I had the same virus spreading on quite a large number of machines, where SEP was deleting the win.exe file but it kept showing up in the risks log :)
I've spent a fair amount of time analyzing this, and here is what I came up with.
Here is what happens:
SEP identifies this risk as a Backdoor.Trojan and deletes the win.exe/winxp.exe file from the system32 folder as an action. The problem is that this isn't enough :) There are still other files and registry keys that are creating the file again and again.
I won't go deep into the details of how it works, but there is still no definition for it. So here is the solution I've put in place, which has been pretty good at blocking this threat:
- Created an Application control policy rule which does the following:
  - blocks the wscript.exe process from being called, except from legitimate known processes
  - terminates the wscript.exe process if it tries to read/write any of those files or registry keys
  - blocks read/write attempts on the following files:
    system32\winxp.jpg - win.exe - wscript.exe - winfile.jpg
  - blocks read/write attempts on the following registry keys:
    HKLM\software\microsoft\windows\currentversion\run\CFTMON
    HKLM\software\microsoft\windows\currentversion\run\riigdt
    and any registry entry including a value of:
    winxp.jpg - win.exe - wscript.exe - winfile.jpg
Once the policy had been applied, I deployed a batch file that cleans all previously infected machines, doing the following:
- Kills running wscript.exe processes
- Deletes the created files winxp.jpg - win.exe - wscript.exe - winfile.jpg
- Deletes the mentioned registry entries, as well as other ones under "windowsNT\currentversion\image file execution" which were pointing some applications to execute win.exe instead of the targeted application
- Deletes a key named shell which is created under mountpoints, and points to win.exe/winfile.jpg to execute whenever you try to access the drive
I know it wasn't that much work, but it has remediated the infection and prevented it from coming back :) but still there isn't a signature for it, although I uploaded it for analysis quite a few weeks ago.
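The clean-up steps described in the post above, written out as a PowerShell script. This is an added example, not the batch file from the post or anything shipped by Symantec. The indicator names (win.exe, winxp.jpg, winfile.jpg, the CFTMON and riigdt Run values) are taken from the post; the exact registry locations are assumptions: the "image file execution" entries are assumed to be `Debugger` values under `Image File Execution Options`, and the per-drive "shell" key is assumed to sit under `HKCU\...\Explorer\MountPoints2\<id>\Shell`. The script is a dry run by default and only deletes when called with `-Remove`; it terminates wscript.exe but deliberately does not delete `System32\wscript.exe`, because the stock copy there is the Windows Script Host binary, so it only removes the three dropped files from System32. Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example (not from the original post): clean-up of the win.exe dropper
  described above. Dry run unless -Remove is given. Requires an elevated shell.
  Registry locations for the IFEO and MountPoints2 entries are assumptions.
#>
param(
    [switch]$Remove   # without this switch the script only reports what it finds
)

$sys32      = Join-Path $env:SystemRoot 'System32'
$dropped    = @('win.exe', 'winxp.jpg', 'winfile.jpg') | ForEach-Object { Join-Path $sys32 $_ }
$indicators = @('win.exe', 'winxp.jpg', 'winfile.jpg', 'wscript.exe')
$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues  = @('CFTMON', 'riigdt')
$ifeoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$mpKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'   # assumption

$script:findings = New-Object System.Collections.Generic.List[string]

# Record a finding and, only when -Remove was given, run the removal action.
function Handle([string]$what, [scriptblock]$removeAction) {
    $script:findings.Add($what)
    if ($Remove) { & $removeAction; Write-Host "[removed] $what" }
    else         { Write-Host "[found]   $what" }
}

# 1. Stop running wscript.exe instances first, so nothing recreates the files mid-cleanup.
Get-Process -Name wscript -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    Handle "process wscript.exe pid $($p.Id)" { Stop-Process -Id $p.Id -Force }
}

# 2. Dropped files in System32 (the genuine wscript.exe there is left untouched).
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        Handle "file $f" { Remove-Item -LiteralPath $f -Force }
    }
}

# 3. Run-key persistence named in the post.
foreach ($v in $runValues) {
    $item = Get-ItemProperty -Path $runKey -Name $v -ErrorAction SilentlyContinue
    if ($item) {
        Handle "run value $runKey\$v = $($item.$v)" { Remove-ItemProperty -Path $runKey -Name $v -Force }
    }
}

# 4. Image File Execution Options: a Debugger value hijacks the named application and
#    launches the debugger path instead; flag any that points at one of the indicators.
Get-ChildItem -Path $ifeoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.PSPath
    $name = $_.PSChildName
    $dbg  = (Get-ItemProperty -LiteralPath $path -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and ($indicators | Where-Object { $dbg -match [regex]::Escape($_) })) {
        Handle "IFEO $name Debugger = $dbg" { Remove-ItemProperty -LiteralPath $path -Name Debugger -Force }
    }
}

# 5. MountPoints2 per-drive Shell keys whose command references an indicator
#    (these fire when the drive is opened in Explorer).
Get-ChildItem -Path $mpKey -ErrorAction SilentlyContinue | ForEach-Object {
    $name  = $_.PSChildName
    $shell = $_.PSPath + '\Shell'
    if (-not (Test-Path -LiteralPath $shell)) { return }
    $text = Get-ChildItem -LiteralPath $shell -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath } | Out-String
    if ($indicators | Where-Object { $text -match [regex]::Escape($_) }) {
        Handle "MountPoints2 $name\Shell" { Remove-Item -LiteralPath $shell -Recurse -Force }
    }
}

if ($script:findings.Count -eq 0) {
    Write-Host 'No indicators found.'
} elseif ($Remove) {
    Write-Host "$($script:findings.Count) indicator(s) removed."
} else {
    Write-Host "$($script:findings.Count) indicator(s) found; rerun with -Remove to clean."
}
```

Run it once without `-Remove` and review the `[found]` lines before cleaning: step 4 in particular will also flag a legitimate IFEO Debugger entry if its path happens to contain one of the indicator strings, and the MountPoints2 check is a plain substring match over the Shell subkeys, so check the hits before deleting. Because the post's Application Control policy already blocks the files and Run values from being rewritten, the script should find nothing on a second run; if it keeps finding the Run values, the policy is not being enforced on that machine.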