Re: Strange issue with doc en XLS files become hidden.

Thanks for the additional list of hostnames, Ben. Perhaps not coincidentally, we have had an increase in Chrome force quitting.

It's great to share intel, even if we do not use a common AV client.

I have been collating the files into a RAR and submitted this to virustotal.com. The following shows who has (at least in part) defs for this:

https://www.virustotal.com/file/6a9e331a561460b4b7a243142da165242acb171bd2eb4be2b5d90ab72ba850bd/ana...


Re: Strange issue with doc en XLS files become hidden.

We're still infected with this thing and seeing further problems with access to Chrome and Firefox. We set up a new share and restored clean files from backup to a separate server, which then also became infected. Are the triggers sitting on PCs or the server? I don't think blocking the DNS/IPs has had any effect. Hopefully tonight's updates will have an impact.

Re: Strange issue with doc en XLS files become hidden.

Thought I would post this in case it helps anyone.

For our network, we can see which computer is renaming all the files by opening Computer Management and clicking 'Open Files'; you can see the user there.

Then click 'Sessions' and see the IP address / hostname.

Re: Strange issue with doc en XLS files become hidden.

This thread has started on Sophos:

http://community.sophos.com/t5/Sophos-Endpoint-Protection/Thumbs-db2-hidden-files-on-shares-virus-ur...

They've classified it as Caphaw-E:

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Caphaw-E/detailed...

There are a couple more hosts on there I didn't know about:

  • stat-servise.cc
  • str-main.su

Now take a look at other Caphaw variants:

http://www.sophos.com/en-us/search-results.aspx?refine=1a1e9ea6979a493dba64e1b2ced03044&search=capha...

Does the pattern look similar? Note the external DNS requests.

Re: Strange issue with doc en XLS files become hidden.

Here is a list sent by Microsoft:

  • e-guard.su
  • e-statistics.cc
  • e-system.cc
  • first-service.cc
  • on-protec.su
  • stat-service.cc
  • str-main.su
  • www-guard.su
  • www.protection.su

Re: Strange issue with doc en XLS files become hidden.

LD - do you have a source link please?

I noticed that when authenticating to gmail, the site requests would bounce between mail.google.com and e-system.cc.

Re: Strange issue with doc en XLS files become hidden.

Neil, the list was sent in an email by a Microsoft tech that we have a case open with.

We also blocked the authoritative nameserver that some of the domains have in common: 84.32.116.155

This will prevent machines resolving these domains even if the IP changes.

Message was edited by: londondragon on 22/08/12 04:37:10 CDT

Re: Strange issue with doc en XLS files become hidden.

Excuse me if this has been mentioned before, but until you can get clean, we have been able to 'live' with the virus by finding the infected users (owners of the 'thumbs.db2', etc.) and removing their mapped drives. They still have some shortcuts to areas they need, which I only allow them to use to move files to their machine to work on, but the shortcuts dry up while they are in that state. I had a slight delay in success with that after NOT stopping their login script remaking them on login, but aside from that.

I have fought with this since the 14th, and you can't help but be impressed. We had 5 out of 9 shares hit regularly, and each would have a chosen 'hive' for the variations of 'Thumbs.db, $Recycle, Desktop.ini and Pagefile.sys'. It might be a low-level directory, in some cases 5 deep, in a folder unaccessed for about 2 years with 2 .docs of old car hire records from 2009! All infected users seemed to work as a collective to use that folder for their payload.

Thanks for all the collected info; this forum has been a great source of info!

Regards,

Rob
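As an added example (not posted by anyone in this thread), the two techniques above, checking who owns the 'thumbs.db2'-style impostor files and looking at Computer Management > Open Files, can be combined into one triage script run on the file server. It assumes an administrator session on Windows Server 2012 or later (for the SmbShare cmdlets) and takes a hypothetical local share root as `$SharePath`.

```powershell
# Added example, not from any post in this thread: triage one share on the file
# server for the impostor files described above (Thumbs.db2, $Recycle.Bin.lnk,
# Desktop.ini.exe, Pagefile.sys.lnk ...), report who owns each one, and list the
# SMB clients that currently hold such a file open. Assumes it runs on the file
# server as an administrator with the SmbShare module (Windows Server 2012+);
# $SharePath is a hypothetical local share root such as D:\Shares\Finance.
param([Parameter(Mandatory)][string]$SharePath)

# Genuine Thumbs.db/Desktop.ini also live on shares, so flag only the impostors:
# a digit suffix (Thumbs.db2) or a .lnk/.exe tail on a system-looking name.
$dropped = '^(thumbs\.db\d+|(thumbs\.db|\$recycle(\.bin)?|desktop\.ini|pagefile\.sys)\.(lnk|exe))$'

$hits = Get-ChildItem -LiteralPath $SharePath -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $dropped }

$report = foreach ($f in $hits) {
    $owner = 'unknown'
    try { $owner = (Get-Acl -LiteralPath $f.FullName).Owner } catch { }

    # The real documents sit next to the impostors with the Hidden attribute set,
    # which is the symptom that started this thread; count them per folder.
    $hiddenDocs = @(Get-ChildItem -LiteralPath $f.DirectoryName -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -match '^\.(docx?|xlsx?)$' -and
                       $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) }).Count

    [pscustomobject]@{
        Path           = $f.FullName
        Owner          = $owner            # account that created the impostor = infected user
        Created        = $f.CreationTime
        HiddenDocsHere = $hiddenDocs
    }
}

'== Impostor files and their owners =='
$report | Sort-Object Owner, Created | Format-Table -AutoSize

# Same data Computer Management > Shared Folders > Open Files shows, filtered to
# the impostor names so the renaming client stands out.
'== SMB clients currently holding an impostor file open =='
Get-SmbOpenFile -ErrorAction SilentlyContinue |
    Where-Object { (Split-Path -Path $_.Path -Leaf) -match $dropped } |
    Select-Object ClientComputerName, ClientUserName, Path |
    Format-Table -AutoSize

# Owners and client names from both lists are the machines to take off the network
# (or, as above, to strip of their mapped drives) until they have been cleaned.
```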

Re: Strange issue with doc en XLS files become hidden.

BTW, as of this morning online-upd.at is resolving to a new IP address: 95.211.29.34

Re: Strange issue with doc en XLS files become hidden.

Hi,

We're starting to make some progress on this virus. We've monitored it in a sandbox and redirected DNS for the already mentioned domains to a honeypot webserver running a PHP script that dumps the POST variables. This will allow us to see which clients are infected.

It seems to be uploading a base64 string, of which we don't know the contents. McAfee's Threat Advisory on BackDoor-FHI also notes this behaviour.

The latest DATs (6811) seem to be picking up the thumbs and lnk files etc., but this is not the point of entry for the virus. On the infected client machines we are starting to see a pattern of Java class files and tmp.exe files being detected:

/appdata/locallow/sun/java/deployment/cache/6.0/32/4e7ceca0-21a6fae3/Photo.class

     (McAfee DAT - Generic Exploit!ksf & Generic Exploit!kql, Stinger - no detection, Kaspersky - Exploit.Java.CVE-2011-3544.ht & Exploit.Java.CVE-2011-3544.io)

E9E3.tmp.exe

     (McAfee DAT - BackDoor-FHI, Stinger - FakeAlert-SecurityTool.fg, Kaspersky - Trojan-Dropper.Win32.Dycler.dl)

E36D.tmp.exe

     (Looks suspicious but not being flagged up yet - sample sent to McAfee Labs)

We had already updated Java/Flash/Adobe Reader as soon as the virus hit, but this seems to be pointing at initial entry via Java.

I advise everyone to deploy the latest Java updates, and please post here if you are seeing anything similar.
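As an added example (not the PHP script from the post above, and not from anyone in this thread), the same sinkhole idea in PowerShell: point internal DNS for the listed domains at the host running this, and each infected client that checks in is recorded with its IP, the domain it asked for and the POST body. It assumes an administrator session (HttpListener needs the URL ACL), a free port 80, and a hypothetical output folder `$OutDir`.

```powershell
# Added example, not the PHP script mentioned in the post above: a minimal sinkhole
# web server. With internal DNS for the listed domains pointed at this host, every
# infected client that checks in is logged with its IP, the domain it resolved
# (Host header) and the size of the POST body; the body itself is saved for the
# sandbox team. Assumes it runs as an administrator (HttpListener needs the URL ACL)
# on a machine with port 80 free; $OutDir is a hypothetical path.
param([string]$OutDir = 'C:\sinkhole')

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$csv = Join-Path $OutDir 'checkins.csv'

$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add('http://+:80/')
$listener.Start()
Write-Host "Sinkhole listening on port 80; logging to $csv"

try {
    while ($listener.IsListening) {
        $ctx = $listener.GetContext()          # blocks until a client connects
        $req = $ctx.Request
        $body = ''
        if ($req.HasEntityBody) {
            $reader = New-Object System.IO.StreamReader($req.InputStream, $req.ContentEncoding)
            $body = $reader.ReadToEnd()
            $reader.Close()
        }
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $ip    = $req.RemoteEndPoint.Address.ToString()

        # Keep the raw POST for analysis; the thread notes it is an opaque base64 blob.
        if ($body) { Set-Content -LiteralPath (Join-Path $OutDir "$stamp-${ip}.post") -Value $body }

        [pscustomobject]@{
            Time        = $stamp
            ClientIP    = $ip                  # the infected client to go and clean
            Domain      = $req.UserHostName    # which sinkholed name it resolved
            Method      = $req.HttpMethod
            Url         = $req.RawUrl
            UserAgent   = $req.UserAgent
            BodyBytes   = $req.ContentLength64
            LooksBase64 = [bool]($body -and $body -match '^[A-Za-z0-9+/=\s]+$')
        } | Export-Csv -LiteralPath $csv -Append -NoTypeInformation

        # Send an empty 200 back; nothing useful is returned to the client.
        $ctx.Response.StatusCode = 200
        $ctx.Response.Close()
    }
}
finally { $listener.Stop() }
```

The ClientIP column is the list of machines to pull for cleaning; the Domain column shows which of the blocked names each one is still trying to reach.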
