Endpoint Protection

  • 1.  I need to submit a zip file to see how to get rid of this virus

    Posted Jul 26, 2010 09:55 AM

    Hi There,

    Is there someone who could look at the attached zip file and tell me how to protect my system against future attacks? My SEP is up to date but it can't find this. The infection seems to be called rioahim.exe. What it seems to do is change the attributes of the folders to hidden and then create shortcuts to the folders. Only thing is the shortcuts are actually to the infected file. It seems to change network folders, then when a user tries to access the folder, unaware that it is a shortcut, they get infected. I was able to just delete the rioahim file and other associated files, but the trouble is removing the hidden status.

    The only way I have been able to do this is with the attrib -h command line function. Now I have to go through roughly 30 folders individually to remove the hidden property. Would anyone know of an easier way to do this, as having to type attrib "folder name" -s -h (and sometimes -r as well) is taking a bit of time.

    I have a feeling it came from an SD-Card from one of my users, unintentionally. I did notice that SEP was removing the rioahim.exe and rioahim.src files, so it is at least picking up that the files are bad but it is not getting rid of the dll files.

    Please can someone let me know when there is more info about this. The only thing I found online was http://www.prevx.com/filenames/3184973258685196133-X1/RIOAHIM.EXE.html but I think this is just a bot response, as it is one of those annoying sites that doesn't really help.




  • 2.  RE: I need to submit a zip file to see how to get rid of this virus

    Posted Jul 26, 2010 10:09 AM
    Submit the zip file to the following link.

    Web URL: http://www.symantec.com/business/security_response/submitsamples.jsp

    You will get a response from the Security Team about the submission.


  • 3.  RE: I need to submit a zip file to see how to get rid of this virus

    Posted Jul 26, 2010 10:14 AM
    Submit the files to Symantec. Refer to this KB:
    How to Use the Web Submission Process


  • 4.  RE: I need to submit a zip file to see how to get rid of this virus

    Posted Jul 26, 2010 11:01 AM

    Thank you, I was trying to find the link where I could submit a request but just couldn't find it and this problem was starting to irritate me. It seems as if it is a VB type script (I think). I never opened it up or anything as I was afraid of further infections. I was able to do the folder rename fairly easily, it's just that it is a pain to have to do work that you never intended on doing.

    Anyway, thanks for the link, I will go and submit it through there.


  • 5.  RE: I need to submit a zip file to see how to get rid of this virus

    Posted Jul 26, 2010 11:11 AM

    Please use the link given in my first post, as the link in Aravind's article would work but it will ask for a Technical Contact ID. If you don't have that it won't work.


  • 6.  RE: I need to submit a zip file to see how to get rid of this virus

    Posted Jul 26, 2010 06:17 PM

    attrib -s -h * /d will unhide all the hidden files and subfolders.

      +   Sets an attribute.
      -   Clears an attribute.
      R   Read-only file attribute.
      A   Archive file attribute.
      S   System file attribute.
      H   Hidden file attribute.
      [drive:][path][filename]
          Specifies a file or files for attrib to process.
      /S  Processes matching files in the current folder
          and all subfolders.
      /D  Processes folders as well.
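
    Added example, not part of any post in this thread: a PowerShell sketch that does the bulk cleanup asked about above by finding hidden folders under a root, reporting any same-named shortcut beside them together with its target, and clearing only the Hidden and System bits. The parameter names ($Root, -IncludeUnpaired) are hypothetical, and it assumes the planted shortcut is named "<folder name>.lnk" next to the hidden folder, which the thread does not confirm.

```powershell
# Added example (not from the thread). Save as a .ps1 and run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$Root,  # affected drive or share (placeholder)
    [switch]$IncludeUnpaired                      # also unhide folders with no look-alike .lnk
)

# Hidden = 2, System = 4: the two bits that "attrib -s -h" clears.
$mask  = [int][System.IO.FileAttributes]::Hidden -bor [int][System.IO.FileAttributes]::System
$shell = New-Object -ComObject WScript.Shell      # used only to read shortcut targets

# -Force is required, otherwise Get-ChildItem skips hidden and system items.
$hiddenDirs = @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and ([int]$_.Attributes -band 2) })

foreach ($dir in $hiddenDirs) {
    # Assumed pattern: the planted shortcut is "<folder name>.lnk" beside the hidden folder.
    $lnkPath = Join-Path $dir.Parent.FullName ($dir.Name + '.lnk')
    $paired  = Test-Path -LiteralPath $lnkPath
    $target  = $null
    if ($paired) { $target = $shell.CreateShortcut($lnkPath).TargetPath }

    # Emit a report row so each shortcut and its target can be reviewed before deletion.
    New-Object PSObject -Property @{
        Folder         = $dir.FullName
        Attributes     = $dir.Attributes.ToString()
        Shortcut       = $(if ($paired) { $lnkPath })
        ShortcutTarget = $target
    }

    # By default leave unpaired hidden folders alone (e.g. the Recycle Bin).
    if (-not ($paired -or $IncludeUnpaired)) { continue }

    if ($PSCmdlet.ShouldProcess($dir.FullName, 'Clear Hidden and System attributes')) {
        # Clear only the H and S bits; all other attributes stay as they were.
        $dir.Attributes = [System.IO.FileAttributes]([int]$dir.Attributes -band (-bnot $mask))
    }
}
```

    The script never deletes anything; the reported shortcuts are left in place for review and for the scanner to handle.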



  • 7.  RE: I need to submit a zip file to see how to get rid of this virus

    Posted Jul 26, 2010 08:51 PM
    If you need assistance with submitting the files to Security Response, please contact Symantec Technical Support and they will guide you through the further process.

    For more information, please follow the KB below:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042217073548


  • 8.  RE: I need to submit a zip file to see how to get rid of this virus

    Posted Jul 27, 2010 10:17 AM
    You can also submit files to Threat Expert for analysis.

    http://www.threatexpert.com/default.aspx

    FYI, I removed the file that you posted in this thread. In the future please do not post suspected infected files to the forum; it puts other users at risk of infection.

    Thanks,
    Thomas