Possible new virus variant *updated post 30*

Quote from marg_fan : You do know that yahoo at least pretends to virus check files before you download them? I do agree it isn't a great test. I wanted to see if it would catch the virus/trojan because I wasn't having any luck with anything else. Our WSUS does push out OS and Office updates. Java is/was a version behind because it hadn't passed our validity testing yet (not within my scope). I'm not sure about the Flash version. I will check on that.

Java is getting hit very hard right now with stuff. http://krebsonsecurity.com/2012/0...oit-packs/ Q/A has to either work over time to get this approved when an update comes out so you can do your job and protect systems or remove it. Most people actually dont need it on their machines for business uses. Flash is the same way. It also got emergency updates this week. Patched systems rarely have problems. Unpatched systems almost always do.

IT sounds like you know you have a virus but those are not the correct install directories for google talk or skype so you know you have a problem right there. Also do you allow such applications in a business environment? IF you did not (I am guessing this si the case) then that should be a red flag right there.

Quote from LiquidRetro : Java is getting hit very hard right now with stuff. http://krebsonsecurity.com/2012/0...oit-packs/ Q/A has to either work over time to get this approved when an update comes out so you can do your job and protect systems or remove it. Most people actually dont need it on their machines for business uses. Flash is the same way. It also got emergency updates this week. Patched systems rarely have problems. Unpatched systems almost always do. IT sounds like you know you have a virus but those are not the correct install directories for google talk or skype so you know you have a problem right there. Also do you allow such applications in a business environment? IF you did not (I am guessing this si the case) then that should be a red flag right there.

Thanks for the link. We have added a fingerprint block [symantec.com] to our Symantec Endpoint Protection policies and are forcing out the update. It should block the execution of the virus until we find an efficient way to remove it.

As for patching java and flash, this may force us to change our policy of testing before releasing the patches. They will need to figure out which is worse; an update that breaks an application or something getting through.

Thankfully it appears to only be an annoyance at this point.

Quote from marg_fan : Thanks for the link. We have added a fingerprint block [symantec.com] to our Symantec Endpoint Protection policies and are forcing out the update. It should block the execution of the virus until we find an efficient way to remove it. As for patching java and flash, this may force us to change our policy of testing before releasing the patches. They will need to figure out which is worse; an update that breaks an application or something getting through. Thankfully it appears to only be an annoyance at this point.

Ya it is kind of a different security model in today's world of 0 day exploits. Policy and training can help this along though. The model of don't install it if you don't need it helps a lot. Making users run as not admin helps. If you have to use IE, enforce it for internal use only. Use Firefox or Chrome or IE9 for actual web browsing. Apply updates very shortly after they are out. This is really true with security related updates.

Combofix only works if you get it from a real source otherwise you just get something that puts a virus on your computer.

Quote from handyguy : Combofix only works if you get it from a real source otherwise you just get something that puts a virus on your computer.

http://www.bleepingcomputer.com/d...s/combofix

Quote from marg_fan : You do know that yahoo at least pretends to virus check files before you download them? I do agree it isn't a great test. I wanted to see if it would catch the virus/trojan because I wasn't having any luck with anything else. Our WSUS does push out OS and Office updates. Java is/was a version behind because it hadn't passed our validity testing yet (not within my scope). I'm not sure about the Flash version. I will check on that.

Well that is good, and i understand the QA testing part. If your systems are patched and your users do not do anything "to stupid" then hopefully you should be pretty well protected.

About the only thing we have found out so far is that someone else submitted the file to virscan.org on the 15th of this month (matching MD5 hash). I rescanned it there and it again passed all 36 virus checks.

Our fingerprint block is working. People get a message that "the handle is invalid" if they (for some reason) manually launch the file. Hopefully there isn't something else we haven't found.

Are your users set up as admins or power users?

As far as the updates to Adobe Reader, Adobe Flash and Java -- these updates are "usually" tested pretty well before they are put out, so I would not be too worried about "testing" them before you deploy. There is a great deal of push to get these updates installed ASAP due to exploits in the older versions, and I think Adobe and sometimes Java take a little too long to get the newer update out that blocks the concern for the people. This gives a BIG window for hackers to do their thing and take advantage of the holes.

I know you are zoned in on one issue, but we need more info on what the users are allowed to do and what they are not allowed to do. If you have an office full of admins who can install software, download whatever they want and go wherever they want with no firewall rules to block things, then you need to go back to basics and start locking down the network to keep your people from doing whatever they want on your system. You can't keep nasties out, even with virus protection, if your users are allowed to do whatever and go wherever.

It's NOT their computer -- it's the computer they USE at work, for work purposes only.

If you have people accessing their personal email accounts and visiting Facebook or other social sites, they can click on whatever link and infect your network pretty quickly.

Virus protection cannot stop users who get a pop up and click on it and allow something to be loaded. It may detect it, but it won't stop the download of an infection it doesn't have it in it's definitions, or if the user just cancels out when something is found because they can and they are annoyed with it and want to go on with their day.

Is your virus protection set to update several times during the day, or just once a day, or once a week, or ?

No word from Symantec yet. No more reports of slow systems since implementing the fingerprint block. Our logs do not show any unusual traffic through our firewall. We are continuing to watch the situation though.

With a few individual exceptions, social media sites are blocked. File sharing sites are blocked. While we do not disable downloads, everything is automatically scanned by our anti-virus software. I've been told our anti-virus is set to check every two hours for updates and it pushes them out when we receive them.

Still no word from Symantec. It did clean a virus for me over the weekend. It flagged combofix (that I downloaded from bleeping computers) as a trojan.

I guess Symantec doesn't like the competition.

Nothing out of the ordinary yet this morning.

Quote from marg_fan : Still no word from Symantec. It did clean a virus for me over the weekend. It flagged combofix (that I downloaded from bleeping computers) as a trojan. I guess Symantec doesn't like the competition. Nothing out of the ordinary yet this morning.

Last week yahoo spammed the shit out of my global business. Got so bad we had to block yahoo email for several hours. I blame u!

sounds like bad files to me..

always be suspicious of odd files stored or loaded from user profile directories (especially if 'directory' in OP sample path is random or gibberish), and i don't think EXEs of these names belong in the same folder nor should they be binary identical.

Have you tried submitting the file to us on our malwarebytes forums?

http://forums.malwarebytes.org/in...owforum=51

We can get it added in hours if you submit it. We update 5-7 times a day.

Drop me a pm on the forum and i will look at it as soon as possible.