has a script that triggers execution of SCVHOST.EXE. This mostly occurs on a removable disk, as you will notice that there is an Autoplay option instead of Open. Once you double-click the drive or removable disk, autorun.inf runs its script, which triggers execution of SCVHOST.EXE and spreads it onto your system. It also copies itself through all your shared folder directories and onto your computers throughout the network, and runs itself in the registry entries remotely using a GUEST account (through System:Remote).

    Symptoms:

    * When pressing Ctrl+Alt+Del, it blocks the Task Manager from launching.
    * It blocks the Registry Editor.
    * When you try to go to the command prompt (CMD), it restarts the computer.
    * The shared folders will duplicate themselves to different locations of. The duplicated virus uses a FOLDER icon with an .exe file extension. The configuration of your Yahoo Messenger has been changed.

    How to Remove It

    OK, here we go. Follow these steps to remove this virus manually:

    * Restart your PC, press F8, and select the option Safe Mode Command Prompt Only
    * After you log in to the command prompt, you must log in as Administrator.
    * Type cd C:\windows\system32
    * Type dir /ah to display all hidden files in this directory. You will see the following files, which are used by the virus to spread itself: AUTORUN.INI, BLASTCLNNN.EXE, and SCVHOST.EXE
    * Type ATTRIB -H -R -S SCVHOST.EXE
    * Type ATTRIB -H -R -S BLASTCLNNN.EXE
    * Type ATTRIB -H -R -S AUTORUN.INI
    * Type DEL SCVHOST.EXE
    * Type DEL BLASTCLNNN.EXE
    * Type DEL AUTORUN.INI
    * Type CD\
    * Type ATTRIB -H -R -S AUTORUN.INF
    * Type DEL AUTORUN.INF

    You are almost done. Reboot your PC; you may sit back and relax.. :) while loading...

    Go to the Start Menu, click Run, and type the REGEDIT command. Take note, guys: before making any changes in your Registry Editor, you must make a full backup of your registry to avoid system errors. :)

    Look at the location entry:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If you see an entry Yahoo! Messengger (it’s spelled like this) with a value c:\windows\system32\scvhost.exe, delete this entry.

    Look at the location entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, in the entry named SHELL, with a value = Explorer.exe,SCVHOST.EXE. Edit this value: delete the SCVHOST.EXE only, and the value must be Explorer.exe. Once you delete all of this value, your computer will not log in anymore.

    OK, we are now done. Please restart your PC now and enjoy!!! Thank you, and I hope these tips will help everyone. Just post your comments about this problem.

    Source: http://guideandtips.blogspot.com/2008/03/how-to-remove-scvhostexe-scvhostsexe.html
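
The persistence points named in the quoted guide (the Run value, the Winlogon Shell value, and autorun.inf) can be checked offline against exported data. The following is an added example, not part of the original post or of any Symantec tool; the function names and the sample export text are constructed for illustration, and the input is assumed to be already decoded to text.

```python
import re
# Constructed samples (not from a real host): a `reg export`-style fragment
# and an autorun.inf, modelled on the entries the quoted guide describes.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Messengger"="c:\\windows\\system32\\scvhost.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe,SCVHOST.EXE"
'''
SAMPLE_INF = "[autorun]\nopen=SCVHOST.EXE\nshell\\open\\command=SCVHOST.EXE\n"
# File names mentioned in the thread; extend per incident.
SUSPECT_NAMES = {"scvhost.exe", "scvhosts.exe", "blastclnnn.exe"}

def parse_reg(text):
    """Yield (key, value_name, data) for string values in .reg-style text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"(.*?)"="(.*)"$', line)
        if m and key:
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def audit_registry(text):
    """Flag Run values naming a suspect file and any Winlogon Shell extras."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(r"\currentversion\winlogon") and name.lower() == "shell":
            # Anything in Shell besides Explorer.exe runs at every logon.
            extra = [p.strip() for p in data.split(",")
                     if p.strip() and p.strip().lower() != "explorer.exe"]
            if extra:
                findings.append(("winlogon-shell", name, ",".join(extra)))
        elif k.endswith(r"\currentversion\run"):
            tail = re.split(r"[\\/]", data)[-1].split() or [""]
            if tail[0].strip('"').lower() in SUSPECT_NAMES:
                findings.append(("run-key", name, data))
    return findings

def audit_autorun(text):
    """Return autorun.inf entries that launch a program when the drive opens."""
    hits = []
    for line in text.splitlines():
        k, sep, v = line.partition("=")
        k = k.strip().lower()
        if sep and (k in ("open", "shellexecute") or k.endswith("\\command")):
            hits.append((k, v.strip()))
    return hits
```

A Winlogon finding reports only the extra components, which matches the guide's instruction to remove SCVHOST.EXE and leave Explorer.exe in place.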


  • 12.  RE: Threat Submitted. No response yet from Symantec.

    Posted Jul 08, 2009 05:46 PM
    I just checked on your submission, and the file is still under investigation by the SR team.
    Keep watching your email for a reply from the Security Response Team.

    Regards,
    Thomas





  • 13.  RE: Threat Submitted. No response yet from Symantec.

    Posted Jul 09, 2009 09:14 AM
    Hello People,

    Is there an update from the SR team? Could you update me?


  • 14.  RE: Threat Submitted. No response yet from Symantec.
    Best Answer

    Posted Jul 09, 2009 10:21 AM
    Hello,

    You should have received a notification from SR. If not, please PM me ASAP.

    filename: scvhosts.exe
    result: This file is detected as W32.IRCBot. http://www.symantec.com/avcenter/venc/data/w32.ircbot.html


    Thomas


  • 15.  RE: Threat Submitted. No response yet from Symantec.

    Posted Jul 10, 2009 03:52 PM
    Hello pslakshminarasimha,

    Did the response team get back to you? Please give us an update when you have a moment. Let me know if there is anything else we can do.

    Best regards,
    Thomas



  • 16.  RE: Threat Submitted. No response yet from Symantec.

    Posted Jul 13, 2009 07:32 AM
    I think they have got the new definitions for it. I spoke to him about the issue, @Cycletech...I will mark your last post as the solution.