Endpoint Protection

  • 1.  Trojan.Clampi

    Posted Jul 10, 2009 02:40 PM
    Appears to be back - previously discussed tinyurl.com/ks3w4q


    It would appear that my clients on SEP are protected, it seems to be blocking and cleaning the malicious "uninstall.exe" and "2.exe" files.


    My SAV10 clients, on the other hand, are getting infected faster than we can keep up with it.

    Is Symantec ever going to truly address cleaning this as other vendors have?


  • 2.  RE: Trojan.Clampi

    Posted Jul 10, 2009 03:04 PM
    Hi Kaumell,

    I see that some rapid release definitions were created today to detect new variants of this malware:

    Trojan.Clampi:
    * Initial Rapid Release version January 18, 2008 revision 040
    * Latest Rapid Release version July 10, 2009 revision 033
    * Initial Daily Certified version January 17, 2008 revision 033
    * Latest Daily Certified version July 10, 2009 revision 032
    * Initial Weekly Certified release date January 23, 2008

    Apply them and scan your systems again.
    If you have some samples of this malware, you should submit them to our Security Response.

    Regards,




  • 3.  RE: Trojan.Clampi

    Posted Jul 10, 2009 07:24 PM
    Same issue here. I'm running full scans, I'll let you know how it goes.


  • 4.  RE: Trojan.Clampi

    Posted Jul 10, 2009 08:26 PM
    No hits whatsoever. What exactly are the new defs looking for with this revision? I have c:\windows\system32\2.exe crashing NTVDM, which is the telltale Clampi sign.


  • 5.  RE: Trojan.Clampi

    Posted Jul 10, 2009 10:02 PM
    Symantec has mapped this...
    Please see link below:

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-011616-5036-99

    Thanks...


  • 6.  RE: Trojan.Clampi
    Best Answer

    Posted Jul 11, 2009 04:36 AM
    Always download the latest available rapid release (not a specific version) and run a full scan in safe mode:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008052116163448

    If nothing is detected and you have some infected files, submit them to our security response and we will release the new rapid release definitions.

    Regards,




  • 7.  RE: Trojan.Clampi

    Posted Jul 13, 2009 10:07 AM
    The latest RapidRelease seems to have done the trick for my SAV clients. SEP clients continued to be fine.

    I'm attempting to come up with a script or plan to execute in a logon script to remove the malicious code from the registry, and find and eliminate the psexec service on machines that have it.

    Thanks for the help.


  • 8.  RE: Trojan.Clampi

    Posted Jul 15, 2009 02:33 PM
    There appears to be a new variant running loose, Trojan.Clampi!gen, and the latest (7/15/2009 rev016) is picking it up, but not killing it. Help Desk is having users call questioning the pop-up that says SEP caught it, but then they have to manually tell it to "remove risk now".

    I'm also curious if there is a way for SEP, or any centralized software, to clean the registry entries that seem to enable this little devil to update itself.
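
The logon-script cleanup that post 7 is working toward, and the centralized registry cleanup post 8 asks about, can be sketched as one PowerShell script. This is an added example, not code posted by anyone in the thread or provided by Symantec. It assumes the PsExec service is registered under the standard name PSEXESVC (the thread only says "the psexec service"), that the only full path worth checking is the %SystemRoot%\system32\2.exe mentioned in post 4 (uninstall.exe is named without a path, so it is only matched in autostart values), that the autostart entries live in the usual Run/RunOnce keys (the thread does not say which keys the malware uses, so only values referencing those two file names are touched), and that \\fileserver\clampi$ is a hypothetical share for collecting results.

```powershell
# Clampi-cleanup.ps1 -- added example for this thread, not code from any participant or from Symantec.
# Assumptions (none come from the thread itself):
#   * PSEXESVC is the service name Sysinternals PsExec registers on a target machine.
#   * %SystemRoot%\system32\2.exe is the only full path the thread gives; uninstall.exe has no path,
#     so it is matched only inside autostart values.
#   * The malware's registry locations are not named in the thread; only the standard Run/RunOnce
#     keys are inspected, and only values that reference the two file names above are removed.
#   * $LogShare is a hypothetical UNC path for collecting results centrally.
param(
    [switch]$Remove,                              # without -Remove the script only reports
    [string]$LogShare = '\\fileserver\clampi$'    # hypothetical central log location
)

$findings     = @()
$suspectNames = @('2.exe', 'uninstall.exe')
$suspectFile  = Join-Path $env:SystemRoot 'system32\2.exe'

# 1. The dropped file identified in the thread (the NTVDM crash is the symptom post 4 describes).
if (Test-Path $suspectFile) {
    $findings += "file: $suspectFile"
    if ($Remove) {
        Get-Process -Name '2' -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-Item -Path $suspectFile -Force
    }
}

# 2. The PsExec service left behind on machines the attacker reached with it.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='PSEXESVC'"
if ($svc) {
    $findings += "service: $($svc.Name) ($($svc.PathName)) state=$($svc.State)"
    if ($Remove) {
        if ($svc.State -eq 'Running') { $null = $svc.StopService() }
        $null = $svc.Delete()                     # Win32_Service.Delete removes the registration
        $binary = "$($svc.PathName)".Trim('"')
        if ($binary -and (Test-Path $binary)) { Remove-Item -Path $binary -Force }
    }
}

# 3. Autostart values that point at the suspect file names (assumed locations, see header).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$escaped = $suspectNames | ForEach-Object { [regex]::Escape($_) }
$pattern = '(?i)(^|\\|\s|")(' + [string]::Join('|', $escaped) + ')("|\s|$)'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip PSPath/PSParentPath/... metadata
        if ("$($p.Value)" -match $pattern) {
            $findings += "autorun: $key\$($p.Name) = $($p.Value)"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $p.Name -Force }
        }
    }
}

# 4. Report locally and to the central share so the help desk can see which machines were hit.
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
if ($findings) {
    $lines = $findings | ForEach-Object { "$stamp $env:COMPUTERNAME $_" }
} else {
    $lines = @("$stamp $env:COMPUTERNAME clean")
}
$lines | Write-Output
try {
    $lines | Out-File -Append -FilePath (Join-Path $LogShare "$env:COMPUTERNAME.log")
} catch {
    Write-Warning "could not write to $LogShare : $_"
}
```

Two caveats a practitioner would want before dropping this into a logon script. A user logon script runs with the logged-on user's token, and deleting a service, removing a file from system32 and editing HKLM all need administrative rights, so run it as a computer startup script (which executes as SYSTEM) or push it to the affected machines with PsExec itself; run it without -Remove first to get an inventory. Second, cleaning autostart values and the PsExec service removes the foothold the thread describes but does not tell you how the machine was reached, so treat the log share as a list of hosts to scan with the current definitions, not as proof they are clean.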