Endpoint Protection

  • 1.  Windll.exe

    Posted Mar 16, 2011 05:17 PM

    Hi All,

    I have a file that's creating problems with mapped network drives. The file name is windll.exe. Does anyone know if this is a legitimate Windows file or if it is something else?

    What's happening: on some of our network shares two files are being created

    1. autorun.ini
    2. Recycler\ RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\windll.exe

    The autorun.ini file contains the below text, and as you can see it points to the recycler folder.

    [autorun]
    ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\windll.exe
    icon=shell32.dll,4
    shellexecute=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\windll.exe
    label=PENDRIVE
    action=Open folder to view files
    shell\Open=Open
    shell\Open\command=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\windll.exe
    shell\Open\Default=1

    I have been able to track down which workstations are creating the two files by looking at the security permissions on the autorun.ini file and then doing a search on the workstation's C: drive. Generally the windll.exe file will be found in a folder of its own name, in either "C:\windows\windll.exe\windll.exe" or "C:\Documents and Settings\USERNAME\Application Data\windll.exe", and it has also been found in Prefetch.

    The end result is that users' drive icons change to folders.

    Symantec product info:
    SEPM Version 11.0.6100.645 with latest definition file.

    Actions taken so far:
    Updated client AV and run a full system scan.
    Tried to delete / rename the windll.exe file, but it recreates itself on both the client workstations and the network shares.


    Any ideas?

    Thanks in advance.
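
    An added example, not from this thread or from Symantec: a small Python script that parses an autorun.ini/autorun.inf like the one quoted above and flags the launch keys Explorer acts on (open, shellexecute, shell\...\command) whose target sits under a RECYCLER\<SID> folder, so an admin can sweep mounted shares for the same pattern. The sample file is constructed from the post; the function names and regular expressions are my own.

```python
import os
import re

LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)  # keys Explorer runs
RECYCLER_SID = re.compile(r"(?:^|\\)recycler\\s-1-5-21(?:-\d+)+\\", re.I)  # RECYCLER\<SID>\ component

def parse_autorun(text):
    """Return {key: value} for the [autorun] section; lines starting with ';' are comments."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_launch_targets(text):
    """List (key, target) pairs where an active launch key points into a RECYCLER SID folder."""
    return [(k, v) for k, v in parse_autorun(text).items()
            if LAUNCH_KEY.match(k) and RECYCLER_SID.search(v)]

def scan_share(root):
    """Walk a mounted share; return {path: hits} for each autorun.inf/.ini that trips the check."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (n for n in files if n.lower() in ("autorun.inf", "autorun.ini")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_launch_targets(fh.read())
            if hits:
                findings[path] = hits
    return findings

SAMPLE_AUTORUN = r"""[autorun]
;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\windll.exe
icon=shell32.dll,4
shellexecute=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\windll.exe
label=PENDRIVE
action=Open folder to view files
shell\Open=Open
shell\Open\command=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\windll.exe
shell\Open\Default=1
"""  # constructed sample mirroring the autorun.ini quoted in the post
```

    Run scan_share on the share's mount point; the commented-out ;open= line is ignored, so only the two live launch keys are reported.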



  • 2.  RE: Windll.exe
    Best Answer

    Posted Mar 16, 2011 05:21 PM

    This definitely looks like a WORM to me. Submit the file to

    http://www.symantec.com/business/security_response/submitsamples.jsp

    Symantec will create defs for it. Meanwhile you can submit this file to threatexpert.com (which is also owned by Symantec).



  • 3.  RE: Windll.exe

    Posted Mar 16, 2011 05:58 PM

    Thanks Vikram, will submit the two files now.



  • 4.  RE: Windll.exe

    Broadcom Employee
    Posted Mar 17, 2011 05:44 AM

    Hi,

    Once you have submitted the files you will receive a tracking number; you can share your tracking number so we can give an update on it.

    You will not have access to check the status of your tracking number.

    It is recommended to install all the Symantec features (AV / PTP / NTP) with the latest definitions. Always make sure that your computers are receiving definitions regularly.

    You can upgrade your product to the latest build.

    Your Windows machines should have all the latest Windows updates / patches.

    Disable Autorun.

    Please follow the best practice guide to handle virus issues.

    http://www.symantec.com/business/support/index?pag...

    You can also log a case through the web portal.

    http://www.symantec.com/business/support/index?page=content&id=HOWTO31132

    http://www.symantec.com/business/support/index?page=content&id=TECH71023



  • 5.  RE: Windll.exe

    Trusted Advisor
    Posted Mar 17, 2011 06:00 AM

    Hello,

    Work smart and cleverly, in an automated manner.

    Walk through the steps provided in the Symantec article below:

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec



  • 6.  RE: Windll.exe

    Posted Mar 17, 2011 11:11 PM

    Hi

    Big thanks to the team at Symantec. I got to work this morning and noticed the windll.exe file is now being zapped. I have run a manual scan over our file servers, which appears to have given a clean bill of health as there isn't any sign of the file. Also, as a check/balance measure, I have done a Windows search on the file windll.exe, which returned no results; yesterday it found 20+ copies of the file.

    Thanks to Vikram for helping me get started.