
Continued Win32/trickbot.ak and Win32/Kryptik.GJRP activity


Hello. We have continued activity on different systems from these two trojans showing up on our ESET Remote Administrator. What is odd (to me) is that activity is showing up on systems that never so much as opened a web browser. ESET is terminating connections and deleting, but the logs are full of this over and over.

 

I've done some searching, but I do not know why systems continue to get reinfected, especially ones that are never logged on to or used for email or web browsing.

 

What is the next step with this? I am not sure if getting boot logs and such from these will do anything, since it's various systems doing it, so there has to be something that continues to infect them? Much help would be appreciated. Should we reach out to support?


In another recent posting on Win32/Kryptik, he had it on his server. From there it could spread to network devices. So I would concentrate on making sure your server is not infected with it.


  • Administrators

This is a good example of how disabling the LiveGrid feedback system can negatively affect cleaning capabilities. I've requested a suspicious file from the user's machine and recommended to enable submission of suspicious files. With that enabled, the suspicious file would have already been submitted through LiveGrid and a detection would have been added for proper recognition and cleaning.


To follow up, I ran Windows Update on the infected systems (and all the systems, afterwards) to bring everything up to date, and it appears to have resolved the reinfection issue. Thank you.

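The follow-up above resolved the reinfections by bringing every system up to date, which is the kind of outcome worth verifying across the fleet rather than host by host. The script below is an added example, not something posted in this thread or part of ESET's tooling: it asks each machine for its most recently installed hotfix and for the number of applicable updates the Windows Update Agent still reports as not installed, then lists the hosts that are behind. It assumes PowerShell remoting is enabled on the targets and the caller is a local administrator there; the host names are constructed placeholders.

```powershell
# Added example, not from the forum thread: patch-status report for a list of hosts,
# so machines that missed updating (and are candidates for reinfection) stand out.
# Assumes WinRM/PowerShell remoting is enabled and the caller has admin rights.

$Computers = @('WKSTN-01', 'WKSTN-02', 'FILESRV-01')   # constructed placeholder names

$Report = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    # Most recent installed hotfix, from the WMI-backed Get-HotFix cmdlet.
    # Some entries carry no InstalledOn date, so filter those out before sorting.
    $Latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # Ask the Windows Update Agent (COM) which applicable updates are still missing.
    $Session  = New-Object -ComObject Microsoft.Update.Session
    $Searcher = $Session.CreateUpdateSearcher()
    $Pending  = $Searcher.Search('IsInstalled=0 and IsHidden=0').Updates

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        LastHotFix     = $Latest.HotFixID
        LastHotFixDate = $Latest.InstalledOn
        PendingUpdates = $Pending.Count
        PendingTitles  = ($Pending | ForEach-Object { $_.Title }) -join '; '
    }
}

# Hosts with pending updates, or with no hotfix installed in the last 60 days,
# are the ones to look at first. Unreachable hosts surface as remoting errors above.
$Cutoff = (Get-Date).AddDays(-60)
$Report |
    Where-Object { $_.PendingUpdates -gt 0 -or -not $_.LastHotFixDate -or $_.LastHotFixDate -lt $Cutoff } |
    Sort-Object PendingUpdates -Descending |
    Format-Table Computer, LastHotFixDate, PendingUpdates, LastHotFix -AutoSize
```

The Windows Update Agent search only knows about updates the machine can see from its configured source (Microsoft Update or WSUS), so a host that cannot reach either will report zero pending updates; the hotfix date check catches that case, which is why both signals are combined.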
