Video Screencast Help

Threat Submitted. No response yet from Symantec.

Created: 08 Jul 2009 • Updated: 21 May 2010 | 15 comments
This issue has been solved. See solution.

Hello team,

We had submitted a Threat sample a acouple of days back. The tracking number is #11716725. Can anyone check and let me know the status. The problem is Critical to my network now.

Comments 15 CommentsJump to latest comment

Beppe's picture

Hi,

it is still under analysis.

Regards,

Regards,

Giuseppe

mon_raralio's picture

May I know the file name involved in the threat. Thanks.

“Your most unhappy customers are your greatest source of learning.”

Sandeep Cheema's picture

@pslakshminarasimha, Did you use the regular web support submission or as per your contract ? For gold, the ideal turn around time is 24-48 hours and for BCS, 2-4 hours

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

Ajit Jha's picture

can u check the Support type u are having?As said by sandeep Gold takes 24-48 to reply wheresas Basic take 2-4 days of time.  Now check when did u submitted and what is ur suport type.

Ajit

Regard's

Ajit Jha

Technical Consultant

ASC & STS

Beppe's picture

In case of emergency you should call our Support to get possible suggestions to reduce the emergency and monitor the sample analysis.

Regards,

Regards,

Giuseppe

pslakshminarasimha's picture

Hi,

'The file name uploaded is SCVHOSTS.EXE.

The file was uploaded app 51 Hours Ago. I haven't received an update from the engineer who was assigned to the ticket. For getting an update i had to call SYmantec and wait on the queue for 70 min and the next engineer would say you would get a call in 30 min from the assigned engineer. :)

This is the process which is looping for a long time.

Let me know if you require more details

pslakshminarasimha's picture

Hi,

'The file name uploaded is SCVHOSTS.EXE.

The file was uploaded app 51 Hours Ago. I haven't received an update from the engineer who was assigned to the ticket. For getting an update i had to call Symantec and wait on the queue for 70 min and the next engineer would say you would get a call in 30 min from the assigned engineer. :)

This is the process which is looping for a long time.

Let me know if you require more details

Vikram Kumar-SAV to SEP's picture

https://submit.symantec.com/gold /basic /retail ?? 

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

mon_raralio's picture

If that's the file in question. You may want to look into these links:

http://www.symantec.com/security_response/writeup....

http://www.symantec.com/security_response/writeup....

“Your most unhappy customers are your greatest source of learning.”

mon_raralio's picture

n some antivirus they are detected as W32/YahLover.Worm.gen from McAfee Antivirus and Win32/Autorun.R.worm from NOD32.

This virus will installs itself into your PC by using its INF file autorun.inf. The Autorun.inf file has an scripts that will trigger to execute the SCVHOST.EXE. Mostly in a removable disk is this occurred as you noticed that there is an Autoplay instead of Open. Once you double click the drive or removable disk, the autorun.inf run its scripts that this will trigger to execute the SCVHOST.EXE and spreading itself unto your system. It also copies itself through all your shared folders directories and on your computers throughout the network and run itself in the registry entries remotely using a GUEST account (through System:Remote).

Symptoms:

* When pressing Ctrl+Alt+Del it blocks to launch the Task Manager
* It blocks the Registry Editor.
* When you try to go to the command prompt CMD, it will restarts the computer.
* The shared folders will duplicates itself to different locations of. The duplicated virus uses a FOLDER icon with an .exe file extension. The configuration of your Yahoo Messenger has been changed.

How to Remove It

OK here we go, you must follow this step on how to remove this virus in manually method:

* Restart your PC and press F8 and select the option Safe Mode Command Prompt Only
* And after you log-in the command prompt you must log-in as Administrator.
* Type cd C:\windows\system32
* Type dir /ah, to display all hidden files on this directory folder. You will see the following files which is used by the virus to spread itself: AUTORUN.INI, BLASTCLNNN.EXE, and SCVHOST.EXE
* Type ATTRIB -H -R -S SCVHOST.EXE
* Type ATTRIB -H -R -S BLASTCLNNN.EXE
* Type ATTRIB -H -R -S AUTORUN.INI
* Type DEL SCVHOST.EXE
* Type DEL BLASTCLNNNN.EXE
* Type DEL AUTORUN.INI
* Type CD\
* Type ATTRIB -H -R -S AUTORUN.INF
* Type DEL AUTORUN.INF

You are almost done, reboot your PC you may seat back and relax.. :) while loading...

Go Start Menu and click the Run and type the REGEDIT command. Take note guys before make any changes into your Registry Editor you must make a full back-up to your registry to avoid system errors. :)

Look the location entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, if you see an entry Yahoo! Messengger (it’s spelled like this) with a value c:\windows\system32\scvhost.exe, Delete this entry.

Look the location entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, in the entry named: SHELL, a value = Explorer.exe,SCVHOST.EXE. Edit this value, delete the SCVHOST.EXE only and the value must be Explorer.exe. Once you delete all this value, your computer will not login anymore.

OK we are now done.. Please Restart your PC now and Enjoy!!! Thank you and hope this tips will help for everyone..Just post your comments about this problem.

Source: http://guideandtips.blogspot.com/2008/03/how-to-re...

“Your most unhappy customers are your greatest source of learning.”

Thomas K's picture

I just checked on your submission, and the file is still under investegation by the SR team.
Keep watching your email for a reply from the Security Response Team.

Regards,
Thomas

pslakshminarasimha's picture

Hello People,

Is there an update from the SR team. Could you update me.

Thomas K's picture

Hello,

You should have received a notification from SR. If not, please PM me ASAP.

filename: scvhosts.exe
result: This file is detected as W32.IRCBot. http://www.symantec.com/avcenter/venc/data/w32.ircbot.html

Thomas

SOLUTION
Thomas K's picture

Hello pslakshminarasimha,

Did the response team get back to you? Please give us an update when you have a moment. Let me know if there is anything else we can do.

Best regards,
Thomas

Sandeep Cheema's picture

I think they have got the new definitions for it. I spoke to him about the issue, @Cycletech...I will mark your last post as the solution.

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"