Jump to content

Trojan.tr/patched.ren.gen was not detected by ESET Endpoint Security

Thomas Brockmann
 Share

Recommended Posts

Thomas Brockmann

Thomas Brockmann 0

Posted
Posted

Hi,

yesterday, we had some strange events on one of our notebooks.

The mouse moves by itself, emails delete themself from Outlook, etc.

ESET Endpoint Security is installed on the notebook.

So we make a scan and ESET says everything is fine.

Later i boot the notebook with a LINUX USB stick and made a scan with F-Secure. The F-Secure found Trojan.tr/patched.ren.gen in windows\SysWOW64.

Maybe a false/positiv, but for security reasons i use an image to install the OS new.

A false/positiv would not explain the strage events.

After the new Installation the notebook runs perfect.

Question is why the F-Secure found it and ESET not.

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,070

Posted
  • Administrators
Posted

In order to tell whether the file is actually malicious and subject to detection, please email it in an archive protected with the password "infected" to samples[at]eset.com or provide the SHA1 of the file at least.

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

Here's F-Secure's definition of the malware: https://www.f-secure.com/v-descs/trojan_w32_patched.shtml .

Since it was detected in a Windows directory, the file was probably locked by the OS preventing Eset access to it. The question is how could the malware get access to the file? Prior installation of a user mode rootkit?

Edited by itman
Link to comment
Share on other sites
safety

safety 8

Posted
Posted (edited)

an example of such infections ( \ WINDOWS \ SYSTEM32 \ RPCSS.DLL):

https://www.virustotal.com/gui/file/6ce495e7665f81d15c50efafc6bb7710bed1fcfcff6e075e8473f14ef6060e62/detection

The uVS functionality made it possible to quickly collect modified files in quarantine to be sent to the virlabs of ESET, DrWeb, Kaspersky. A few days later, the first detection appeared: first from ESET / Win32 / Patched.IB /, then from LC / Trojan.Win32.Patched.pj /, then from DrWeb / Trojan.Starter.2229 / However, there is currently no correct treatment of the modified rpcss.dll with antivirus utilities from the active system. only replacing the infected file with a clean one

treated with a script from uVS: 

zoo %Sys32%\RPCSS.DLL
EXEC cmd /c "rename %sys32%\rpcss.dll rpcss.dll.old"
EXEC cmd /c "rename %sys32%\dllcache\rpcss.dll rpcss.dll.old"
EXEC cmd /c "copy rpcss.dll %sys32%\rpcss.dll"
EXEC cmd /c "copy rpcss.dll %sys32%\dllcache\rpcss.dll" 
czoo
restart

 

Edited by safety
Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...