A real Virus warning - not messing about...

The virus will try to connect on 443 to online-upd.at (87.117.205.62) to obtain mutations. It is advisable to block/blacklist this as an extra precaution.
 
You only need one rogue PC which is behind the curve on AV updates (and a dumb user) and it can get in. Trouble is if that one PC has access to a share it will change files for malicious shortcuts. Assuming all other PCs are up-to-date, they will now start throwing virus alerts when users try to access their files. Cue lots of calls to the help desk and a repair job on the file share.
 

All our machines were up to date. In this case it was Symantec who was behind the curve on updates. We have pretty good spam protection, but of course you can't stop them all. We have plenty of dumb users...

But I suppose someone has to get it first...

Their rapid release highlighted thumbs and the variants, but the release as of this morning is now picking up the Shylock trojan. It seems that Shylock might be distributing the thumbs.db2 file. I'm guessing of course; it just seems like quite the coincidence.
 
This thread has much more detail:

https://community.mcafee.com/thread/47666?start=0&tstart=0

We appear to be over the worst. The AV blocking did the trick. We're currently updating all AV clients to the newer version, but still keeping a close eye on the AV reports and web access logs, just in case.
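Added example, not code from anyone in this thread: a small Python checker that runs the indicator from the first post (online-upd.at / 87.117.205.62 on 443) over proxy access log lines, the kind of web access log review the post above mentions. The log lines below are constructed for the example in a Squid-style layout; the log format, field positions and helper names are assumptions, not anything posted here. It matches on host name, on the IP used directly as a host, and on the upstream peer IP, and it reports per client so the "one rogue PC" can be found.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Indicator quoted in the thread: C2 contacted on 443 to fetch mutations.
C2_HOSTS = {"online-upd.at"}
C2_IPS = {ipaddress.ip_address("87.117.205.62")}
C2_PORT = 443

# Constructed sample lines (assumed Squid-style access.log layout):
# ts elapsed client action/status bytes method url user hier/peer type
SAMPLE_LOG = """\
1330000001.123    45 10.0.0.15 TCP_TUNNEL/200 1234 CONNECT online-upd.at:443 - HIER_DIRECT/87.117.205.62 -
1330000002.456    12 10.0.0.22 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1330000003.789    30 10.0.0.15 TCP_TUNNEL/200 2048 CONNECT 87.117.205.62:443 - HIER_DIRECT/87.117.205.62 -
1330000004.012    20 10.0.0.31 TCP_MISS/200 800 GET http://online-upd.at/update.php - HIER_DIRECT/87.117.205.62 text/plain
1330000005.345    10 10.0.0.40 TCP_HIT/200 300 GET http://intranet/home - NONE/- text/html
"""


def parse_line(line):
    """Split one access log line into the fields the check needs.

    Returns None for lines that do not have the assumed nine columns.
    """
    fields = line.split()
    if len(fields) < 9:
        return None
    method, url, peer = fields[5], fields[6], fields[8]
    if method == "CONNECT":
        # CONNECT requests carry "host:port" rather than a full URL.
        host, _, port = url.rpartition(":")
        port = int(port) if port.isdigit() else None
    else:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port or (443 if parts.scheme == "https" else 80)
    # "HIER_DIRECT/1.2.3.4" -> "1.2.3.4"; "NONE/-" -> "-"
    peer_ip = peer.split("/", 1)[1] if "/" in peer else "-"
    return {"client": fields[2], "method": method, "host": host,
            "port": port, "peer_ip": peer_ip}


def _is_c2_ip(value):
    try:
        return value is not None and ipaddress.ip_address(value) in C2_IPS
    except ValueError:
        return False


def is_c2_hit(rec):
    """True if the request went to the C2 by name or by IP on any port.

    The thread says 443, but the port is deliberately not required here so
    that a variant moving to another port still shows up; the port is kept
    in the record for reporting.
    """
    if rec is None:
        return False
    host = (rec["host"] or "").lower().rstrip(".")
    if host in C2_HOSTS:
        return True
    return _is_c2_ip(rec["host"]) or _is_c2_ip(rec["peer_ip"])


def find_c2_clients(log_text):
    """Return a Counter of client IP -> number of C2 contacts seen."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_c2_hit(rec):
            hits[rec["client"]] += 1
    return hits


if __name__ == "__main__":
    for client, count in find_c2_clients(SAMPLE_LOG).most_common():
        print(f"{client}: {count} C2 contact(s)")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; any client that appears in the output is a candidate for the behind-the-curve PC and should be pulled off the share until it has been cleaned.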

If anyone gets stuck with this, send me an email and I'll offer some advice first hand.
 
The AV finally squashed it. I had to do a deep level scan on our terminal servers and manually remove some string entries in the common load points, as our SEP power remover tool couldn't detect it.

All good now.
 
Far from 0day.

Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability (CVE-2011-3544): Patched by Oracle in October 2011.
Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507): Patched by Oracle in February 2012.

Why doesn't anyone take patching seriously? :(

 
Maybe if Java Patches weren't so obtrusive and disruptive, Patch Adoption wouldn't be such an issue :(
 
Java doesn't even get on my machines these days. Anything that requires it for installation ... doesn't get installed.

I note Oracle have finally got off their backsides and provided a patch today though.
 

This is the problem. They should silently update.

Adobe Flash/Reader and Java are the main security holes on machines these days.
 