Endpoint Protection


Yahoo Messenger Virus


  • 1.  Yahoo Messenger Virus

    Posted Jul 21, 2010 07:46 AM
    Hi all, we are running MR5 with IPS and TruScan enabled. We haven't been able to get Application and Device Control up and running due to the amount of applications our users use. We have been getting infected with a virus that spreads through Yahoo Messenger. An infected person sends you a link that looks like hxxp://facebookn.com/images.php and when the user clicks on this they get infected and their messenger starts sending out messages to all contacts with a virus link. I haven't got an infected machine that I can get info from about the infection and what files it installs/executes. Has anyone seen this before and blocked it?


  • 2.  RE: Yahoo Messenger Virus

    Posted Jul 21, 2010 07:48 AM

    If the URL is the same all the time, then block the URL.


    Title: 'How to block/allow website access using the Symantec Endpoint Protection Manager custom Intrusion Prevention Signature policy'
    Document ID: 2008070803545448
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008070803545448?Open&seg=ent




  • 3.  RE: Yahoo Messenger Virus

    Posted Jul 21, 2010 08:20 AM
    The URL varies unfortunately.



  • 4.  RE: Yahoo Messenger Virus

    Posted Jul 21, 2010 09:13 AM

    If you want you can block Yahoo Messenger, but I don't think it will be feasible.

    The URLs that come in, are they similar in any form? If yes, we can use wildcard characters and create a generic URL.


  • 5.  RE: Yahoo Messenger Virus

    Posted Jul 21, 2010 09:31 AM

    Not really. hxxp://ow.ly/2eohl?=www.facebook.com/photo.php is the latest link.

    The executable is called 2666425498736-JPG-www.facebook.com.exe but I'm guessing this will change.
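The two lures quoted so far in this thread share a shape even though the exact URL changes: a trusted brand name appears either in a lookalike host (facebookn.com) or as bait after the host of an unrelated domain (ow.ly/...?=www.facebook.com/photo.php). The following is an added example, not code from the original posts or from Symantec, that triages IM links on those patterns rather than on an exact URL. The brand and shortener lists are assumptions for the example; two of the sample links are the defanged lures from the thread and the other two are constructed.

```python
"""Heuristic triage of links pasted into IM messages.

Added example for this thread, not code from the original posts or from
Symantec. Two of the sample links are the defanged lures quoted in the
thread; the others are constructed here to show the heuristics' behaviour.
"""
from urllib.parse import parse_qsl, urlsplit

# Brands the lures impersonate and the domains that legitimately serve them.
# Assumption for the example: extend this for the brands your users trust.
PROTECTED_BRANDS = {"facebook": {"facebook.com", "fbcdn.net"}}

# Common URL shorteners; the thread's second lure is an ow.ly link.
SHORTENERS = {"ow.ly", "bit.ly", "tinyurl.com", "goo.gl", "t.co"}


def refang(url):
    """Turn the hxxp:// defanging used in the thread back into a parseable URL."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)


def registrable_domain(host):
    """Last two labels of the host. Adequate for .com/.net style lookalikes;
    a real deployment would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """Return the reasons a link looks like an IM worm lure (empty list = nothing found)."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    # Everything after the host, lower-cased, so bait in path, query or fragment is all seen.
    tail = f"{parts.path}?{parts.query}#{parts.fragment}".lower()
    reasons = []

    for brand, legit_domains in PROTECTED_BRANDS.items():
        if brand in host and domain not in legit_domains:
            # facebookn.com, facebook.com.evil.example: brand in the host, domain not brand-owned
            reasons.append(f"lookalike host {host!r} impersonates {brand}")
        if brand in tail and domain not in legit_domains:
            # ow.ly/2eohl?=www.facebook.com/photo.php: brand appears only as bait after the host
            reasons.append(f"{brand!r} named after the host of non-{brand} domain {domain!r}")
    if domain in SHORTENERS:
        reasons.append(f"shortener {domain!r} hides the real destination")
    if parts.query and all(not key for key, _ in parse_qsl(parts.query, keep_blank_values=True)):
        # "?=www.facebook.com/photo.php" has no parameter name at all: purely decorative
        reasons.append("query string has no parameter name (decorative bait)")
    return reasons


# Constructed sample set: two lures quoted in the thread, one genuine link, one made-up lookalike.
SAMPLE_LINKS = [
    "hxxp://facebookn.com/images.php",
    "hxxp://ow.ly/2eohl?=www.facebook.com/photo.php",
    "https://www.facebook.com/photo.php?fbid=10150",
    "http://facebook.com.photo-viewer.example/p.php",
]


def triage(links):
    """Map each link to a verdict and the reasons behind it."""
    out = {}
    for link in links:
        reasons = classify_link(link)
        out[link] = {"verdict": "suspicious" if reasons else "clean", "reasons": reasons}
    return out


if __name__ == "__main__":
    for link, result in triage(SAMPLE_LINKS).items():
        print(f"{result['verdict']:10} {link}")
        for reason in result["reasons"]:
            print(f"           - {reason}")
```

The genuine facebook.com link produces no reasons because the check keys on the registrable domain, not on the presence of the brand string; the shortener link is flagged three times over (brand as bait, shortener, nameless query parameter), which is the kind of redundancy you want when the attacker rotates any single element.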



  • 6.  RE: Yahoo Messenger Virus

    Posted Jul 21, 2010 09:52 AM

    If you had Application and Device Control we could have tried with the hash value of the exe.


  • 7.  RE: Yahoo Messenger Virus

    Posted Jul 21, 2010 10:04 AM

    Yeah I've done that now, blocked the executables based on their hash. Looks to be doing the trick.

    Interestingly, the Microsoft Security Essentials package detected and removed this...



  • 8.  RE: Yahoo Messenger Virus

    Posted Jul 21, 2010 10:32 AM

    Can you submit that executable to the Security Response Team or ThreatExpert? We need to analyze this new threat and create a new definition for detection.

    http://www.symantec.com/business/security_response/submitsamples.jsp

    http://www.threatexpert.com/default.aspx

    Thanks,
    Thomas


  • 9.  RE: Yahoo Messenger Virus

    Posted Jul 21, 2010 11:11 AM

    I can't upload until I validate our account; where do I get these details from?

    Account validation requires that you have either a Technical Contact ID, a Support Number or a Technical Case ID registered with your account. Please enter the required information and submit your request.



  • 10.  RE: Yahoo Messenger Virus

    Posted Jul 21, 2010 11:29 AM

    You can submit it here: https://submit.symantec.com/websubmit/retail.cgi


  • 11.  RE: Yahoo Messenger Virus

    Posted Jul 21, 2010 11:33 AM
    Whoever is in charge of purchasing your software/maintenance contracts should have that information or try contacting licensing at 1-800-721-3934 and select option 2.

    BTW, ThreatExpert does not require a paid account to submit.


  • 12.  RE: Yahoo Messenger Virus

    Posted Jul 21, 2010 11:43 AM
    Submitted to ThreatExpert and retail.

    Also, 90% of the PCs here are x64, so that Application and Device Control policy doesn't help much.




  • 13.  RE: Yahoo Messenger Virus

    Posted Jul 21, 2010 11:52 AM

    Please keep us updated on your issue.

    Thanks,
    Thomas


  • 14.  RE: Yahoo Messenger Virus

    Posted Jul 23, 2010 03:02 AM
    Is there any way to get rid of this? I am deployed overseas so I am limited on the help. Please!! This is my only lifeline to my wife and kids.


  • 15.  RE: Yahoo Messenger Virus

    Posted Jul 23, 2010 05:02 AM
    Use Malwarebytes to get rid of it.


  • 16.  RE: Yahoo Messenger Virus

    Posted Jul 23, 2010 09:04 AM
    Can I use a custom IPS to block files containing the word facebook being downloaded?
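Two ideas in this thread, hash-blocking the executable (post 7, with the caveat that the binary will change) and inspecting downloads for "facebook" in the file name (post 16), are both forms of content inspection on the delivered file. The following is an added example, not code from the original posts or from Symantec, that screens a constructed HTTP response the way such a rule would: the declared attachment name, the real file type from magic bytes, and a SHA-256 blocklist. The HTTP responses and the stand-in payload are constructed here (only the "MZ" signature is real), the brand list is an assumption, and the file name is the one quoted in post 5. The "repacked" sample shows why the hash check alone is brittle: one appended byte defeats it while the name and type checks still fire.

```python
"""Screen an HTTP response that delivers a downloaded file, the way a content
inspection rule would: declared file name, real file type and a hash blocklist.

Added example for this thread, not code from the original posts or from
Symantec. The HTTP responses below are constructed; the "payload" is a few
bytes that merely start with a PE header, and the blocklist entry is computed
from it. The file name is the one quoted in the thread.
"""
import hashlib
import re

IMAGE_WORDS = {"jpg", "jpeg", "gif", "png", "bmp"}            # words that make a name read like a photo
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
BRAND_WORDS = ("facebook", "myspace", "yahoo")                 # assumption: brands used as bait


def build_response(filename, content_type, body):
    """Constructed HTTP/1.1 response carrying `body` as an attachment (test input only)."""
    head = (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
            f'Content-Disposition: attachment; filename="{filename}"\r\n'
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("latin-1") + body


def parse_response(raw):
    """Split a raw response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def filename_from_response(headers, url_path):
    """Prefer Content-Disposition's filename=, otherwise the last path segment."""
    match = re.search(r'filename\*?="?([^";]+)"?', headers.get("content-disposition", ""), re.I)
    return (match.group(1) if match else url_path.rsplit("/", 1)[-1]).strip()


def filename_reasons(name):
    """Why an attachment name looks like a disguised executable."""
    lower = name.lower()
    if not lower.endswith(EXECUTABLE_EXT):
        return []
    stem = lower.rsplit(".", 1)[0]
    tokens = set(re.split(r"[^a-z0-9]+", stem))
    reasons = []
    if tokens & IMAGE_WORDS:
        reasons.append("executable named like an image (image word in the stem)")
    if any(brand in stem for brand in BRAND_WORDS):
        reasons.append("executable carries a trusted brand name as bait")
    return reasons


def sniff_type(body):
    """Identify the real file type from its magic bytes, ignoring what the server claims."""
    if body.startswith(b"MZ"):
        return "pe"
    if body.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if body.startswith(b"\x89PNG") or body.startswith(b"GIF8"):
        return "image"
    return "unknown"


def inspect_download(raw_response, url_path, blocklist):
    """Return a verdict plus the evidence for it; any reason blocks the download."""
    headers, body = parse_response(raw_response)
    name = filename_from_response(headers, url_path)
    reasons = filename_reasons(name)
    kind = sniff_type(body)
    if kind == "pe" and headers.get("content-type", "").lower().startswith("image/"):
        reasons.append("declared Content-Type is an image but the body is a PE executable")
    digest = hashlib.sha256(body).hexdigest()
    if digest in blocklist:
        reasons.append("SHA-256 matches blocklist")
    return {"filename": name, "type": kind, "sha256": digest,
            "reasons": reasons, "verdict": "block" if reasons else "allow"}


# Constructed stand-in for the worm binary: only the "MZ" signature is real.
PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed stand-in for the payload"
WORM_NAME = "2666425498736-JPG-www.facebook.com.exe"        # file name quoted in the thread
BLOCKLIST = {hashlib.sha256(PAYLOAD).hexdigest()}

SAMPLES = {
    "original": build_response(WORM_NAME, "image/jpeg", PAYLOAD),
    "repacked": build_response(WORM_NAME, "image/jpeg", PAYLOAD + b"\x00"),  # one byte changes the hash
    "genuine":  build_response("holiday.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = inspect_download(raw, "/images.php", BLOCKLIST)
        print(f"{label:9} {result['verdict']:5} {result['filename']} ({result['type']})")
        for reason in result["reasons"]:
            print(f"          - {reason}")
```

The hash match is the most precise signal and the shortest-lived; the name and magic-byte checks survive a repack because they key on what the lure has to look like to fool a user, not on the bytes of one build.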



  • 17.  RE: Yahoo Messenger Virus

    Posted Jul 27, 2010 10:27 AM


    First download the latest virus definitions. Boot into safe mode and run a Disk Cleanup (right-click the C drive, Properties, Disk Cleanup); that will delete all the files that are in these temporary locations, as well as IE's temporary files, etc. Perform a full system scan in safe mode.

    It is recommended that you temporarily turn off System Restore. System Restore, which is enabled by default, is used to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

    Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

    Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.


    If this fails to rid the infection, then try running the Norton Power Eraser Tool to remove this threat.

    http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default


  • 18.  RE: Yahoo Messenger Virus

    Posted Jul 27, 2010 11:48 AM

    These days it would be better not to directly click hyperlinks in IM, particularly from a stranger.


  • 19.  RE: Yahoo Messenger Virus

    Posted Jul 27, 2010 11:51 AM

    It looks like a dynamic link. When I click it now I am confronted with a 404 error, as below:

    HTTP/1.1 404 Not Found. The following page is not found: http://ow.ly/2eohl?=www.facebook.com/photo.php


    The address may have been copied incorrectly, please check the url.




  • 20.  RE: Yahoo Messenger Virus

    Posted Jul 27, 2010 11:54 AM

    I would also like to share a related article on this issue:

    http://www.securecomputing.net.au/News/125657,msn-messenger-spam-contains-trojan.aspx


  • 21.  RE: Yahoo Messenger Virus

    Posted Jul 28, 2010 02:32 PM

    Have defs been updated for this yet?


  • 22.  RE: Yahoo Messenger Virus

    Posted Jul 28, 2010 02:33 PM

    The last poster submitted it to ThreatExpert a week ago.


  • 23.  RE: Yahoo Messenger Virus

    Posted Oct 23, 2010 04:43 PM

    A friend of mine apparently clicked on this, and it looks like a program in the email sends emails out to all those known addresses of my friend. What was sent to me was

    http// xositogi.ts5. com - which is not a legal URL. If there is a way to clean this computer, can someone let me know how to clean up the mess on my friend's computer?

    Jimgoff@comcast.net

    Thanks,

    Jim



  • 24.  RE: Yahoo Messenger Virus

    Posted Oct 23, 2010 05:58 PM

    Have you run a full virus scan on this machine?



  • 25.  RE: Yahoo Messenger Virus

    Posted Oct 24, 2010 12:12 AM

    Why don't you block Facebook? There is no reason it needs to be allowed in the enterprise, except maybe from an HR perspective.



  • 26.  RE: Yahoo Messenger Virus

    Posted Oct 24, 2010 01:05 AM

    Hi,

    SEP isn't designed to block instant messaging traffic. There are ways you can use SEP to get results, but they may not be ideal.

    If this is a large issue you may want to look into a product that is designed for this from Symantec or one of our competitors. Here's a link to a few of our options:

    http://www.symantec.com/business/messagelabs-instant-messaging-security

    http://www.symantec.com/business/im-manager

    The only real way using SEP to guarantee these sites are not accessible is to create a firewall rule with a whitelist of only the sites you want to allow and then block everything else.