
W32.Extrat RAT Activity attack blocked

Created: 17 Jun 2013 • Updated: 25 Jun 2013 | 2 comments
julrendo:

good

Currently a computer in my company is generating attacks, which are detailed in the attachment. I executed a full scan, which did not detect any risk.

Can you tell me what else I can do, since this computer continues with these events?

thank you very much


.Brian:

What website is this machine trying to access? Being a 172.x.x.x IP address, is this internal?

I would suggest blocking access to that IP address/website. It is possible that the website has been hacked and it is now serving up malware to anyone who visits.

SEP is doing its job by blocking it, and if you already ran a scan and found nothing, then the machine should be OK. Just avoid going to that website.

If it is internal, then that remote IP needs to be scanned as well.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
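An added example (not code from the original thread or from Symantec) that turns the question in the reply above into a check: group the blocked events by remote IP and decide, per address, whether it is internal (and so needs scanning itself) or external (and so should be blocked). The log lines and their key=value layout are constructed for illustration and are not SEP's real export format; the 172.x.x.x addresses are chosen to show that only 172.16.0.0/12 is private address space, so a 172.x.x.x remote host is not automatically internal.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events in a simplified key=value format (an assumption
# for this example, not the actual SEP log export). Each line is one blocked
# IPS event reported on the affected client.
SAMPLE_EVENTS = """\
event="W32.Extrat RAT Activity attack blocked" local=10.0.5.22 remote=172.20.4.17
event="W32.Extrat RAT Activity attack blocked" local=10.0.5.22 remote=172.20.4.17
event="W32.Extrat RAT Activity attack blocked" local=10.0.5.22 remote=172.40.7.3
event="W32.Extrat RAT Activity attack blocked" local=10.0.5.22 remote=203.0.113.9
"""

# RFC 1918 ranges only. ipaddress.is_private is deliberately not used here
# because it also flags documentation ranges such as 203.0.113.0/24 as private,
# which would hide a public remote host.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

REMOTE_RE = re.compile(r"\bremote=(\S+)")


def classify_remote(ip_text):
    """Return 'internal' for RFC 1918 space, 'external' for routable space,
    'invalid' for anything that does not parse as an IP address.
    Note that 172.0.0.0-172.15.255.255 and 172.32.0.0 upwards are public."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    return "internal" if any(ip in net for net in PRIVATE_NETS) else "external"


def summarize(log_text):
    """Count blocked events per remote IP and attach the recommended action:
    internal hosts need their own scan, external hosts get blocked."""
    counts = Counter()
    for line in log_text.splitlines():
        match = REMOTE_RE.search(line)
        if match:
            counts[match.group(1)] += 1

    result = {}
    for ip_text, events in counts.items():
        scope = classify_remote(ip_text)
        if scope == "internal":
            action = "scan this host too; it may be the infected peer"
        elif scope == "external":
            action = "block at the firewall/proxy and avoid the site"
        else:
            action = "inspect the log line; remote field is not an IP"
        result[ip_text] = {"events": events, "scope": scope, "action": action}
    return result


if __name__ == "__main__":
    for ip_text, info in summarize(SAMPLE_EVENTS).items():
        print(f"{ip_text:15} events={info['events']} {info['scope']:8} -> {info['action']}")
```

Run on the constructed sample, 172.20.4.17 is reported as internal (two events, scan that host), while 172.40.7.3 and 203.0.113.9 are external and get the block recommendation.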

Mithun Sanghavi:

Hello,

I believe you had a similar issue in the past - 

https://www-secure.symantec.com/connect/forums/rat-w32extrat-activity

W32.Extrat RAT Activity is a worm which may inject itself into iexplore.exe, or any customizable process.

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26353

As per the logs, the IPS signature is detecting this worm.

I would suggest you to follow the below Plan of Action:

1) Make sure the client machine pb0l0514388 is updated with the latest Microsoft Security Patches / Service Packs.

You could do this by running the MBSA (Microsoft Baseline Security Analyzer) from the site below:

http://www.microsoft.com/download/en/details.aspx?id=19892

2) Make sure it has Symantec EP installed and is updated with the latest virus definitions.

3) Remove the client machine from the network and run a full scan on the client machine.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.