Posted

Hi,

Yesterday, we had some strange events on one of our notebooks.

The mouse moves by itself, emails delete themselves from Outlook, etc.

ESET Endpoint Security is installed on the notebook.

So we ran a scan and ESET said everything was fine.

Later I booted the notebook with a Linux USB stick and ran a scan with F-Secure. F-Secure found Trojan.tr/patched.ren.gen in windows\SysWOW64.

Maybe a false positive, but for security reasons I used an image to reinstall the OS.

A false positive would not explain the strange events.

After the new installation the notebook runs perfectly.

The question is why F-Secure found it and ESET did not.

  • Administrators
Posted

In order to tell whether the file is actually malicious and subject to detection, please email it in an archive protected with the password "infected" to samples[at]eset.com or provide the SHA1 of the file at least.

Posted (edited)

Here's F-Secure's definition of the malware: https://www.f-secure.com/v-descs/trojan_w32_patched.shtml

Since it was detected in a Windows directory, the file was probably locked by the OS, preventing ESET from accessing it. The question is how could the malware get access to the file? Prior installation of a user mode rootkit?

Edited by itman
Posted (edited)

An example of such infections (\WINDOWS\SYSTEM32\RPCSS.DLL):

https://www.virustotal.com/gui/file/6ce495e7665f81d15c50efafc6bb7710bed1fcfcff6e075e8473f14ef6060e62/detection

The uVS functionality made it possible to quickly collect modified files in quarantine to be sent to the virlabs of ESET, DrWeb and Kaspersky. A few days later, the first detection appeared: first from ESET (Win32/Patched.IB), then from LC (Trojan.Win32.Patched.pj), then from DrWeb (Trojan.Starter.2229). However, there is currently no correct treatment of the modified rpcss.dll with antivirus utilities from the active system, only replacing the infected file with a clean one.

Treated with a script from uVS:

zoo %Sys32%\RPCSS.DLL
EXEC cmd /c "rename %sys32%\rpcss.dll rpcss.dll.old"
EXEC cmd /c "rename %sys32%\dllcache\rpcss.dll rpcss.dll.old"
EXEC cmd /c "copy rpcss.dll %sys32%\rpcss.dll"
EXEC cmd /c "copy rpcss.dll %sys32%\dllcache\rpcss.dll" 
czoo
restart

Edited by safety
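Marcos asks for the file's SHA1, and safety's post shows that a patched system DLL such as rpcss.dll is only cured by restoring a clean copy. The PowerShell script below is an added example (not part of this thread and not an ESET or uVS tool) that a defender can run on a suspect machine to list DLLs in System32 and SysWOW64 whose Authenticode signature is missing or no longer matches the file contents, together with each file's SHA1 for submission. The directory list, the report path and the test against the 'Valid' status are this example's own assumptions; Get-AuthenticodeSignature and Get-FileHash are standard Windows PowerShell cmdlets.

```powershell
# Added example, not from the thread: list system DLLs whose Authenticode
# signature is missing or does not match the file bytes. A file modified on
# disk (the rpcss.dll case above) typically reports Status 'HashMismatch'.
param(
    # Assumed defaults; pass offline paths (e.g. D:\Windows\System32) when the
    # disk is mounted from a rescue environment, which also avoids locked files.
    [string[]]$Directories = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"),
    [string]$ReportPath = "$env:TEMP\dll-signature-report.csv"
)

$results = foreach ($dir in $Directories) {
    if (-not (Test-Path -Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.dll -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Status    = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA1      = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash  # for sample submission
            LastWrite = $_.LastWriteTimeUtc               # a recent timestamp on a core DLL is a clue
        }
    }
}

# Anything other than 'Valid' deserves a look; HashMismatch is the strongest signal.
$suspect = @($results | Where-Object { $_.Status -ne 'Valid' })
$suspect | Sort-Object Status, Path | Format-Table -AutoSize
$results | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($suspect.Count) of $($results.Count) DLLs did not validate; full report: $ReportPath"
```

On Windows 8 and later the cmdlet also honours catalog signatures, so intact system files should report Valid; on older systems many legitimate DLLs report NotSigned, which is why HashMismatch, not NotSigned, is the signal to act on. Confirm a hit with `sfc /verifyonly` or by comparing the SHA1 against the same file on a known-clean machine, and then restore the file from a clean source as the uVS script above does.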
This topic is now closed to further replies.