Endpoint Protection

  • 1.  Is anyone else seeing flash infected with Trojan.Adclicker?

    Posted Jan 19, 2011 11:50 AM

    We've been seeing a steady stream recently of detects for Trojan.Adclicker.  The file that is flagged in these detects is named flash10i.ocx, and it's located where we would expect Flash to be installed: c:\windows\system32\macromed\flash\flash10i.ocx.

    We haven't seen any network activity that might be associated with an adclicker trojan, so we can't figure out if we have a growing problem, or maybe just a bunch of false positives.

    Has anybody else seen this?  If it is a real problem, do you have any information about how it might be spread?  I've searched the web, but there's not much information out there, so I'm surprised we're seeing so many cases on our own network.



  • 2.  RE: Is anyone else seeing flash infected with Trojan.Adclicker?

    Posted Jan 19, 2011 12:54 PM

    Submit the file to Security Response for analysis ASAP. Please keep us posted on the outcome of the analysis.

    http://www.symantec.com/business/security_response/submitsamples.jsp



  • 3.  RE: Is anyone else seeing flash infected with Trojan.Adclicker?

    Posted Jan 19, 2011 01:19 PM

    The SEP client "cleaned" the file, so I don't have a sample to submit.

    I'll change the policy so the file will be quarantined next time we get a detect.



  • 4.  RE: Is anyone else seeing flash infected with Trojan.Adclicker?

    Posted Jan 31, 2011 01:03 PM

    We got another detect on Jan 27, and the file was quarantined.  I submitted the file from the quarantine on January 27.  No response yet -- not even an automated response.  Am I doing something wrong?



  • 5.  RE: Is anyone else seeing flash infected with Trojan.Adclicker?

    Posted Jan 31, 2011 01:08 PM

    I'm not sure why it's taking this long; hopefully something comes back soon...

    However, in the meantime, run the file through VirusTotal and it will check it against 40+ AV engines. This can hopefully give you a better idea regarding whether or not it is a false positive.

    http://www.virustotal.com/



  • 6.  RE: Is anyone else seeing flash infected with Trojan.Adclicker?

    Posted Jan 31, 2011 01:19 PM

    If you submitted through retail you will only receive the initial reply and nothing more. Please send me a private message with your submission number and I will check on the submission for you.

    Thomas



  • 7.  RE: Is anyone else seeing flash infected with Trojan.Adclicker?

    Posted Jan 31, 2011 07:15 PM

    When our AV detects Flash10i.ocx as a threat, it is normally saying that the threat code is using that file to 'compile' itself or that a vulnerability within the Flash player is being exploited.

    Flash10i.ocx or version 10.1.82.76 are already 3 revisions behind, IIRC.
    Best to update your Flash plugin ASAP. http://get.adobe.com/flashplayer/