Successful Response (Alert Level 5)

  • Question

  • I just received the following alert from one of the PCs on my network

    Description: Client Security has detected and successfully responded to the following threat:
    - Threat name: Trojan:Win32/Meredrop
    - Performed action: Quarantine

    I immediately connected to the PC with pslist to see the list of processes running on it and found 3 weird programs

    12170.exe
    16317.exe
    642.exe

    Also found an entry in the run key of the user pointing to one of these executables. They were all found in the following folder C:\DOCUME~1\(Removed)\LOCALS~1\Temp\

    I've used the Trend Micro online scanner to scan those files and it came back with the following

    Detected Malware
    Cryp_Xed-18

    I know I can submit this malware to Microsoft, but Forefront said "Client Security has detected and successfully responded to the following threat".

    So what should I do? Obviously it was not removed. I'm slowly losing faith in this product, as this is not the first time I've seen this sort of behaviour. Anyone else?

    The client is running Windows XP with the following Forefront version

    Virus Definitions Version
    1.57.907.0 (Virus Definitions built on 5/5/2009 8:58:57 PM)

    Spyware Definitions Version
    1.57.907.0 (Spyware Definitions built on 5/5/2009 8:58:57 PM)

    • Edited by Sysgen Wednesday, May 6, 2009 7:49 PM
    Wednesday, May 6, 2009 7:44 PM
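    The manual check described in the question (pslist for processes, then a look at the user's Run key) can be scripted so that it is repeatable on every host. The following is an added example, not code from the thread or from Forefront: it lists running processes whose image lives in a per-user Temp or browser-cache folder, and Run/RunOnce values whose data points into such a folder. It assumes PowerShell 3 or later for Get-CimInstance; on an XP-era host like the one in the thread, Get-WmiObject Win32_Process returns the same ExecutablePath property. The folder patterns are assumptions based on the paths shown in this thread, not a complete list.

```powershell
# Added example (not from the original thread): flag processes and autorun
# entries that point into per-user Temp or browser-cache folders, the pattern
# seen in the question (12170.exe etc. in LOCALS~1\Temp plus a Run key entry
# referencing one of them).
# Assumes PowerShell 3+ (Get-CimInstance). The patterns below are assumptions
# drawn from the paths in this thread; extend them for your environment.

$tempPatterns = @(
    '\\Local Settings\\Temp\\',          # XP-style per-user Temp (long form)
    '\\LOCALS~1\\Temp\\',                # same folder in 8.3 form, as in the report
    '\\AppData\\Local\\Temp\\',          # Vista and later per-user Temp
    '\\Temporary Internet Files\\'       # IE cache, where the dropper in the report ran from
)
$tempRegex = ($tempPatterns -join '|')   # -match is case-insensitive by default

function Get-SuspiciousProcess {
    # Processes whose executable lives in a Temp or browser-cache folder.
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -and $_.ExecutablePath -match $tempRegex } |
        Select-Object ProcessId, Name, ExecutablePath, CommandLine
}

function Get-SuspiciousRunEntry {
    # Run/RunOnce values (per-user and machine-wide) whose data points into Temp.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            if ("$($p.Value)" -match $tempRegex) {
                [pscustomobject]@{ Key = $key; ValueName = $p.Name; Data = $p.Value }
            }
        }
    }
}

"== Processes running from Temp/cache folders =="
Get-SuspiciousProcess | Format-Table -AutoSize
"== Autorun entries pointing into Temp/cache folders =="
Get-SuspiciousRunEntry | Format-Table -AutoSize
```

    Run it in an elevated session so that HKLM and other users' processes are visible. A hit in either list is not proof of infection (installers legitimately run from Temp), but an executable with a numeric name in Temp that is also referenced from a Run key, as in this thread, is worth quarantining and submitting even when the antimalware product reports a successful response for a different detection.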

Answers

  • Did we not detect those 3 files/processes at all?  If so, I'm guessing that we found 1 of several processes for malware that was on the system and, like you mentioned, we did not have detection for the others.  Zip the other ones up and submit them at http://www.microsoft.com/security/portal via the submit a virus sample button.  If you want a quicker response time on the files, just call in and open a case with Microsoft Support.  The case for submitting a new piece of malware is a free case and we can submit it at a higher priority and work with you to get this resolved.

    Thanks
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Wednesday, May 6, 2009 7:57 PM

All replies

  • Here is the report for that PC

    5/6/2009 3:16:24 PM

    Microsoft Forefront Client Security Real-Time Protection agent has taken action to protect this machine from spyware or other potentially unwanted software.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Meredrop&threatid=2147575279
    Scan ID: {89418674-ACCE-4D5F-B39D-F83EAD9CFFCE}
    User: (Removed)
    Name: Trojan:Win32/Meredrop
    ID: 2147575279
    Severity: Severe
    Category: Trojan
    Alert Type: Spyware or other potentially unwanted software
    Action: Quarantine

    5/6/2009 3:05:19 PM

    Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Meredrop&threatid=2147575279
    Scan ID: {5BBC0055-757D-4B14-80AF-44CF970A78F4}
    Agent: On Access
    User: (Removed)
    Name: Trojan:Win32/Meredrop
    ID: 2147575279
    Severity: Severe
    Category: Trojan
    Path Found: file:C:\Documents and Settings\(Removed)\Local Settings\Temporary Internet Files\Content.IE5\GPSFOJC3\item[1].gif
    Alert Type:
    Process Name: C:\Documents and Settings\(Removed)\Local Settings\Temporary Internet Files\Content.IE5\GPSFOJC3\softwarefortubeview.40009[1].exe
    Detection Type: Concrete
    Status: Suspend

    5/6/2009 3:05:19 PM

    Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Meredrop&threatid=2147575279
    Scan ID: {F43AA265-4474-4F26-A44E-4D4C35A1FF26}
    Agent: On Access
    User: (Removed)
    Name: Trojan:Win32/Meredrop
    ID: 2147575279
    Severity: Severe
    Category: Trojan
    Path Found: file:C:\DOCUME~1\(Removed)\LOCALS~1\Temp\13644.exe
    Alert Type:
    Process Name: C:\Documents and Settings\(Removed)\Local Settings\Temporary Internet Files\Content.IE5\GPSFOJC3\softwarefortubeview.40009[1].exe
    Detection Type: Concrete
    Status: Suspend

    Wednesday, May 6, 2009 7:47 PM
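    The report above contains the useful triage facts, but spread over three blocks: the two "detected changes" events show which process wrote which file and carry the verdict "Suspend", while only the later event carries "Action: Quarantine". The following is an added example, not code from the thread or from Forefront: a small parser that turns alert text with this field layout into objects and prints the process-to-file chain. The embedded sample is a constructed excerpt that keeps the field names and values shown in the report above; the parsing rules are assumptions based on that layout.

```powershell
# Added example (not from the original thread): parse Forefront Client Security
# alert text of the layout posted above into objects and summarise which process
# wrote which file and what verdict each event carried.
# The sample below is a constructed excerpt using the values from the report.

$report = @'
5/6/2009 3:16:24 PM

Microsoft Forefront Client Security Real-Time Protection agent has taken action to protect this machine from spyware or other potentially unwanted software.
Scan ID: {89418674-ACCE-4D5F-B39D-F83EAD9CFFCE}
Name: Trojan:Win32/Meredrop
Severity: Severe
Action: Quarantine

5/6/2009 3:05:19 PM

Microsoft Forefront Client Security Real-Time Protection agent has detected changes.
Scan ID: {5BBC0055-757D-4B14-80AF-44CF970A78F4}
Agent: On Access
Name: Trojan:Win32/Meredrop
Path Found: file:C:\Documents and Settings\(Removed)\Local Settings\Temporary Internet Files\Content.IE5\GPSFOJC3\item[1].gif
Process Name: C:\Documents and Settings\(Removed)\Local Settings\Temporary Internet Files\Content.IE5\GPSFOJC3\softwarefortubeview.40009[1].exe
Status: Suspend

5/6/2009 3:05:19 PM

Microsoft Forefront Client Security Real-Time Protection agent has detected changes.
Scan ID: {F43AA265-4474-4F26-A44E-4D4C35A1FF26}
Agent: On Access
Name: Trojan:Win32/Meredrop
Path Found: file:C:\DOCUME~1\(Removed)\LOCALS~1\Temp\13644.exe
Process Name: C:\Documents and Settings\(Removed)\Local Settings\Temporary Internet Files\Content.IE5\GPSFOJC3\softwarefortubeview.40009[1].exe
Status: Suspend
'@

function ConvertFrom-FcsReport {
    # Each event starts with a bare "M/d/yyyy h:mm:ss tt" line; the lines that
    # follow are "Key: Value" pairs until the next timestamp.
    param([string]$Text)
    $events  = @()
    $current = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} (AM|PM)$') {
            if ($current) { $events += [pscustomobject]$current }
            $current = [ordered]@{
                Time = [datetime]::ParseExact($line, 'M/d/yyyy h:mm:ss tt',
                                              [cultureinfo]::InvariantCulture)
            }
            continue
        }
        # Field lines: key made of letters/spaces, then a colon. The long
        # narrative line contains a hyphen before any colon, so it is skipped.
        if ($current -and $line -match '^([A-Za-z ]+):\s*(.*)$') {
            $key = $Matches[1] -replace ' ', ''           # "Path Found" -> PathFound
            $current[$key] = $Matches[2] -replace '^file:', ''
        }
    }
    if ($current) { $events += [pscustomobject]$current }
    return $events
}

$events = ConvertFrom-FcsReport -Text $report | Sort-Object Time

# On-access "Suspend" events record a write that was blocked, not a removal,
# so every PathFound below is a file to check for and submit by hand.
$events | Where-Object { $_.ProcessName } | Group-Object ProcessName | ForEach-Object {
    "Process: $($_.Name)"
    foreach ($e in $_.Group) {
        "  wrote $($e.PathFound)  [$($e.Name) / Status: $($e.Status)]"
    }
}
# Events that carry an Action are the ones the product actually acted on.
$events | Where-Object { $_.Action } | ForEach-Object {
    "Action taken at $($_.Time): $($_.Action) ($($_.Name))"
}
```

    Reading the output for this sample makes the gap visible: the quarantine applies to a single Trojan:Win32/Meredrop detection, while the two suspended writes came from softwarefortubeview.40009[1].exe in the IE cache and produced 13644.exe in Temp, a sibling of the three numeric executables the question found running. Anything a flagged process wrote, and the process image itself, should be collected and submitted regardless of the "successfully responded" wording.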
  • Sample submitted. Let's see what they find.

    To answer your question, no, as you can see in the report it did detect some process as malware, but these 3 processes were not detected at all.

    Thanks
    Stephane

    Wednesday, May 6, 2009 8:07 PM
  • They were viruses after all, just strange that it detected it as Trojan:Win32/Meredrop and the files I submitted were these

    Submitted Files

    =============================================

    +---12170.exe [TrojanDownloader:Win32/Renos.DZ]
    +---16317.exe [TrojanDownloader:Win32/Renos.DZ]
    +---642.exe [TrojanDropper:Win32/Divapad.A]

    Shouldn't the viruses contain our name, initials or something :)

    Thursday, May 7, 2009 2:23 PM