Hi - I'm not really sure where to go for this, so I apologize in advance if this is the incorrect place - however:
Since yesterday I've been under attack from what seems to be a brand new trojan.
I found no place to report new threats - and I'm not sure this is the place to do so, or whether Symantec provides such an option for its users - but I sort of wanted other users to be aware of it.
Symptoms:
Yesterday evening my computer was running idle. My music player (Winamp) was not running, my browser (Firefox) was not running either.
Suddenly I heard music playing for a couple of seconds (around 10-20 seconds) - before it stopped again.
At this time I started investigating what programs I might be running that would cause music playing.
A couple of minutes later a different song would start playing and this would infest itself for the rest of the evening - even after a complete cold boot of my computer.
Throughout the evening I would not only hear music, but TV Shows, Movies - not only in English but in Turkish and Dutch as well.
My Windows Audio Mixer recognized audio playing through my speakers, but did not identify the source of any program where it was coming from.
Eventually, checking the Task Manager and sorting my running processes by memory usage - I found the following suspicious files:
CLM.exe
CLT.exe
CLU.exe
clo.exe
Forcing one of them closed - would result in Windows errors for the remaining processes such as:
(i.e. when closing CLM.exe):
"CLT stopped working and was closed"
As soon as I closed these, the "phantom" music would also stop playing.
However this would only be a temporary solution, as these programs would magically re-run themselves, and the music would start playing again.
Naturally I did a full Norton Internet Security Virus sweep - however it found no problems whatsoever.
When I ran a search for CLT.exe and CLM.exe - I discovered them on my computer (running Vista) in the Temp folder on the C: drive.
I re-scanned these particular files with Norton Internet Security again, however (again) they were deemed Safe.
I then visited the Info page of these files (CLT.exe and CLM.exe) here on the Symantec website - to see how many people have used these (which was considerably low at around 4 people).
As soon as I did this - Norton SONAR apparently caught wind and identified these processes as Trojans.
It was identified as: Trojan.FakeAV!gen63 (http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2011-063002-2752-99&vid=41378)
However I found no information on random music playing.
As I write this - Norton SONAR is still continuously processing new processes which this Trojan is trying to run - but given the low information on the trojan - this seems to be very very new.
On numerous occasions Windows also returned error messages on processes which stopped working which are named "Sacro" such as:
USacro setup F stopped working and was closed.
There have been no Google Search Results on USacro whatsoever.
I'm simply warning others here - if you seem to experience the same.
Additionally, I have provided Norton logs below - it is uncertain where this Trojan came from.
Best Regards.
---------------------------
Full Path: Not Available
____________________________
____________________________
On computers as of:
7/26/2011 at 8:14:33 PM
Last Used:
7/26/2011 at 8:40:16 PM
Startup Item:
No
Launched:
Yes
____________________________
____________________________
Very Few Users
Fewer than 5 users in the Norton Community have used this file.
____________________________
High
This file risk is high.
____________________________
Threat Details
SONAR Protection monitors for suspicious program activity on your computer.
____________________________
Origin
Downloaded from URL Not Available
Source File:
qzgsn.exe
File Created:
eu2i.exe
File Created:
ics.exe
File Created:
clu.exe
____________________________
File Actions
File: c:\windows\temp\clu.exe
Removed
____________________________
File Thumbprint - SHA:
Not Available
____________________________
File Thumbprint - MD5:
Not Available
____________________________
Full Path: Not Available
____________________________
____________________________
On computers as of:
7/26/2011 at 8:14:13 PM
Last Used:
7/26/2011 at 8:39:40 PM
Startup Item:
No
Launched:
Yes
____________________________
____________________________
Very Few Users
Fewer than 5 users in the Norton Community have used this file.
____________________________
High
This file risk is high.
____________________________
Threat Details
SONAR Protection monitors for suspicious program activity on your computer.
____________________________
Origin
Downloaded from URL Not Available
Source File:
qzgsn.exe
File Created:
eu2i.exe
File Created:
ics.exe
File Created:
clt.exe
____________________________
File Actions
File: c:\windows\temp\clt.exe
Removed
____________________________
File Thumbprint - SHA:
Not Available
____________________________
File Thumbprint - MD5:
Not Available
____________________________
Full Path: Not Available
____________________________
____________________________
On computers as of:
7/26/2011 at 7:56:15 PM
Last Used:
7/26/2011 at 7:56:15 PM
Startup Item:
No
Launched:
Yes
____________________________
____________________________
Very Few Users
Fewer than 5 users in the Norton Community have used this file.
____________________________
High
This file risk is high.
____________________________
Threat Details
SONAR Protection monitors for suspicious program activity on your computer.
____________________________
Origin
Downloaded from URL Not Available
Source File:
qzgsn.exe
File Created:
eu2i.exe
File Created:
ics.exe
File Created:
clm.exe
____________________________
File Actions
File: c:\windows\temp\clm.exe
Restart Required
File: c:\windows\tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job
Removed
Event: Running process: c:\windows\temp\clm.exe
Terminated
____________________________
System Settings Actions
Event: Process start (Performed by c:\windows\temp\clm.exe, PID:5740)
No action taken
____________________________
File Thumbprint - SHA:
Not Available
____________________________
File Thumbprint - MD5:
Not Available
____________________________
Full Path: c:\windows\temp\clm.exe
____________________________
____________________________
On computers as of:
7/25/2011 at 7:55:32 PM
Last Used:
7/26/2011 at 6:41:15 PM
Startup Item:
No
Launched:
No
____________________________
____________________________
Very Few Users
Fewer than 5 users in the Norton Community have used this file.
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________
Origin
Downloaded from URL Not Available
Source File:
googletys.exe
File Created:
pufh27.exe
File Created:
nfczkx.exe
File Created:
clm.exe
____________________________
File Actions
File: c:\windows\tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job
Removed
File: c:\windows\temp\clm.exe
Removed
____________________________
File Thumbprint - SHA:
da6d0c4d54a3c0ef685367083bd20af3cea20b3b5336eaecf057cdc771194d14
____________________________
File Thumbprint - MD5:
c3a915a8fd43c41f86a745da96314665
____________________________
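For triage of history text pasted in the layout above, the following added example (not part of the original post and not Symantec code) pulls out each record's file-creation chain, the GUID-named .job files under c:\windows\tasks, the executables in Temp, and any file action whose outcome is not "Removed". The function names are hypothetical, and the parser assumes the line layout seen in this post: a label line followed by its value on the next line.

```python
import re
# Abridged from the third record of the log in the post (same line layout).
SAMPLE = r"""Full Path: Not Available
Source File:
qzgsn.exe
File Created:
eu2i.exe
File Created:
ics.exe
File Created:
clm.exe
File: c:\windows\temp\clm.exe
Restart Required
File: c:\windows\tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job
Removed
"""

GUID_JOB = re.compile(r"\\tasks\\\{[0-9a-f-]{36}\}\.job$", re.I)
TEMP_EXE = re.compile(r"\\temp\\[^\\]+\.exe$", re.I)

def parse_records(text):
    """Split pasted history text into records; each starts at 'Full Path:'."""
    records, rec = [], None
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.startswith("Full Path:"):
            rec = {"chain": [], "actions": {}}
            records.append(rec)
        elif rec is None:
            continue
        elif line in ("Source File:", "File Created:"):
            rec["chain"].append(nxt)            # value sits on the next line
        elif line.startswith("File: "):
            rec["actions"][line[6:].lower()] = nxt  # path -> outcome line
    return records

def triage(rec):
    """Flag persistence, Temp-launched binaries and unfinished removals."""
    acts = rec["actions"]
    return {
        "drop_chain": " -> ".join(rec["chain"]),
        "task_jobs": [p for p in acts if GUID_JOB.search(p)],
        "temp_exes": [p for p in acts if TEMP_EXE.search(p)],
        "pending": [p for p, out in acts.items() if out != "Removed"],
    }

if __name__ == "__main__":
    print([triage(r) for r in parse_records(SAMPLE)])
```

Files under c:\windows\tasks with a .job extension are Task Scheduler entries, so a non-empty task_jobs list is worth checking first when a removed process keeps relaunching; a non-empty pending list means the cleanup for that record was not finished at the time of the log.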