Endpoint Protection


Virus THUN not detected by SEP antivirus on network!

  • 1.  Virus THUN not detected by SEP antivirus on network!

    Posted Aug 01, 2011 02:19 AM

    I just discovered the presence of a virus/trojan - THUN (also shows as autorun.inf folder) on my company's network. The Symantec Endpoint Protection is running and very much up-to-date but it still fails to detect this malicious attack. Can someone please help and advise the best way to get rid of this on the network!!!

    I tried submitting on the Symantec site; it is proving to be a herculean task... I will appreciate a prompt response/assistance as this is very urgent!



  • 2.  RE: Virus THUN not detected by SEP antivirus on network!

    Broadcom Employee
    Posted Aug 01, 2011 02:40 AM

    You may contact the Symantec Technical Support team for help in uploading the file to the site.

    By the way, what's the difficulty you are facing in uploading the file?



  • 3.  RE: Virus THUN not detected by SEP antivirus on network!

    Posted Aug 01, 2011 10:05 AM

    Hi Invisible,

    Have you seen this article yet?

    Best practices for troubleshooting viruses on a network
    Article: TECH122466 (http://www.symantec.com/docs/TECH122466)

    The steps and links there should assist. The authors of these threats intentionally make them as difficult to remove as possible, but there are proven procedures, tools and technologies which should stop them effectively.  That article is the best place to begin.

    Please keep this thread up-to-date with your progress!

    Thanks and best regards,

    Mick


     



  • 4.  RE: Virus THUN not detected by SEP antivirus on network!

    Posted Aug 01, 2011 05:03 PM

    From "Why SEP does not remove the AT, INF, INI, and Registry keys related to infections" (http://www.symantec.com/docs/TECH158359):

    By themselves, autorun.inf files are harmless.  They contain no malicious code and cannot cause harm to a system.  Our detection engines are focused on actual malicious files. Malicious files using an autorun.inf file to launch itself are detected by Symantec.  From a security standpoint there are no protection gaps for customers based on our policies towards autorun.inf.

    If the autorun.inf file is pointing to an executable (for example) that you suspect is malicious--one that we are not detecting--then I would recommend submitting that file for analysis.

    sandra
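
To find which file an autorun.inf actually points to, so that the executable rather than the .inf is what gets submitted for analysis, the launch entries can be parsed out of it. This is an added example, not part of the original post or any Symantec tooling; the sample content is constructed, and `drive_root` and the function names are assumptions made for illustration.

```python
import ntpath
import re

# Keys in the [autorun] section whose value is a command Windows may launch.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed sample, not taken from the thread.
SAMPLE = """\
; padding and junk lines are common in malicious autorun.inf files
[AutoRun]
xkq3=junk
open=RECYCLER\\S-1-5-21\\sample.exe -run
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\command="RECYCLER\\S-1-5-21\\sample.exe" /x
action=Open folder to view files
"""

def launch_targets(text, drive_root="E:\\"):
    """Return (key, absolute_path) for every launch command in autorun.inf text."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # other sections and lines without key=value are ignored
        key, value = (part.strip() for part in line.split("=", 1))
        if not LAUNCH_KEYS.match(key) or not value:
            continue  # icon=, action=, label= and junk keys launch nothing
        # The first token is the program, the rest are arguments. An unquoted
        # path containing spaces is cut at the first space (known limitation).
        if value.startswith('"'):
            program = value[1:].split('"', 1)[0]
        else:
            program = value.split()[0]
        path = ntpath.normpath(ntpath.join(drive_root, program))
        targets.append((key.lower(), path))
    return targets

def files_to_submit(text, drive_root="E:\\"):
    """Unique executable paths referenced by the autorun.inf, sorted."""
    return sorted({path for _, path in launch_targets(text, drive_root)})

if __name__ == "__main__":
    for path in files_to_submit(SAMPLE):
        print(path)
```
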



  • 5.  RE: Virus THUN not detected by SEP antivirus on network!

    Posted Aug 03, 2011 08:15 AM

    Exactly, Sandra. I understand that the autorun.inf is used by the virus to launch itself. Now, that .exe file which is the suspected malicious file has not been detected by our Symantec Endpoint Protection. However, it has been submitted for analysis. (We are yet to get any response/update from Symantec on this though.) We are in dire need of a Rapid Release Definition from Symantec to treat this intrusion on our network!!!!!!!

    [edited by admin] please do not attach known, infected files on the forum or anywhere on Connect. There is a submission process to alert us.


  • 6.  RE: Virus THUN not detected by SEP antivirus on network!

    Posted Aug 03, 2011 08:47 AM

    Thanks Mick. We have submitted the suspected virus sample but are yet to get feedback from Symantec apart from the initial auto-response. We will keep the thread updated with developments on this. Thanks again.



  • 7.  RE: Virus THUN not detected by SEP antivirus on network!

    Posted Aug 03, 2011 08:53 AM

    It's not being detected with current defs. I've re-submitted the file to Symantec.

    Please don't post viruses here, or at least put up a warning that you are doing so, so that users don't infect themselves.



  • 8.  RE: Virus THUN not detected by SEP antivirus on network!

    Posted Aug 03, 2011 09:52 AM

    Looks like it is a new breed of virus. Even on VirusTotal no one has submitted it, and when I uploaded it, it was saying 'queued and analysing'. The following is the report from VirusTotal.

    Antivirus Version Last Update Result
    AhnLab-V3 2011.08.03.02 2011.08.03 Worm/Win32.AutoRun
    AntiVir 7.11.12.200 2011.08.03 TR/Dropper.Gen
    Antiy-AVL 2.0.3.7 2011.08.03 -
    Avast 4.8.1351.0 2011.08.03 Win32:Trojan-gen
    Avast5 5.0.677.0 2011.08.03 Win32:Trojan-gen
    AVG 10.0.0.1190 2011.08.03 Crypt.FAU
    BitDefender 7.2 2011.08.03 Trojan.Generic.2401595
    CAT-QuickHeal 11.00 2011.08.03 Trojan.Agent.cnbc
    ClamAV 0.97.0.0 2011.08.03 Trojan.Agent-121641
    Commtouch 5.3.2.6 2011.08.03 W32/Trojan2.IEOP
    Comodo 9614 2011.08.03 -
    DrWeb 5.0.2.03300 2011.08.03 Win32.HLLW.Autoruner.6836
    Emsisoft 5.1.0.8 2011.08.03 Net-Worm.Win32.Kolab!IK
    eSafe 7.0.17.0 2011.08.03 -
    eTrust-Vet 36.1.8479 2011.08.02 -
    F-Prot 4.6.2.117 2011.08.03 W32/Trojan2.IEOP
    F-Secure 9.0.16440.0 2011.08.03 Trojan.Generic.2401595
    Fortinet 4.2.257.0 2011.08.03 W32/VB.VAQ!tr
    GData 22 2011.08.03 Trojan.Generic.2401595
    Ikarus T3.1.1.104.0 2011.08.03 Net-Worm.Win32.Kolab
    Jiangmin 13.0.900 2011.08.02 Trojan/Agent.dfum
    K7AntiVirus 9.109.4973 2011.08.02 Trojan
    Kaspersky 9.0.0.837 2011.08.03 Trojan.Win32.Agent.cnbc
    McAfee 5.400.0.1158 2011.08.03 Generic VB.ci
    McAfee-GW-Edition 2010.1D 2011.08.03 Generic VB.ci
    Microsoft 1.7104 2011.08.03 VirTool:Win32/VBInject.gen!BG
    NOD32 6346 2011.08.03 Win32/AutoRun.KS
    Norman 6.07.10 2011.08.03 W32/VBTroj.CXPI
    nProtect 2011-08-03.04 2011.08.03 -
    Panda 10.0.3.5 2011.08.03 Generic Trojan
    PCTools 8.0.0.5 2011.08.03 -
    Prevx 3.0 2011.08.03 -
    Rising 23.69.02.03 2011.08.03 -
    Sophos 4.67.0 2011.08.03 Mal/VB-AD
    SUPERAntiSpyware 4.40.0.1006 2011.08.03 -
    Symantec 20111.1.0.186 2011.08.03 -
    TheHacker 6.7.0.1.269 2011.08.03 -
    TrendMicro 9.200.0.1012 2011.08.03 TROJ_VB.JGQ
    TrendMicro-HouseCall 9.200.0.1012 2011.08.03 TROJ_VB.JGQ
    VBA32 3.12.16.4 2011.08.03 OScope.Trojan.VB.0960
    VIPRE 10051 2011.08.03 -
    ViRobot 2011.8.3.4603 2011.08.03 -
    VirusBuster 14.0.150.0 2011.08.02 Trojan.Agent!Iq4So4oTaUs


  • 9.  RE: Virus THUN not detected by SEP antivirus on network!

    Posted Aug 03, 2011 10:05 AM

    Feel free to send me the tracking number via Personal Message - I will try to find time to check its status.



  • 10.  RE: Virus THUN not detected by SEP antivirus on network!

    Posted Aug 03, 2011 10:21 AM

    Rapid Release defs are now available from Symantec per the ticket I just got:



  • 11.  RE: Virus THUN not detected by SEP antivirus on network!

    Posted Aug 03, 2011 10:26 AM

    Never, never, NEVER post a suspected threat file to the forum.

    sandra



  • 12.  RE: Virus THUN not detected by SEP antivirus on network!

    Posted Aug 03, 2011 12:41 PM

    Thanks Mick. I have sent it to your inbox. Will expect your reply.



  • 13.  RE: Virus THUN not detected by SEP antivirus on network!

    Posted Aug 03, 2011 12:44 PM

    Download the latest rapid release defs. Symantec is now detecting it per my post at the end of this thread.



  • 14.  RE: Virus THUN not detected by SEP antivirus on network!
    Best Answer

    Posted Aug 04, 2011 06:21 AM

    I have just received an analysis from Security Response, confirming that protection against this particular variant of W32.IRCBot was added in Rapid Release definition sequence 125685 (20110803.017).

    Please do ensure AV definitions are up-to-date and perform a scan on all computers.  Here are some additional Best Practices and advice for keeping computers secure: http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&depthpath=0

    Thanks and best regards,

    Mick



  • 15.  RE: Virus THUN not detected by SEP antivirus on network!

    Posted Aug 05, 2011 07:58 AM

    Hello Brian,

    Thanks for this. I just downloaded thru the link and will test run on an infected system.

    Will send update via this thread.