Unrecognized threat

I discovered a threat not recognized by NIS 2009. I checked it on the VirusTotal site and only 5 engines report it; it is about some Trojan Vundo.

 

http://www.virustotal.com/analisis/acd81148cb4963aaed0d529aaad793ad 

 

I'm trying to find a way to send the file directly to Symantec. I only found an email address: avsubmit@symantec.com. Is there a better way, like the VirusTotal way? I hope I removed the threat through the recovery console, but I can't be certain when the AV doesn't recognize it.

Something is still here. I discovered that something is preventing the Automatic Updates service from being enabled. I manually enable it, but when I refresh, the service is still disabled.

Malwarebytes cleaned my computer. Here is the log:

Malwarebytes' Anti-Malware 1.30
Database version: 1402
Windows 5.1.2600 Service Pack 3

16.11.2008 19:47:12
mbam-log-2008-11-16 (19-47-12).txt

Scan type: Quick Scan
Objects scanned: 53422
Time elapsed: 6 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awtqrqom.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{deb6af86-8b0f-491f-a378-ce3b9565b761} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{deb6af86-8b0f-491f-a378-ce3b9565b761} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{deb6af86-8b0f-491f-a378-ce3b9565b761} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xmlordersexport (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xmlordersimport (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xmlstatemetexport (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\awtqrqom -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtqrqom  -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\awtqrqom.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\moqrqtwa.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\moqrqtwa.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Teodora\Local Settings\Temporary Internet Files\Content.IE5\PIDVTAF4\upd[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\casino1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\casino2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\casino3.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Teodora\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Teodora\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Teodora\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
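As an added example (not code from this thread, from Malwarebytes or from Symantec), a small Python parser for the MBAM 1.30 log format posted above: it turns each detection line into a record, groups them by threat family, lists the items left as "Delete on reboot" so they can be re-checked after the restart, and pulls out the module name registered under the LSA package values, which is what kept the DLL loaded and undeletable. The SAMPLE_LOG excerpt is constructed from the log lines above.

```python
import re
from collections import Counter

# Constructed excerpt of the Malwarebytes' Anti-Malware 1.30 log posted above (same line format).
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\awtqrqom.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\awtqrqom -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtqrqom  -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\awtqrqom.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Teodora\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# Detection line shape: "<item> (<threat>) -> [Data: <data> -> ]<action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> "
                     r"(?:Data: (?P<data>.*?) -> )?(?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it appeared under."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:  # summary counts and "(No malicious items detected)" do not match
            records.append({"section": section, "item": m["item"], "threat": m["threat"],
                            "action": m["action"], "data": (m["data"] or "").strip()})
    return records


def threat_families(records):
    """Count detections per family: Trojan.Vundo.H and Trojan.Vundo both count as Trojan.Vundo."""
    return Counter(".".join(r["threat"].split(".")[:2]) for r in records)


def pending_reboot(records):
    """Items MBAM could not remove while Windows was running; confirm they are gone after the reboot."""
    return sorted({r["item"] for r in records if r["action"] == "Delete on reboot"})


def lsa_persistence(records):
    """Module names written into the LSA package values, i.e. loaded into lsass.exe at every boot."""
    return sorted({r["data"] for r in records if r["data"] and "\\LSA\\" in r["item"]})
```

Running the same functions over the full log above flags the same DLL twice (memory module and file) and the two LSA values, which is the persistence to verify is gone after the reboot.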

You can submit all files to Symantec here: https://submit.symantec.com/websubmit/retail.cgi.

 

Is your issue resolved, or are you still noticing odd behaviour?

When you say unrecognized, do you mean that Norton did not recognize the file as malicious on

  •  Virustotal?
  •  Running an on-demand scan of the file itself?
  •  Running a full system scan?  

Tech0utsider wrote:

When you say unrecognized, do you mean that Norton did not recognize the file as malicious on

  •  Virustotal?
  •  Running an on-demand scan of the file itself?
  •  Running a full system scan?  

I mean NIS 2009 didn't recognize it. When I wanted to watch a wmv file, Windows Media Player asked for some codec; I started it and nothing happened. I suspected it could be malware and checked the NIS history. NIS logged the file's actions as low risk. I saw that it created two dll files which are binary-identical. It made some modifications in the registry relating to Internet Explorer. I tried to delete those files, but I was only able to delete one. The second was already active. Then I started looking for a way to send this file somewhere to find out whether it is malicious. I found the VirusTotal link and sent the file to them. On their site only five engines told me it is a trojan. So I knew I had an infection now. I posted a message here to find out how to send the file to Symantec, because all protection was active at the time I started the problematic file. A scan of the file itself didn't find anything. I isolated it in a specific folder and then started a scan on that folder. I used a quick scan and it didn't find anything, even though I knew the threat was active in memory. When I installed Malwarebytes and ran a quick scan, it noticed the threats (log in the previous message) and removed them from the system after a reboot. That's my general story. To be honest, I did this (even though I suspected it could be malware) because I wanted to test NIS. I have plans to resell NIS and NAV 2009 to my customers, so I want to know what to expect in real life.
 The problem started from a file whose name was ia_player_flash_codec_plugin.exe.
 

 

Message Edited by mickey72 on 11-16-2008 11:51 PM
Message Edited by mickey72 on 11-16-2008 11:53 PM
Message Edited by mickey72 on 11-16-2008 11:54 PM

Well, one more thing that this threat did is to prevent me from turning off System Restore (actually I want to restart it).

 

To resolve that I used these instructions:

 

1. Click Start, Run and type regedit.exe and press Enter

2. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore

In the right-pane:

  • Delete the value DisableConfig
  • Delete the value DisableSR

3. Exit the Registry Editor. 

 

 

Could just be a False Positive. Did you "install" the codec on your "Guest/Restricted" account, "Limited", or "Administrator"?

 

I am sure that SONAR would have picked it up; however there may have not been enough time.

 

And, did you set your Heuristics on "Aggressive", "Auto", or "Off"?

Message Edited by Tech0utsider on 11-16-2008 06:25 PM

Tech0utsider wrote:
Could just be a False Positive.

 

If Malwarebytes detected this, maybe it isn't a F.P. from Norton...

 

It could be that M.A.-M. missed this too if the user is still having issues.

Message Edited by Floating_Red on 11-16-2008 11:26 PM

Floating_Red wrote:

Tech0utsider wrote:
Could just be a False Positive.

 

If Malwarebytes detected this, maybe it isn't a F.P. from Norton...

Vundo is considered adware.

 

There is a fine line between adware and crapware. Some AVs are a little conservative, and some are more liberal, in describing adware.


Tech0utsider wrote:

Could just be a False Positive. Did you "install" the codec on your "Guest/Restricted" account, "Limited", or "Administrator"?

 

I am sure that SONAR would have picked it up; however there may have not been enough time.

 

And, did you set your Heuristics on "Aggressive", "Auto", or "Off"?

Message Edited by Tech0utsider on 11-16-2008 06:25 PM

Account is Administrator.
 
Sonar was by default auto. At the moment it is aggressive. 
 
I'm looking now at program control. Is it good to block rundll32.exe from accessing the Internet? I think that the malware worked this way. Any suggestion in this direction?

 

Regarding SONAR: I found in its log (System Activity Monitoring) details of what happened when the file was executed. Maybe that information could be valuable for a Symantec tech, but I don't know how to get it in some text form. Any advice?

Just submit it to Symantec Security Response. I believe the link is on the first page. Keep the tracking # which will arrive by e-mail.

I got a message from Symantec Security Response staff. I can confirm that this Vundo trojan is now recognized by Norton 2009 AV software.

 

But there is another variant of the Vundo trojan that is still not recognized. I sent that second file too, so I expect it will be recognized soon.

Details at VirusTotal can be found if you follow this link: http://www.virustotal.com/analisis/70d1dbc706f283d0424d9267da6254b6

Message Edited by mickey72 on 11-17-2008 10:59 PM

The initial file which caused the problems is now identified by Norton AV/IS 2009 as a Trojan Horse. This means that this threat is not unrecognized anymore.

Rundll is often leveraged by malware, such as Vundo.

 

However, rundll is also used for legit purposes. 

And try uploading the files to VirusTotal again to see if their copy of Norton can recognize it.