Endpoint Protection

  • 1.  Trojan.Adclicker :Clients PC showing infections from old file location

    Posted Sep 25, 2016 07:37 AM

    We have a few PCs popping up with the Trojan.Adclicker virus. Some quarantined and some infected. Upon investigation of the locations, it's found that these are all IE temporary cache or Firefox cache. But these files came from their old files, which were copied to the machine as part of a backup when the OS was updated 3 years ago.

    So why weren't these definitions detected earlier? Why is it appearing now? These files have been residing in this PC location for the past 3 years.

    Some of these are updated to 12.1.RU6 MP5 and some are still 12.1.RU6 MP4.

    Some cache files show ClickFrauder. All are .js extensions and have the same SHA-256 values.

    905_8nmypt0d9w2g[1].js AAC6133C43B48D271052C7DFA14139894D4745C5E3348C67B80F1517FA136CB2
    905_8nmypt0d9w2g[1].js AAC6133C43B48D271052C7DFA14139894D4745C5E3348C67B80F1517FA136CB2
    905_8nmypt0d9w2g[1].js AAC6133C43B48D271052C7DFA14139894D4745C5E3348C67B80F1517FA136CB2

    Why are these appearing now? What is triggering them? This has been appearing for the last 2 weeks.




  • 2.  RE: Trojan.Adclicker :Clients PC showing infections from old file location

    Posted Sep 25, 2016 08:43 AM

    A few reasons:

    - Symantec recently created a signature to detect this

    - Auto-Protect was broken on these machines

    - Content was out of date and didn't contain the signature to detect these



  • 3.  RE: Trojan.Adclicker :Clients PC showing infections from old file location

    Posted Oct 03, 2016 04:17 AM

    So all this while the infected file was residing on the user's PC and waiting to be detected by these recently created Symantec definitions?

    I have more such detections appearing on random PCs yesterday also.

    Somebody please explain.



  • 4.  RE: Trojan.Adclicker :Clients PC showing infections from old file location

    Posted Oct 03, 2016 07:09 AM

    Hi ARPhilip,

    Thanks for the post. This is not a False Positive. MD5 317acfa97cee00faf6ea5da548f9234b does indeed meet Symantec's criteria for detection; it's "pay per click" malware. Chances are these files were in a temp location and scans with current, improved definitions are now catching that old file. Allow the .js to be deleted as per normal.

    Hope this helps! Please do keep this thread up-to-date with your progress!

    With thanks and best regards,

    Mick