Over the last two weeks a few users "contracted" some pieces of malware. Initially there was no specific detection but Mal/Generic-L, Sus/CFNBehav-A (see the link for details). Later it was HIPS/ProcInj-001 and HIPS/RegMod-014 alerts. Identities were created or updated (within hours) for various Troj/Agent-xxx, Troj/FakeAV-xxx and several others.
On Monday I had again two reports and looking at the computer details I found that there had been a few detections but no outstanding alerts. Inspecting the computers, the already known problems were found: executables in the users' Application Data folder started from HKCU\....\Windows\...\Run, mgrls32.exe located in the RECYCLER started from HKCU\...\Windows NT\...\Winlogon, executables with three-digit names and so on. Quite easy for a human (like me) to detect but no alerts even with paranoid scanning turned on.
Given that this junk is "visible" I wonder how it evades (generic) detection (and Windows' security BTW) - I think that for example something started from the RECYCLER should always be suspicious. But I'm sure Sophos is working on it.
Second thought: As obviously the "payload" consisted of several items and some of them had been detected and cleaned up I might have been alerted earlier (although it wouldn't have made much difference) without automatic cleanup and deny access only.
Christian
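A defender-side check for the indicators described in the post above, added here as an example (it is not code from the original post or from Sophos): it enumerates the HKCU Run and Winlogon autostart keys and flags values that point into Application Data, a RECYCLER folder, or a three-digit executable name. The key paths and match patterns are assumptions based on the post's wording.

```powershell
# Added example, not from the original post: enumerate the HKCU autostart
# locations the post names and flag entries matching its indicators.
# Registry paths and patterns are assumptions based on the post's description.
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Indicators drawn from the post: binaries under the user's Application Data
# (AppData on newer Windows), anything under a RECYCLER folder, and
# executables whose file name is just three digits.
$suspiciousPatterns = @{
    'Application Data'     = '\\(Application Data|AppData)\\'
    'RECYCLER'             = '\\RECYCLER\\'
    'Three-digit exe name' = '(^|\\)\d{3}\.exe\b'
}

function Test-AutostartEntry {
    param([string]$Name, [string]$Value)
    $hits = @()
    foreach ($label in $suspiciousPatterns.Keys) {
        # -match is case-insensitive by default, which suits Windows paths
        if ($Value -match $suspiciousPatterns[$label]) { $hits += $label }
    }
    if ($hits.Count -gt 0) {
        [pscustomobject]@{
            Entry      = $Name
            Value      = $Value
            Indicators = ($hits -join ', ')
        }
    }
}

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata Get-ItemProperty adds
        if ($p.Name -like 'PS*') { continue }
        if ($p.Value -is [string]) {
            Test-AutostartEntry -Name "$key\$($p.Name)" -Value $p.Value
        }
    }
}
```

Run it under the affected user's profile, since HKCU resolves to the currently logged-on user; entries it lists are candidates for closer inspection, not confirmed detections.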