Endpoint Protection


virus had hide .doc file type, create same name as hidden file but end with .exe


  • 1.  virus had hide .doc file type, create same name as hidden file but end with .exe

    Posted Dec 05, 2013 10:55 PM

    Dear All,

    Currently I have encountered a nasty virus. The virus hides the .doc file and creates an .exe with the same name as the hidden file (attached pic).

    Currently, from my study of this virus, I found it might be the same family as w32.mibling.

    I tried to copy the .exe and submit it to Symantec; the first time we were able to copy it, but the second time we could not copy it or even get the MD5 value of the file.

    I believe the .exe had changed the file ownership, or it had been executed.

    The affected client we had isolated from the network, and we disabled the autorun.inf. Currently we are still looking for the source.

    While I tried to submit the sample to the Security Response Team, the file size had shrunk to 0 bytes from its original 166 bytes.

    Have you all encountered such a virus, or can you provide any advice for a newbie like me?

    Thanks

    CHHOWA

    Malaysia

    gold-submission.JPG
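The behaviour described in the opening post (a document hidden and a same-named .exe dropped beside it) lends itself to a simple triage check. The script below is an added example, not a tool from the thread or from Symantec: it walks a directory listing, pairs each hidden .doc with a same-stem .exe, and reports whether all the shadow executables share one size (the poster notes every copy was 166 bytes, which is typical of a dropper copying itself). The sample listing is constructed for illustration; `list_directory` reads the real hidden attribute only on Windows, where Python exposes `st_file_attributes`.

```python
"""Find hidden documents that have been 'shadowed' by a same-named .exe.

Added example for a forum thread about a file-hiding worm; the listing
below is constructed, not captured from an infected host.
"""
import os
import stat
import sys
from collections import defaultdict

# Constructed directory listing: (file name, hidden attribute set?, size in bytes).
# Two documents have been hidden and paired with tiny same-stem executables.
SAMPLE_LISTING = [
    ("budget.doc", True, 40960),
    ("budget.exe", False, 166),
    ("report.doc", True, 12288),
    ("report.exe", False, 166),
    ("notes.doc", False, 8192),       # visible document, no shadow: benign
    ("setup.exe", False, 1048576),    # ordinary installer, no hidden twin
]


def find_shadow_pairs(listing, doc_exts=(".doc",)):
    """Return sorted [(hidden_document, shadow_exe, exe_size)] tuples.

    A pair is reported when a document with one of `doc_exts` carries the
    hidden attribute and a file with the same stem and an .exe extension
    sits in the same listing. Extensions are compared case-insensitively,
    as Windows itself does.
    """
    by_stem = defaultdict(dict)
    for name, hidden, size in listing:
        stem, ext = os.path.splitext(name)
        by_stem[stem.lower()][ext.lower()] = (name, hidden, size)

    pairs = []
    for exts in by_stem.values():
        exe = exts.get(".exe")
        if exe is None:
            continue
        for doc_ext in doc_exts:
            doc = exts.get(doc_ext.lower())
            if doc is not None and doc[1]:          # document is hidden
                pairs.append((doc[0], exe[0], exe[2]))
    return sorted(pairs)


def shared_size(pairs):
    """Return the common size if every shadow .exe has the same size, else None.

    Identical sizes across many dropped files suggest one payload copied
    under many names, which is worth mentioning in a sample submission.
    """
    sizes = {size for _, _, size in pairs}
    return sizes.pop() if len(sizes) == 1 else None


def list_directory(path):
    """Build a listing in the same shape from a real directory.

    The hidden flag comes from st_file_attributes, which Python provides
    on Windows only; elsewhere every file is reported as visible.
    """
    listing = []
    with os.scandir(path) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
            listing.append((entry.name, hidden, st.st_size))
    return listing


def report(listing):
    """Print the suspicious pairs and the shared payload size, if any."""
    pairs = find_shadow_pairs(listing)
    for doc, exe, size in pairs:
        print(f"hidden {doc!r} shadowed by {exe!r} ({size} bytes)")
    common = shared_size(pairs)
    if pairs and common is not None:
        print(f"all {len(pairs)} shadow executables are {common} bytes")
    return pairs


if __name__ == "__main__":
    # With a path argument, scan that directory; otherwise use the sample.
    report(list_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING)
```

Run it without arguments to see the constructed case, or with a directory path on a Windows host to triage a real share; it only reads metadata, so it is safe to point at a suspect folder while a sample submission is pending.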



  • 2.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Posted Dec 05, 2013 10:59 PM

    Have you tried doing this in safe mode?

    Follow this link for guidance:

    How to collect and submit to Symantec Security Response suspicious files found by the SymHelp utility

    Article: TECH203027  |  Created: 2013-02-21  |  Updated: 2013-05-23  |  Article URL http://www.symantec.com/docs/TECH203027



  • 3.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Posted Dec 05, 2013 11:00 PM

    You can submit the file to the Symantec Security Response Team.

    Using Symantec Support Tool, how do we collect the suspicious files and submit them to Symantec Security Response Team:

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec



  • 4.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Posted Dec 05, 2013 11:03 PM

    Hi Brian,

    Not yet, as I will perform it now.

    Hi James,

    Had done, but still waiting for a response from TSE.

    Thanks

    CHHOWA

    Malaysia



  • 5.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Posted Dec 05, 2013 11:05 PM

    Sounds good. Keep me posted.



  • 6.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Broadcom Employee
    Posted Dec 05, 2013 11:06 PM

    Open a support ticket, run the Loadpoint, and submit the suspicious files, if any.



  • 7.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Posted Dec 05, 2013 11:28 PM

    Hi Pete,

    Had done. While waiting for them to come back, because they need time to analyze, I'm asking whether there is any workaround?

    Thanks

    CHHOWA

    Malaysia



  • 8.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Broadcom Employee
    Posted Dec 05, 2013 11:37 PM

    When you ran the load point, did it show any errors or information about the suspicious file?

    The file needs to be identified to overcome this issue.

    Do you see anything out of the ordinary in the processes in Task Manager?



  • 9.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Posted Dec 06, 2013 01:20 AM

    Hi Pete,

    Thanks for your pointers. I have run the load point and it did not come out with any suspicious file. Currently I am doing a scan from safe mode, then I will use Process Explorer to check for the suspicious file.

    The load point took only the checksum tool and SymHelp as suspicious files, whereas the file above was not. The TSE is asking me to give them full data for support from the SymHelp log.

    Anything else I can do, because the virus occurrence has breached 30k times in the last 48 hours?

    Thanks

    CHHOWA

    Malaysia



  • 10.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Broadcom Employee
    Posted Dec 06, 2013 01:30 AM

    Do you see any Task Scheduler entry which should not be in place?

    If disconnected from the network, do you still see this issue? This is to make sure the threat is residing on the local machine.

    Is the system updated with the newest definitions and patches?

    You may want to change the attributes of the files to be copied.



  • 11.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Posted Dec 06, 2013 01:37 AM

    Hi Pete,

    I have disconnected it; however, I was unable to change the file attributes even when logged in as local Admin or using cmd.

    Yes, the system is updated with the latest definitions.

    Patches I am checking now.

    Hi Brian,

    The scan is still running because there is 4 TB of data on the server.

    Thanks

    CHHOWA

    Malaysia



  • 12.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Posted Dec 06, 2013 05:00 AM

    Hi Dear All,

    Does anyone know any tool to quarantine the files and send them to SRT?

    Because the recognised malicious file could not be deleted by Symantec, and the unrecognised file could not be copied and sent to SRT.

    Thanks

    CHHOWA



  • 13.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Posted Dec 06, 2013 06:20 AM

    Did you try submitting via the web link?

    http://www.symantec.com/security_response/submitsamples.jsp



  • 14.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Posted Dec 06, 2013 06:23 AM
    Hi Brian,

    Yes I do, but the virus that I submitted was 166 bytes, but SRT said I submitted a 0-byte file. Therefore I need a tool to solve this issue.

    Thanks

    CHHOWA


  • 15.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Posted Dec 06, 2013 10:31 AM

    Hello,

    As suggested by others, you need to get a good sample of the virus for a submission to us. If the virus is preventing you from copying it, you need to avoid the host OS loading it; you can do this in these ways:

    - start the system in safe mode

    - use a Linux live CD to boot the infected system

    - plug the infected HDD into another system and access it from the other OS



  • 16.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Posted Dec 06, 2013 02:50 PM

    Hi Beppe,

    I was able to clean the PC clients, but currently I have an issue with the file server being infected as well. And from the Risk Tracer, the source is the EMC shared drive attached to the server. Therefore it cannot have downtime until we get approval from the management.

    Hi Brian,

    The safe mode scan works fine on the PC clients. Thanks for your pointers.

    For the server, the virus is still there and SEP is unable to trace it.

    Hi Pete,

    The Task Scheduler is working normally from what I see.

    Currently still waiting for the management approval to allow us downtime on the server.

    I used a free tool and was able to recover the hidden files, whereas using commands I was not able to.

    Thanks

    CHHOWA



  • 17.  RE: virus had hide .doc file type, create same name as hidden file but end with .exe

    Posted Dec 08, 2013 12:07 AM

    Hi All,

    Can I know, if during the virus scan the client receives a new set of definitions, will the currently executing full scan rescan the files using the new set of definitions?

    Thanks

    CHHOWA