Endpoint Protection

  • 1.  W32.VBNA.b Worm Removal

    Posted Oct 29, 2012 02:50 PM

    For the past few weeks, I have received an intermittent warning from Symantec about W32.VBNA.b worm. It says there is activity from it, but it does not quarantine it or take any action. I have looked online forever and cannot find a solution. Apparently it is a pretty bad worm that lets others remotely control your computer. If anyone can help me out, I would appreciate it. I've tried everything.

    Thanks,

    Chris



  • 2.  RE: W32.VBNA.b Worm Removal

    Posted Oct 29, 2012 02:57 PM

    Have you run a full scan on the system with the latest definitions?

    See these as well:

    Power Eraser tool

    http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

    How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

    http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

    Support Tool with Power Eraser Tool included

    http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US

    How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files 

    http://www.symantec.com/business/support/index?page=content&id=TECH141402



  • 3.  RE: W32.VBNA.b Worm Removal

    Trusted Advisor
    Posted Oct 29, 2012 03:14 PM

    Hello,

    Worm Win32.VBNA.b is a network-aware worm infection, which is also regarded by many experts as cloaked malware.

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24580

    In your case, I would suggest the below Plan of Action:

    1) Make sure ALL Computers are installed with Symantec EP with latest / updated with virus definitions.

    2) Install ALL Latest Microsoft Security Patches / Service Packs on ALL machines.

    3) Make sure ALL the client machines are using the Latest Vendor Patches installed.

    4) Disable Auto play with GPO

    http://support.microsoft.com/kb/953252

    5) Disable the System Restore with GPO

    http://support.microsoft.com/kb/283073

    6) Disable Scheduled Tasks with GPO

    http://support.microsoft.com/kb/310208

    7) Enable Security Auditing with GPO

    http://support.microsoft.com/kb/300549

    8) In case of any shared / mapped drives present, make sure these are password protected.

    9) Scan ALL the machines...

    In case of a Suspicious file, zip the container Folder and when you open the zipped folder, you may see the Threat file in it.

    Submit the .zip folder to Symantec Security Response Team on 

    https://submit.symantec.com/websubmit/essential.cgi

    We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

    Also, check these Articles:

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

    Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

    http://www.symantec.com/business/support/index?page=content&id=TECH98929

    Hope that helps!!
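
An added example, not part of the post above and not Symantec's or Microsoft's own code: one way to confirm on a client that step 4 (disabling AutoPlay by GPO) actually took effect. It reads the `NoDriveTypeAutoRun` policy bitmask from the registry and lists the drive types for which AutoRun is still allowed; the function names are illustrative.

```powershell
# Added example: audit the effective AutoRun policy on a Windows client.
# NoDriveTypeAutoRun is a bitmask: a set bit DISABLES AutoRun for that
# drive type, so 0xFF disables it for every type.
$DriveTypeBits = [ordered]@{
    'Unknown type (0x01)' = 0x01
    'Removable (0x04)'    = 0x04
    'Fixed (0x08)'        = 0x08
    'Network (0x10)'      = 0x10
    'CD-ROM (0x20)'       = 0x20
    'RAM disk (0x40)'     = 0x40
    'Unknown type (0x80)' = 0x80
}

function Get-AutoRunStillEnabled {
    param([Parameter(Mandatory)][int]$Mask)
    # Drive types whose bit is clear, i.e. AutoRun is still allowed there.
    $DriveTypeBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key }
}

function Test-AutoRunPolicy {
    $subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = "${hive}:\$subKey"
        $prop = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            # No policy value written here: the GPO has not reached this hive.
            [pscustomobject]@{ Key = $key; Value = 'not set'; AutoRunStillEnabled = 'OS default applies' }
            continue
        }
        $mask = [int]$prop.NoDriveTypeAutoRun
        $open = @(Get-AutoRunStillEnabled -Mask $mask)
        [pscustomobject]@{
            Key                 = $key
            Value               = '0x{0:X2}' -f $mask
            AutoRunStillEnabled = if ($open.Count) { $open -join ', ' } else { 'none (fully disabled)' }
        }
    }
}

Test-AutoRunPolicy | Format-Table -AutoSize -Wrap
```

A machine where the policy applied fully reports `0xFF` and `none (fully disabled)`; any listed drive type means the GPO setting did not cover it on that client.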



  • 4.  RE: W32.VBNA.b Worm Removal

    Posted Oct 30, 2012 05:32 AM

    Hi Chris,

    "Thumbs up" to the advice, above!

    I gather that this is an IPS detection rather than AV - what do the logs say about the source computer where the traffic came from?  It would be a good idea to give that source computer a full scan.

    Also: which Symantec products and component are you using?  With that info at hand, some admins here on the forum may be able to pass on recommendations based on their experiences.

    With thanks and best regards,

    Mick