Endpoint Protection

We have reclassified this detection, it's a brand new threat that we added on October 30th. Here's the link:

http://www.symantec.com/security_response/writeup.jsp?docid=2010-103008-0555-99

Unfortunately I don't have anything further to add other than our Security Response is looking into more robust detections for this.

To answer your questions, yes you should be able to reboot and be clean/protected from this threat. It would be prudent to run another scan after rebooting to verify.

Well, just to give an update:

After SEPM detected Backdoor.Cycbot  and I rebooted the client machine I ran a scan on the client and again the virus appeared again as infected, I clicked on the "remove risk now" button and it cleaned it. I ran a scan again on the client and it came up again as infected, I then chose to remove the risk again by selecting delete, which it says it was deleted, then ran the scan again and it came up infected again.

To prevent further spreading I'm going to disable autorun on the network but user's are still dealing with the virus.

What does Symantec suggest I do after disabling autorun to prevent it from spreading? My definitions are already up to date?

Does the current rapid release version have an updated definition that can detect and delete this virus?

Make sure you run full scan in safe mode so that SEP can take complete action on those files.

Do you know if the current rapid release version have an updated definition that can detect and delete this virus? All my clients have definition 2010-11-01 rev. 002

http://www.sophos.com/security/analyses/viruses-and-spyware/malgbota.html

Lists all relevant Processes and registry locations. Best anwser until Symantec can pick it up.

I can Tell you 2010-11-01 rev. 019 does NOT.

The files it does not identify are the DWM.exe and sometimes the shell.exe.

We just had a security meeting on this threat. Right now there are 200 known variants of this threat. We are also seeing it packed with 3-4 other files when it infects. If you are seeing re-infections after a scan it's likely Symantec hasn't caught all the files. It would be a good idea to log a case with support so we can find the files and get them submitted for detections.

Autorun is now disabled on the network via GPO and I guess we'll have to wait for an updated definition.

Thanks everyone.

I selected a few of the responses as the "solution" - thanks for all your help.

You can also password protect your shares, if you have any need for them. Otherwise, turn it off.

I find it somewhat disenheartening Sophos has been stopping this since 9/23. 

Has anyone tried adding the MD5s to the Application Control>Block Applications?  Should work on the .exe files, never tried with a non-exe (the .cfg file in the write-up).

2010-11-01 rev.54 obviously doesnt clean it either.

Update, we *should* have an updated detection for this today that will hopefully fix this. I believe the detection will be under the name Backdoor.cycbot!gen or something similar. Unfortunately I do not have an ETA on this.

Domains to block related to Cycbot:

·         bookknowlege.com

·         protectyourpc-11.com

·         8minutedating.com

·         freenetgameonline.com

·         xinmin.cn

·         freeonlinedatingtips.net

·         xy95.cn

Listening port may be 50370, good idea to ensure that is locked as well.

Thanks, hopefully it'll come out today.

Updated detection: 11/2/2010 rev. 8

Name: Backdoor.Cycbot!gen1

I believe this should cover most of the threats if not all. If you come across anything it isn't detecting I would recommend submitting the file(s) to Symantec for further analysis.

Just updated the clients with new revision 2010-11-02 rev.008

Seems as if it detected the viruses on one of the infectedclients but couldnt clean them for some reason?

Client AV notification:

Scan type: Auto-Protect Scan

Event: Risk Found!

Security risk detected: Trojan.FakeAV!gen39

File: C:\Documents and Settings\jjones\Application Data\Microsoft\svchost.exe

Location: C:\Documents and Settings\jjones\Application Data\Microsoft

Computer: ACCTWHSG User: SYSTEM

Action taken: Pending Side Effects Analysis : Access denied

Date found: Tuesday, November 02, 2010  3:42:32 PM 

SEPM Notification: 

Action taken is: Details Pending and Left Alone???

The file may be locked by Windows or something, try taking it to Safe Mode and scanning the C:\Documents and Settings\jjones\ folder to see if you get better results.

Edit: The dwm.exe file is pending but right above it it gets cleaned. The above info still applies though for that file that is left alone.

Seems that the file sinfected are dwm.exe and svchost.exe

Here's what have so far that are related to this:

·         dwm.exe

·         shell.exe

·         svchost.exe

·         stor.cfg

I tried scanning and deleting in Safe Mode, but when I return to regular mode the virus is still detected on an active scan. I've been having this problem since October 22 (it began as W32.SillyFDC). Symantec, despite many live updates and full scans, still hasn't cleaned Backdoor.cycbot. On the bright side, it has identified all the files mentioned in this thread.

In short, I'm getting pretty frustrated by the persistance of this problem.

What do you suggest?

The latest surviving (but allegedly cleaned) copy is backdoor.cycbot as shell.exe in this location:

c:\documents and settings\[my.name]\application data\microsoft\windows\

Before I click to take action, the software always warns that other processes should be ended -- but my browsers are closed and nothing else is open except stuff running in the background from startup.

Thanks for any  help.

Hi,

Your best bet (for the time being) is to use MalwareBytes Antispyware (its free).

Just until Symantec try and catch up.....;)