Endpoint Protection


Thumbs.db2 virus


  • 1.  Thumbs.db2 virus

    Posted Aug 22, 2012 10:10 AM

    We are experiencing a virus calling itself thumbs.db2, or the variants .dbh or .dbP.

    It targets Microsoft Office files, seemingly Word, Excel and PowerPoint, hiding the original file and replacing it with a modified shortcut.

     

    So the original file, called in this instance "Application", is hidden and replaced with a shortcut; this has the properties:

    C:\WINDOWS\system32\cmd.exe /C start cmd.exe /C if exist \Immediacy\Training\TrainingPPoint\devleoper\c#\thumbs.dbg start \Immediacy\Training\TrainingPPoint\devleoper\c#\thumbs.dbg && start "" excel.exe "Applications.xls"

     

    We have issued a change to Group Policy to stop CMD from running, to limit its spreading.

    Reading other forums, it uses an ActiveX exploit spreading by attachment in email: an archive file containing the Word document and fputlsd.dll. ActiveX calls this fake DLL, which creates thumbs.db files; the detected bn spreads.

     

    Although Symantec can detect the virus and quarantine it, there doesn't appear to be a fix anywhere on other forums, and we are about to post a copy up to Symantec for evaluation.

    We are led to believe CA Entrust, Malwarebytes, Kaspersky and AVG are known not to detect it at this time.

    If anyone has any further experience or has found a method of cleaning this virus, we would be grateful to hear via the forum.

    Dave




  • 2.  RE: Thumbs.db2 virus

    Posted Aug 22, 2012 10:12 AM

    hi,

    What version of SEPM are you using?



  • 3.  RE: Thumbs.db2 virus

    Posted Aug 22, 2012 10:18 AM

    We are using 12.1.1000.157 RU1



  • 4.  RE: Thumbs.db2 virus

    Posted Aug 22, 2012 11:11 AM

    Hi
    THUMBS.DB2 is known as:
    Backdoor.Capshaw
    THUMBS.DB2 hash:
    ■ MD5: ac1da38646893c8689371051da2ff1ca
    How to quickly detect the presence of THUMBS.DB2.

    %Temp%\virus
    Files:
    ■ %Temp%\virus\$RECmCLE.BIN
    ■ %Temp%\virus\desktop.iqi
    ■ %Temp%\virus\thumbs.db2

    hugs



  • 5.  RE: Thumbs.db2 virus

    Posted Aug 22, 2012 11:20 AM

    If your system is infected, please use this tool.

    Is your system infected? Symantec tools to help clear an infection

    https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection

     

    Edit.

    http://arstechnica.com/civis/viewtopic.php?f=15&t=1180656

    REM Run from the root of the affected share. Note: this deletes EVERY .lnk below the current directory, not just the decoys.
    del *.lnk /s
    REM Clear the hidden attribute the malware set on the original Office documents.
    attrib -h /s *.xls*
    attrib -h /s *.doc*
    attrib -h /s *.ppt*
    REM List any remaining hidden thumbs.db2 dropper files for follow-up.
    dir thumbs.db2 /s /ah
    pause
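
The decoy-shortcut scheme described in the first post (original document hidden, a .lnk in its place that runs cmd.exe to start a thumbs.db* dropper and then re-opens the document) can be hunted more precisely than the blanket `del *.lnk /s` above. The following is an added example, not code from the thread or from Symantec: it parses the StringData section of Windows shell link files (MS-SHLLINK), flags shortcuts whose command line references a thumbs.db<letter/digit> payload, pairs each with the Office document it launches, and produces a targeted clean-up plan (unhide that document, delete only that shortcut). The sample share, the shortcuts and the file names in `demo()` are constructed here; the argument string is the one quoted in the first post. The hidden-attribute check only works on Windows (`st_file_attributes`) and reports False elsewhere.

```python
"""Hunt for decoy .lnk files that replace Office documents (constructed example)."""
import re
import struct
import tempfile
from pathlib import Path

# Shell link header constants (MS-SHLLINK).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
FILE_ATTRIBUTE_HIDDEN = 0x02

# Indicators from the thread: a thumbs.db<letter/digit> payload, and the Office
# document the shortcut re-opens so the user sees nothing wrong.
DROPPER_RE = re.compile(r"\S*thumbs\.db\w\b", re.I)
OFFICE_DOC_RE = re.compile(r'"([^"\\]+\.(?:xls|doc|ppt)[a-z]?)"', re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link ('' for fields that are absent)."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID \
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # skip IDList; its size field excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # skip LinkInfo; its size field includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    encoding, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("cp1252", 1)
    fields = {}
    for key, flag in STRING_FIELDS:           # strings appear in this fixed order
        if not flags & flag:
            fields[key] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        fields[key] = data[pos:pos + count * width].decode(encoding, "replace")
        pos += count * width
    return fields


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal shortcut: header, IDList with only a TerminalID, two strings, terminal block."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # attrs, times, size, icon, SW_SHOWNORMAL
    idlist = struct.pack("<H", 2) + b"\x00\x00"

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + idlist + s(relative_path) + s(arguments) + b"\x00\x00\x00\x00"


def is_hidden(path: Path) -> bool:
    """Hidden attribute: real on Windows (st_file_attributes), always False elsewhere."""
    return bool(getattr(path.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)


def triage(root) -> list:
    """Find decoy shortcuts under root and pair each with the document it launches."""
    findings = []
    for lnk in sorted(Path(root).rglob("*.lnk")):
        try:
            info = parse_lnk(lnk.read_bytes())
        except ValueError:
            continue
        cmdline = f"{info['relative_path']} {info['arguments']}"
        dropper = DROPPER_RE.search(cmdline)
        if not dropper:
            continue
        docs = OFFICE_DOC_RE.findall(info["arguments"])
        original = lnk.parent / docs[-1] if docs else None
        present = original is not None and original.exists()
        findings.append({"lnk": lnk, "dropper": dropper.group(0), "command": cmdline,
                         "original": original if present else None,
                         "original_hidden": present and is_hidden(original)})
    return findings


def remediation_plan(findings) -> list:
    """Targeted clean-up as (action, path) pairs: unhide the recovered document, delete only its decoy."""
    plan = []
    for f in findings:
        if f["original"] is not None:
            plan.append(("attrib -h", str(f["original"])))
        plan.append(("del", str(f["lnk"])))
    return plan


def demo() -> list:
    """Constructed share: one decoy using the thread's argument string, one benign shortcut."""
    share = Path(tempfile.mkdtemp(prefix="lnk-hunt-")) / "Immediacy" / "Training"
    share.mkdir(parents=True)
    (share / "Applications.xls").write_bytes(b"\xd0\xcf\x11\xe0 constructed workbook")
    args = ('/C start cmd.exe /C if exist \\Immediacy\\Training\\TrainingPPoint\\devleoper\\c#\\thumbs.dbg '
            'start \\Immediacy\\Training\\TrainingPPoint\\devleoper\\c#\\thumbs.dbg '
            '&& start "" excel.exe "Applications.xls"')
    (share / "Applications.lnk").write_bytes(build_lnk("C:\\WINDOWS\\system32\\cmd.exe", args))
    (share / "Notes.lnk").write_bytes(build_lnk("C:\\WINDOWS\\notepad.exe", '"Notes.txt"'))
    return triage(share)


if __name__ == "__main__":
    hits = demo()
    for h in hits:
        print(f"{h['lnk']}: dropper={h['dropper']} original={h['original']} hidden={h['original_hidden']}")
    for action, path in remediation_plan(hits):
        print(action, path)
```

Run it against a copy of the share with `triage(r"\\server\share")` and review `remediation_plan()` before acting on it; the dropper path each decoy references is worth collecting for submission to Symantec, as the replies below suggest.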
     



  • 6.  RE: Thumbs.db2 virus

    Trusted Advisor
    Posted Aug 23, 2012 03:50 AM

    Hello,

    I would request you to submit these Threat files to the Symantec Security Response Team on - 

    https://submit.symantec.com/websubmit/essential.cgi

    OR

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 

    This seems to be very similar to the Trojan.Shylock and the variant Trojan.Shylock!gen6

    A trojan horse that intercepts traffic and tries to add malicious code to it.

    Most commonly, the threat is experienced as a detection on a file called thumbs.db[X], where X can be a letter or a number.

    Make sure you have all the machines updated with Latest Microsoft Security Patches and Service Packs and Symantec's Latest Virus Definitions.

    Hope that helps!!



  • 7.  RE: Thumbs.db2 virus

    Posted Aug 23, 2012 05:00 AM

    I can confirm that Symantec detects this MD5 (ac1da38646893c8689371051da2ff1ca) as "Trojan Horse" since 16 August. 

    Please do check the MD5 / submit any suspicious files that are in your organization!

    With many threats, the only Remediation possible is deletion of the threat and restoring any files that have been corrupted or damaged from a known good backup.

    Hope this helps! :)



  • 8.  RE: Thumbs.db2 virus

    Posted Aug 23, 2012 06:50 AM

    Good Morning All,

    Firstly, thank you all very much for taking the time to respond to our plight; I thought we were at last getting on top of things after the fire we also had last week.

    We uploaded the files to Symantec yesterday at 15:30 GMT but have had no response to confirm receipt; we will chase them next.

    It is being identified as Trojan.Shylock, so at least we know what we are dealing with.

     

    Once again, many thanks for your inputs.

     

    Kindest Regards

     

    Dave

     



  • 9.  RE: Thumbs.db2 virus

    Trusted Advisor
    Posted Aug 23, 2012 07:15 AM

    Hello,

    Symantec's Latest variant of Detection from Trojan.Shylock is Trojan.Shylock!gen7

    Could you please PM me the tracking # which you may receive after submitting the file to Symantec Security Response, along with the email address through which the submission was done?

    I would request you to submit the files on:

    http://www.threatexpert.com/submit.aspx

    Note: ThreatExpert is owned by Symantec.

    Hope that helps!



  • 10.  RE: Thumbs.db2 virus

    Posted Aug 24, 2012 04:57 AM

    Followers of this thread will be interested in this new blog:

    New Trojan.Shylock wave
    https://www-secure.symantec.com/connect/blogs/new-trojanshylock-wave

     



  • 11.  RE: Thumbs.db2 virus

    Posted Aug 27, 2012 04:44 AM

    hmm how's the update dbradberry?

     

    I haven't seen this threat yet... hopefully I will never see it.

     

    any specific patch for Java/Windows?



  • 12.  RE: Thumbs.db2 virus

    Posted Aug 27, 2012 11:18 AM

    Sometimes, the use of an MD5 transformer helps to find the exact file name.



  • 13.  RE: Thumbs.db2 virus

    Posted Aug 27, 2012 11:21 AM

    Hi Dave,

    Check this, look here. I think it helps you.

    http://www.symantec.com/security_response/writeup.jsp?docid=2012-082310-2840-99



  • 14.  RE: Thumbs.db2 virus

    Posted Aug 30, 2012 11:45 AM

    Followers of this thread will be interested in this new blog:

    The Shylock “LNK” Awakening
    https://www-secure.symantec.com/connect/blogs/shylock-lnk-awakening



  • 15.  RE: Thumbs.db2 virus

    Posted Aug 30, 2012 04:55 PM

    Mick2009

    Thanks for the link the information contained within it describes quite well what we have experienced.

     



  • 16.  RE: Thumbs.db2 virus

    Trusted Advisor
    Posted Sep 03, 2012 10:16 AM

    Hello,

    Here is the latest blog added in reference to the Java 0-day:

    Java 0-Day Coverage

    http://bit.ly/NHJhid

    Hope that helps!!