Endpoint Protection


What is this trojan/malware 'Fake Microsoft Security Essentials Alert' called in SEP and how do I get rid of it using SEP?

  • 1.  What is this trojan/malware 'Fake Microsoft Security Essentials Alert' called in SEP and how do I get rid of it using SEP?

    Posted Sep 17, 2010 10:11 AM

    Hi Guys,

    Just had an incident where we had this 'Fake Microsoft Security Essentials Alert' on a machine, but SEP was unable to detect any virus or malware, etc.

    More details on this below:

    http://www.bleepingcomputer.com/virus-removal/remove-fake-microsoft-security-essentials-alert

    I'm currently running SEP 11.0.4014.26, with both antivirus and network threat protection definitions dated 16/09/2010 (as of this writing).

    Can anyone assist with identifying what this malware is called in SEP, and how I can use SEP to remove this malware?

    Many thanks in advance!

    Cheers,

    Rob



  • 2.  RE: What is this trojan/malware 'Fake Microsoft Security Essentials Alert' called in SEP and how do I get rid of it using SEP?

    Posted Sep 17, 2010 10:20 AM

    It has been in the wild for a long time.

    Can you please submit those files to Symantec, so that it can be detected in the next virus definitions release?

    https://www-secure.symantec.com/connect/forums/what-microsoft-security-essentials-found-endpoint-missed



  • 3.  RE: What is this trojan/malware 'Fake Microsoft Security Essentials Alert' called in SEP and how do I get rid of it using SEP?

    Posted Sep 17, 2010 12:11 PM

    If you have already identified the malware files, then you could go to http://submit.symantec.com/gold (depends on your support) and submit the file.

    If the malware files are not yet identified, then kindly run the SEP Support Tool with only the load point option selected, and once the report is run, save the load point logs and post them over here...



  • 4.  RE: What is this trojan/malware 'Fake Microsoft Security Essentials Alert' called in SEP and how do I get rid of it using SEP?

    Posted Sep 18, 2010 06:39 PM

    I believe it is referred to as simply "Downloader".



  • 5.  RE: What is this trojan/malware 'Fake Microsoft Security Essentials Alert' called in SEP and how do I get rid of it using SEP?

    Posted Sep 28, 2010 07:29 PM

    SEP is not only not stopping them, it is not detecting anything wrong with a full scan.



  • 6.  RE: What is this trojan/malware 'Fake Microsoft Security Essentials Alert' called in SEP and how do I get rid of it using SEP?

    Trusted Advisor
    Posted Sep 29, 2010 07:50 AM

    The above people are correct.

    You will have to submit the suspicious files to the Symantec Security Response team, and they will email you back letting you know more about the type of threat.

    Again, Symantec does not identify files by file name; it identifies them by their hash value.

    In case you are not carrying a valid contract, or it has expired, you could also submit the suspicious file to www.threatexpert.com for more info. The same is also owned by Symantec.



  • 7.  RE: What is this trojan/malware 'Fake Microsoft Security Essentials Alert' called in SEP and how do I get rid of it using SEP?

    Posted Oct 05, 2010 01:45 PM

    I picked this one up on what appeared to be a legitimate Adobe update. Norton is not picking this one up currently. It has blocked all my browsers (Chrome, IE, etc.); now whenever I try to launch a browser window, that same message pops up regarding the trojan. It has also blocked my desktop access. So I am not sure how to find the files to send up to Norton. Any idea on this one, folks?



  • 8.  RE: What is this trojan/malware 'Fake Microsoft Security Essentials Alert' called in SEP and how do I get rid of it using SEP?

    Posted Oct 05, 2010 02:43 PM

    Run Process Explorer, try to open a browser, and you should see it start and then stop. Process Explorer will highlight the new process in green and then in red if it gets killed. If a process tries to kill your browser session, you should be able to see which one and investigate further from there.

    Make sure to set the Difference Highlighting Duration to 9 seconds:

    Options ---> Difference Highlighting Duration ---> set to 9 seconds
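The same "watch what appears and what dies" technique, scripted in PowerShell as an added example (this is not code from the post above or from Sysinternals). It snapshots the process list, launches the browser, then polls for the same 9-second window the reply recommends and prints every process that appears (green in Process Explorer) or vanishes (red), with its image path and parent, so a process that shows up just as the browser dies can be picked out for investigation. The browser path, poll interval and the use of Win32_Process for the parent PID are assumptions; run it from an elevated prompt so image paths resolve for every process.

```powershell
# Added example: PowerShell stand-in for Process Explorer difference highlighting.
# Snapshot processes, start the browser, then report arrivals (+) and exits (-)
# during the watch window. Uses Win32_Process because it carries ParentProcessId.
param(
    [string]$Browser = 'C:\Program Files\Internet Explorer\iexplore.exe',  # assumption
    [int]$Seconds = 9,      # same window as the Difference Highlighting Duration above
    [int]$PollMs  = 250
)

function Get-ProcSnapshot {
    # Returns a hashtable PID -> (Pid, Name, Path, Parent).
    $snap = @{}
    Get-WmiObject Win32_Process | ForEach-Object {
        $snap[[int]$_.ProcessId] = New-Object PSObject -Property @{
            Pid    = [int]$_.ProcessId
            Name   = $_.Name
            Path   = $_.ExecutablePath
            Parent = [int]$_.ParentProcessId
        }
    }
    return $snap
}

$known = (Get-ProcSnapshot).Clone()   # the set we diff each poll against
$stop  = (Get-Date).AddSeconds($Seconds)

Write-Host "Launching $Browser and watching for $Seconds s ..."
Start-Process -FilePath $Browser | Out-Null

while ((Get-Date) -lt $stop) {
    Start-Sleep -Milliseconds $PollMs
    $now = Get-ProcSnapshot

    # Arrivals: PIDs present now that we had not seen before.
    foreach ($id in $now.Keys) {
        if (-not $known.ContainsKey($id)) {
            $p = $now[$id]
            $parent = if ($known.ContainsKey($p.Parent)) { $known[$p.Parent].Name } else { "pid $($p.Parent)" }
            Write-Host ("[+] {0,6} {1,-20} parent={2,-20} {3}" -f $p.Pid, $p.Name, $parent, $p.Path) -ForegroundColor Green
            $known[$id] = $p
        }
    }
    # Exits: PIDs we knew that are no longer running. Copy the key list first,
    # since we remove from $known while iterating.
    foreach ($id in @($known.Keys)) {
        if (-not $now.ContainsKey($id)) {
            $p = $known[$id]
            Write-Host ("[-] {0,6} {1,-20} exited (was {2})" -f $p.Pid, $p.Name, $p.Path) -ForegroundColor Red
            $known.Remove($id)
        }
    }
}
```

If the browser shows up as [+] and then [-] within a second or two, any other [+] line in the same window, especially one whose parent is not explorer.exe or whose Path sits under a user profile, is the candidate to hash and submit. A 250 ms poll can miss a process that lives for less time than that, which is the one place Process Explorer's kernel-level view is strictly better.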



  • 9.  RE: What is this trojan/malware 'Fake Microsoft Security Essentials Alert' called in SEP and how do I get rid of it using SEP?

    Posted Oct 09, 2010 03:52 AM

    Try Norton Power eraser. It successfully removed the threat from my machine.

    http://security.symantec.com/nbrt/npe.asp?lcid=1033

    Hope this is of help.

    Regards,

    Chitta



  • 10.  RE: What is this trojan/malware 'Fake Microsoft Security Essentials Alert' called in SEP and how do I get rid of it using SEP?

    Posted Oct 27, 2010 11:01 AM

    Microsoft Security Essentials Alert virus. We have had two such infections over the last two days. Symantec is aware of a variant of this virus:

    While Symantec will not currently prevent infection, a full scan (and only a Full scan) will detect associated files after removing two files associated with the infection.

    We appear to have been hit with a new version of the same animal noted in the two links.  There may be a newer threat write-up (please let me know if this is so), though I was not able to find it at the time of this post.

    Have submitted two associated files (users folder\documents and settings\application data\hotfix.exe and users folder\documents and settings\desktop\mstsc.exe) to Symantec and asked for virus definitions to prevent infection.

    If you are having these symptoms but the files don't match the original threat write-up, perhaps you could try what we had to do here to remove the threat:

    NOTE: I've written these from an IT staff standpoint, so for many of the steps prior IT knowledge is assumed. If you need assistance on any menu items, try searching for the task/item on support.microsoft.com. Also, I will not be checking back on this post and will not be able to answer any questions:

    1. Login as a user with admin privileges, other than the user that was infected.

    • e.g. if your normal user login is Administrator, then create a new user and add that new user to the Administrators group

    2. Login as the new/other user

    3. Turn off System Restore

    4. Go to C:\Documents and Settings\infectedusername\Local Settings\Application Data\ and C:\Documents and Settings\infectedusername\Application Data\

    • If you see the file "hotfix.exe" in either of these folders -- delete it

    5. Go to C:\Documents and Settings\infectedusername\Desktop\

    • If you see the file "mstsc.exe" -- delete it

    NOTE: this is the name of a valid Windows file (installer for MS Terminal Services Client); however, the desktop is not its proper location. One should not delete this file from any other location.

    6. Precautionary/Optional steps

    • Go to c:\windows\prefetch -- delete contents (do not delete the folder, just its contents). This is the folder where programs cache copies of their installers for recovery.
    • Delete the infected user's temporary internet files and temp files from C:\Documents and Settings\infectedusername\Local Settings\Temp and C:\Documents and Settings\infectedusername\Local Settings\Temporary Internet Files (not the folders, just the content of those folders)
    • Delete the files in c:\Windows\temp\ (again, not the folder, just the contents)

    7. Run LiveUpdate on Symantec AV to get most current definitions

    8. Run Full System Scan

    • Delete any threats/hits

    9. Reboot and login as the infecteduser

    • The pop-up should not return. If it does... well, unfortunately you're still infected, and just know that you have my sympathy.

    Cheers.
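Steps 4 and 5 of the procedure above, as an added PowerShell example that is not part of the original post. It differs from the post in one respect a practitioner will want: rather than deleting hotfix.exe and mstsc.exe, it hashes them and moves them into a quarantine folder with a manifest, so the samples survive for the Symantec submission that earlier replies in this thread ask for (Symantec identifies files by hash, per reply 6, so the hash is recorded alongside the path). It also compares any Desktop mstsc.exe against the genuine copy in system32, which tells a copied-in real binary apart from a payload that merely borrows the name. The C:\Users paths are assumed Vista/7 equivalents of the XP paths in the post; the quarantine location and the .bin rename are assumptions too. Run it, as the post says, logged in as a different admin account with the infected user logged off, otherwise the files may be locked.

```powershell
# Added example: quarantine-and-hash triage for the hotfix.exe / mstsc.exe
# indicators named in the post. Moves, never deletes, so samples can be submitted.
param(
    [Parameter(Mandatory = $true)][string]$InfectedUser,
    [string]$Quarantine = "C:\Quarantine\$(Get-Date -Format yyyyMMdd-HHmmss)"   # assumption
)

# XP locations from the post, plus their Vista/7 profile equivalents (assumed).
$xp    = "C:\Documents and Settings\$InfectedUser"
$vista = "C:\Users\$InfectedUser"
$candidates = @(
    "$xp\Local Settings\Application Data\hotfix.exe",
    "$xp\Application Data\hotfix.exe",
    "$xp\Desktop\mstsc.exe",
    "$vista\AppData\Local\hotfix.exe",
    "$vista\AppData\Roaming\hotfix.exe",
    "$vista\Desktop\mstsc.exe"
)

function Get-Sha256 {
    # .NET hashing instead of Get-FileHash so this also runs on PowerShell 2.0 (XP era).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close(); $sha.Dispose() }
}

# Hash of the real Remote Desktop client, used to classify a Desktop mstsc.exe.
$legitPath  = Join-Path $env:SystemRoot 'system32\mstsc.exe'
$legitMstsc = if (Test-Path -LiteralPath $legitPath) { Get-Sha256 $legitPath } else { $null }

$found = @()
foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path
    $hash = Get-Sha256 $item.FullName
    $found += New-Object PSObject -Property @{
        Path       = $item.FullName
        Bytes      = $item.Length
        Modified   = $item.LastWriteTime
        SHA256     = $hash
        SameAsReal = ($item.Name -ieq 'mstsc.exe' -and $hash -eq $legitMstsc)
    }
}

if ($found.Count -eq 0) {
    Write-Host "No hotfix.exe / mstsc.exe indicators found for user '$InfectedUser'."
    return
}

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

foreach ($f in $found) {
    # Rename to .bin on the way out so nothing double-clicks the sample back to life.
    $leaf = (Split-Path $f.Path -Leaf) + '.' + $f.SHA256.Substring(0, 12) + '.bin'
    $dest = Join-Path $Quarantine $leaf
    Move-Item -LiteralPath $f.Path -Destination $dest -Force
    Write-Host ("quarantined {0} -> {1}" -f $f.Path, $dest)
}

# Manifest (original path, size, mtime, SHA-256) to accompany the submission.
$manifest = Join-Path $Quarantine 'manifest.csv'
$found | Export-Csv -NoTypeInformation -Path $manifest
$found | Format-Table Path, Bytes, Modified, SHA256, SameAsReal -AutoSize
Write-Host "Manifest written to $manifest. Continue with LiveUpdate and a Full System Scan (steps 7-8)."
```

A SameAsReal value of True means the Desktop mstsc.exe is a byte-for-byte copy of the system's own client and is probably just a dropped decoy; False means it is something else wearing the name, and that is the file to submit first. The temp and prefetch clean-up in step 6 is left to the procedure as written, since it does not produce anything worth keeping.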



  • 11.  RE: What is this trojan/malware 'Fake Microsoft Security Essentials Alert' called in SEP and how do I get rid of it using SEP?

    Posted Oct 27, 2010 11:05 AM

    Norton Power Eraser (http://security.symantec.com/nbrt/npe.asp?lcid=1033), as already written, is a nice and fast solution to delete this threat.