Source of Malware Found on Hyper-V Virtual Host

Posted on 2014-08-03
Last Modified: 2014-11-12
MS System Center Configuration Manager Endpoint Protection found and quarantined the following malware on one of our WS2K8 R2 Data Center Hyper-V virtual hosts. We're trying to find out the origins of the malware. No one logs into this server. All it does is host VMs. According to the MS malware information site, Win32/Pdfjsc is a family of malicious PDF files that exploit vulnerabilities in Adobe Acrobat and Adobe Reader. Let me know your thoughts. Thanks!

Configuration Manager Endpoint Protection has detected malware on one or more computers in your organization

Collection name: Member Servers

Malware Name: Exploit:Win32/Pdfjsc.ALB
Number of infections: 1
Last detection time(UTC time): 8/2/2014 11:05:52 AM

These are the infections of this malware:
1. Computer name:
Domain: MyDomain
Detection time(UTC time): 8/2/2014 11:05:52 AM
Malware file path: file:_C:\Windows\Temp\TMP00000008298C185C10810A8E
Remediation action: Quarantine
Action status: Succeeded
To view further information about malware activity in your organization, run Malware Details Report.
Question by: kc4jesus
    LVL 14

    Expert Comment

    Check the file creation date and see who logs on to that server, and how.
    LVL 25

    Expert Comment

    A PDF in ...\Temp would suggest someone did log on to the server...

    Check if the file is actually a PDF, and if so you should be able to check the event log for unexpected logons. Note that the file modification time should be preserved while quarantining.

    Author Comment

    No PDF, just a temp file
    Malware file path: file:_C:\Windows\Temp\TMP00000008298C185C10810A8E

    Could this be a false positive?
    LVL 25

    Accepted Solution

    A temp file can be mostly anything, including a PDF. We can't tell unless you look. I'm unsure if you're allowed to upload a file that contains a virus on EE, but PDF files start with "%pdf-" and the version number. It is probably reasonably safe to open the file in Notepad. Note that it is also very likely that the computer is infected regardless of what the antivirus may say.

    A false positive would seem unlikely in that case. You can upload the file to whatever scanning service you choose (as long as it is a different antivirus provider) in order to confirm.

    Did you have a look at logon events in the event log? The date of the file?
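The two checks the accepted answer asks for, the file header and the logon events around the detection time, can be done from PowerShell on the host without opening the file in anything that would render it. The script below is an added example written for this thread, not code from the original poster or from Microsoft; it assumes the file path and the UTC detection time copied from the alert in the question, that it runs elevated on the Hyper-V host, and that PowerShell 2.0 (what WS2K8 R2 ships with) is the floor, which is why it hashes with .NET directly instead of the later Get-FileHash cmdlet. It reads the first bytes only, so the file's creation and modification timestamps are left as they are for later comparison with the event log; if Endpoint Protection has already moved the file into quarantine, the triage object simply reports Exists = False and only the logon query applies.

```powershell
# Added triage helper for the thread above; not part of the original answer.
# Assumes: path and detection time copied from the alert (adjust for your host),
# run elevated on the Hyper-V host itself, PowerShell 2.0 or later.

$FilePath     = 'C:\Windows\Temp\TMP00000008298C185C10810A8E'   # path from the alert
# The alert reports UTC; build the timestamp with Kind = Utc so conversions are correct.
$DetectionUtc = New-Object DateTime 2014, 8, 2, 11, 5, 52, ([DateTimeKind]::Utc)

function Get-FileTriage {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item) {
        return New-Object PSObject -Property @{ Path = $Path; Exists = $false }
    }
    # Read only the first 8 bytes through a shared read handle; reading does not
    # touch CreationTime/LastWriteTime, which you want to compare against logons.
    $fs = New-Object IO.FileStream $Path, 'Open', 'Read', 'ReadWrite'
    try {
        $buf = New-Object byte[] 8
        $n   = $fs.Read($buf, 0, 8)
    } finally { $fs.Close() }
    $header = [Text.Encoding]::ASCII.GetString($buf, 0, $n)

    # SHA-256 via .NET: Get-FileHash does not exist on PowerShell 2.0 (WS2K8 R2).
    # Submitting the hash to a second scanner avoids uploading the file itself.
    $sha = [Security.Cryptography.SHA256]::Create()
    $in  = [IO.File]::OpenRead($Path)
    try { $hash = ($sha.ComputeHash($in) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $in.Close() }

    New-Object PSObject -Property @{
        Path             = $Path
        Exists           = $true
        SizeBytes        = $item.Length
        CreationTimeUtc  = $item.CreationTimeUtc
        LastWriteTimeUtc = $item.LastWriteTimeUtc
        HeaderAscii      = $header
        # A PDF starts with the literal bytes "%PDF-" followed by the version;
        # -clike keeps the comparison case-sensitive, as the magic is.
        IsPdf            = ($header -clike '%PDF-*')
        Sha256           = $hash
    }
}

function Get-LogonsAround {
    param([datetime]$WhenUtc, [int]$HoursBefore = 24, [int]$HoursAfter = 1)
    # Security log: 4624 = successful logon, 4625 = failed logon.
    # Get-WinEvent's StartTime/EndTime are local time, hence the conversion.
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625
        StartTime = $WhenUtc.AddHours(-$HoursBefore).ToLocalTime()
        EndTime   = $WhenUtc.AddHours($HoursAfter).ToLocalTime()
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        [xml]$x = $_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        New-Object PSObject -Property @{
            TimeUtc   = $_.TimeCreated.ToUniversalTime()
            EventId   = $_.Id
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $d['LogonType']   # 2 console, 3 network, 10 RDP, 5 service
            SourceIp  = $d['IpAddress']
            Process   = $d['ProcessName']
        }
    } | Where-Object {
        # Drop machine accounts (NAME$) and service logons (type 5); on a host
        # that "no one logs into", what is left is the list to explain.
        $_.User -notlike '*$' -and $_.LogonType -ne '5'
    }
}

# Usage: file facts first (timestamps, header, hash), then logons to compare them against.
Get-FileTriage -Path $FilePath | Format-List
Get-LogonsAround -WhenUtc $DetectionUtc | Sort-Object TimeUtc | Format-Table -AutoSize
```

Read the two outputs together: the file's CreationTimeUtc is the moment to look for in the logon list, and a console (type 2) or RDP (type 10) logon shortly before it, or a network (type 3) logon from an address that has no business reaching the host, is the kind of entry the accepted answer is asking about. If Exists comes back False because quarantine has already moved the file, the timestamps from the alert itself (Last detection time) are the fallback anchor for the event-log window.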
