Endpoint Protection

  • 1.  Trojan.Paccyn!inf and Trojan.Zeroaccess attack

    Posted Nov 16, 2011 03:26 AM

    Hello,

    Yesterday I had a Trojan "attack" on my computer and I want to share some information.

    The first symptom was some strange requests to unblock from the Microsoft XP Firewall (yes, we still use XP) about "normal" software such as Explorer, ...

    Then Endpoint found 2 trojans, removed them and asked me to reboot. I did the reboot after 20 minutes (I had to finish some work...).

    After the reboot, a blue screen with a problem on the SPTD.sys driver.

    I found another SPTD.sys driver, put it on my HDD (with a Win7 PE CD), succeeded in booting and had a lot of trojans and downloaders found by Endpoint.

    Each time I boot, Endpoint finds new infected files but doesn't resolve the issue!

    Yesterday night, after some Google searching, I discovered that IE brings me to strange web sites (the Symantec forum was not accessible). After disabling the automatic configuration of the PROXY in IE, I finally reached some forums and I installed ComboFix, which successfully deleted the risk.

    I still have an issue with Endpoint: it is up to date but has the "!" sign on the icon and a warning in the status (see attached PNG).

    If this can help you to update Endpoint, I can also attach logs or any other file.

    Below is the list of the Symantec Endpoint risks found.


    Risk Filename Original Location Status Date
    Trojan Horse 80000000.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 16.52
    Trojan.Paccyn!inf EvtEng.exe C:\Programmi\Intel\WiFi\bin\ Infected 15/11/2011 16.52
    Trojan Horse 80000000.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 16.52
    Trojan.Paccyn!inf DisplayLinkUserAgent.exe C:\Programmi\DisplayLink Core Software\ Infected 15/11/2011 16.52
    Downloader 800000cb.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 16.52
    Trojan Horse 800000cf.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 16.52
    Downloader 800000cb.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 16.52
    Trojan Horse 80000000.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 16.52
    Trojan Horse 800000cf.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 16.52
    Downloader 800000cb.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 16.52
    Trojan Horse 800000cf.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 16.52
    Trojan Horse 800000cf.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 16.52
    Downloader 800000cb.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 16.52
    Trojan.Paccyn!inf vmnat.exe C:\WINDOWS\system32\ Infected 15/11/2011 20.54
    Trojan Horse 80000000.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 20.54
    Downloader 800000cb.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 20.54
    Trojan.Paccyn!inf WLIDSVCM.EXE C:\Programmi\File comuni\Microsoft Shared\Windows Live\ Infected 15/11/2011 20.54
    Trojan Horse 800000cf.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 20.54
    Trojan.Paccyn!inf fbserver.exe C:\APPLIC\FIREBIRD\bin\ Infected 15/11/2011 20.54
    Trojan.Paccyn!inf FortiSSLVPNdaemon.exe C:\WINDOWS\system32\ Infected 15/11/2011 20.54
    Downloader 800000cb.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 10.32
    Trojan.Zeroaccess Desktop.ini C:\WINDOWS\assembly\GAC_MSIL\ Cleaned 15/11/2011 10.32
    Trojan.Paccyn!inf S24EvMon.exe C:\Programmi\Intel\WiFi\bin\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf ccSvcHst.exe C:\Programmi\File comuni\Symantec Shared\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf agrsmsvc.exe C:\WINDOWS\system32\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf DeviceManager.exe C:\Programmi\File comuni\DeviceHelper\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf fbguard.exe C:\APPLIC\FIREBIRD\bin\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf IAANTMON.EXE C:\Programmi\Intel\Intel Matrix Storage Manager\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf jqs.exe C:\Programmi\Java\jre6\bin\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf LSSrvc.exe C:\Programmi\File comuni\LightScribe\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf NMSAccessU.exe C:\Programmi\CDBurnerXP\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf RegSrvc.exe C:\Programmi\File comuni\Intel\WirelessCommon\ Infected 15/11/2011 10.35
    Trojan.Gen SeaPort.exe C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf Rtvscan.exe C:\Programmi\Symantec\Symantec Endpoint Protection\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf vmware-authd.exe C:\Programmi\VMware\VMware Workstation\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf vmware-usbarbitrator.exe C:\Programmi\Common Files\VMware\USB\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf WLIDSVC.EXE C:\Programmi\File comuni\Microsoft Shared\Windows Live\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf hpqWmiEx.exe C:\Programmi\Hewlett-Packard\Shared\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf Com4QLBEx.exe C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\ Infected 15/11/2011 10.35
    Trojan.Paccyn!inf FortiSSLVPNdaemon.exe C:\WINDOWS\system32\ Infected 15/11/2011 18.15
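    The risk table above is a raw paste of the SEP risk log, which makes the two patterns that matter for clean-up hard to see at a glance: which detections were only ever marked "Infected" (never cleaned), which files reappear at the same path after every reboot, and how many legitimate service executables were flagged as Trojan.Paccyn!inf (a file infector, so those binaries need reinstalling rather than deleting). The script below is an added example written for this thread, not code from the poster or from Symantec. It assumes the log format exactly as pasted (risk name, file name, original location, status, date, time with the Italian "HH.MM" separator), treats the 8-hex-digit folder with a "U\" subfolder as the dropper directory purely because that is what the paths in this post show, and the sample lines are a subset copied from the table above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One SEP risk-log line as pasted in the post: risk name (may contain spaces),
# file name, original location (may contain spaces), action status, date, time.
# The status vocabulary beyond "Infected"/"Cleaned" is an assumption.
LINE_RE = re.compile(
    r"^(?P<risk>.+?) (?P<filename>\S+) (?P<location>[A-Za-z]:\\.*?) "
    r"(?P<status>Infected|Cleaned|Quarantined|Deleted|Left alone) "
    r"(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}\.\d{2})$"
)

# Drop directory pattern inferred from the paths in this post: an 8-hex-digit
# folder under the user's local application data with a "U\" subfolder.
DROPPER_DIR_RE = re.compile(r"\\[0-9a-f]{8}\\U\\", re.IGNORECASE)

# Constructed sample: a subset of the entries pasted in the post, header included.
SAMPLE_LOG = r"""Risk Filename Original Location Status Date
Trojan Horse 80000000.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 16.52
Trojan.Paccyn!inf EvtEng.exe C:\Programmi\Intel\WiFi\bin\ Infected 15/11/2011 16.52
Downloader 800000cb.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 16.52
Trojan.Paccyn!inf vmnat.exe C:\WINDOWS\system32\ Infected 15/11/2011 20.54
Trojan Horse 80000000.$ C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ Infected 15/11/2011 20.54
Trojan.Zeroaccess Desktop.ini C:\WINDOWS\assembly\GAC_MSIL\ Cleaned 15/11/2011 10.32
Trojan.Paccyn!inf ccSvcHst.exe C:\Programmi\File comuni\Symantec Shared\ Infected 15/11/2011 10.35
Trojan.Paccyn!inf Rtvscan.exe C:\Programmi\Symantec\Symantec Endpoint Protection\ Infected 15/11/2011 10.35
Trojan.Gen SeaPort.exe C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\ Infected 15/11/2011 10.35
"""


def parse_risk_log(text):
    """Parse the pasted SEP risk table into records; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        seen = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H.%M")
        records.append({
            "risk": m["risk"],
            "filename": m["filename"],
            "location": m["location"],
            "status": m["status"],
            "seen": seen,
        })
    return records


def analyze(records):
    """Summarise the log the way an incident responder would read it."""
    by_risk = Counter(r["risk"] for r in records)
    # Detections SEP reported but never cleaned: the scanner is re-detecting, not resolving.
    not_cleaned = [r for r in records if r["status"] != "Cleaned"]
    # Same file at the same path detected at more than one time: re-created after removal.
    times_by_path = defaultdict(set)
    for r in records:
        times_by_path[(r["location"], r["filename"])].add(r["seen"])
    recurring = sorted(k for k, t in times_by_path.items() if len(t) > 1)
    # Payload files living in the dropper directory.
    dropper_dir = [r for r in records if DROPPER_DIR_RE.search(r["location"])]
    # Legitimate .exe files flagged as infected: replace from vendor media, don't just delete.
    patched_executables = sorted(
        {r["filename"] for r in not_cleaned if r["filename"].lower().endswith(".exe")}
    )
    return {
        "by_risk": by_risk,
        "not_cleaned": not_cleaned,
        "recurring": recurring,
        "dropper_dir": dropper_dir,
        "patched_executables": patched_executables,
    }


def main():
    report = analyze(parse_risk_log(SAMPLE_LOG))
    for risk, n in report["by_risk"].most_common():
        print(f"{n:3d}  {risk}")
    print("never cleaned:", len(report["not_cleaned"]))
    print("recurring at same path:", [f for _, f in report["recurring"]])
    print("in dropper directory:", len(report["dropper_dir"]))
    print("executables to reinstall:", report["patched_executables"])


if __name__ == "__main__":
    main()
```

    Run it against the full table from the post (paste it into SAMPLE_LOG or read it from a file) and the "recurring" list is the quickest evidence that the 25f893e6\U\ payloads were being re-dropped between scans, which is why each reboot produced new detections.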


  • 2.  RE: Trojan.Paccyn!inf and Trojan.Zeroaccess attack

    Broadcom Employee
    Posted Nov 16, 2011 04:15 AM

    Hi,

    As per the screenshot, you are using only the Antivirus & Antispyware feature.

    It's recommended to use all the SEP features, i.e.

    Antivirus & Antispyware

    Proactive Threat Protection (PTP)

    Network Threat Protection (NTP)

    Also, it's giving an error: file system Auto-Protect not functioning correctly.

    If possible, install all the features of SEP & repair SEP.

    You can add/modify SEP features from Add/Remove Programs.

    What's your SEP version? The latest SEP versions are SEP RU7 MP1 & SEP 12.1.

    Update your operating system with all the latest service packs & Windows patches.

    Make sure your third-party software is not creating any security loophole (if possible, update it also).

    I hope it will help you !!



  • 3.  RE: Trojan.Paccyn!inf and Trojan.Zeroaccess attack

    Posted Nov 16, 2011 05:18 AM

    "It's recommended to use all the SEP feature i.e"

    It is the choice of our IT; I can't change that...

    I will ask about the SEP installation and keep you informed.

    "Update your operating System with all latest service pack & windows patches"

    I'm up to date.

    And what about the fact that Endpoint doesn't clean this Trojan? Because of the SEP absence?

    Regards



  • 4.  RE: Trojan.Paccyn!inf and Trojan.Zeroaccess attack

    Broadcom Employee
    Posted Nov 16, 2011 05:28 AM

    Since it has detected the infection, it would be good to scan in safe mode first.



  • 5.  RE: Trojan.Paccyn!inf and Trojan.Zeroaccess attack

    Broadcom Employee
    Posted Nov 16, 2011 05:44 AM

    Hi,

    Check the following articles:

    Trojan.Paccyn!inf

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-051913-0956-99&tabid=2 

    Trojan.Zeroaccess 

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=3

    You are not using all SEP features. Request your IT to check Symantec's recommendation:

    Security Best Practices for Protecting a Business Environment from Common Threats

    Online scan for virus and threat

    I hope it will help you !!!