Win32 / Patched.GP trojan appearing overninght on multiple nodes

[dsi-ap]

Hi all,
Need some advice.

Our weekly scan picked up hidden files infected by what ESET AV v4 reported as: Win32/Patched.GP trojan

The files vary in size from 68KB to 110KB or around that size..also file creation date is set too 1st August 2008 at 2PM. The file attributes on these infected files are set too 'RHSA'.
Also the file version displayed for the infected files is portrayed to be Notepad.
When checking notepad date creation date, it was 17th Feb 2007.

Not sure we can trust the creation date on these files when the all appears on ESET alerts this morning on 4 separate nodes 3 of which where folder-shares, the 4th location is..

After doing websearches on this trojan, alot of the top search results are from spyware sites?

Anyone able to offer some input on what could of happened here..
Was anew virus signature release able to pick this threat, after a file was dormant for so long or could it be possible for it to appear overnight on 4 nodes.

The later scenario of spreading through share's seem feasible but still does not explain the reason why these file trying to maskarade as a system exacutable like Notepad.exe

[dsi-ap]

To add to this, the file names created with a 1st august 2008 2PM creation date that have so far found are:
tgngg.pif, foekl.exe, aeclc.pif & ovgxe.exe

[3GUSER]

Could post a few full logs from a computer to show what exactly was located and where it is ?

Patched trojans are generally serious infections that infect legitimate files and replace them with malicious ones .

[danieln]

Quote:

Originally Posted by dsi-ap

tgngg.pif, foekl.exe, aeclc.pif & ovgxe.exe

I think there is a bug in the virus and sometimes it infects a copy of notepad.exe in the incorrect way, resulting in creating harmless non-working undetected junk files.
Status of corrupted files cannot be always accurately determined.
My colleague was able to create detection for the files you mentioned since in this case they are most probably created as a result of malware activity. The purpose of this detection is just to help the customers to identify the non-working junk files created by the malware.

[Marcos]

It is a copy of Notepad improperly infected by Sality virus which rendered it non-functional. We've seen it created by various legit processes, including a signed avguard.exe. Could you post the relevant records from the threat log here?

[kian]

Please help, i've also encountered a variant of Win32/Patched.GP trojan

i was scanning my USB & ESET found this as a threat:

G:\tieygq.pif - a variant of Win32/Patched.GP trojan

should i be worried?.. it says error while deleting, though i'm not sure if it has infected my pc.

is there anything i can do with this? any advice?.. Thanks.

[toxinon12345]

Quote:

Originally Posted by kian

i was scanning my USB it says error while deleting

USB is write protected?

Have you tried deleting such file manually using Windows Explorer?

Or from a Cmd the following command
del /F G:\tieygq.pif

[dsi-ap]

Quote:

Originally Posted by Marcos

It is a copy of Notepad improperly infected by Sality virus which rendered it non-functional. We've seen it created by various legit processes, including a signed avguard.exe. Could you post the relevant records from the threat log here?

danieln/Marcos,

Here are some logs from one of the servers with best logs results.
If there is any further info you need let me know.

Thanks

Code:

13/01/2011 09:46:30	D:\Boot sector;D:\	58817	1	0	Completed
13/01/2011 09:45:50	D:\share1\foekl.exe	1	1	0	Completed
13/01/2011 09:42:33	D:\share1\foekl.exe	1	1	0	Completed
12/01/2011 23:00:57	A:\Boot sector;E:\Boot sector;A:\;E:\;C:\Boot sector;D:\Boot sector;C:\;D:\;A:\Boot sector;C:\Boot sector;D:\Boot sector;E:\Boot 

sector	180293	1	1	Completed

----

Column Name	Value
Scan Id	Scan 1292
Client Name	server1
Computer Name	server1
MAC Address	0014cc1baa22
Primary Server	ESET-RAC
Date Received	2011-01-13 09:51:33
Date Occurred	2011-01-13 09:45:50
Scanned Targets	D:\share1\foekl.exe
Scanned	1
Infected	1
Cleaned	0
Status	Completed
User	domain\admin1
Type	Local user via context menu
Scanner	On-demand scanner
Details	Ready
-----------
Column Name	Value
Scan Id	Scan 1291
Client Name	server1
Computer Name	server1
MAC Address	0014cc1baa22
Primary Server	ESET-RAC
Date Received	2011-01-13 09:46:33
Date Occurred	2011-01-13 09:42:33
Scanned Targets	D:\share1\foekl.exe
Scanned	1
Infected	1
Cleaned	0
Status	Completed
User	domain\admin1
Type	Local user via context menu
Scanner	On-demand scanner
Details	Ready
---------
Column Name	Value
Scan Id	Scan 1290
Client Name	server1
Computer Name	server1
MAC Address	0014cc1baa22
Primary Server	ESET-RAC
Date Received	2011-01-13 09:46:33
Date Occurred	2011-01-12 23:00:57
Scanned Targets	A:\Boot sector;E:\Boot sector;A:\;E:\;C:\Boot sector;D:\Boot sector;C:\;D:\;A:\Boot sector;C:\Boot sector;D:\Boot sector;E:\Boot sector
Scanned	180293
Infected	1
Cleaned	1
Status	Completed
User	
Type	Locally scheduled
Scanner	On-demand scanner
Details	Ready

In the event logs for that server and others i saw nothing obvious relating to the date this was detected as viral activity as well.