Endpoint Protection

  • 1.  Ukash / False Windows Update malware / virus

    Posted May 02, 2012 03:26 AM

    Hi there,

    how can it be that an XP PC with current Windows Updates and current pattern files with Endpoint Protection gets infected with this malware, which changes the registry value at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="explorer.exe" to a different value?


    Thanks for any updates,


    Marcus



  • 2.  RE: Ukash / False Windows Update malware / virus

    Posted May 02, 2012 10:53 AM

    Probably because the virus is rapidly mutating and definitions aren't present yet. Sounds a bit like the BKA/GEMA ransomware family which is highly "popular" for the time being, such as Trojan.Ransomgerpo.

    You can send the suspicious file to Symantec: http://www.symantec.com/docs/TECH102419

    To protect PCs, you can create an Application Control rule preventing the change of the mentioned registry key. Furthermore, Intrusion Prevention may help to detect suspicious packets while they are downloaded.
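    As an added illustration (not from this thread or from Symantec), the following PowerShell audit checks the Winlogon "Shell" value the poster describes, in both the machine-wide key and the per-user override that Winlogon also honours, and can restore the stock value; it assumes the expected shell is plain "explorer.exe" and that Windows PowerShell is installed on the XP host.

    ```powershell
    # Added example, not code from the thread. Assumption: the legitimate value
    # is the stock "explorer.exe"; adjust $ExpectedShell if a custom shell is deployed.
    $ExpectedShell = 'explorer.exe'
    $WinlogonKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override
    )

    function Test-WinlogonShell {
        param([switch]$Restore)   # -Restore puts the stock value back after reporting
        foreach ($key in $WinlogonKeys) {
            $item = Get-ItemProperty -Path $key -Name 'Shell' -ErrorAction SilentlyContinue
            $current = if ($item) { ([string]$item.Shell).Trim() } else { $null }
            # HKLM must be exactly explorer.exe; HKCU normally has no Shell value at all,
            # so any value there is treated as tampering.
            $tampered = if ($key -like 'HKLM:*') { $current -ne $ExpectedShell }
                        else { $null -ne $current }
            [pscustomobject]@{ Key = $key; Shell = $current; Tampered = $tampered }
            if ($tampered -and $Restore) {
                if ($key -like 'HKLM:*') {
                    Set-ItemProperty -Path $key -Name 'Shell' -Value $ExpectedShell
                } else {
                    Remove-ItemProperty -Path $key -Name 'Shell' -ErrorAction SilentlyContinue
                }
            }
        }
    }

    # Report only; add -Restore to repair a tampered value.
    Test-WinlogonShell | Format-Table -AutoSize
    ```

    Run it from an elevated prompt, since writing to the HKLM key requires administrator rights.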



  • 3.  RE: Ukash / False Windows Update malware / virus

    Posted May 02, 2012 11:59 AM

    Hello,

    In your case, there are a few things to look at:

    1) Are the XP machines installed with the full feature set, and do they carry the latest definitions?

    2) Is Symantec detecting any threat or suspicious files?

    I would suggest you follow the steps below:

    1) Follow the Steps provided in the Article below:

    Using the Symantec Support Tool, how do we collect suspicious files and submit them to the Symantec Security Response Team?

    2) Apply an Application and Device Control Policy for Hardening Symantec Endpoint Protection (SEP)

    http://www.symantec.com/docs/TECH132337

    How the Application and Device Control Hardening policy works

    http://www.symantec.com/docs/TECH132307

    Hope that helps!!



  • 4.  RE: Ukash / False Windows Update malware / virus

    Posted May 03, 2012 01:18 AM

    Hello,

    There are some factors that we sometimes miss:

    1) Malware writers nowadays do not only exploit the OS level (Windows), but other components such as Flash, Adobe, etc.

    2) Variants (could be polymorphic or obfuscated), e.g. if the AV relies on a traditional pattern for detecting a certain malware... then this method will easily bypass the protection, as it doesn't have a pattern to detect it yet...


    Mind sharing the specific threat name? Is it Ukash? Also you may want to read about Symantec detection for fake AV:


    http://www.symantec.com/business/support/index?page=content&id=TECH122898&locale=en_US