
Virus THUN not detected by SEP antivirus on network!

Created: 31 Jul 2011 • Updated: 05 Aug 2011 | 14 comments
This issue has been solved. See solution.

I just discovered the presence of a virus/trojan, THUN (also shows as an autorun.inf folder), on my company's network. Symantec Endpoint Protection is running and very much up-to-date, but it still fails to detect this malicious attack. Can someone please help and advise the best way to get rid of this on the network!!!

I tried submitting on the Symantec site; it is proving to be a herculean task. I will appreciate a prompt response/assistance as this is very urgent!


pete_4u2002:

You may contact the Symantec Technical Support team for help in uploading the file to the site.

By the way, what difficulty are you facing in uploading the file?

Mick2009:

Hi Invisible,

Have you seen this article yet?

Best practices for troubleshooting viruses on a network
Article: TECH122466 (http://www.symantec.com/docs/TECH122466)

The steps and links there should assist. The authors of these threats intentionally make them as difficult to remove as possible, but there are proven procedures, tools and technologies which should stop them effectively. That article is the best place to begin.

Please keep this thread up-to-date with your progress!

Thanks and best regards,

Mick


invisible:

Thanks Mick. We have submitted the suspected virus sample but are yet to get feedback from Symantec apart from the initial auto-response. We will keep the thread updated with developments on this. Thanks again.

Mick2009:

Feel free to send me the tracking number via Personal Message - I will try to find time to check its status.

With thanks and best regards,

Mick

invisible:

Thanks Mick. I have sent it to your inbox. Will expect your reply.

Brɨan:

Download the latest rapid release defs. Symantec is now detecting it per my post at the end of this thread.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

sandra.g:

From "Why SEP does not remove the AT, INF, INI, and Registry keys related to infections" (http://www.symantec.com/docs/TECH158359):

By themselves, autorun.inf files are harmless. They contain no malicious code and cannot cause harm to a system. Our detection engines are focused on actual malicious files. Malicious files using an autorun.inf file to launch themselves are detected by Symantec. From a security standpoint there are no protection gaps for customers based on our policies towards autorun.inf.

If the autorun.inf file is pointing to an executable (for example) that you suspect is malicious, one that we are not detecting, then I would recommend submitting that file for analysis.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!
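As an added example (not from this thread and not Symantec code), a small Python triage helper that does what sandra.g describes: it reads an autorun.inf, pulls out the program(s) it launches, and hashes them so the executable, not the harmless .inf, is what goes to submission. The autorun.inf text and the file bytes are constructed samples; the file names are hypothetical.

```python
import hashlib
import re

# Constructed sample autorun.inf (not the real THUN file); names are hypothetical.
SAMPLE_AUTORUN = """[autorun]
; junk lines like the next one are common and must not break the parser
xK3#@!qq
open=THUN.exe
shellexecute=RECYCLER\\thun.exe -s
shell\\open\\command="THUN.exe" /run
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed stand-in for files found next to the autorun.inf:
# lower-cased relative path -> file bytes (not a real binary).
SAMPLE_FILES = {"thun.exe": b"MZ\x90\x00constructed-sample-not-a-real-binary"}

LAUNCH_KEYS = ("open", "shellexecute")

def launch_targets(autorun_text):
    """Return the lower-cased paths of every program the [autorun] section launches."""
    targets = set()
    in_autorun = False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue                      # other sections and junk lines are ignored
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open=, shellexecute= and shell\<verb>\command= all start a program
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            m = re.match(r'"([^"]+)"|(\S+)', value)   # program path; arguments dropped
            if m:
                targets.add((m.group(1) or m.group(2)).lower())
    return targets

def sha256_hex(data):
    """SHA-256 of the file content, the identifier to quote in a submission."""
    return hashlib.sha256(data).hexdigest()

def triage(autorun_text, share_files):
    """Map each launch target to its SHA-256, or None when the file is missing."""
    return {t: (sha256_hex(share_files[t]) if t in share_files else None)
            for t in launch_targets(autorun_text)}
```

A target that resolves to None has either already been cleaned up or lives somewhere else on the share, which is worth noting in the submission.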

invisible:

Exactly, Sandra. I understand that the autorun.inf is used by the virus to launch itself. Now, that .exe file, which is the suspected malicious file, has not been detected by our Symantec Endpoint Protection. However, it has been submitted for analysis. (We are yet to get any response/update from Symantec on this though.) We are in dire need of a Rapid Release Definition from Symantec to treat this intrusion on our network!

[edited by admin] Please do not attach known infected files on the forum or anywhere on Connect. There is a submission process to alert us.

Brɨan:

It's not being detected with current defs. I've re-submitted the file to Symantec.

Please don't post viruses here, or at least put up a warning that you are doing so, so that users don't infect themselves.

sandra.g:

Never, never, NEVER post a suspected threat file to the forum.

sandra


invisible:

Hello Brian,

Thanks for this. I just downloaded it through the link and will test-run it on an infected system.

Will send an update via this thread.

deepak.vasudevan:

Looks like it is a new breed of virus. Even on VirusTotal no one had submitted it, and when I uploaded it, it was saying 'queued and analysing'. The following is the report from VirusTotal.

Antivirus Version Last Update Result
AhnLab-V3 2011.08.03.02 2011.08.03 Worm/Win32.AutoRun
AntiVir 7.11.12.200 2011.08.03 TR/Dropper.Gen
Antiy-AVL 2.0.3.7 2011.08.03 -
Avast 4.8.1351.0 2011.08.03 Win32:Trojan-gen
Avast5 5.0.677.0 2011.08.03 Win32:Trojan-gen
AVG 10.0.0.1190 2011.08.03 Crypt.FAU
BitDefender 7.2 2011.08.03 Trojan.Generic.2401595
CAT-QuickHeal 11.00 2011.08.03 Trojan.Agent.cnbc
ClamAV 0.97.0.0 2011.08.03 Trojan.Agent-121641
Commtouch 5.3.2.6 2011.08.03 W32/Trojan2.IEOP
Comodo 9614 2011.08.03 -
DrWeb 5.0.2.03300 2011.08.03 Win32.HLLW.Autoruner.6836
Emsisoft 5.1.0.8 2011.08.03 Net-Worm.Win32.Kolab!IK
eSafe 7.0.17.0 2011.08.03 -
eTrust-Vet 36.1.8479 2011.08.02 -
F-Prot 4.6.2.117 2011.08.03 W32/Trojan2.IEOP
F-Secure 9.0.16440.0 2011.08.03 Trojan.Generic.2401595
Fortinet 4.2.257.0 2011.08.03 W32/VB.VAQ!tr
GData 22 2011.08.03 Trojan.Generic.2401595
Ikarus T3.1.1.104.0 2011.08.03 Net-Worm.Win32.Kolab
Jiangmin 13.0.900 2011.08.02 Trojan/Agent.dfum
K7AntiVirus 9.109.4973 2011.08.02 Trojan
Kaspersky 9.0.0.837 2011.08.03 Trojan.Win32.Agent.cnbc
McAfee 5.400.0.1158 2011.08.03 Generic VB.ci
McAfee-GW-Edition 2010.1D 2011.08.03 Generic VB.ci
Microsoft 1.7104 2011.08.03 VirTool:Win32/VBInject.gen!BG
NOD32 6346 2011.08.03 Win32/AutoRun.KS
Norman 6.07.10 2011.08.03 W32/VBTroj.CXPI
nProtect 2011-08-03.04 2011.08.03 -
Panda 10.0.3.5 2011.08.03 Generic Trojan
PCTools 8.0.0.5 2011.08.03 -
Prevx 3.0 2011.08.03 -
Rising 23.69.02.03 2011.08.03 -
Sophos 4.67.0 2011.08.03 Mal/VB-AD
SUPERAntiSpyware 4.40.0.1006 2011.08.03 -
Symantec 20111.1.0.186 2011.08.03 -
TheHacker 6.7.0.1.269 2011.08.03 -
TrendMicro 9.200.0.1012 2011.08.03 TROJ_VB.JGQ
TrendMicro-HouseCall 9.200.0.1012 2011.08.03 TROJ_VB.JGQ
VBA32 3.12.16.4 2011.08.03 OScope.Trojan.VB.0960
VIPRE 10051 2011.08.03 -
ViRobot 2011.8.3.4603 2011.08.03 -
VirusBuster 14.0.150.0 2011.08.02 Trojan.Agent!Iq4So4oTaUs

Brɨan:

Rapid Release defs are now available from Symantec per the ticket I just got:

Mick2009:

I have just received an analysis from Security Response, confirming that protection against this particular variant of W32.IRCBot was added in Rapid Release definition sequence 125685 (20110803.017).

Please do ensure AV definitions are up-to-date and perform a scan on all computers. Here are some additional Best Practices and advice for keeping computers secure: http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&depthpath=0

Thanks and best regards,

Mick


SOLUTION