Endpoint Protection

  • 1.  W32.Qakbot

    Posted Nov 23, 2009 08:42 AM

    We are having huge problems with a variant of this virus. SEP is able to detect it but not properly remove it. Does anyone know of a removal tool that actually works?

    Qakbot has the ability to duplicate itself with a new name every time you delete it.

    We are using the latest version of SEP MR5 for the console but different versions of clients (MR3 and MR4).



  • 2.  RE: W32.Qakbot



  • 3.  RE: W32.Qakbot

    Posted Nov 23, 2009 09:07 AM
    Yes of course this is the first to try. However it is not right on for our problems. It works on some machines but not for all.

    I think that Qakbot has changed somewhat in the way it works and there must be more hidden settings somewhere.


  • 4.  RE: W32.Qakbot
    Best Answer

    Posted Nov 23, 2009 09:12 AM
    Also, with the help of this KB, stop the threat from spreading.


    Title: 'How to use Application and Device Control to limit the spread of a threat.'
    Document ID: 2009041514273648
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009041514273648?Open&seg=ent


    Create a rule to block the following:

    qbot.*
    qbotinj.*
    crontab.*



  • 5.  RE: W32.Qakbot

    Posted Nov 23, 2009 11:50 AM
    If you know the file name(s), have you submitted those files to Symantec yet?


  • 6.  RE: W32.Qakbot

    Posted Dec 02, 2009 09:00 AM
    We created a rule to block qbot* creation of folders/files in AD and also with policy in SEP. It did not help the first day, but after a couple of days most of the viruses have vanished.

    The files have been submitted to Symantec since we have the default settings with submissions in the antivirus policy. I am not sure if the updated signatures since then have had any impact in catching the virus.
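
Added example (not part of any post in this thread, and not Symantec code): a small triage helper that checks a file inventory against the name patterns quoted in posts 4 and 6, to show which hosts still hold matching files and how the narrower `qbot.*` differs from the broader `qbot*`. Host names and paths are constructed, and Python's `fnmatch` stands in for the product's own wildcard matching, which is an assumption.

```python
import fnmatch
import ntpath
from collections import defaultdict

# File-name patterns quoted in the thread.
POST4_PATTERNS = ("qbot.*", "qbotinj.*", "crontab.*")
POST6_PATTERNS = ("qbot*",)

def match_rule(path, patterns=POST4_PATTERNS):
    """Return the first pattern matching the file name of a Windows path, else None."""
    # ntpath splits on backslashes on any OS; Windows file names are case-insensitive.
    name = ntpath.basename(path).lower()
    for pattern in patterns:
        if fnmatch.fnmatchcase(name, pattern.lower()):
            return pattern
    return None

def triage(inventory, patterns=POST4_PATTERNS):
    """Group matching files by host. inventory: iterable of (host, path) pairs."""
    hits = defaultdict(list)
    for host, path in inventory:
        pattern = match_rule(path, patterns)
        if pattern is not None:
            hits[host].append((path, pattern))
    return dict(hits)

# Constructed sample inventory (hypothetical hosts and paths, not from the thread).
SAMPLE_INVENTORY = [
    ("HOST-A", r"C:\ExampleDir\qbot.dll"),
    ("HOST-A", r"C:\ExampleDir\QBOTINJ.EXE"),
    ("HOST-B", r"C:\ExampleDir\crontab.dat"),
    ("HOST-B", r"C:\ExampleDir\notes.txt"),
    ("HOST-C", r"C:\ExampleDir\qbotx.dll"),
]

if __name__ == "__main__":
    for host, files in sorted(triage(SAMPLE_INVENTORY).items()):
        for path, pattern in files:
            print(f"{host}: {path} matches {pattern}")
```

With the post 4 patterns, `qbotx.dll` on HOST-C is not flagged because `qbot.*` requires a dot directly after `qbot`; passing `POST6_PATTERNS` flags it but no longer covers `crontab.*`.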