Hello everyone.
Trojan.Winlock
Sonar detects.
After rebooting, Windows is locked.
Sonar allows the unsigned application access to disk sectors.
Part of it is not detected, so that then on restart: LOCK.
I would say, if it is the correct type of infection, Norton can't do anything for removal now as it is the Boot Sector.
Quads
Unlock code should be
code: 35735733
Quads
PRIOR wrote: Hello everyone.
Trojan.Winlock
Sonar detects.
[...]
Hi PRIOR
I'm assuming that you are testing this sample. Are you able to test this sample again?
If so, please move the 'vir-300.exe' sample from your Desktop subdirectory (c:\users\vashl\desktop\vir-300\) to a non-desktop location eg. c:\test\vir-300\ or another non-desktop directory of your choosing, and execute the 'vir-300.exe' sample again.
I'm interested in seeing if SONAR successfully blocks all components of this sample if it is executed from a non-desktop directory/sub-directory.
Thanks in advance.
Hi elsewhere
It was a test. Of course, it's not hard for me to repeat it.
Unfortunately, the result is not associated with the desktop.
This is a concern. Previously, Norton did not allow changing the boot sector.
reiterative
Thanks PRIOR, much appreciated.
A few more questions/things to check:
Thanks in advance (again)!
Hi elsewhere
Filename: vir-300.exe
Threat name: SONAR.Heuristic
Full Path: Not Available
____________________________
Details
Very Few Users, Mature, Risk High
Origin
Downloaded from? Unknown
Activity
Actions performed: 5
____________________________
On computers as of 10.03.2013 at 15:44:29
Last Used 10.03.2013 at 15:44:29
Startup Item No
Launched Yes
____________________________
Very Few Users
Fewer than 5 users in the Norton Community have used this file.
Mature
This file was released more than 31 days 1 month ago.
High
This file risk is high.
SONAR Protection monitors for suspicious program activity on your computer.
____________________________
Source: External Media
Source File: winrar.exe
File Created: vir-300.exe
____________________________
File Actions
File: c:\users\vashl\desktop\vir-300\vir-300.exe
Removed
Event: Running process: c:\users\vashl\desktop\vir-300\vir-300.exe
Terminated
____________________________
System Settings Actions
Event: PE file creation: c:\users\vashl\appdata\local\temp\x2z8.exe (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:3440)
No action taken
Event: Process start (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:2308)
No action taken
Event: Process start: c:\users\vashl\desktop\vir-300\vir-300.exe, PID:2740 (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:2308)
No action taken
____________________________
File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
The file is currently stored on my system for testing purposes.
Currently removed DI
Hi PRIOR
Thanks again for all your help in answering my questions.
My main concern is the 'No Action Taken' behaviour of SONAR. That implies that there may be a product defect at work here.
If possible, can you test the sample against an older version of the Norton product eg 2011 to see if the SONAR feature in that product detects and handles the sample properly?
Thanks in advance!
Hi elsewhere
Conducted two tests.
Testing system: VMware 9.0.2, Windows 7 x64
1. NIS 18.7.2.3
All updates
Full Path: Not Available
____________________________
____________________________
On computers as of:
16.03.2013 at 11:36:18
Last Used:
16.03.2013 at 11:36:18
Startup Item:
No
Launched:
Yes
____________________________
____________________________
Few Users
Fewer than 50 users in the Norton Community have used this file.
____________________________
High
This file risk is high.
____________________________
Threat Details
SONAR Protection monitors for suspicious program activity on your computer.
____________________________
Origin
Downloaded from URL Not Available
Source File:
winrar.exe
File Created:
vir-300.exe
____________________________
File Actions
File: c:\users\vashl\desktop\vir-300\vir-300.exe
Removed
Event: Running process: c:\users\vashl\desktop\vir-300\vir-300.exe
Terminated
____________________________
System Settings Actions
Event: PE file creation: c:\users\vashl\appdata\local\temp\x2z8.exe (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:4036)
No action taken
Event: Process start (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:3012)
No action taken
Event: Process start: c:\users\vashl\desktop\vir-300\vir-300.exe, PID:1740 (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:3012)
No action taken
____________________________
File Thumbprint - SHA:
Not Available
____________________________
File Thumbprint - MD5:
Not Available
MBR infected
2. NIS 18.1.0.37
No updates, for purity of the version.
Not Available
____________________________
____________________________
On computers as of:
16.03.2013 at 12:00:02
Last Used:
16.03.2013 at 12:00:23
Startup Item:
No
Launched:
Yes
____________________________
____________________________
Few Users
Fewer than 50 users in the Norton Community have used this file.
____________________________
High
This file risk is high.
____________________________
Threat Details
SONAR Protection monitors for suspicious program activity on your computer.
____________________________
Origin
Downloaded from URL Not Available
Source: External Media
Source File:
winrar.exe
File Created:
vir-300.exe
____________________________
File Actions
File: c:\users\vashl\desktop\vir-300\vir-300.exe
Removed
____________________________
File Thumbprint - SHA:
Not Available
____________________________
File Thumbprint - MD5:
Not Available
File is deleted before the UAC request.
MBR not infected. Good.
Thanks PRIOR
From the results above, NIS 18.1 could successfully block the sample but, just like version NIS v20, NIS 18.7 failed to block the sample.
This is a severe defect.
I've asked the moderators to get someone from the SONAR development team involved in this thread as a matter of urgency.
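The verdict above (18.1 blocked the sample, 18.7 and v20 let the dropped binary run with "No action taken") can be read off the reports mechanically. As an added example that is not code from this thread or from Norton, here is a small parser for the SONAR report layout pasted above; the two sample reports are constructed from the quoted runs, and nothing about SONAR's internal formats is assumed.

```python
import re
# Constructed from the SONAR report quoted above for the NIS 18.7 run (action
# sections only; backslashes are doubled only because this is a Python literal).
NIS_187_REPORT = """\
File Actions
File: c:\\users\\vashl\\desktop\\vir-300\\vir-300.exe
Removed
System Settings Actions
Event: PE file creation: c:\\users\\vashl\\appdata\\local\\temp\\x2z8.exe (Performed by c:\\users\\vashl\\desktop\\vir-300\\vir-300.exe, PID:4036)
No action taken
Event: Process start (Performed by c:\\users\\vashl\\desktop\\vir-300\\vir-300.exe, PID:3012)
No action taken
"""
# The NIS 18.1 run: the sample was removed before it could do anything.
NIS_181_REPORT = """\
File Actions
File: c:\\users\\vashl\\desktop\\vir-300\\vir-300.exe
Removed
"""
# "Event: <what> (Performed by <actor>, PID:<n>)" or "File: <path>"; the tail is optional.
EVENT_RE = re.compile(r"^(?:Event|File): (?P<desc>.*?)"
                      r"(?: \(Performed by (?P<actor>.*?), PID:(?P<pid>\d+)\))?$")

def parse_sonar_report(text):
    """Return (section, description, actor PID, outcome) per logged action; SONAR
    prints the action on one line and its outcome (Removed, No action taken) on the next."""
    events, section, pending = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("Actions"):            # "File Actions", "System Settings Actions"
            section = line
        elif line.startswith(("Event: ", "File: ")):
            m = EVENT_RE.match(line)
            pending = (section, m["desc"], m["pid"])
        elif pending and line:                  # outcome line for the pending action
            events.append(pending + (line,))
            pending = None
    return events

def unhandled_actions(text):
    """Actions SONAR logged but did not block: the gap discussed in the thread."""
    return [e for e in parse_sonar_report(text) if e[3] == "No action taken"]

def dropped_files(text):
    """PE files the sample wrote; they outlive the removal of the sample itself."""
    return [e[1][len("PE file creation: "):] for e in parse_sonar_report(text)
            if e[1].startswith("PE file creation: ")]

def verdict(text):
    gaps = unhandled_actions(text)
    return "blocked" if not gaps else "incomplete: %d action(s) not handled" % len(gaps)
```

Running `verdict()` over each pasted report gives "blocked" for the 18.1 run and "incomplete" for the others, and `dropped_files()` lists the temp binary a responder should hash and remove.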
Interesting. Any news?
Hi everyone.
There is news, but it's bad.
Once again I have faced direct contempt from Symantec employees for users' messages about vulnerable products.
A month has passed.
I repeated the test.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Filename: vir-300.exe
Full Path: C:\Users\VASHL\Downloads\vir-300.exe
____________________________
Details
Stability Unknown, Few Users, Mature, Bad
Origin
Downloaded from ?Unknown
Activity
Actions performed: Suspicious actions performed: None
____________________________
Developers Not Available
Version 1.1.0.0
Identified 06.04.2013 at 19:46:30
Last Used Not Available
Startup Item No
____________________________
Unknown
This program crash history is not known.
Few Users
Fewer than 50 users in the Norton Community have used this file.
Mature
This file was released more than 31 days 2 months ago.
Bad
There are many indications that this file is untrustworthy.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Launch vir-300.exe
Filename: vir-300.exe
Threat name: SONAR.Heuristic
Full Path: Not Available
____________________________
Details
Few Users, Mature, Risk High
Origin
Downloaded from? Unknown
Activity
Actions performed: 5
____________________________
On computers as of 06.04.2013 at 19:50:34
Last Used 06.04.2013 at 19:50:34
Startup Item No
Launched Yes
____________________________
Few Users
Fewer than 50 users in the Norton Community have used this file.
Mature
This file was released more than 31 days 2 months ago.
High
This file risk is high.
SONAR Protection monitors for suspicious program activity on your computer.
____________________________
Source: External Media
Source File: winrar.exe
File Created: vir-300.exe
____________________________
File Actions
File: c:\users\vashl\downloads\vir-300.exe
Removed
____________________________
System Settings Actions
Event: PE file creation: c:\users\vashl\appdata\local\temp\x2z8.exe (Performed by c:\users\vashl\downloads\vir-300.exe, PID:3996)
No action taken
Event: Process start (Performed by c:\users\vashl\downloads\vir-300.exe, PID:3860)
No action taken
Event: Process start: c:\users\vashl\downloads\vir-300.exe, PID:1096 (Performed by c:\users\vashl\downloads\vir-300.exe, PID:3860)
No action taken
____________________________
Suspicious Actions
(Performed by c:\users\vashl\downloads\vir-300.exe, PID:1096)
No action taken
____________________________
File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
________________________________________________________________________________________________
As a result, the MBR is infected.