Symantec Endpoint protection - Trojan.ADH.2

scs-paul
I have a server on which SEP is finding and quarantining a file it marks as Trojan.ADH.2. When I look at the original location where it reports the file was found, this file does not exist.

When I run a full scan it does not find any infection. But if I run an exe it immediately detects this trojan and quarantines a file (not the exe); refer to the quarantine details below. I have replaced the exe in question with a file from a clean system and it then reports the same file as infected even when running the clean file.

Basically the exe is run and it then finds a file named II85hf3 in the directory containing the exe and quarantines the II85hf3 file.


Risk      Filename      Original Location      Status      Date
Trojan.ADH.2      II85hf3      C:\Program Files\Intentia\Movex Explorer v12Java\Bin\      Infected      19/04/2012 15:08
Trojan.ADH.2      II85hf3      C:\Program Files\Intentia\Movex Explorer v12Java\Bin\      Infected      19/04/2012 15:08
Trojan.ADH.2      II85hf3      C:\Program Files\Intentia\Movex Explorer v12Java\Bin\      Infected      19/04/2012 15:17
Trojan.ADH.2      II85hf3      C:\Program Files\Intentia\Movex Explorer v12Java\Bin\      Infected      19/04/2012 15:18

Any suggestions on removal?
Sudeep Sharma, Technical Designer

Commented:
It could just be a false positive. You can submit the file to Symantec so that they can evaluate it.

https://submit.symantec.com/basic

Further, scan the system with another online scanner; try any of the links below:
ESET online scan
http://www.eset.com/us/online-scanner

Kaspersky Online Scan:
http://www.kaspersky.com/virusscanner

TrendMicro Online Scan:
http://housecall.trendmicro.com/

F-Secure Online Scan
http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/online-scanner/

I hope that would help

Sudeep
This is a detection of a new variant that has not been analyzed, and this should definitely be sent for analysis. Send it to VirusTotal and it will eventually get picked up by the antivirus vendors in their signature databases.

But if I run an exe it immediately detects this trojan and quarantines a file (not the exe); refer to the quarantine details below
From your symptoms, without actually seeing the file myself, it would appear it's using DLL injection into the process, and CreateProcessW is most likely hooked, allowing it to know when a process is created. You might be better off running an anti-rootkit like GMER and posting the log here.

Author

Commented:
Russell - would I send off the exe or the file that gets quarantined? I assume the file that gets quarantined would be sent as I can replace the exe with a clean file and it has the same effect.

Trying to run GMER on the server (Windows Server 2003) caused it to lock up and it had to be power cycled.
The file that gets quarantined. The antivirus is blocking this renamed DLL or driver file. Those random names you see are one or the other of those 2.

Ok, hmm, what kind of processor is the server running? Also, is it an x86 or x64 environment?

Author

Commented:
It is an old server running an x86 environment with a Pentium 4 2.8 GHz.
@Moh10ly, what are you talking about? Norton is stopping the infection. The problem is there is a startup point that it's missing to remove. I would say it's doing what he paid for it to do. Norton is one of the most attacked AVs out there. Someone on this network accidentally downloaded it. He may not be able to shut down this server to do that. It may be an old production server, never know.

@scs-paul,
GMER shouldn't be locking your machine. Something else is causing the problem. Did you get a chance to upload the file to VirusTotal?

Author

Commented:
Russell
I uploaded the file to VirusTotal and it came back with a 0/42 detection ratio. Screenshot attached.

Does this mean it is likely a false positive and if so how do I stop SEP from raising the threat notification?
2012-04-24-090404.jpg
How long have you had "Movex Explorer v12Java" installed, or did you even install this software? Was the quarantined file from SEP's quarantine restore? Directly copying the file would not have the same results.

SEP is stopping it for a good reason. It's not normal for just any application to inject into another process's space. There are a few exceptions: debugging, (legitimate) monitoring applications.

Author

Commented:
Russell

Movex Explorer v12Java has been installed on this machine for at least 6 years. This is used for our finance system.

Was the quarantined file from SEP's quarantine restore? Directly copying the file would not have the same results.
Not sure what you are referring to here - I took a copy of the .VBN file from the quarantine directory and copied this to my machine (could not upload from the server due to our firewalls) and then uploaded it to VirusTotal.

We did have a user, who had a mapped drive to this server, get hit with the Smart Fortress 2012 trojan on the same day as this infection, so I am not sure if this is related? The user's laptop was cleaned up and is fine now.
Rgr that! That would explain why it was not detected by VirusTotal. Antivirus software usually encrypts the files after quarantine so you don't get reinfected again. I always had to restore the infection to a selected directory that is in an excluded location in SEP and then move it to a USB for later upload.

Smart Fortress is scareware usually coupled with a rootkit. You guys wouldn't be the first ones I've heard of getting infected by this, this year. Sadly enough. Since you bring that to attention, I would go for an offline virus scan to see what it picks up. Usually this is not a good idea since some antivirus software deletes drivers that are patched by rootkits (*cough* HitmanPro). Be careful with Norton Eraser too; I haven't heard if they stopped that as well. The last incident I saw was with a ZeroAccess infection, and they actually removed the TDL rootkit: +1 for them, -1 for them not repairing the TDL chain, leaving parts of the network non-functional. It's easy to fix though.

If the infection is not found by the offline scan we need to start looking for specific load points. The DLL injection needs to be found first. If it finds a <some characters>.tmp/dll, that's good! If it finds a sys file infected, even better.

You will need:

- Autoruns from sysinternals
- specifically, we are looking for load points like App_InitDLLs and Winlogon load points in the registry. These are two highly recognised points for finding manipulated keys used for loading malware instead of legit processes.

Author

Commented:
Any assistance in reading the output from Autoruns (file attached)?

Autoruns has references to a pfqijix.dll file in HKLM\System\CurrentControlSet\Services and has it as "file not found" - could this be the issue? There are other "file not found" errors but I am not sure if they are legit.
AutoRuns.txt
Those are not legit. Either it has hooked certain areas to protect itself from removal or you have a driver in ring0 somewhere in your server with some kind of Robin & Friar Tuck going on. Either way it's not looking too good right now. Did you get a chance to scan offline by chance? I will take a closer look at the log in the morning; it's pretty late here right now. Need to get some rest here.
I noticed you are running 2 types of antivirus at the same time. This is actually not a good idea. One conflicts with the other. Malwarebytes is made to run side-by-side with antivirus as it does not interfere with normal AV operations in kernel mode.

This is more of what I am talking about; it shows the restore options for Norton's products.


The items I see here in Autoruns are these:

"HKLM\System\CurrentControlSet\Services"
+ "uawcvfwn"	"The communication bridge to fax clients that use IPX, SPX or TCP/IP via RPC."	""	"File not found: C:\WINDOWS\system32\pfqijix.dll" <-- old entry
+ "brmvu"	"Provides SQL Server connection information to client computers."	""	"File not found: C:\WINDOWS\system32\pfqijix.dll" <-- new entry or possibly still old and the new one is unlinked from the process tree.


Doing a Google search along with a more specific file verification search, you will notice that there is no reference to this file and that these services have different service names for the same filename.
+ "Changer"	""	""	"File not found: C:\WINDOWS\System32\Drivers\Changer.sys"


You can right click and delete this using Autoruns. It won't affect anything as it's an orphaned registry key.

Older, outdated and vulnerable ActiveX components installed.
+ "AcroIEHlprObj Class"	"Adobe Acrobat IE Helper Version 6.0 for ActivieX"	"Adobe Systems Incorporated"	"c:\program files\adobe\acrobat 6.0\reader\activex\acroiehelper.dll"


I have a pretty good idea of how this got into your computer and possibly why GMER actually crashed. I am betting it has to do with the 2 current antivirus solutions you have installed and running during its initial run.
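Added example (not part of the thread and not Sysinternals' tooling): a small Python parser for the tab-separated Autoruns text export quoted above that groups "File not found" entries by the missing image path, so the pattern called out here (one missing DLL registered under several different service names) is flagged automatically. The sample lines are constructed to mirror the entries above and are not the poster's AutoRuns.txt.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Autoruns' tab-separated text export; the
# entries mirror the ones quoted above but this is not the poster's AutoRuns.txt.
SAMPLE = (
    '"HKLM\\System\\CurrentControlSet\\Services"\n'
    '+ "uawcvfwn"\t"The communication bridge to fax clients that use IPX, SPX or TCP/IP via RPC."\t""\t"File not found: C:\\WINDOWS\\system32\\pfqijix.dll"\n'
    '+ "brmvu"\t"Provides SQL Server connection information to client computers."\t""\t"File not found: C:\\WINDOWS\\system32\\pfqijix.dll"\n'
    '+ "Changer"\t""\t""\t"File not found: C:\\WINDOWS\\System32\\Drivers\\Changer.sys"\n'
    '+ "Browser"\t"Computer Browser"\t"Microsoft Corporation"\t"c:\\windows\\system32\\browser.dll"\n'
)

MISSING = re.compile(r"^File not found:\s*(.+?)\s*$", re.IGNORECASE)

def parse_autoruns(text):
    """Yield (location, name, description, publisher, image_path) per '+' entry;
    a line without the '+ ' prefix names the registry location of what follows."""
    location = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("+ "):
            location = line.strip('"')
            continue
        fields = [f.strip('"') for f in line[2:].split("\t")]
        fields += [""] * (4 - len(fields))          # pad short rows
        name, desc, publisher, image = fields[:4]
        yield location, name, desc, publisher, image

def orphaned_entries(text):
    """Map each missing image path (lower-cased) -> service names that reference it."""
    by_path = defaultdict(list)
    for _loc, name, _desc, _pub, image in parse_autoruns(text):
        m = MISSING.match(image)
        if m:
            by_path[m.group(1).lower()].append(name)
    return dict(by_path)

def shared_missing_paths(text):
    """The red flag described in the thread: one missing file registered under
    several different service names (renamed load points for the same payload)."""
    return {p: names for p, names in orphaned_entries(text).items() if len(names) > 1}
```

Entries that appear in shared_missing_paths are worth checking across reboots, since a load point that is recreated with a new name after deletion is what the follow-up posts describe.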

Author

Commented:
Russell

Firstly thanks for the continued assistance and sorry for the delay in reply (we have had a public holiday here in Aus).


I removed the two pfqijix.dll entries from autoruns and have rebooted and it recreated one entry which shows file not found and again has a different description.

With regards to the 2 antiviruses - I assume you were talking of the Kaspersky reference in the Autoruns output as the second antivirus. This was there as one of the earlier comments suggested using a different scanner to check for infection - when I tried to install the Kaspersky offline scanner tool it did not install correctly and I needed to reboot and then remove some files that were running on startup, as it would try to reinstall each time and then fail. So this makes two attempted installs that failed since this infection, including GMER. With all that in mind I think there has only been one antivirus solution installed prior to the infection.

When you mention running an offline scan - can you elaborate on what this involves? I am assuming you mean to remove the server from the network and then run a full scan using SEP - but can you advise if this is what you mean?
AutoRuns27-04-12.txt
I understand. A lot of people come here and suggest software without knowing the side effects. Installing 2 kinds of antivirus concurrently doesn't help the process. It actually does a few things to your computer depending on what type of package is added. If it's a bulk package antivirus like Norton mixed with McAfee, both their software conflict on monitoring and control of activity on the machine. There is also the added overhead and possible other not so nice side effects. It's already too late to advise against this as it was already done. Just keep in mind one AV is good enough to help for prevention. After a rootkit infection, it's already too late and it needs to be scanned outside of the operating system after the infection proves to be extremely persistent.

When I say scan outside the system I mean use a bootable CD that contains a live bootable operating system different from the current machine it is being run on. This disk needs to have antivirus that allows you to scan but not remove. This way you can get an unaltered snapshot of the real filesystem in question without it being manipulated by the malware inside. Also note you will need to make a full file listing using a simple "Dir /a /h /s /S > before.txt" and do the same exact thing while you're booted from the live disk. These 2 files are compared and you will find inconsistencies with the after.txt file. Once these inconsistencies are found they are carefully compared and tested for confirmation of malware.

That is where I come in. This is safe and proven. It's called a "Cross-View" approach. There are a few different registry keys that I keep seeing where the infection is injected into memory as soon as the computer starts up. One of the keys uses the App_InitDLLs and the other uses Session Manager\KnownDll, and finally, while I haven't seen a confirmation yet for this infection, I would suspect the winlogon/notify key is also being used to start this malware as well.

Inside the current operating system, use the Sysinternals signature verification tool to scan both c:\windows\system32 and the drivers folder for unsigned files. Another spot to look at is the system32\config directory, due to this being a Fortress infection. I will be in and out for the next 6 days as I am out on a trip. This should give you a good idea at least of how to find the bad files, defeating the file injection currently being used to hide files from you and prevent software removal.

Ignore the first part of this blog post about the TDSSKiller and Malwarebytes. Neosmart is an example of a live CD that has ClamAV already installed on it. You don't have to use this CD either. There are hundreds of other bootable disks like these, for instance Microsoft Security Sweeper. It's a beta version but it works almost in the same fashion as the above method. The difference is it can update with a network connection and scan using a drag database list. Be sure if you use their boot disk that you make the disk from the same OS and architecture as you intend on using it on, and that it is also clean too.


Did you use Eraser to delete DLL files? We need to wipe out the driver that keeps showing itself after cleaning the bootup entries. Here is the link to the blog post.
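The cross-view comparison described above, as an added Python example (not the thread's own script): it parses two "dir /a /s" listings, one taken inside the running OS and one from the live CD, drops the drive letter so the two views line up, and reports files only the live CD sees, files only the running OS sees, and size mismatches. The two listings are constructed sample data, not the poster's before.txt/after.txt.

```python
import re

# Constructed sample "dir /a /s" listings (names, dates and sizes are made up for
# this example; they are not the thread's own before.txt / after.txt).
INSIDE_OS = """ Directory of C:\\WINDOWS\\system32

19/04/2012  15:08    <DIR>          .
19/04/2012  15:08    <DIR>          ..
14/04/2008  12:00           12,288 browser.dll
14/04/2008  12:00          143,360 ntdll.dll
               2 File(s)        155,648 bytes
"""
LIVE_CD = """ Directory of D:\\WINDOWS\\system32

19/04/2012  15:08    <DIR>          .
19/04/2012  15:08    <DIR>          ..
14/04/2008  12:00           12,288 browser.dll
14/04/2008  12:00          143,872 ntdll.dll
19/04/2012  15:07           40,960 pfqijix.dll
               3 File(s)        197,120 bytes
"""

DIR_HDR = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")

def parse_dir_listing(text):
    """Map lower-cased path (drive letter dropped, so the live CD's D: lines up
    with the running OS's C:) -> size in bytes, or None for a directory."""
    files, current = {}, None
    for line in text.splitlines():
        h = DIR_HDR.match(line)
        if h:
            current = h.group(1)
            if len(current) > 1 and current[1] == ":":
                current = current[2:]
            continue
        e = ENTRY.match(line)
        if e and current is not None and e.group(2) not in (".", ".."):
            size = None if e.group(1) == "<DIR>" else int(e.group(1).replace(",", ""))
            files[(current + "\\" + e.group(2)).lower()] = size
    return files

def cross_view(inside_text, live_text):
    """(hidden, missing, changed): paths only the live CD sees (classic sign of a
    rootkit hiding files), paths only the running OS sees, and size mismatches."""
    inside, live = parse_dir_listing(inside_text), parse_dir_listing(live_text)
    hidden = sorted(set(live) - set(inside))
    missing = sorted(set(inside) - set(live))
    changed = sorted(p for p in set(inside) & set(live) if inside[p] != live[p])
    return hidden, missing, changed
```

Files in the hidden list are the ones to hash and submit for analysis; files in the changed list are candidates for the signature verification suggested above.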

Author

Commented:
Endeavouring to arrange a time to take this server offline to perform the checks suggested.
