Backdoor.Trojan / Trojan.Clampi and Trojan.Dropper

Hi,

 

We have had a problem since Friday afternoon where the majority of our PCs across Europe (500) are affected by these Trojans. We use Symantec Endpoint, which finds these and cleans them, but they reappear. Another symptom is that PCs receive a "16 bit NTVDM.exe" error message. I have googled and checked the Symantec page, but no major help is offered other than to update the definitions and run a scan.

 

Has anyone else come across these problems? Please help, I am really struggling to contain this problem in our organization.

 

Regards

MG

Technical Details for Backdoor.Trojan: http://www.symantec.com/security_response/writeup.jsp?docid=2001-062614-1754-99&tabid=2.

 

We have the same issues and it seems there is no solution yet.


jthuynh007 wrote:
We have the same issues and it seems there is no solution yet.

 

Hello! 

 

Have you followed the Web Link's instructions provided (above)?

 

Also, what Threat(s) are you having Issues with?  Please provide the exact Names.

 

To be honest with you I have not gone through checking out the registry settings on every PC that seems to be infected, I was rather hoping that either the latest definition file would fix it or Symantec would release an ".exe" fix.

 

Many PCs are receiving the 16-bit MS-DOS subsystem error, which points to 1.exe or 2.exe, but I notice that Symantec have released an updated definition file today (late in the day UK time), so hopefully scanning PCs using this definition will resolve the problem.

 

MG

This is one of the best ways to make sure the Threats are Gone.  Please try the Web Page instructions first and let us know how it goes.

 


MikeGoodson wrote:

To be honest with you I have not gone through checking out the registry settings on every PC that seems to be infected, I was rather hoping that either the latest definition file would fix it or Symantec would release an ".exe" fix.

 

Many PCs are receiving the 16-bit MS-DOS subsystem error, which points to 1.exe or 2.exe, but I notice that Symantec have released an updated definition file today (late in the day UK time), so hopefully scanning PCs using this definition will resolve the problem.

 

MG


 


The "fix" for Trojan.Dropper as documented by Symantec is to run a virus scan; the "fix" for Trojan.Clampi is to run a scan and check for some registry keys sitting in HKCU\Software\Microsoft\Internet Explorer\Settings, but users who are infected by this problem don't have all the keys listed.

 

What I mean by that is that the Symantec page tells you to look for certain data values for each string or binary value, and our PCs do not have the corresponding data values.

 

As I have said before, running a full scan finds and cleans the issue, but so far it returns within a couple of hours to those same PCs.

 

Any help other than pointing me to Symantec pages (that we have already looked at) appreciated.

 

Thanks

MG

Mike

 

Please try this

 

Download Malwarebytes from http://www.malwarebytes.org/, install it and update it.

Do a quick scan and remove the infections, reboot, and your problem is solved.

I downloaded the file and installed it on two PCs.

 

On the first I scanned, it found the backdoor.bot file and cleaned it, but an hour later the file as we know it, 2.exe, returned.

 

On the second PC I removed the admin shares C$ and Admin$ before running the scan and fixing. After rebooting I again removed the admin shares, and on this PC the file 2.exe has not returned.

 

Does anyone else agree that the Trojan is being propagated using the admin shares on PCs?

 

Thanks

MG

Hey guys,

 

We are having the same issue here. We have a network of roughly 200 PCs and it is blowing through them like nothing. Endpoint catches it, we delete the files, and then shortly after that they are back. My suspicion is that we have a PC somewhere that doesn't have Symantec on it and it is probing all of the other devices and re-infecting them. Many of these PCs are up to date with Microsoft patches, so there has to be some other vulnerability.

 

Any ideas?

 

Thanks,

 

Drew

I think that the main server attached to the network computers is infected; try removing malware from the server.

I've spent a good deal of time researching this particular threat since we were hit with it a few days back. Here are some high-level details; if you want more, send me a PM and we can talk in detail. Keep in mind this is for the variant that started spreading around the globe on Feb 26th, 2009.

 

On a few occasions the file 2.exe was found in a handful of users' IE temp folders. This is an indication that our initial victims got hit by browsing the web.

 

Once it is inside the environment it uses PSEXESVC (PsExec) to spread to other machines across your network. It is interesting because it actually downloads its own version of psexec; in this case it is called 1.exe. The file 1.exe is not picked up as a threat by Symantec since it really is just a renamed version of psexec. A side effect of all of this psexec usage is a large number of user profiles under Documents and Settings.

 

2.exe uses 1.exe (psexec) to connect to other machines using the credentials of the currently logged-in user. If this user has administrator rights to the next target, then 2.exe is executed on that remote box. If this process fails to connect, then 2.exe will try to connect as administrator/blank password, guest/blank password, or NoGuest/blank password. The presence of NoGuest on the machine is interesting in its own right, but that is more in depth than I care to get here. Even though NoGuest is a renamed Guest account, it appears that this account has modified security descriptors and its rights have been modified.

 

How do you fix this?

 

1. You need to tighten up the local administrator account across all servers and workstations. Users should not be logging in with privileged accounts. They should have two accounts, one for the interactive login and another they can use with the RUNAS command while doing their administrative tasks.

 

2. If the machine has been infected you will see that there is now a psexec service installed on the machine, and it should be set to manual start. You should change this to disabled. If you have a valid need, you can secure it properly after you get your outbreak under control.

 

3. Ensure that all accounts have strong passwords and that any Guest or NoGuest accounts are disabled.

 

Now that we have talked about the propagation method on the internal network, let's go deeper.

 

2.exe is in the System32 folder; it executes and performs a buffer overflow against iexplore.exe. IE then launches in a hidden window and starts to download additional files from servers in India and China.

 

uninstall.exe takes over and starts doing an inventory of the infected machine. At this point 2.exe will delete itself by calling cmd.exe /c >>null && del 2.exe.

 

Registry and process traces show that uninstall.exe will read various registry keys gathering info, such as registered organization, terminal service settings, etc. This information must be sent back to the command and control servers, but I have never seen it get transferred as all of the HTTP traffic is encrypted or encoded. If you do a netstat on the infected machines, chances are you will not see the sessions listed; they appear to be hidden.

 

Keep in mind that if you allow these machines to continue to communicate with command and control you run the risk of them autoupdating, as well as stealing info, proxying traffic etc.

 

Block the HTTP traffic to the C&C servers.

Stop psexec from working.

Disable restore points.

Run a full scan and you should be OK.

 

Hopefully, this quick post can help some poor soul who is infected. Like I said if you want more details or need additional assistance pm and we can dig into the details.
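The indicators SecurityPro lists above (1.exe and 2.exe in System32, the PSEXESVC service left on the target, the renamed Guest account used with a blank password, and profile sprawl from the psexec logons) can be checked in one pass on a suspect workstation. The script below is an added example, not code from the thread or from SecurityPro; the file, service and account names are taken from the post, while the seven-day profile window, the Event ID 7045 service-install check (Vista/2008 and later) and the RID-501 test for a renamed Guest account are my own assumptions about how to hunt for them.

```powershell
# Added example: read-only hunt for the Clampi propagation indicators described in the thread.
# Run elevated on one suspect workstation. Nothing here changes the machine.

$System32     = Join-Path $env:SystemRoot 'System32'
$DropperNames = @('1.exe', '2.exe')     # 1.exe = renamed psexec, 2.exe = the dropper (per the post)
$ServiceName  = 'PSEXESVC'              # service psexec installs on every target it touches
$AccountNames = @('Guest', 'NoGuest')   # accounts tried with blank passwords (per the post)
$ProfileDays  = 7                       # assumption: look for profiles created in the last week

$findings = @()

# 1. Dropped files in System32. 2.exe deletes itself after running, so absence alone
#    does not mean the host is clean; presence means it is.
foreach ($name in $DropperNames) {
    $path = Join-Path $System32 $name
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path
        $findings += "File present: $path ($($file.Length) bytes, written $($file.LastWriteTime))"
    }
}

# 2. The psexec service. It is normally removed when a psexec session ends, so a
#    registered PSEXESVC on a workstation that nobody administers with psexec is suspicious.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    $mode = (Get-WmiObject Win32_Service -Filter "Name='$ServiceName'").StartMode
    $findings += "Service present: $ServiceName (state $($svc.Status), start mode $mode)"
}

# 3. Service-install events naming PSEXESVC (System log, Event ID 7045, Vista/2008 and later).
#    Each one is a psexec logon to this host; the timestamps show when the spread reached it.
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $ServiceName }
foreach ($evt in $installs) {
    $findings += "Service install event: $($evt.TimeCreated) $ServiceName"
}

# 4. Guest-style accounts. The built-in Guest keeps RID 501 whatever it is renamed to,
#    so match on the SID suffix as well as on the names seen in the thread.
$localUsers = Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'"
foreach ($u in $localUsers) {
    if ($u.SID -like '*-501' -or $AccountNames -contains $u.Name) {
        $findings += "Account: $($u.Name) (SID $($u.SID), disabled=$($u.Disabled))"
    }
}

# 5. Profile sprawl from psexec logons: profile folders created recently.
#    The profile root is derived from the current user, so run this as a normal admin, not SYSTEM.
$profileRoot = Split-Path $env:USERPROFILE -Parent   # C:\Documents and Settings or C:\Users
$cutoff = (Get-Date).AddDays(-$ProfileDays)
$recent = Get-ChildItem -LiteralPath $profileRoot |
    Where-Object { $_.PSIsContainer -and $_.CreationTime -gt $cutoff }
foreach ($p in $recent) {
    $findings += "Recent profile: $($p.FullName) created $($p.CreationTime)"
}

if ($findings.Count -eq 0) {
    Write-Output "No Clampi propagation indicators found on $env:COMPUTERNAME"
} else {
    Write-Output "Indicators on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The RID-501 test is the part worth keeping after this outbreak: renaming Guest is a common hardening step, and any tool that hunts by the literal name "Guest" misses it, while the SID suffix never changes.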

 

All these advices are rather useless because it has to do with malware on the server. Please gho to the frum provided by Yogesh earlier. That forum is especially for your environment. They can help you out much better

I'm not sure how the "advices" are useless. It is more specific than the old Technical Write Up that was provided earlier. This is a new variant that Symantec did not start detecting until this past Saturday; other vendors such as Kaspersky didn't detect it until Sunday. All of the old "advices" are not relevant to the situation experienced by the person who started the thread.

 

The virus DOES spread on workstations as well as servers, so your "malware on the server" comment is also off base.

 

I DO agree with you that this is not the correct "frum"; however, this is where two users were asking for help so this is where I posted accurate, relevant, and timely information to help them stop the continual propagation.

 

 If I ever find myself soliciting help from the Norton or Symantec community I will make certain that I "gho to the frum".

 

In the meantime someone searching "Trojan Clampi" on Google will be able to find the needed info right here since this is currently in the number 1 position. It is all about helping those in need, not about being right, and not about racking up a bunch of posts.

Very well put SecurityPro, I am sure deep down some people were trying to help but it seems others spend their days trawling through these forums offering no sensible advice other than "try a malware scan" or "you are in the wrong forum"......they don't realise that most people who post are a) Already working in an IT environment and b) Are stuck and need help.

 

Thanks again FOR YOUR HELP.

 

MG

I think Stu is concerned that you may not get the assistance or information that you need on this board because it is retail oriented to Norton Internet Security and Norton Antivirus.  Very few people on this board have any experience with Endpoint.  While some of the troubleshooting will obviously be the same, the products are not.  That could be why you are not getting any “sensible advice.”  You need to be talking to the people who actually deal with your specific situation.

SecurityPro,

Just a quick thanks for the details. You confirmed a few of my suspicions and are working on few things this morning to slow/stop the spread.

Thanks again and I thought your “advices” were very NOT useless.

Drew

Drew,

 

I know I am posting in the wrong forum but thought I would detail how we have stopped the spread.

 

1. Remove the default admin shares from all of our PCs (C$ and Admin$ (C:\Windows)) via the registry and restart all PCs to ensure the admin shares are not running.

 

2. Look for 2.exe running in C:\Windows\System32

 

3. Ensuring we have the latest definition files and running a full system scan.

 

I believe that removing the admin shares will stop the Trojan propagating and the scan will remove the virus.

 

Best

MG

Sorry, after point 2 I should have said "Look for 2.exe running in C:\Windows\System32 and, if found, remove it."
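MG's three steps above and SecurityPro's earlier list (disable the psexec service, disable Guest/NoGuest, block the C&C traffic, disable restore points, then scan) are the same containment procedure seen from two sides. Putting them together as one elevated PowerShell script for a single workstation, as an added example rather than either poster's own code: the LanmanServer registry values, the net share/net user commands and the netsh advfirewall syntax are the standard Windows ones for these settings; the $CandC list is an empty placeholder because the thread gives no addresses; and the RID-501 lookup for the renamed Guest account is my assumption, since the thread only says NoGuest is a renamed Guest.

```powershell
# Added example: containment steps for one infected workstation, combining MG's and SecurityPro's lists.
# Run elevated. Reboot afterwards and then run the full scan with current definitions.
param(
    [string[]] $CandC = @()   # placeholder: C&C IPs/subnets you have observed (none are given in the thread)
)

# 1. Stop Windows recreating the admin shares at boot, then drop them now.
#    AutoShareWks applies to workstation SKUs, AutoShareServer to servers; set both.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
foreach ($share in 'C$', 'ADMIN$') {
    net share $share /delete 2>$null | Out-Null
}

# 2. Stop psexec from working: stop and disable the service the dropper leaves behind.
if (Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue) {
    Stop-Service -Name PSEXESVC -Force -ErrorAction SilentlyContinue
    Set-Service  -Name PSEXESVC -StartupType Disabled
}

# 3. Disable the built-in Guest account under whatever name it now has (its RID is always 501),
#    plus any account literally named NoGuest.
$localUsers = Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'"
foreach ($u in $localUsers) {
    if ($u.SID -like '*-501' -or $u.Name -eq 'NoGuest') {
        net user "$($u.Name)" /active:no | Out-Null
    }
}

# 4. Block outbound traffic to the C&C hosts with Windows Firewall (Vista/2008 and later netsh syntax;
#    remoteip takes addresses or subnets, not host names). Rule names avoid spaces and '&'
#    so they pass through to netsh unchanged.
foreach ($ip in $CandC) {
    netsh advfirewall firewall add rule name=ClampiCandC_$ip dir=out action=block remoteip=$ip | Out-Null
}

# 5. Disable restore points on the system drive so the scan cannot be undone by a restore.
Disable-ComputerRestore -Drive "$env:SystemDrive\" -ErrorAction SilentlyContinue

# 6. Remove the dropper if it is still in System32 (kill it first if it is running).
$dropper = Join-Path $env:SystemRoot 'System32\2.exe'
if (Test-Path -LiteralPath $dropper) {
    Stop-Process -Name '2' -Force -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $dropper -Force
    Write-Output "Removed $dropper"
}

Write-Output "Containment applied on $env:COMPUTERNAME. Reboot, then run a full scan with current definitions."
```

Step 1 is what MG observed to stop reinfection and step 2 is what SecurityPro recommends; doing both matters, because removing C$ and ADMIN$ blocks the copy of 2.exe onto the host while disabling PSEXESVC blocks its execution even if a share is recreated later. The one thing no script fixes is the first item on SecurityPro's list: users running day to day with accounts that are local administrators on other machines, which is what let a single logged-in user's credentials carry the dropper across the network.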