Endpoint Protection

  • 1.  W32.Extrat RAT Activity

    Posted Nov 25, 2015 07:49 AM

    Hi,


    At my log I have this:


    56935    25/11/2015 08:47:38    Intrusion Prevention    Critical    Incoming    TCP    10.1.0.102    8080    N/A    10.100.194.174    62262    N/A    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE    26353    72445    System Infected: W32.Extrat RAT Activity    arquivo.dynns.com:81/123456789.functions        xxxxx    yyyyy    Default    3    25/11/2015 08:47:42    25/11/2015 08:47:46    [SID: 26353] System Infected: W32.Extrat RAT Activity attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    56936    25/11/2015 08:47:44    Intrusion Prevention    Critical    Incoming    TCP    10.1.0.102    8080    N/A    10.100.194.174    62298    N/A    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE    26353    72445    System Infected: W32.Extrat RAT Activity    arquivo.dynns.com:81/123456789.functions        xxxxx    yyyyy    Default    3    25/11/2015 08:47:48    25/11/2015 08:47:52    [SID: 26353] System Infected: W32.Extrat RAT Activity attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE


    What I have to do to stop the message? See the img attached.



  • 2.  RE: W32.Extrat RAT Activity

    Posted Nov 25, 2015 04:22 PM

    Have you run a full system scan with the latest content on the infected machine?

    You can also try a threat analysis scan, see here:

    TECH215519: 'How to run the Threat Analysis Scan in Symantec Help (SymHelp)'

    Norton Power Eraser is also an option:

    https://security.symantec.com/nbrt/npe.aspx

    If neither of these works, then you can try a third-party tool.

    Honestly, if you can, just re-image the machine to ensure it's clean.



  • 3.  RE: W32.Extrat RAT Activity

    Posted Nov 25, 2015 10:51 PM

    Your system is infected by a (new variant of) Trojan that is not known to the AV component of SEP. But the traffic created by this Trojan (to receive commands or to download more infections into your computer) is known to the IPS component of SEP. Hence the IPS is blocking the infection.

    About attack: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26353

    About infection: https://www.symantec.com/security_response/writeup.jsp?docid=2012-111221-3742-99

    All you need to do is find the (unknown) infection file and submit it to Symantec so that Symantec can release a new definition with a remedy for this variant of the infection. I would suggest you contact Symantec Technical Support to get help finding the (unknown) infection file.

    Notes:

    Do NOT create an exclusion for this traffic in IPS. It will make the situation worse.

    You can use "Norton Power Eraser" (a Symantec tool) to find the suspicious files. But I would suggest not fixing the issue with this tool before collecting samples of the infection (to submit to Symantec). This is because W32.Extrat is a worm that spreads by copying itself to removable drives and P2P networks. Hence it is possible that this infection is on more than one computer in the network. Submitting the file to Symantec will help remove the infection from them all automatically.

    Portal to submit suspicious files to Symantec for analysis: https://submit.symantec.com/websubmit/essential.cgi
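    Since the worm may be on more than one computer, the first triage step is to see which machines and processes are generating these IPS blocks. The following is an added example (not code from this thread or from Symantec) that parses the two log lines from the original post: it rebuilds them as tab-separated records, and its column names are an assumption read off the posted lines rather than SEP's documented export layout.

```python
import re
from collections import defaultdict

# Column names are an assumption read off the two lines in the post, not SEP's
# documented export layout; redacted or unclear columns keep placeholder names.
COLUMNS = ["event_id", "logged", "event_type", "severity", "direction", "protocol",
           "local_host", "local_port", "local_mac", "remote_host", "remote_port", "remote_mac",
           "application", "signature_id", "signature_sub_id", "signature_name", "url", "col18",
           "user", "computer", "col21", "col22", "begin_time", "end_time", "description"]

def _event(event_id, logged, remote_port, begin, end):
    """Constructed sample record: the post's two events share every other field."""
    app = r"C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE"
    sig = "System Infected: W32.Extrat RAT Activity"
    return "\t".join([event_id, logged, "Intrusion Prevention", "Critical", "Incoming", "TCP",
                      "10.1.0.102", "8080", "N/A", "10.100.194.174", remote_port, "N/A", app,
                      "26353", "72445", sig, "arquivo.dynns.com:81/123456789.functions", "",
                      "xxxxx", "yyyyy", "Default", "3", begin, end,
                      f"[SID: 26353] {sig} attack blocked. Traffic has been blocked for this application: {app}"])

SAMPLE_LOG = "\n".join([
    _event("56935", "25/11/2015 08:47:38", "62262", "25/11/2015 08:47:42", "25/11/2015 08:47:46"),
    _event("56936", "25/11/2015 08:47:44", "62298", "25/11/2015 08:47:48", "25/11/2015 08:47:52"),
])

def parse_ips_event(line):
    """Split one tab-separated IPS record into named fields and cross-check the SID
    in the free-text description against the signature_id column."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}")
    ev = dict(zip(COLUMNS, fields))
    m = re.match(r"\[SID: (\d+)\]", ev["description"])
    if not m or m.group(1) != ev["signature_id"]:
        raise ValueError(f"SID mismatch in event {ev['event_id']}")
    return ev

def triage(log_text):
    """Group hits by (computer, host IP, process) so repeated blocks on one machine
    stand out, and collect the signature and network indicators seen for each."""
    hits = defaultdict(lambda: {"count": 0, "signatures": set(), "remote": set(), "indicators": set()})
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_ips_event(line)
        entry = hits[(ev["computer"], ev["local_host"], ev["application"].lower())]
        entry["count"] += 1
        entry["signatures"].add(f"{ev['signature_id']}:{ev['signature_name']}")
        entry["remote"].add(f"{ev['remote_host']}:{ev['remote_port']}")
        if ev["url"]:
            entry["indicators"].add(ev["url"])
    return dict(hits)
```

    Run `triage()` over a full IPS log export to list every (computer, process) pair hitting SID 26353; each such machine is a candidate for sample collection before cleanup.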



  • 4.  RE: W32.Extrat RAT Activity

    Trusted Advisor
    Posted Nov 26, 2015 01:28 AM

    Hello,

    Please check the links below:

    System Infected: W32.Extrat RAT Activity

    https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26353

    W32.Extrat

    https://www.symantec.com/security_response/writeup.jsp?docid=2012-111221-3742-99&tabid=2

    The worm is related to the following remote access tools (RATs):

    Xtreme RAT
    Spy-Net RAT
    When the worm is executed, it creates the following file:
    %Windir%\installdir\server.exe

    The worm opens a back door on the compromised computer, allowing an attacker to perform the following actions:

    Access files
    Steal stored passwords
    Issue commands
    Activate and view a webcam
    Record keystrokes
    Create an HTTP proxy
    Connect to a control server on TCP

    The worm may inject itself into iexplore.exe, or any customizable process. 


    BLOG from Symantec Security Response Team

    W32.Extrat: Syrian Conflict Used To Deliver Xtreme RAT

    http://bit.ly/WJB1Mt