This infection is detected by Sophos under various names and, according to the logs, comes in different flavours:
* Sus/Tiotua-A (reinfects the PC and is located in system32\csrcs.exe, but also on flash drives as [random filename].exe)
aka
* Mal/Tiotua-A (csrcs.exe)
On these infected PCs I have more detections of other malware:
* Mal/Bredavi-A (no path and filename)
* Troj/Taterf-D (no path and filename)
* Mal/AutoInf-A (no path and filename)
* Mal/AutoInf-B (no path and filename)
* Sus/NullAtEP-A (C:\Windows\system32\SETAE.tmp)
* HIPS/RegMod-001 (C:\Windows\system32\csrcs.exe)
* HIPS/RegMod-002 (C:\Windows\system32\csrcs.exe)
* HIPS/RegMod-009 (C:\Windows\system32\csrcs.exe)
* HIPS/RegMod-014 (C:\Windows\system32\csrcs.exe)
The problem I have is that this has been an ongoing problem for about 4 weeks on about 30 PCs in one particular school only. Again: as the Sophos Console v3.1 doesn't show filenames and paths for most malware, it makes analyzing the threat level and infection grade difficult. Actually I was hoping that every next day would bring updated IDEs with enhanced cleanup routines, but I've been waiting basically 4 weeks now. I'm about to have those machines reimaged, but I wonder if anybody else has come across this malware and if Sophos needs samples.
My policy for these infected PCs is:
* detect and block suspicious behaviour
* cleanup (and if not possible, delete the virus)
* delete suspicious files
* Scheduled Scan once a day
Thanks in advance.
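Since the console in the post does not show paths for most of the detections, a small per-host triage script is the quickest way to see how many of the 30 PCs actually carry the indicators the post does name (csrcs.exe in system32, a randomly named .exe on flash drives) and to collect hashes for the samples Sophos might want. The following PowerShell is an added example, not code from the original post or from Sophos. The system32 path and the flash-drive .exe come from the post; the autorun.inf check and the HKLM/HKCU Run-key check are assumptions (the post only reports HIPS/RegMod detections on csrcs.exe and never names the registry key).

```powershell
# Added triage script (not from the original post or from Sophos). Run as an
# administrator on each suspect PC. Labelled assumptions:
#   - csrcs.exe in %SystemRoot%\system32 is the file the post names (from the post)
#   - infected flash drives carry a randomly named .exe at the root (from the post);
#     an accompanying autorun.inf is an ASSUMPTION
#   - persistence via the HKLM/HKCU Run keys is an ASSUMPTION: the post only shows
#     HIPS/RegMod detections on csrcs.exe and does not name the registry key.
# Note: the legitimate Windows binary is csrss.exe; "csrcs.exe" is not a Windows file.

function Get-Sha256Hex([string]$Path) {
    # Version-agnostic hash so this also works where Get-FileHash (PS 4+) is missing.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Indicator, [string]$Detail) {
    [void]$findings.Add([pscustomobject]@{ Host = $env:COMPUTERNAME; Indicator = $Indicator; Detail = $Detail })
}

# 1. Dropped file in system32 (path taken from the post)
$csrcs = Join-Path $env:SystemRoot 'system32\csrcs.exe'
if (Test-Path -LiteralPath $csrcs) {
    $item = Get-Item -LiteralPath $csrcs -Force
    Add-Finding 'csrcs.exe on disk' ("{0} size={1} attrs={2} sha256={3}" -f $csrcs, $item.Length, $item.Attributes, (Get-Sha256Hex $csrcs))
}

# 2. Live process with that name
Get-Process -Name csrcs -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'csrcs.exe process' ("PID {0} path={1}" -f $_.Id, $_.Path)
}

# 3. Run-key values that launch csrcs.exe (ASSUMED persistence location)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'csrcs\.exe') {
            Add-Finding 'Run key references csrcs.exe' ("{0}\{1} = {2}" -f $key, $p.Name, $p.Value)
        }
    }
}

# 4. Removable drives (DriveType 2): autorun.inf and executables at the root
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root    = $_.DeviceID + '\'
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        # Keep only the directives that launch something; that is where the dropper name appears.
        $lines = Get-Content -LiteralPath $autorun -ErrorAction SilentlyContinue |
                 Where-Object { $_ -match '^(open|shellexecute|shell\\.*\\command)\s*=' }
        Add-Finding 'autorun.inf on removable drive' ("{0}: {1}" -f $autorun, ($lines -join ' | '))
    }
    Get-ChildItem -LiteralPath $root -Filter '*.exe' -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'exe at root of removable drive' ("{0} size={1} sha256={2}" -f $_.FullName, $_.Length, (Get-Sha256Hex $_.FullName))
    }
}

if ($findings.Count -eq 0) { "{0}: no csrcs.exe indicators found" -f $env:COMPUTERNAME }
else { $findings | Format-Table -AutoSize }
```

If PowerShell remoting is enabled on the school PCs (an assumption), the same script can be pushed to all 30 hosts at once with `Invoke-Command -ComputerName <list> -FilePath .\csrcs-triage.ps1`, and the SHA-256 column then shows whether every machine carries the same dropper or several variants, which is exactly what a vendor asks for before accepting samples. Any hit under the Run-key or autorun.inf checks should be read as "worth a look", not as confirmation, since those two locations are assumptions rather than something the post established.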