Trojan.Winlock

Hello everyone.

Trojan.Winlock

https://www.virustotal.com/ru/file/e97145905cec37c0c719afe16cedb1d836d260ae427ed2586479d42dab997a9f/analysis/1362594512/

SONAR detects.

07-03-2013 10-38-23.png

07-03-2013 10-38-48.png

07-03-2013 10-39-51.png

After rebooting, Windows is locked.

07-03-2013 10-41-21.png

SONAR allows the unsigned application access to disk sectors.

Part of it is not detected, so then on restart it LOCKS.

I would say if it is the correct type of infection Norton can't do anything for removal now as it is the Boot Sector.

Quads

Unlock code should be

code: 35735733

Quads


PRIOR wrote:

Hello everyone.

Trojan.Winlock

https://www.virustotal.com/ru/file/e97145905cec37c0c719afe16cedb1d836d260ae427ed2586479d42dab997a9f/analysis/1362594512/

SONAR detects.

07-03-2013 10-38-23.png

[...]

Hi PRIOR

I'm assuming that you are testing this sample. Are you able to test this sample again?

If so, please move the 'vir-300.exe' sample from your Desktop subdirectory (c:\users\vashl\desktop\vir-300\) to a non-desktop location, e.g. c:\test\vir-300\ or another non-desktop directory of your choosing, and execute the 'vir-300.exe' sample again.

I'm interested in seeing if SONAR successfully blocks all components of this sample if it is executed from a non-desktop directory/sub-directory.

Thanks in advance.

Hi elsewhere

It was a test. Of course, it is not hard for me to repeat it.
Unfortunately, the result is not associated with the desktop.
This is a concern. Previously, Norton did not allow the boot sector to be changed.

Repeated:

08-03-2013 22-40-33.png

08-03-2013 22-42-25.png

08-03-2013 22-43-15.png

Thanks PRIOR, much appreciated.

A few more questions/things to check:

  • Please open the 'vir-300.exe' entry in the Norton Security History (> SONAR Activity) and select the 'Copy to Clipboard' link at the bottom of this File Insight dialog box. Please paste the results into your next post. This feature holds more information than what is shown in the File Insight dialog. We're looking to see if there is an order of execution shown for the 'File Actions', 'System Settings Actions' and 'Suspicious Actions' Activity categories.

  • If you right-click on 'vir-300.exe' and perform a Norton 'Insight Network Scan', what is the result?

  • If you right-click on 'vir-300.exe' and select 'Norton File Insight', what is the result?

  • Is the test static, i.e. the file is currently stored on your system for testing purposes, or are you downloading the file from a website each time you perform a test on it? I'm interested in seeing whether or not Norton's other protection features will block this file on download.

Thanks in advance (again)!

Hi elsewhere

Filename: vir-300.exe
Threat name: SONAR.Heuristic
Full Path: Not Available
____________________________

Details
Very Few Users,  Mature,  Risk High
Origin
Downloaded from? Unknown
Activity
Actions performed: 5
____________________________

On computers as of 10.03.2013 at 15:44:29
Last Used 10.03.2013 at 15:44:29
Startup Item No
Launched Yes
____________________________
Very Few Users
Fewer than 5 users in the Norton Community have used this file.
Mature
This file was released more than 31 days 1 month ago.
High
This file risk is high.
SONAR Protection monitors for suspicious program activity on your computer.
____________________________
Source: External Media
Source File: winrar.exe
File Created: vir-300.exe

____________________________

File Actions
File: c:\users\vashl\desktop\vir-300\vir-300.exe
Removed
Event: Running process: c:\users\vashl\desktop\vir-300\vir-300.exe
Terminated
____________________________
System Settings Actions
Event: PE file creation: c:\users\vashl\appdata\local\temp\x2z8.exe (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:3440)
No action taken
Event: Process start (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:2308)
No action taken
Event: Process start: c:\users\vashl\desktop\vir-300\vir-300.exe, PID:2740 (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:2308)
No action taken
____________________________
File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available

10-03-2013 15-33-25.png

10-03-2013 15-34-04.png

The file is currently stored on my system for testing purposes.

Currently removed DI
 

10-03-2013 15-38-35.png
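The 'Copy to Clipboard' report PRIOR pasted above is the raw material a responder works from, and the detail that matters in it is the outcome column: the parent was removed and terminated, but the PE dropped into %TEMP% and the child process starts were logged as 'No action taken'. As an added example (not code from the thread, from Norton, or from any poster), here is a small Python parser for that report format that handles both the fused form ('...vir-300.exeRemoved', as pasted from NIS 20) and the outcome-on-its-own-line form that appears later in the thread, and then lists the logged actions SONAR left unhandled. The report text embedded below is constructed from the thread's own lines; the `SonarEvent` fields and the finding rules are my own naming.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the activity block of a SONAR File Insight report as
# pasted from "Copy to Clipboard" (paths copied from the thread; the outcome is
# fused onto the end of each line, as it is in the post above).
SAMPLE_REPORT = r"""File Actions
File: c:\users\vashl\desktop\vir-300\vir-300.exeRemoved
Event: Running process: c:\users\vashl\desktop\vir-300\vir-300.exeTerminated
____________________________
System Settings Actions
Event: PE file creation: c:\users\vashl\appdata\local\temp\x2z8.exe (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:3440)No action taken
Event: Process start (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:2308)No action taken
Event: Process start: c:\users\vashl\desktop\vir-300\vir-300.exe, PID:2740 (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:2308)No action taken
"""

# Outcome strings SONAR appends to an action line, or prints on the next line
# in other product versions. Longest first so "No action taken" wins.
OUTCOMES = ("No action taken", "Terminated", "Removed", "Blocked")

LINE_RE = re.compile(r"^(?P<kind>Event|File):\s*(?P<body>.*)$")
ACTOR_RE = re.compile(r"\s*\(Performed by (?P<actor>.+?), PID:(?P<pid>\d+)\)$")


@dataclass
class SonarEvent:
    section: str              # "File Actions", "System Settings Actions", ...
    action: str               # "PE file creation", "Process start", "File", ...
    target: Optional[str]     # path (or path plus PID) the action applied to
    actor: Optional[str]      # "Performed by" path, if present
    actor_pid: Optional[int]
    outcome: str              # "Removed", "Terminated", "No action taken", ...


def _split_outcome(body: str) -> Tuple[str, Optional[str]]:
    """Peel a fused outcome off the end of a line; returns (body, outcome or None)."""
    for outcome in OUTCOMES:
        if body.endswith(outcome) and len(body) > len(outcome):
            return body[:-len(outcome)].rstrip(), outcome
    return body, None


def parse_report(text: str) -> List[SonarEvent]:
    """Turn the pasted report into structured events, one per File:/Event: line."""
    events: List[SonarEvent] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"_"}:
            continue                              # blank or ruler line
        if line in OUTCOMES:                      # outcome printed on its own line
            if events and events[-1].outcome == "":
                events[-1].outcome = line
            continue
        m = LINE_RE.match(line)
        if not m:
            section = line                        # any other line is a heading
            continue
        body, outcome = _split_outcome(m.group("body"))
        actor = pid = None
        am = ACTOR_RE.search(body)
        if am:
            actor, pid = am.group("actor"), int(am.group("pid"))
            body = body[:am.start()].rstrip()
        if m.group("kind") == "File":
            action, target = "File", body
        elif ": " in body:
            action, target = body.split(": ", 1)
        else:
            action, target = body, None
        events.append(SonarEvent(section, action, target, actor, pid, outcome or ""))
    return events


def unhandled_events(events: List[SonarEvent]) -> List[str]:
    """Findings a responder wants from the report: actions SONAR logged but did
    not block. A dropped PE left in a temp directory is the one this thread
    turns on, since the MBR ends up modified after the parent is removed."""
    findings = []
    for ev in events:
        if ev.outcome != "No action taken":
            continue
        if ev.action == "PE file creation" and ev.target and "\\temp\\" in ev.target.lower():
            findings.append(f"dropped PE left on disk: {ev.target} (by PID {ev.actor_pid})")
        elif ev.action == "Process start":
            findings.append(f"child process allowed to run (by PID {ev.actor_pid})")
        else:
            findings.append(f"unblocked {ev.action}: {ev.target}")
    return findings


if __name__ == "__main__":
    for finding in unhandled_events(parse_report(SAMPLE_REPORT)):
        print(finding)
```

Run as a script it prints the three unhandled actions from the constructed report; pointed at a report pasted from a real incident, the first finding is the path to go and collect (here the dropped `x2z8.exe`) before the machine is rebooted.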

Hi PRIOR

Thanks again for all your help in answering my questions.

My main concern is the 'No Action Taken' behaviour of SONAR. That implies that there may be a product defect at work here.

If possible, can you test the sample against an older version of the Norton product, e.g. 2011, to see if the SONAR feature in that product detects and handles the sample properly?

Thanks in advance!

Hi elsewhere

Conducted two tests.
Testing system: VMware 9.0.2, Windows 7 x64

1. NIS 18.7.2.3

all updates

Full Path: Not Available
____________________________
____________________________
On computers as of:
16.03.2013 at 11:36:18
Last Used:
16.03.2013 at 11:36:18
Startup Item:
No
Launched:
Yes
____________________________
____________________________
Few Users
Fewer than 50 users in the Norton Community have used this file.
____________________________
High
This file risk is high.
____________________________
Threat Details
SONAR Protection monitors for suspicious program activity on your computer.
____________________________
Origin
Downloaded from  URL Not Available
Source File:
winrar.exe
File Created:
vir-300.exe
____________________________
File Actions
File: c:\users\vashl\desktop\vir-300\vir-300.exe
Removed
Event: Running process: c:\users\vashl\desktop\vir-300\vir-300.exe
Terminated
____________________________
System Settings Actions
Event: PE file creation: c:\users\vashl\appdata\local\temp\x2z8.exe (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:4036)
No action taken
Event: Process start (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:3012)
No action taken
Event: Process start: c:\users\vashl\desktop\vir-300\vir-300.exe, PID:1740 (Performed by c:\users\vashl\desktop\vir-300\vir-300.exe, PID:3012)
No action taken
____________________________
File Thumbprint - SHA:
Not Available
____________________________
File Thumbprint - MD5:
Not Available

 

MBR infected

2. NIS 18.1.0.37
no updates, for the purity of the version


Not Available
____________________________
____________________________
On computers as of:
16.03.2013 at 12:00:02
Last Used:
16.03.2013 at 12:00:23
Startup Item:
No
Launched:
Yes
____________________________
____________________________
Few Users
Fewer than 50 users in the Norton Community have used this file.
____________________________
High
This file risk is high.
____________________________
Threat Details
SONAR Protection monitors for suspicious program activity on your computer.
____________________________
Origin
Downloaded from  URL Not Available


Source: External Media
Source File:
winrar.exe
File Created:
vir-300.exe

____________________________
File Actions
File: c:\users\vashl\desktop\vir-300\vir-300.exe
Removed
____________________________
File Thumbprint - SHA:
Not Available
____________________________
File Thumbprint - MD5:
Not Available

 

 

File is deleted before the UAC request.

MBR not infected. Good.
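Both test reports above end with a one-line verdict, 'MBR infected' or 'MBR not infected', read off a screenshot. As an added example (not code from the thread, from Norton, or from any poster), here is a Python baseline-and-compare check that fingerprints sector 0 of a disk, i.e. the boot code hash, the parsed partition entries and the 0x55AA signature, so that the same verdict can come from a before/after comparison of a test VM. The MBR images in the test are constructed inline and are not from any real disk; `read_mbr`, `fingerprint` and `compare` are my own names, and the device paths in the docstring are the standard raw-device names, not anything taken from the thread.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
CODE_LEN = 446                   # boot code area, bytes 0-445
TABLE_OFF, TABLE_LEN = 446, 64   # four 16-byte partition entries, bytes 446-509
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sectors


def read_mbr(device: str) -> bytes:
    """Read sector 0 of a raw device, e.g. r'\\.\PhysicalDrive0' on Windows
    (needs an elevated prompt) or '/dev/sda' on Linux (needs root)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes, entries=()) -> bytes:
    """Constructed MBR image for the demo; not taken from any real disk.
    entries are (status, chs_start, type, chs_end, lba_start, sectors) tuples."""
    code = boot_code.ljust(CODE_LEN, b"\x00")[:CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries)
    return code + table.ljust(TABLE_LEN, b"\x00") + BOOT_SIGNATURE


def parse_partitions(mbr: bytes) -> List[Dict]:
    """Decode the partition table; unused slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts


def fingerprint(mbr: bytes) -> Dict:
    """What to store as the baseline for a clean machine or VM snapshot."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    return {
        "code_sha256": hashlib.sha256(mbr[:CODE_LEN]).hexdigest(),
        "partitions": parse_partitions(mbr),
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def compare(baseline: Dict, current: Dict) -> List[str]:
    """Differences between the stored baseline and the sector read now."""
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature missing: sector is not a valid MBR")
    if baseline["code_sha256"] != current["code_sha256"]:
        findings.append("boot code changed: bootkit/locker or legitimate bootloader update")
    if baseline["partitions"] != current["partitions"]:
        findings.append("partition table changed")
    return findings


if __name__ == "__main__":
    import json
    import sys
    # usage: python mbr_check.py <device>                 -> print baseline JSON
    #        python mbr_check.py <device> baseline.json   -> compare against it
    current = fingerprint(read_mbr(sys.argv[1]))
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            print(compare(json.load(fh), current) or ["no change"])
    else:
        print(json.dumps(current, indent=2))
```

Take the baseline on the clean VM snapshot, run the sample, then compare. A changed boot code hash with an unchanged partition table is the pattern a boot-sector locker leaves, but a legitimate bootloader update produces the same finding, so the result is an indicator to follow up on, not a verdict by itself.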

 

 

 

Thanks PRIOR

From the results above, NIS 18.1 could successfully block the sample but, just like NIS v20, NIS 18.7 failed to block the sample.

This is a severe defect.

I've asked the moderators to get someone from the SONAR development team involved in this thread as a matter of urgency.

Interesting. Any news?

Hi everyone.

There is news, but it is bad.
Once again faced with the direct contempt of Symantec employees for users' messages about vulnerable products.

A month passed.
Repeat the test.

06-04-2013 19-47-48.png

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

06-04-2013 19-50-22.png

Filename: vir-300.exe
Full Path: C:\Users\VASHL\Downloads\vir-300.exe

____________________________

Details
Stability Unknown,  Few Users,  Mature,  Bad

Origin
Downloaded from? Unknown

Activity
Actions performed: Suspicious actions performed: None

____________________________


Developers Not Available
Version 1.1.0.0
Identified 06.04.2013 at 19:46:30
Last Used Not Available
Startup Item No

____________________________


Unknown
This program crash history is not known.

Few Users
Fewer than 50 users in the Norton Community have used this file.

Mature
This file was released more than 31 days 2 months ago.

Bad
There are many indications that this file is untrustworthy.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------

 


Launch vir-300.exe

06-04-2013 19-51-33.png

06-04-2013 19-52-25.png

Filename: vir-300.exe
Threat name: SONAR.Heuristic
Full Path: Not Available

____________________________

Details
Few Users,  Mature,  Risk High

Origin
Downloaded from? Unknown

Activity
Actions performed: 5

____________________________


On computers as of 06.04.2013 at 19:50:34
Last Used 06.04.2013 at 19:50:34
Startup Item No
Launched Yes

____________________________


Few Users
Fewer than 50 users in the Norton Community have used this file.

Mature
This file was released more than 31 days 2 months ago.

High
This file risk is high.

SONAR Protection monitors for suspicious program activity on your computer.



____________________________



Source: External Media
Source File: winrar.exe
File Created: vir-300.exe

____________________________

File Actions

File: c:\users\vashl\downloads\vir-300.exe
Removed
____________________________

System Settings Actions

Event: PE file creation: c:\users\vashl\appdata\local\temp\x2z8.exe (Performed by c:\users\vashl\downloads\vir-300.exe, PID:3996)
No action taken
Event: Process start (Performed by c:\users\vashl\downloads\vir-300.exe, PID:3860)
No action taken
Event: Process start: c:\users\vashl\downloads\vir-300.exe, PID:1096 (Performed by c:\users\vashl\downloads\vir-300.exe, PID:3860)
No action taken
____________________________

Suspicious Actions

(Performed by c:\users\vashl\downloads\vir-300.exe, PID:1096)
No action taken
____________________________


File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
________________________________________________________________________________________________

 

 


As a result, the MBR is infected.

06-04-2013 19-53-55.png