
Mal/Generic-L, Sus/CFNBehav-A and sdra64.exe

I've seen several Mal/Generic-L detections reported lately. As they are infrequent and are dealt with by Sophos one way or the other, I didn't think much about them. Today one was detected on a co-worker's machine right across the hall. Since the quarantine was empty (probably because of scan-on-write), I changed cleaning to "move", obtained the sample and sent it to Sophos. We first suspected something from a website (using Firefox), but as there were more detections (several minutes to more than half an hour apart), also when Firefox was closed, I started a scan (with HIPS scanning enabled). This time something turned up: sdra64.exe in the system32 directory, detected (in the rootkit scan phase) as Sus/CFNBehav-A.

I've sent in this one too and am waiting for the results.

Christian



  • We've experienced something similar here. It was travelling around by USB, and we believe it had been picked up at a twinned school as part of the 6th form - students crossing between sites. From memory it was the same 3 HIPS references you made initially (RegMod-001 + 014 + ProcInj-001) that were detected. After submitting some samples, Troj/Frethog-P was then released for detection, quickly followed by variants R and T.

    It was affecting the user settings, whereby the user couldn't change settings to show hidden files etc. The option was there to select it, but by the time all had been okayed, it had kicked in and prevented viewing hidden files again. In all honesty, MalwareBytes Anti-Malware did a good job of cleaning all the fragments (but at that point we were unable to submit the files to Sophos - so MBAM was an added bonus).

    We changed from alert only for suspicious behaviour etc. to block, and also changed settings to disable autorun, which was all run of the mill - though we haven't seen any further instances of infection since making these changes, BUT we have seen plenty of detections. So all in all, a quick resolution and an IDE within 24 hours, and the promise of a more family-orientated IDE to follow. I believe that it overlapped with Mal/Generic-L.

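An added example (not code from either poster or from Sophos): a PowerShell audit for the three things the reply describes, assuming the standard Windows registry locations for the Explorer "show hidden files" preference and the AutoRun policy, and the system32\sdra64.exe path named in the first post. The watch function re-reads the hidden-files value for a short period to catch it being flipped back, as the reply reports.

```powershell
# Added defender-side audit; registry paths are standard Windows locations (assumption:
# default Explorer/Policies keys, not a Sophos or MBAM API).

function Test-HiddenFilesSetting {
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hidden = (Get-ItemProperty -Path $adv -Name Hidden -ErrorAction SilentlyContinue).Hidden
    # Hidden = 1 means "Show hidden files and folders"; 2 means "Do not show"
    [pscustomobject]@{ Check = 'ShowHiddenFiles'; Value = $hidden; Ok = ($hidden -eq 1) }
}

function Test-AutorunPolicy {
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    # 0xFF disables AutoRun for every drive type, which is what "disable autorun" should look like
    [pscustomobject]@{ Check = 'NoDriveTypeAutoRun'; Value = $val; Ok = ($val -eq 0xFF) }
}

function Test-Sdra64Absent {
    # File name and location come from the first post in this thread
    $path = Join-Path $env:SystemRoot 'system32\sdra64.exe'
    $exists = Test-Path -LiteralPath $path
    [pscustomobject]@{ Check = 'sdra64.exe absent'; Value = $path; Ok = (-not $exists) }
}

function Watch-HiddenFilesSetting {
    # Poll the preference and report if something changes it back, as the reply describes
    param([int]$Seconds = 60, [int]$IntervalSeconds = 5)
    $deadline = (Get-Date).AddSeconds($Seconds)
    $last = (Test-HiddenFilesSetting).Value
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $IntervalSeconds
        $now = (Test-HiddenFilesSetting).Value
        if ($now -ne $last) {
            Write-Warning "Hidden changed from $last to $now at $(Get-Date -Format o)"
            $last = $now
        }
    }
}

$results = @(Test-HiddenFilesSetting; Test-AutorunPolicy; Test-Sdra64Absent)
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { Write-Warning 'One or more checks failed; review this host.' }
Watch-HiddenFilesSetting -Seconds 60 -IntervalSeconds 5
```

Run it in an elevated PowerShell on the affected workstation; a failed check or a warning from the watch loop is a reason to pull the host for a full scan rather than a conclusion on its own.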