0 Replies Latest reply on May 25, 2012 3:51 PM by DC-SG

    Alert on win3ksyspro.exe

    DC-SG

      Hello.

      I got an alert from Threat Expert about win3ksyspro.exe being written to %Windir%\system32\. I am looking for a way:

      1) To write a custom IPS rule to prevent this threat or something similar.

      2) And to configure VSE 8.x to scan %Windir%\system32:win3ksyspro.exe.

       

      I appreciate your help in advance.

       

      Best Regards,

       

      DC-SG

       

      ++++ Submission Summary:

      • Submission details:
        • Submission received: 23 May 2012, 01:17:06
        • Processing time: 8 min 17 sec
        • Submitted sample:
          • File MD5: 0x1D4E74574BD8FDE793D85CBE59F8A288
          • File SHA-1: 0xF3D73CF039A86B64FCE40E690D6AC34E90A7CC7A
          • Filesize: 45,056 bytes

      Technical Details:

       

      File System Modifications
      • The following file was created in the system:
      # | Filename(s) | File Size | File Hash
      1 | [file and pathname of the sample #1] | 45,056 bytes | MD5: 0x1D4E74574BD8FDE793D85CBE59F8A288; SHA-1: 0xF3D73CF039A86B64FCE40E690D6AC34E90A7CC7A
      • The following Alternate Data Stream was created in the system:
      # | ADS name(s) | ADS Size | ADS Hash
      1 | %Windir%\system32:win3ksyspro.exe | 45,056 bytes | MD5: 0x1D4E74574BD8FDE793D85CBE59F8A288; SHA-1: 0xF3D73CF039A86B64FCE40E690D6AC34E90A7CC7A
      • Note:
        • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

      ++++