Just figured I’d pass on a nasty infection I’m cleaning up, in case anyone else sees the same type of hit, or has advice for cleanup.


User was infected by an e-mail – “Check Shipping Status / Tracking Information” type e-mail that is common. I don’t have a sample of the e-mail, user had already deleted it (and cleared deleted items). Machine is Win-7 64 SP1, fully patched, with fully up to date Java (7u21) and Flash (11…..169), installed. User has no admin privileges.


Only symptom is popups from Symantec Endpoint Protection’s Email protection service flagging and blocking outbound e-mails with similar titles – distributing itself, probably as part of a botnet. I immediately pulled it from the network when the user brought it to me, and have been scanning it offline, in safe mode. No hits from a Malwarebytes full scan, no hits yet on a Symantec full scan – we’ll see in the morning. HijackThis doesn’t show me anything unusual in startups/services. Nothing obvious in the system logs. At this point, I’m figuring this is a new exploit that isn’t detected yet by common definitions, the machine is owned and part of a botnet, so I’m reformatting and reimaging.


Nasty bit is that there would have been no detection of a problem until someone in the networking group came knocking on my door reporting an issue, or some other symptoms had manifested --- except that Symantec Email protection flagged/blocked some of the outgoing messages. Would have been a lot nicer if it stopped the infection or caught it in a scan, though…


Shaun Leininger
Information Technology Professional
Department of Anthropology
517-884-0388