Thomas Brockmann 0 Posted December 10, 2021

Hi, yesterday we had some strange events on one of our notebooks. The mouse moves by itself, emails delete themselves from Outlook, etc. ESET Endpoint Security is installed on the notebook. So we ran a scan and ESET says everything is fine. Later I booted the notebook with a Linux USB stick and made a scan with F-Secure. F-Secure found Trojan.tr/patched.ren.gen in windows\SysWOW64. Maybe a false positive, but for security reasons I used an image to install the OS fresh. A false positive would not explain the strange events. After the new installation the notebook runs perfectly. The question is why F-Secure found it and ESET did not.
Administrators Marcos 5,453 Posted December 10, 2021

In order to tell whether the file is actually malicious and subject to detection, please email it in an archive protected with the password "infected" to samples[at]eset.com or provide the SHA1 of the file at least.
itman 1,802 Posted December 10, 2021 (edited)

Here's F-Secure's definition of the malware: https://www.f-secure.com/v-descs/trojan_w32_patched.shtml . Since it was detected in a Windows directory, the file was probably locked by the OS, preventing ESET from accessing it. The question is how the malware could get access to the file. Prior installation of a user-mode rootkit?

Edited December 10, 2021 by itman
safety 8 Posted December 11, 2021 (edited)

An example of such infections (\WINDOWS\SYSTEM32\RPCSS.DLL): https://www.virustotal.com/gui/file/6ce495e7665f81d15c50efafc6bb7710bed1fcfcff6e075e8473f14ef6060e62/detection

The uVS functionality made it possible to quickly collect the modified files in quarantine to be sent to the virus labs of ESET, DrWeb and Kaspersky. A few days later the first detection appeared: first from ESET (Win32/Patched.IB), then from LC (Trojan.Win32.Patched.pj), then from DrWeb (Trojan.Starter.2229).

However, there is currently no correct treatment of the modified rpcss.dll with antivirus utilities from the active system; only replacing the infected file with a clean one, done with a script from uVS:

zoo %Sys32%\RPCSS.DLL
EXEC cmd /c "rename %sys32%\rpcss.dll rpcss.dll.old"
EXEC cmd /c "rename %sys32%\dllcache\rpcss.dll rpcss.dll.old"
EXEC cmd /c "copy rpcss.dll %sys32%\rpcss.dll"
EXEC cmd /c "copy rpcss.dll %sys32%\dllcache\rpcss.dll"
czoo
restart

Edited December 11, 2021 by safety
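Before a suspect system file is sent to a vendor lab or replaced, it helps to record its hashes and its Authenticode status, because a Microsoft binary that was patched in place no longer matches the hash in its signature. The following PowerShell is an added example and not code from any participant in this thread, from uVS or from ESET. It assumes an elevated PowerShell 5.1 or later session on the affected Windows machine; the file list, the function name Get-SystemFileTriage and the use of 7-Zip (7z.exe on PATH) for the password-protected archive are assumptions.

```powershell
# Added example (not from any post in this thread): triage a suspected patched system DLL
# before sending it to a vendor lab. Assumes an elevated PowerShell 5.1+ session on the
# affected Windows system; the file list below is a constructed sample.

function Get-SystemFileTriage {
    param(
        [Parameter(Mandatory)] [string[]] $Path
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{
                Path = $p; Exists = $false; SHA1 = $null; SHA256 = $null
                SignatureStatus = 'n/a'; Signer = $null; Suspicious = $false
            }
            continue
        }
        # SHA1 is what the ESET lab asks for; SHA256 is what VirusTotal indexes by.
        $sha1   = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash
        $sha256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        # A Microsoft binary modified after signing typically reports 'HashMismatch';
        # 'NotSigned' or 'NotTrusted' on an OS file also deserves a second look.
        $status     = $sig.Status.ToString()
        $suspicious = $status -in @('HashMismatch', 'NotSigned', 'NotTrusted')
        [pscustomobject]@{
            Path            = $p
            Exists          = $true
            SHA1            = $sha1
            SHA256          = $sha256
            SignatureStatus = $status
            Signer          = $sig.SignerCertificate.Subject
            Suspicious      = $suspicious
        }
    }
}

# Constructed sample: the two rpcss.dll locations named in this thread.
$targets = @(
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\SysWOW64\rpcss.dll"
)

$report = Get-SystemFileTriage -Path $targets
$report | Format-Table -AutoSize

# Package flagged files the way the lab asks for them: an archive with the password
# "infected". Compress-Archive cannot set a password, so 7-Zip is used if available
# (assumption: 7z.exe is on PATH); the hashes are printed either way.
$flagged = @($report | Where-Object Suspicious)
if ($flagged.Count -gt 0 -and (Get-Command 7z -ErrorAction SilentlyContinue)) {
    $dest = Join-Path $env:TEMP 'suspect_samples.zip'
    & 7z a -pinfected $dest @($flagged.Path)
    Write-Host "Archive written to $dest"
}
$flagged | ForEach-Object { "SHA1 to report: $($_.SHA1)  ($($_.Path))" }
```

Two caveats when reading the output. On Windows 8 and later Get-AuthenticodeSignature also consults the system signing catalogs, so an unmodified Microsoft DLL should report Valid even without an embedded signature; on older systems many OS files show NotSigned for that reason alone, and `sfc /verifyonly` remains the authoritative integrity check. Also, the `dllcache` directory in the uVS script above belongs to Windows File Protection on XP/2003; on Vista and later the protected copies live under WinSxS, which is why a replacement from a clean source followed by a reboot, rather than a scan from the running system, is what actually removes a patched rpcss.dll.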