I am seeing multiple entries on one machine that reference spoolsv.exe. Has anyone seen this is this malware related? I have included an example below. Thanks.
Event Type: McAfee Host Intrusion Prevention
IP Address: 0.0.0.0
Signature ID: 2779
Exceptions Allowed: False
Event Time: 2011-10-18 02:56:58
Event Class: Files
User Name: NT Authority\Local System
This is related to a new HIGH severity signature from Oct 2011 content. This signature prevents the SPOOLSV.EXE process from executing a .TMP file, which is how the TDSS Rootkit is installed. Submit samples of .TMP files to McAfee Labs for analysis, and find out what's writing these temp files (and resolve this). Spoolsv.exe executing a .TMP file is highly suspicious.
[New] Sig 2779: TDSS Rootkit Infection
This event indicates an attempt to infect the system by TDSS rootkit
- This signature is set to HIGH by default.
We have recently gotten several calls from users who got this HIPS intrusion detection sig 2779, and in all cases the users were printing a pdf file from an Outlook email or from IE. Looking at the logs, it is the spoolsv.exe executing a firstname.lastname@example.org file that is the culprit. These email@example.com files are synonymous with printing pdf files. In our cases the users are on Windows XP with various versions of Adobe Acrobat, and it's not the same file, but not all files, that are causing this when printed, so it's very odd. After thorough investigation, these machines all seem clean of TDSS. Not sure where this threat is coming from or if some pdf files have something particular about them that are causing this... any more insight would be appreciated!
I would suggest contacting the application vendor (Adobe) that is performing this action. Execution of .tmp files by spoolsv.exe is how the TDSS rootkit is being installed, and while your specific situation may not be a rootkit install attempt, this application behavior should be reviewed.
We disabled system restore and ran a full scan of the machine and only found a Generic PWS.ch (Trojan). The machine continues to get the 2779 events. Would this be a false positive?
It is my opinion that HIPS signature 2779 is flawed and triggering false positives. I believe the spoolsv.exe process is reading .tmp files from the temp directory in processing a print job, which is normal. However, for whatever reason, and not on every pdf file or other file types that first create .tmp files before printing, HIPS seems to see the spoolsv.exe process as executing on some of these .tmp files, which is the signature and triggers the TDSS rootkit infection attempt alert. After extensive investigation, there is no evidence of the TDSS rootkit so far, which is not to say that there isn't a very small chance that it's a very new and extremely well hidden rootkit. But with all due respect, I think this signature is triggering false positive intrusion detections for the TDSS rootkit.
I would tend to believe that my detection is a false positive as well. We followed the instructions on McAfee Labs to detect and remove the TDSS Rootkit but no rootkit was found. All Engines and DATs are up to date. I still get ~ 2500 hits on the 2779 everyday from the same machine.
On that machine where you are getting ~2500 hits per day, is there by any chance a local printer installed, specifically an HP? Another commonality I have discovered with our intrusion detections is that the particular users who are getting this have a local HP printer installed.
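A small triage helper for event records in the layout pasted at the top of this thread, added here as an example (it is not McAfee tooling or code from any poster): it parses the key/value export, counts sig 2779 hits per day and per hour of day, and lists days above a hit threshold, which is the kind of summary the "~2500 hits per day" and "users were printing" observations above rest on. The sample records, their timestamps and the contrasting signature ID 9999 are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in the record layout pasted in the thread (not a real
# export); signature 9999 is a made-up contrast value, the times are invented.
RECORD = """Event Type: McAfee Host Intrusion Prevention
IP Address: 0.0.0.0
Signature ID: {sig}
Exceptions Allowed: False
Event Time: {time}
Event Class: Files
User Name: NT Authority\\Local System
"""
SAMPLE_EXPORT = "\n".join(RECORD.format(sig=s, time=t) for s, t in [
    ("2779", "2011-10-18 02:56:58"), ("2779", "2011-10-18 09:12:03"),
    ("2779", "2011-10-19 14:30:10"), ("9999", "2011-10-19 10:00:00")])

def parse_events(text):
    """Split a blank-line separated export into dicts of 'Key: Value' fields."""
    events = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        rec["Event Time"] = datetime.strptime(rec["Event Time"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events

def daily_counts(events, sig_id="2779"):
    """Hits per calendar day for one signature, e.g. {'2011-10-18': 2}."""
    return dict(Counter(e["Event Time"].date().isoformat()
                        for e in events if e["Signature ID"] == sig_id))

def hourly_profile(events, sig_id="2779"):
    """Hits per hour of day; a print-job cause predicts working-hours clusters,
    while a sustained off-hours stream under Local System deserves a closer look."""
    return dict(Counter(e["Event Time"].hour
                        for e in events if e["Signature ID"] == sig_id))

def noisy_days(events, sig_id="2779", threshold=1000):
    """Days on which one signature exceeds the threshold (the thread reports ~2500/day)."""
    return sorted(d for d, n in daily_counts(events, sig_id).items() if n > threshold)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    print(daily_counts(evs), hourly_profile(evs), noisy_days(evs, threshold=1))
```

Point it at a real export by reading the file into `parse_events` instead of `SAMPLE_EXPORT`; records are expected to be separated by one blank line as in the post above.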