
Viruses not being caught by Symantec

Created: 04 Mar 2013 | 15 comments

Dears, I was working with a Symantec customer. He reported to me that he has a virus in his network that copies itself to each USB media attached and duplicates its files. I guided him to extract that virus and send it to me. My machine is working under SEP 12.1.2 with the maximum security level ever, and my machine couldn't detect that virus. I submitted it to Symantec via the essential virus report last Wed and I submitted it again on Sat; until now SEP couldn't catch that virus, and I begin to feel that my network is not safe, as well as that customer's, and that the Symantec support team didn't give us the appropriate care. I uploaded the file to ThreatExpert and it reported as below.

+++++++++++++++++++++++++++++++++++++++++
Submission details:
Submission received: 4 March 2013, 06:02:02 AM
Processing time: 6 min 46 sec
Submitted sample:
File MD5: 0x2327B0E73D0A6D7BAC4E9D083D737455
Filesize: 308,266 bytes
Alias & packer info:
Trojan-Downloader.Win32.AutoIt.lq [Kaspersky Lab]
W32/YahLover.worm.gen [McAfee]
Mal/Sohana-A [Sophos]
Worm.Autoit [Ikarus]
packed with UPX [Kaspersky Lab]
+++++++++++++++++++++++++++++++++++++++++++

I am not sure what to do right now. I am not infected, but if this infects my network, then who will be blamed for such a thing? I can solve the problem on the customer side by applying application control by MD5 and deleting the infection using the rescue disk from Kaspersky, but how can I be sure that I am not gonna be infected again by such a thing? I am totally hopeless.


Posted by .Brian

Upload the sample to security response here:

https://submit.symantec.com/websubmit/gold.cgi

https://www.symantec.com/security_response/submits...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Posted by Rafeeq

Please submit the virus, did you get the submission number and any auto reply once submitted?


Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

http://www.symantec.com/business/support/index?page=content&id=TECH98929

Posted by Mishaal

This is the tracking number of the submitted file: Tracking #28454033

My system is clean and it is not infected yet.

Posted by Chetan Savade

Hi,

The submitted sample file's tracking ID is still open.

Do you have any open case with Symantec support?

Always follow the best practice: Best practices for responding to active threats on a network

http://www.symantec.com/docs/TECH122466

Here are some excellent suggestions on how to keep your computers, their users and data safe:

http://www.symantec.com/theme.jsp?themeid=stopping...

Common loading points for viruses, worms, and Trojan horse programs on Windows 2000/XP/2003

http://www.symantec.com/docs/TECH99331

Use Risk Tracer as well: https://www-secure.symantec.com/connect/forums/sou...

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Posted by Rafeeq

The only way you can check the status as of now is by calling Symantec Tech Support on the local number from the link provided below:

http://www.symantec.com/enterprise/support/contact_techsupp_static.jsp

Or Symantec employees on this forum can give you the details.

Mithun is an active member; he might help you on that.

Posted by cus000

Please call support and ask them to follow up on the tracking number.

Provide them the analysis from ThreatExpert and Virustotal.com.

Posted by hforman

Question: Did you set up SEP to scan USB drives? Or did you try to put the file on the C: drive and scan it?

Posted by Mithun Sanghavi

Hello,

Could you please PM me the Tracking # which you have received after submission to the Symantec Security Response Team?

Secondly, work on the article below and check whether SymHelp detects any other suspicious files:

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Posted by Mishaal

Dears,

I am using the best security practices and using the aggressive mode, user reputation, IPS and more.

The virus has not been caught even by scanning it.

I am using application control in my network to stop the threats by taking out the hash value.

What did the virus or worm do? From the first look, it copied itself onto each flash media, adding itself with the same folder name, and changed the attributes of the folders to H S (hidden and system).

When I tried the OllyDbg program, it couldn't; it shows the virus is encrypted.

By the way, my network is not infected yet, but one Symantec customer I had contact with had his network infected by that virus, and we used a third-party rescue disk to delete the threats.
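The on-disk pattern Mishaal describes (a folder set Hidden+System on a removable drive, with a file of the same name dropped beside it) is something an admin can sweep for independently of AV signatures. The script below is an added example, not code from this thread or from Symantec; the executable extension list is an assumption, and the MD5 is the one from the ThreatExpert report quoted in the opening post.

```powershell
# Added example: flag "decoy folder" pairs on removable drives.
# Pattern from the thread: folder made Hidden+System, file <foldername>.<ext> next to it.
$KnownBadMd5 = '2327B0E73D0A6D7BAC4E9D083D737455'   # from the ThreatExpert report in the opening post
$SuspectExt  = @('.exe', '.scr', '.com', '.pif')     # assumption: common dropper extensions

function Find-DecoyFolderPattern {
    param([Parameter(Mandatory)][string]$Root)

    # -Force is required, otherwise Hidden/System folders are skipped
    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
      Where-Object {
          ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
          ($_.Attributes -band [IO.FileAttributes]::System)
      } |
      ForEach-Object {
          $dir = $_
          foreach ($ext in $SuspectExt) {
              $candidate = Join-Path $Root ($dir.Name + $ext)
              if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                  $md5 = (Get-FileHash -LiteralPath $candidate -Algorithm MD5).Hash
                  [pscustomobject]@{
                      Drive     = $Root
                      HiddenDir = $dir.FullName
                      Dropper   = $candidate
                      MD5       = $md5
                      KnownBad  = ($md5 -eq $KnownBadMd5)   # matches the submitted sample?
                  }
              }
          }
      }
}

# DriveType 2 = removable disk; scan the root of each one
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
  ForEach-Object { Find-DecoyFolderPattern -Root ($_.DeviceID + '\') } |
  Format-Table -AutoSize
```

A hit with KnownBad = False still deserves a submission to Security Response, since a repacked variant will carry a different hash while keeping the same folder behaviour.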

Posted by Chetan Savade

Hi,

Out of the 2 submitted files, 1 file is clean while the other is undetermined.

If you have an open case with Symantec, please get in touch with support. Probably more files need to be submitted to remove the threat successfully.

Chetan Savade

Posted by cus000

Any update from the Security Response team?

Did the support team get back to you?

Posted by Mishaal

There is no update.

What I am going to do is follow Chetan Savade's advice and open a case with support.

Posted by .Brian

It's been two weeks; Security Response usually has something within a few hours. Is this still ongoing for you?

Posted by Mishaal

Hello,

I have raised a technical case. Support emailed me and we will figure out that matter this coming Saturday.

Posted by Chetan Savade

Hi,

Thanks for the update.

Please share this thread with the support engineer to give more insight into the issue.

Chetan Savade