
Trojan viknok Activity 3

Created: 04 Jun 2014 • Updated: 04 Jun 2014 | 11 comments

Hi folks,

I have a user running SEP 12.1 who is getting a pop-up message that he is infected with Trojan viknok Activity 3.  The message is SID:27601 Trojan.vidnok.activity 3 detected.


He ran a full scan, as well as a Malwarebytes Anti-Malware scan, and it found nothing.  Also downloaded and ran the SymHelp tool and it found nothing.  Is he infected, or are we seeing some kind of false positive?

Any advice on how to proceed?


.Brian:

Don't assume it's a false positive.

Is the traffic from an external source? If so, a malicious attempt to infect the machine is being blocked. The IPS is doing its job so no further action is needed.

Was the user browsing the Internet when it occurred?

http://www.symantec.com/security_response/attacksi...

This is a tricky piece of malware because it injects itself into a critical Windows file...but let's first start with the remote source.

If you want to lock this down quickly, use the firewall. Create two rules:

  1. Allow only 80/443 traffic from Internet Explorer
  2. Deny all other traffic over 80/443

This will point to the malicious executable trying to make requests....it's usually explorer.exe or dllhost.exe

A quick netstat -anob will also show processes making outbound calls

This is what I've seen with this particular malware.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rafeeq:

Might be a false positive, since Symantec detected it and you scanned with multiple AVs. You should be clean..

Michael Berryman:

Thanks for the replies, folks.  If it's clean, why would Symantec pop up that warning message about being infected?  The user is telling me Symantec is detecting it as I described, but did not quarantine or delete.  A manual deletion was not successful either.

Is there another tool to run to remove this?

.Brian:

Because it's not clean then...Symantec AV is not detecting it but the IPS (malicious network traffic) is.

Try another third-party tool such as HitmanPro

or do what I described with the firewall


Michael Berryman:

Thanks Brian, will try and report back.

OliverSantos:

Try using the Norton Power Eraser :
www.norton.com/npe

Run that in Safe Mode. It will detect the Trojan.VikNok.activity 3

After the scan it should prompt you with the Trojan.VikNok.activity 3 and on the other side it will say "Repair".
Just click on "Repair" and it will be fixed.

-ThehiTman
-Oliver

Oliver Saints ^^

Michael Berryman:

Oliver,

Thanks for the reply.  Other options have not fixed it yet, will try this and post back.

AshMelwani:

Gents, please look out for these kinds of Trojans; it is hard to find the source of infection.

The Rpcss.dll file is infected/patched and needs to be replaced, I found that out. I was able to get the sample and submitted it to Symantec. Also submitted it to virustotal.com and found that only 1 out of 54 antivirus engines is detecting it. Have also opened a ticket with Symantec for submission and detection.

Please take care. I used the SymHelp tool to detect and get the sample.

mjpsalm:

Just fixed this on a PC.  Continuous pop-ups (System Infected: Trojan.Viknok Activity 3 attack blocked).  Booted into Safe Mode w/Networking and launched Symantec Enterprise Protection (12.1.3001.165) so I could run a full scan. The GUI finally came up and the scan link was not available to select.  Downloaded the Norton Power Eraser Beta and it scanned and found the rpcss.dll as a problem. I chose to repair it and it removed it.  Rebooted and logged back in as the user and all seems fine so far....  The event logs read:

Log Name:      Application
Source:        Symantec Network Protection
Date:          6/18/2014 9:27:29 AM
Event ID:      400
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      PC04.smi.local
Description:
[SID: 27601] System Infected: Trojan.Viknok Activity 3 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE
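The event description above carries the three things an admin needs when triaging this alert: the signature ID, the threat name, and the blocked process, which in this thread was svchost.exe rather than a standalone malware file. The following Python is an added example, not code from the post or from Symantec; it parses the event line quoted above plus two constructed lines in the same format (the user-profile path is hypothetical) and flags whether the blocked process is a Windows system binary, the case where, as AshMelwani and mjpsalm found with rpcss.dll, the malicious code is a module loaded into a legitimate host process.

```python
import re
from collections import Counter

# Constructed sample: the event from the post above twice, plus a made-up
# line in the same format whose path is a hypothetical user-profile location.
SAMPLE_EVENTS = r"""
[SID: 27601] System Infected: Trojan.Viknok Activity 3 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE
[SID: 27601] System Infected: Trojan.Viknok Activity 3 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE
[SID: 27601] System Infected: Trojan.Viknok Activity 3 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME2\USERS\BOB\APPDATA\LOCAL\TEMP\UPDATER.EXE
""".strip().splitlines()

# Matches the "Symantec Network Protection" event ID 400 description text.
EVENT_RE = re.compile(
    r"\[SID: (?P<sid>\d+)\] System Infected: (?P<threat>.+?) attack blocked\. "
    r"Traffic has been blocked for this application: (?P<path>\S+)"
)

# Directories whose executables are legitimate Windows host processes; an IPS
# hit on one of these means a malicious module is running inside a trusted
# binary, so the fix is repairing/replacing the module, not deleting the host.
SYSTEM_DIRS = ("\\WINDOWS\\SYSTEM32\\", "\\WINDOWS\\SYSWOW64\\")


def parse_ips_event(description):
    """Return {'sid', 'threat', 'path'} for a blocked-traffic event, else None."""
    m = EVENT_RE.search(description)
    return m.groupdict() if m else None


def classify_blocked_process(path):
    """'system-hosted' for svchost.exe and friends (look for a patched DLL such
    as rpcss.dll); 'standalone' when the blocked file is itself the candidate."""
    upper = path.upper()
    return "system-hosted" if any(d in upper for d in SYSTEM_DIRS) else "standalone"


def summarize(lines):
    """Count blocked events per (SID, process path) so repeat offenders stand out."""
    counts = Counter()
    for line in lines:
        ev = parse_ips_event(line)
        if ev:
            counts[(ev["sid"], ev["path"])] += 1
    return counts


if __name__ == "__main__":
    for (sid, path), n in summarize(SAMPLE_EVENTS).items():
        print(f"SID {sid}: {n}x {path} [{classify_blocked_process(path)}]")
```

On a real machine the descriptions would come from the Application log (Source: Symantec Network Protection, Event ID 400) rather than the constructed list.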

apcuser:

mjpsalm,

Your solution works for me. NPE beta works, it removed the rpcss.dll and the pop up message disappeared.

Thanks a million for your great post!

I found that other solutions based on ending processes and removing files did not work, because you can't identify the virus process and the files are not there.

apcuser

Nikhil_CV:

I suspect it's a network attack.

Check if there is any rogue software in the system.

-cv