Thansk for the additional list of hostnames, Ben. Perhaps not coincidentally, we have had an increase in Chrome force quitting.
It's great to share intel, even if we do not use a common AV client.
I have been collating the files into a RAR and submitted this to virustotal.com. The following shows who has (at leadt inpart) defs for this
We're still infected with this thing and seeing further problems with access to chrome and firefox. We setup a new share and restored clean files from backup to a seperate server which then also became infected. Are the triggers sitting on PC's or server as I don't think blocking the DNS/ips has had any effect? Hopefully tonights updates will have an impact..
Thought I would post this in case it helps anyone
For our network, we can see which computeris renaming all the files by opening computer management andclicking ‘open files’, you can see the user there.
Then click Sessions and see the IP address / Hostname
This thread has started on Sophos:
They've classified it Caphaw-E
There's a couple more hosts on there I didn't know about:
Now take a look at other Caphaw variants:
Does the pattern look similar? Note the external DNS requests.
Neil list was send in an email my a Microsoft tech that we have a case open with.
We also blocked the authoritative nameserver that some of the domains have in common: 184.108.40.206
This will prevent machines resolving these domains even if the IP changes.Message was edited by: londondragon on 22/08/12 04:37:10 CDT
Excuse if this has been mentioned before but until you can get clean we have been able to 'live' with the virus by finding the infected users (owners of the 'thumbs.db2, etc...) and removing their mapped drives. They still have some shortcuts to area's they need, which I only allow them to move files to their machine to work on, but the short cuts dry up while they are in that state. I had a slight delay in success with that after NOT stopping their login script remaking them on login but aside from that.
I have fought with this since the 14th and you can't help but be impressed. We had 5 out of 9 shares hit regularly and each would have a chosen 'hive' for the variations of 'Thumbs.db, $Recycle, Desktop.ini and Pagefile.sys. It might be a low level directory of in some cases 5 deep in a folder unaccessed for about 2 years with 2 .doc's of old car hire records from 2009! All infected users seemed to work as a collective to use that folder for their payload.
Thanks for all the collected info this forum has been a great source of info!
We're starting to make some progress on this virus. We've monitored it in a sandbox and redirect DNS for the already mentioned domains to a honeypot webserver running a PHP script that dumps the POST variables. This will allow us to see what clients are infected.
It seems to be uploading a base64 string, of which we don't know the contents. McAfee's Threat Advisroy on BackDoor-FHI also notes this behaviour.
The latest DATs (6811) seem to be picking up the thumbs and lnk files etc but this is not the point of entry for the virus. On the infected client machines we are starting to see a pattern of Java class files and tmp.exe files being detected:
(McAfee DAT - Generic Exploit!ksf & Generic Exploit!kql, Stinger - no detection, Kaspersky - Exploit.Java.CVE-2011-3544.ht & Exploit.Java.CVE-2011-3544.io)
(McAfee DAT - BackDoor-FHI, Stinger - FakeAlert-SecurityTool.fg, Kaspersky - Trojan-Dropper.Win32.Dycler.dl)
(Looks suspicious but not being flagged up yet - sample sent to McAfee Labs)
We have already updated Java/Flash/Adobe Reader as soon as the virus hit, but this seems to be pointing at initial entry via Java.
I advise everyone to deploy the latest Java updates, and please post here if you are seeing anything similar.