Endpoint Protection

  • 1.  Virus that Symantec doesn't find

    Posted Aug 13, 2010 08:29 AM

    Hello Everybody,

    Yesterday my users told me that their memory sticks don't work properly. I checked it out and found an autorun.inf that executes a viski.exe file. Viski.exe is in a hidden system folder named Melo. I deleted those files and everything seemed OK, but today the rate of infections is higher. The Symantec client (11.0.6005.562, with definitions up to date) doesn't find this virus. Do you know something about those files, Viski/Melo, and how to remove them with the Symantec client?

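    As an added example (not code from this thread, from Symantec or from Broadcom), the following Python triage script covers the mechanism described above: it parses an autorun.inf found on a removable drive, lists every program the file would launch, and flags launch targets that sit in hidden/system folders. The sample autorun.inf and the attribute listing are constructed to mirror the post (folder Melo, file viski.exe); `read_attributes` is the part that reads the real hidden/system flags on a Windows machine.

```python
"""Triage helper for autorun.inf files on removable media.

Added example for this thread (not code from the forum, Symantec or Broadcom).
It parses the [autorun] section, lists every program the file would launch,
and flags launch targets that sit in hidden/system folders, the pattern the
original poster describes (autorun.inf -> viski.exe inside hidden folder Melo).
"""
import os
import re
import stat

# Keys whose value is a command that AutoRun/AutoPlay may execute.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample modelled on the thread; not the real file from the post.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "open=Melo\\viski.exe\n"
    "shell\\open\\command=\"Melo\\viski.exe\" /s\n"
    "shell\\explore\\command=Melo\\viski.exe\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
)

# Constructed attribute listing (what read_attributes() would report on the stick).
SAMPLE_ATTRIBUTES = {
    "autorun.inf": {"hidden", "system"},
    "Melo": {"hidden", "system"},
    "Melo\\viski.exe": {"hidden", "system"},
    "report.docx": set(),
}


def parse_autorun(text):
    """Return lower-cased key -> value pairs from the [autorun] section.

    Parsed leniently: blank lines, ';' comments, a BOM and junk before the
    section header are ignored, because infected sticks often carry padding.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def _first_token(command):
    """Program path from a command line: the quoted part, or the first word."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    words = command.split()
    return words[0] if words else ""


def launch_targets(entries):
    """Programs the autorun.inf would start, in file order, without duplicates."""
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            exe = _first_token(value).lstrip(".\\")  # drop a leading ".\"
            if exe and exe.lower() not in (t.lower() for t in targets):
                targets.append(exe)
    return targets


def assess(targets, attributes):
    """Flag each launch target whose file or any parent folder is hidden/system.

    `attributes` maps a drive-relative path to its attribute set; on a real
    stick build it with read_attributes() below.
    """
    findings = []
    lookup = {p.lower(): a for p, a in attributes.items()}
    for target in targets:
        parts = target.split("\\")
        hidden_parts = []
        for i in range(1, len(parts) + 1):
            sub = "\\".join(parts[:i])
            attrs = lookup.get(sub.lower(), set())
            if attrs & {"hidden", "system"}:
                hidden_parts.append(f"{sub} ({'+'.join(sorted(attrs))})")
        if hidden_parts:
            findings.append(f"{target} is launched from hidden/system path: "
                            + ", ".join(hidden_parts))
        elif target.lower() not in lookup:
            findings.append(f"{target} is referenced but missing from the drive")
    return findings


def read_attributes(root):
    """Walk a drive (Windows only) and record hidden/system flags per path."""
    attributes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            flags = getattr(os.stat(full), "st_file_attributes", 0)  # 0 off Windows
            attrs = set()
            if flags & stat.FILE_ATTRIBUTE_HIDDEN:
                attrs.add("hidden")
            if flags & stat.FILE_ATTRIBUTE_SYSTEM:
                attrs.add("system")
            attributes[os.path.relpath(full, root)] = attrs
    return attributes


if __name__ == "__main__":
    # Real use: entries = parse_autorun(open(r"E:\autorun.inf").read());
    #           assess(launch_targets(entries), read_attributes(r"E:\"))
    for line in assess(launch_targets(parse_autorun(SAMPLE_AUTORUN)), SAMPLE_ATTRIBUTES):
        print(line)
```

    The parser deliberately ignores everything outside the [autorun] section and tolerates junk lines, since infected sticks often carry padding that trips up strict INI parsers; a finding of "launched from hidden/system path" is exactly the Melo/viski.exe pattern and is worth quarantining the stick over before the antivirus vendor has a signature.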

  • 2.  RE: Virus that Symantec doesn't find

    Broadcom Employee
    Posted Aug 13, 2010 09:12 AM


  • 3.  RE: Virus that Symantec doesn't find

    Posted Aug 13, 2010 09:15 AM
    Submit this file to https://submit.symantec.com/websubmit/basic.cgi

    and virustotal.com to see if this virus is already known...


  • 4.  RE: Virus that Symantec doesn't find

    Posted Aug 13, 2010 09:55 AM

    Thanks for the suggestions!!! I'm a noob with Symantec support and haven't figured out yet what my "contact id" is, but I uploaded the file to virustotal.com:
    http://www.virustotal.com/file-scan/report.html?id=1de6cce096beea01dfd9f42df17bc9ebb528fca6225aeb5efafcd14afbbc74c5-1281707229
    I think I will deploy Microsoft antivirus for now... :(


  • 5.  RE: Virus that Symantec doesn't find

    Posted Aug 13, 2010 11:37 AM

    Users in my company have been getting hit by Fake.AV for a year. We run Win XP SP3 with SEP ver. 11 and Webroot AntiSpyware ver. 3.5.1 installed on each desktop. Sometimes I do get a message from either AV that Fake.AV was detected on a machine, but a few times those viruses went completely undetected and did the damage. The virus defs on those machines are up to date.
    Why is Symantec not able to detect those Fake.AV? In all cases when the virus did infect a machine, I used Malwarebytes to remove the threat. Why is this free program able to do the job when Symantec can't? I attached a screenshot of a scan that I ran just yesterday on one of the user machines that got infected. It had the familiar Fake.AV popup message "You need to purchase this AV to remove the virus"; several registry keys were modified and the proxy settings in IE were changed. I booted into Safe Mode with Networking, installed Malwarebytes, updated the definitions, ran the scan, deleted the infected files, and the machine has been working fine so far.

    Symantec, I need your help to block those Fake.AV!

    Thank you,

    Paul Leskov,

    Network Administrator


    Attachment: MBAM.docx (112 KB)


  • 6.  RE: Virus that Symantec doesn't find

    Posted Aug 13, 2010 12:55 PM
    Are the users with the FakeAV issue local administrators or users that have elevated permissions? Removing those permissions can help. I know that is not always possible.

    We have also had some success with sending screenshots of common FakeAV apps to users with instructions to terminate with CTRL-ALT-DEL and End Task rather than clicking.

    This article has some good tips:

    http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&depthpath=0

    There is also a blog from Bill Felt at Symantec that has some great screenshots and comments.