Endpoint Protection


Virus generating many files


  • 1.  Virus generating many files

    Posted Apr 15, 2009 12:16 PM
    Hi All,

    We have around 1500+ clients, and for the last two months we have been facing a virus issue.

    Two months ago we observed some .exe files being generated in our file server's share folder, where all users are connected; all folders are mapped to users and no user can open another user's folder.

    I submitted all the files to the Symantec Security Response Team and they detected the virus as W32.Harakit.

    We ran the Rapid Release on the SEPM server and also scheduled a full scan on all clients, and then all the unwanted .exe files were deleted.

    But we are still facing the same issue: some unwanted .exe, .khs, .khq and .khr files are being generated day by day.

    We have submitted the .exe files many times, but they come back as clean; if they are clean I don't know how they come back after a few hours.

    All .khr, .khq and .khs files are zero-byte files, which is why no detection was found.

    We have already opened a case with Support, but there is no solution; they are still analyzing the logs.

    We gave them all the logs: LoadPoint, the latest version of ESUG, and Process Monitor.

    After that they suggested enabling NTP on the file server; this is very risky for us because it is our 24x7 production server.

    But we took the risk and installed NTP on that server to find the source of the attack.

    But this all failed; no result was found.

    And then again the Support people took the Process Monitor logs for re-analysis.

    It is very bad that over two months have gone by with NO solution from Symantec.



  • 2.  RE: Virus generating many files

    Posted Apr 15, 2009 12:21 PM


  • 3.  RE: Virus generating many files

    Posted Apr 15, 2009 12:25 PM
    Hi Mansoor! Are you using Symantec Threat Reporter for reporting?

    Generate a threat list for this infection and trace the first infection; this could be the source. But using NTP would surely detect where the attack is coming from.


  • 4.  RE: Virus generating many files

    Posted Apr 15, 2009 12:26 PM
    I have seen khs, khq and khr files left behind even after the virus is cleaned/deleted. But those files do nothing; I just delete those files.


  • 5.  RE: Virus generating many files

    Posted Apr 15, 2009 12:29 PM
    Check the date accessed or modified on those files; if it's re-occurring, it could also be that there's a new virus creating them.


  • 6.  RE: Virus generating many files

    Posted Apr 15, 2009 01:10 PM
    First thing to determine - is this beast on the SERVER or a computer connected to the net?

    Personally, I'd start the machines in safe mode and check the registry thoroughly for load points.
    Scan every single file, no exceptions.

    What files are being infected? What type/kind/extension type?

    Things like rootkits load from hidden folders and hidden files, loaded by HIDDEN registry keys. Few products can get into those as most require the OS to do that work - and the OS doesn't even show them.
    Maybe even try a scan with Trojan Remover. That is the only thing that found hidden folders and keys on a computer I cleaned - even then it took MANUALLY going to the folders after the TR pointed them out to me. Even it couldn't clean the beast.
    Some of these things even load as a "browser helper", meaning they load with IE so they are otherwise dormant, but once IE is started, they go to work.


  • 7.  RE: Virus generating many files

    Posted Apr 16, 2009 06:07 AM
    Hi,

    Please delete these files, restart the machine and then check whether you are getting the 0 KB files in the same location.

    Rgrds,
    SAM


  • 8.  RE: Virus generating many files

    Posted Apr 16, 2009 06:08 AM
    If they are still being generated, then your machine is infected with some Trojan, as Shadowpapa said.

    Kindly run LoadPoint and send the output to the Symantec team for further analysis. It could be a new variant as well.
    Rgrds,
    SAM


  • 9.  RE: Virus generating many files

    Posted Apr 16, 2009 06:10 AM
    Hi All,

    First of all sorry for delay in reply,

    Sandeep: I have gone through the KB, but there are no such entries in the registry. Symantec Support also checked through WebEx; we only found 0 KB files.

  • 10.  RE: Virus generating many files

    Posted Apr 16, 2009 06:11 AM
    Hi Bjain,

    We have deleted those zero KB files, but they came back after a few hours.


  • 11.  RE: Virus generating many files

    Posted Apr 16, 2009 06:12 AM
    Hi Sam,

    I have already run LoadPoint and Process Monitor on the server and submitted the output to Support many times.

    But they are only analyzing; no resolution has come.


  • 12.  RE: Virus generating many files

    Posted Apr 16, 2009 06:15 AM
    Mansoor,

    I think this is not the way the Symantec team should work.

    Could you please post the case number as well as the tracking number?

    Symantec Team will help you here in this forum.

    Rgrds,
    SAM


  • 13.  RE: Virus generating many files

    Posted Apr 16, 2009 06:24 AM
    Hi All,

    Thanks for your reply,

    One more thing: about the exe which I uploaded to the Symantec Security Response Team, they said it is only a modified or partially repaired version of the legitimate notepad.exe. It is not malicious by itself, but it is recommended that the file be deleted or restored from backup.

    But when we uploaded it to VirusTotal they found an infection in that file. (Snapshot attached)

    Please advise..


  • 14.  RE: Virus generating many files

    Posted Apr 16, 2009 06:30 AM
    Hi Paul,

    The generated files carry the current date and time at the moment they are generated.

    We have deleted them many times and restarted the server, but no luck.

    And also in the NTP logs we found two systems running Windows XP Embedded with no antivirus, so we mapped the drive and started a scan; then we found Trojan Horse and Silly FDC, but no KHS or KHR.

    Any suggestion...


  • 15.  RE: Virus generating many files

    Posted Apr 16, 2009 06:35 AM
    Hi SAM,

    Yes, I can share the Case ID and Tracking number; they are as follows:

    Case ID : - 312-146-729

    Tracking : - 10532938



  • 16.  RE: Virus generating many files

    Posted Apr 16, 2009 12:01 PM
    Hi Mansoor, I see that you have already detected the workstations with the virus; please run these workstations in safe mode and do a full system scan. In the Process Monitor output you have, did you see any unusual process running? Can you paste the screenshot here?


  • 17.  RE: Virus generating many files

    Posted Apr 17, 2009 03:10 AM
    Hi Paul,

    I cannot find any unusual process running.


  • 18.  RE: Virus generating many files

    Posted Apr 17, 2009 08:56 AM
    Download the free Trojan Remover application from Simply Super Software or the app from Malwarebytes "Anti-malware" app and do full scans. They will prompt you to update right after install.
    Seriously, there are other solutions, but in this case, I prefer the shotgun approach.
    If it's a rootkit issue, then you will NOT SEE the processes running. You will NOT see the files or folders that run. They are HIDDEN from the OS and thus from most AV apps.
    I normally would not recommend this here, but there are cases where speed is more important than "figuring it out" in detail.
    These are shareware as I recall, and not in direct competition with Symantec. You still need SEP, but these are more specialized and made for removing what you already have for the most part.


  • 19.  RE: Virus generating many files

    Posted Apr 20, 2009 02:01 AM
    Hi,

    Thanks for your reply shadowpapa,

    But this is our 24x7 production server, so if I run Anti-Malware on it this will stop our work, and SEP is also installed.


  • 20.  RE: Virus generating many files

    Posted Apr 20, 2009 03:10 AM
    Hi mansoor,
    Can you tell me what type of sharing you are using on the file server? Are the users getting full permissions to these folders? If they are getting full permissions on these folders, then this virus will come back again and again. I also had this issue in my organisation a few months back; actually a CSRCS.EXE was running from system32, creating these babies under itself and deploying them wherever there was an open network share. So try to detect that open network share and remove write permission from there; you will not see this thing again.


  • 21.  RE: Virus generating many files

    Posted Apr 20, 2009 05:02 AM
    Hi Sapta,

    There is no CSRCS.exe found on our file server or network, and there are no open shares.

    This is a user-based share folder which is mapped on their desktops.

    Users will not access other users' folders.


  • 22.  RE: Virus generating many files

    Posted Apr 20, 2009 05:05 AM

    Which virus did you find in your network last time for this same issue?

    Actually this is a symptom of W32.Harakit, and we found it in the network.

  • 23.  RE: Virus generating many files

    Posted Apr 20, 2009 05:06 AM
    Hi mansoor,
    Tell me what the users do in their respective folders: do they perform both read and write actions? And also, can you tell me about your sharing scenario, meaning how these particular folders are shared and with what permissions?


  • 24.  RE: Virus generating many files

    Posted Apr 20, 2009 05:14 AM
    Hi Sapta,

    This drive is a Sun StorageTek 6140 array [SAN device] mounted to a clustered server.

    The clustered server is Node 3 and Node 4.

    Node 4 [2003 server] Active - SEP installed, NTP IPS installed

    Node 3 [2003 server] Passive - SEP installed, NTP IPS not installed

    The virtual IP for the cluster is 172.27.0.138; the name is

    Users/clients [around 800] have access to the share folders on the SAN. In these shares, at random intervals, the files are being created.


  • 25.  RE: Virus generating many files

    Posted Apr 20, 2009 05:26 AM
    Hi mansoor,
    I am afraid that this thing will come again and again as long as the users have write access to the folders. I also had the same problem that you are facing now, but I had no choice except to stop the sharing; I have only kept shares where they are absolutely needed, and I still get these strange exe's coming back even now.

    One more thing you can check: run a search from the command prompt to see if the autorun.inf file is present on the root of any drive; if it is present, then delete it.

    Also check one registry entry on the machine, "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon". There you will find the value named Shell; look at whether there is anything associated with Explorer.exe. If anything else is associated with explorer.exe, then delete the excess value; there should be only Explorer.exe there.

    One more thing: do you have Autoplay disabled in your network?
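
    The two checks suggested above, scripted as an added example (this is not code from the thread or from Symantec). It assumes PowerShell 2.0 or later and local administrator rights; everything else it reads is the standard file-system and registry location the post names.

    ```powershell
    # Added example, not from the thread: the two checks suggested in the post
    # above, scripted so they can be run on every node and workstation.
    # Assumptions: PowerShell 2.0 or later, run with local administrator rights.

    # 1. autorun.inf at the root of every drive PowerShell can see (fixed,
    #    removable and mapped). -Force makes hidden/system files visible, the
    #    attributes autorun worms normally set on the file.
    Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        $candidate = Join-Path -Path $_.Root -ChildPath 'autorun.inf'
        if (Test-Path -LiteralPath $candidate) {
            Get-Item -LiteralPath $candidate -Force |
                Select-Object -Property FullName, Length, LastWriteTime, Attributes
            # Show what it would launch: an "open=" or "shellexecute=" line
            # pointing at an .exe is the hijack.
            Get-Content -LiteralPath $candidate -Force |
                Select-String -Pattern '^(open|shellexecute)='
        }
    }

    # 2. Winlogon Shell and Userinit. A clean system has Shell = explorer.exe
    #    (the -ne comparison is case-insensitive) and Userinit pointing at
    #    <system32>\userinit.exe followed by a comma. Anything appended after a
    #    comma is an extra program Winlogon starts at every logon.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override, if present
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($props.Shell -and $props.Shell -ne 'explorer.exe') {
            Write-Warning "$key  Shell = '$($props.Shell)'"
        }
        if ($props.Userinit -and $props.Userinit -notmatch '^[A-Za-z]:\\[^,]*\\userinit\.exe,?$') {
            Write-Warning "$key  Userinit = '$($props.Userinit)'"
        }
    }
    ```

    A clean box prints nothing from the second part; any warning is a value to copy out and submit with the sample. Because mapped drives are included, the first part also covers the case later in the thread where unmanaged workstations had the share mapped.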


  • 26.  RE: Virus generating many files

    Posted Apr 20, 2009 05:39 AM
    Hi Sapta,

    This is our file server, so we cannot remove the share folders; all folders are very important and users need that share on their desktops.

    We have already disabled the Autoplay option and could not find any Autorun.inf; this was confirmed by Symantec Support, who also checked for the same.

    We have also gone through the KB article, but NO luck.

  • 27.  RE: Virus generating many files

    Posted Apr 20, 2009 05:43 AM
    Hi mansoor,
    I am afraid then you will have to bear with that, as the virus will do no harm, because Symantec has updated that in their virus definitions, but it will come back again and again and get deleted. One more thing: if it is possible, try to format the machine.


  • 28.  RE: Virus generating many files

    Posted Apr 20, 2009 05:51 AM
    Hi Anjan,

    Above I already wrote that I have deleted them many times, but they come back after a few hours.


  • 29.  RE: Virus generating many files

    Posted Apr 20, 2009 05:52 AM
    Hi Sapta,

    There is no chance to format the system; this is our 24x7 production server, yaar.


  • 30.  RE: Virus generating many files

    Posted Apr 20, 2009 05:53 AM
    And why should we format the system? Only one drive is infected, which is not a local drive of the server.

    This is a mounted drive.


  • 31.  RE: Virus generating many files

    Posted Apr 20, 2009 05:58 AM
    Hi mansoor,
    I know what the feeling is, yaar. Tell me, can you dismount the volume and mount it again? Of course, taking a backup of the volume first...


  • 32.  RE: Virus generating many files

    Posted Apr 20, 2009 06:05 AM
    Hi Sapta,

    Our 800+ users connect to this drive daily; we cannot do this.


  • 33.  RE: Virus generating many files

    Posted Apr 20, 2009 06:08 AM
    hi mansoor,
    Then I am really sorry; you will have to bear this thing, as it will get deleted every time and also keep coming back again and again.


  • 34.  RE: Virus generating many files

    Posted Apr 20, 2009 06:12 AM
    Hi Sapta,

    I think you have not understood my problem: this does not get deleted.


  • 35.  RE: Virus generating many files

    Posted Apr 20, 2009 06:17 AM
    Hi Sapta,

    NO. If they are not detected by SEP, how can they delete themselves, yaar?

    That's why I tell you that you have not understood what my problem is.

    Please go up and read carefully.


  • 36.  RE: Virus generating many files

    Posted Apr 20, 2009 06:18 AM
    SEP is not detecting the files; I have submitted them many times to SRT, but no luck.


  • 37.  RE: Virus generating many files

    Posted Apr 20, 2009 06:28 AM
    hi mansoor,
    I had the same problem and, like you, I had also submitted the .exe's to the Symantec Response Team; after they included them in their virus definitions, the exe's get deleted on my side. Only the khq, khr and khs files do not get deleted; you will have to delete them manually.


  • 38.  RE: Virus generating many files

    Posted Apr 20, 2009 06:32 AM
    Hi Sapta,

    I agree with that, but I also submitted suspicious files to the Symantec Security Response Team and they gave us a Rapid Release definition, and we deleted all the KHS, KHR and KHQ files, but after a few days they came back, and now every day we have to delete those files.


  • 39.  RE: Virus generating many files

    Posted Apr 20, 2009 06:35 AM
    hi mansoor,
    That was exactly what I was trying to tell you: you will have to delete the files (khq, khr, khs), not the exe's. The exe's will automatically get deleted....


  • 40.  RE: Virus generating many files

    Posted Apr 20, 2009 06:51 AM
    We said, na, we deleted them many times, but they came back, yaar.


  • 41.  RE: Virus generating many files

    Posted Apr 20, 2009 06:56 AM
    If you have any other solution, please suggest it.


  • 42.  RE: Virus generating many files

    Posted Apr 20, 2009 07:09 AM
    Hi mansoor,
    I am sorry, I don't have any other solutions left for you.


  • 43.  RE: Virus generating many files

    Posted Apr 20, 2009 07:40 AM
    OK, no problem; Support is working on this case.


  • 44.  RE: Virus generating many files

    Posted Apr 20, 2009 08:18 AM
    That's an excellent idea - get support involved DIRECTLY. That's going to be the fastest, best, and perhaps THEY can learn as well....... and when done, please post back what was found - the solution, the name of the critter causing you all the headaches, etc.


  • 45.  RE: Virus generating many files

    Posted Apr 20, 2009 12:35 PM
    I think that the particular virus which creates the khq, khr, khs files is in your network and keeps attacking your server; Symantec deletes the virus or cleans it, but the khq, khr, khs files are left behind as an after-effect of the virus. So try to find out which PC is causing the problem, remove it from the network, and see.


  • 46.  RE: Virus generating many files

    Posted Apr 20, 2009 01:25 PM
    Please do a manual removal of the virus. Follow this link:

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-102011-5014-99&tabid=3


  • 47.  RE: Virus generating many files

    Posted Apr 20, 2009 01:27 PM
    You can also visit the following website for a removal tool:

    http://www.scanforfree.com/19/w32-harakit-remover.html



  • 48.  RE: Virus generating many files

    Posted Apr 20, 2009 01:48 PM
    Hi Mansoor, regarding the mapped drive on the workstations that could be the source: did you already run a full scan on them? Is the virus still re-occurring?


  • 49.  RE: Virus generating many files

    Posted Apr 21, 2009 03:53 PM
    Hi Paul,

    Thanks for replying,

    We have scheduled a daily scan, and the network scan option is also checked, so all our mapped drives are scanned as well.

    And also we scan our file server once a week, because it takes 3 days to complete.

    Yes, the files are still occurring.

    Still NO solution from Support.

    Today Support created two share folders on the file server, one with write access and the other with read-only access, to find the source of the attack.



  • 50.  RE: Virus generating many files

    Posted Apr 21, 2009 03:56 PM
    Hi Binayak,

    I have already gone through the document, but no luck; Support does not have the solution.


  • 51.  RE: Virus generating many files

    Posted Apr 21, 2009 08:22 PM
    If your file server itself is not infected and is getting infected because of the worm trying to propagate over the shared network drives, then try enabling a detailed view of the shared folder and enable the Owner column in it, OR look for the owner information in the properties of that 0 KB file, then go and unplug that user's system from the network.

    The thing is that Symantec might be detecting some of the variants when some infected user tries to copy the virus to the share drives, BUT you might have one setting enabled which says TRUST computers running Auto-Protect; disable it and then see how it goes.

    And running LoadPoint on the server will not give you anything... because the virus is being copied over to the shares and the server itself is not infected.

    If you want to troubleshoot yourself, then get the Sysinternals tools and some other tools as well :)

    my 2 cents :-)

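
    The owner check suggested above, done for the whole share at once, as an added example (not code from the thread or from Symantec). It assumes PowerShell 2.0 or later on the file server itself, and a local path of D:\UserShares behind the share, which is a placeholder, not a path from the thread.

    ```powershell
    # Added example, not from the thread: sweep the share for the zero-byte
    # .khs/.khq/.khr files and group them by NTFS owner. On a file server with
    # default settings the owner is the account that created the file, so this
    # names the user whose session is writing them.
    # Assumptions: run on the file server, PowerShell 2.0 or later, and the
    # local path behind the share is D:\UserShares (placeholder path).
    $sharePath = 'D:\UserShares'

    $hits = Get-ChildItem -Path $sharePath -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Length -eq 0 -and $_.Extension -match '^\.kh[sqr]$' } |
        ForEach-Object {
            # FileInfo.GetAccessControl() reads the security descriptor; .Owner
            # is the DOMAIN\user form, or a SID if the account cannot be resolved.
            New-Object PSObject -Property @{
                Path    = $_.FullName
                Owner   = $_.GetAccessControl().Owner
                Created = $_.CreationTime
            }
        }

    # One line per owner: how many files, and the first and last creation time.
    $hits | Group-Object -Property Owner | Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name,
            @{ Name = 'FirstSeen'; Expression = { ($_.Group | Sort-Object Created | Select-Object -First 1).Created } },
            @{ Name = 'LastSeen';  Expression = { ($_.Group | Sort-Object Created | Select-Object -Last 1).Created } }

    # Map each owning account back to the workstation holding an SMB session.
    # "net session" is what Windows Server 2003 offers; Get-SmbSession only
    # exists on Windows Server 2012 and later.
    $hits | Select-Object -ExpandProperty Owner -Unique | ForEach-Object {
        $user = ($_ -split '\\')[-1]
        net session | Select-String -SimpleMatch $user
    }
    ```

    One caveat before unplugging anyone: if the creating account is a member of the server's local Administrators group, Windows Server 2003 assigns ownership to BUILTIN\Administrators rather than to the user, so the owner column identifies nothing. In that case the auditing approach later in the thread is the one that still records the account.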



  • 52.  RE: Virus generating many files

    Posted Apr 22, 2009 07:41 AM
    You should try updating Rapid Release from the Symantec server and scanning.


  • 53.  RE: Virus generating many files

    Posted Apr 22, 2009 09:35 AM
    Hi Auusie,

    Actually Support has already done what you suggested, but no solution was found.


  • 54.  RE: Virus generating many files

    Posted Apr 22, 2009 09:40 AM
    Hi Samiron,

    This is not an issue from today or yesterday; it has been happening for two months.

    So how could you suggest a Rapid Release to me?

    Rapid Release definitions are released every two to three hours, and these signatures are added in the next certified defs release.

    Actually this is a new variant of W32.Harakit, and Support and our team are searching for the source of the attack.


  • 55.  RE: Virus generating many files

    Posted Apr 22, 2009 12:26 PM
    Hi,

    Since Support asked you to create the folders, you might want to enable auditing on the folder, then record file copy/create operations on it. It will register the user in the Event Viewer.
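
    The auditing approach above, carried through from the SACL to reading the events back, as an added example (not code from the thread or from Symantec). It assumes PowerShell 2.0 or later run as administrator on the file server, a test folder at D:\Shares\WriteTest (a placeholder, not a path from the thread), and that the local security policy "Audit object access" has been set to Success for the server, since the SACL alone records nothing without it.

    ```powershell
    # Added example, not from the thread: turn on NTFS object-access auditing for
    # file creation on the test folder Support set up, then pull the audit events
    # and list which account created each .khs/.khq/.khr file.
    # Assumptions: PowerShell 2.0+, run as administrator on the file server, the
    # folder is D:\Shares\WriteTest (placeholder), and the local security policy
    # "Audit object access" is set to Success (that policy, not the SACL, is
    # what makes the Security log noisy on a busy file server).
    $folder = 'D:\Shares\WriteTest'

    # SACL entry: log successful CreateFiles (FILE_WRITE_DATA, the right a new
    # file needs) by anyone, inherited by every subfolder and file.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]::CreateFiles,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -Path $folder -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $folder -AclObject $acl

    # Windows Server 2003 logs audited handle opens as event 560; Windows Server
    # 2008 and later use 4663. A 560 message carries "Object Name:" and
    # "Client User Name:" (the impersonated SMB user; the primary user is the
    # server process). A 4663 message carries "Object Name:" and "Account Name:".
    Get-EventLog -LogName Security -InstanceId 560, 4663 -After (Get-Date).AddHours(-24) |
        ForEach-Object {
            $msg = $_.Message
            if ($msg -match 'Object Name:\s+([^\r\n]+)') {
                $path = $Matches[1].Trim()
                if ($path -match '\.kh[sqr]$') {
                    $user = '-'
                    if ($msg -match 'Client User Name:\s+([^\r\n]+)') { $user = $Matches[1].Trim() }
                    if ($user -eq '-' -and $msg -match 'Account Name:\s+([^\r\n]+)') { $user = $Matches[1].Trim() }
                    New-Object PSObject -Property @{ Time = $_.TimeGenerated; User = $user; Path = $path }
                }
            }
        } | Sort-Object -Property Time | Format-Table -AutoSize
    ```

    Unlike the owner column, the audit record survives the file being deleted and is written even when the creator is an administrator, which is why it is the better tool once the quick owner sweep comes up empty. Keep the SACL on the two test folders only; a CreateFiles audit on the whole 800-user share would flood the Security log on a server that is already slow to scan.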


  • 56.  RE: Virus generating many files

    Posted Apr 22, 2009 12:28 PM
    Hi ffup, can you post a HijackThis log here, so that I and the other members can double-check?


  • 57.  RE: Virus generating many files

    Posted Apr 23, 2009 05:07 AM
    Hi Paul,

    In the folder which we created, khs and khr files were also generated. We traced the user and found that the user is unmanaged and has old definitions from Nov 08; then we updated the client and did a full scan in safe mode, but nothing was found on that system.

  • 58.  RE: Virus generating many files

    Posted Apr 23, 2009 05:08 AM
    Hi Binayak,

    We are using WSUS, and all clients are already patched with the latest critical and all other updates.


  • 59.  RE: Virus generating many files

    Posted Apr 23, 2009 05:10 AM
    Hi Paul,

    To whom are you asking about the HijackThis logs?


  • 60.  RE: Virus generating many files

    Posted Apr 23, 2009 08:58 AM
    Any suggestion on this?


  • 61.  RE: Virus generating many files

    Posted Apr 23, 2009 01:46 PM
    Mansoor, please post HJT logs from the server.


  • 62.  RE: Virus generating many files

    Posted Apr 23, 2009 11:58 PM
    Hi Ajitjha,

    Every two hours we are updating with Rapid Release only.


  • 63.  RE: Virus generating many files

    Posted Apr 24, 2009 12:00 AM
    Hi Paul,

    But the infection is not on the server; it's on a SAN drive.

    Only on that one drive are those files being generated, not on the local drives.


  • 64.  RE: Virus generating many files

    Posted Apr 24, 2009 01:42 AM
    Use 3rd party tools like RootkitRevealer, Autoruns and IceSword to find out what is running in the background.
    There might be a rootkit sitting undetected at the kernel layer.
    You can check Regmon and find which registry entry is creating those files.
    Run Filemon and monitor these files, excluding the others; you will find it.
    Once the actual file is found, submit those files.
    It just needs some digging in from your side.

    Regards,
    Vikram Kumar



  • 65.  RE: Virus generating many files

    Posted Apr 24, 2009 02:16 AM
    Thanks Vikram,

    But we have already tried this, and nothing was found.

    And also the Support team has all the logs, and they are still analyzing.


  • 66.  RE: Virus generating many files

    Posted Apr 24, 2009 02:22 AM
    Yes, I am aware of this, but Support cannot use all 3rd party tools like HijackThis and many others, except Sysinternals; they have to work within a framework. So if you do use some third-party tools, mainly to find out which files to submit or which computer to quarantine, then it will help both you and Support to get a resolution faster.

    Thanks,
    VIkram Kumar


  • 67.  RE: Virus generating many files

    Posted Apr 24, 2009 07:55 AM
    OK, so the server is using SAN drive, and the infection is NOT on any local workstation drive, correct?
    Just a drive that is technically local to the server.
    IF there's no infection or strange files on ANY workstation, you can possibly assume it's a server bug.
    Now the question is -  how did a bug get to the server?
    These things typically spread via web sites or email.
    Servers should never be used for applications such as email, Office, etc. -and we even avoid opening any browser on a server.
    So if it's a server infection - you need to think about how it could have possibly gotten to the server. IS the server firewalled?
    Was there an infected workstation that got to the server but the workstation is now clean, the server is not?
    Rootkits are VERY VERY hard to find. In fact, they hide their processes from the OS, so you won't see squat in logs, the normal tools won't work.
    That's why I use TR and Malwarebytes applications to detect them.
    There are others that can reveal a rootkit, but it takes a lot of "forensics" work! You will need specialized tools.
    Actually, everything has pretty much been covered in this thread - but forget about "updates" of the defs or the AV product - unless the product is behind, if it's not finding it now, it probably won't.
    In some cases, the rootkit disables known popular AV products - they LOOK like they are running, but they really are not.


  • 68.  RE: Virus generating many files

    Posted Apr 24, 2009 09:50 AM
    Run the virus removal tool, CleanWipe.


  • 69.  RE: Virus generating many files

    Posted May 07, 2009 05:06 AM
    Hi Kajal,

    I do not understand what you are suggesting.

    Please read my query and then answer it.


  • 70.  RE: Virus generating many files

    Posted May 07, 2009 02:08 PM
    Hi Symantec World,

    Not sure how this thread escaped my radar.  I noted your case ID above, we'll look at the case.

    Eric


  • 71.  RE: Virus generating many files

    Posted May 07, 2009 10:21 PM
    Hi Hear4U, I haven't got an update from the user either; I was requesting logs. If possible, can you also post the path of the infection?


  • 72.  RE: Virus generating many files

    Posted May 18, 2009 11:56 AM
    Personally, I'd start the machines in safe mode and check the registry thoroughly for load points.
    Maybe even try a scan with Trojan Remover.


  • 73.  RE: Virus generating many files

    Posted May 18, 2009 11:58 AM
    Download the free Trojan Remover application from Simply Super Software or the app from Malwarebytes "Anti-malware" app and do full scans. They will prompt you to update right after install.