Win32 / Patched.GP trojan appearing overninght on multiple nodes

Discussion in 'ESET NOD32 Antivirus' started by dsi-ap, Jan 13, 2011.

Thread Status:
Not open for further replies.
  1. dsi-ap

    dsi-ap Registered Member

    Joined:
    Jul 4, 2005
    Posts:
    118
    Location:
    UK
    Hi all,
    Need some advice.

    Our weekly scan picked up hidden files infected by what ESET AV v4 reported as: Win32/Patched.GP trojan

    The files vary in size from 68KB to 110KB or around that size..also file creation date is set too 1st August 2008 at 2PM. The file attributes on these infected files are set too 'RHSA'.
    Also the file version displayed for the infected files is portrayed to be Notepad.
    When checking notepad date creation date, it was 17th Feb 2007.

    Not sure we can trust the creation date on these files when the all appears on ESET alerts this morning on 4 separate nodes 3 of which where folder-shares, the 4th location is..

    After doing websearches on this trojan, alot of the top search results are from spyware sites?

    Anyone able to offer some input on what could of happened here..
    Was anew virus signature release able to pick this threat, after a file was dormant for so long or could it be possible for it to appear overnight on 4 nodes.

    The later scenario of spreading through share's seem feasible but still does not explain the reason why these file trying to maskarade as a system exacutable like Notepad.exe
     
  2. dsi-ap

    dsi-ap Registered Member

    Joined:
    Jul 4, 2005
    Posts:
    118
    Location:
    UK
    To add to this, the file names created with a 1st august 2008 2PM creation date that have so far found are:
    tgngg.pif, foekl.exe, aeclc.pif & ovgxe.exe
     
  3. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Could post a few full logs from a computer to show what exactly was located and where it is ?

    Patched trojans are generally serious infections that infect legitimate files and replace them with malicious ones .
     
  4. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    I think there is a bug in the virus and sometimes it infects a copy of notepad.exe in the incorrect way, resulting in creating harmless non-working undetected junk files.
    Status of corrupted files cannot be always accurately determined.
    My colleague was able to create detection for the files you mentioned since in this case they are most probably created as a result of malware activity. The purpose of this detection is just to help the customers to identify the non-working junk files created by the malware.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It is a copy of Notepad improperly infected by Sality virus which rendered it non-functional. We've seen it created by various legit processes, including a signed avguard.exe. Could you post the relevant records from the threat log here?
     
  6. kian

    kian Registered Member

    Joined:
    Jan 17, 2011
    Posts:
    1
    Please help, i've also encountered a variant of Win32/Patched.GP trojan

    i was scanning my USB & ESET found this as a threat:

    G:\tieygq.pif - a variant of Win32/Patched.GP trojan

    should i be worried?.. it says error while deleting, though i'm not sure if it has infected my pc.

    is there anything i can do with this? any advice?.. Thanks.
     
  7. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    USB is write protected?

    Have you tried deleting such file manually using Windows Explorer?

    Or from a Cmd the following command
    del /F G:\tieygq.pif
     
  8. dsi-ap

    dsi-ap Registered Member

    Joined:
    Jul 4, 2005
    Posts:
    118
    Location:
    UK
    danieln/Marcos,

    Here are some logs from one of the servers with best logs results.
    If there is any further info you need let me know.

    Thanks

    Code:
    13/01/2011 09:46:30	D:\Boot sector;D:\	58817	1	0	Completed
    13/01/2011 09:45:50	D:\share1\foekl.exe	1	1	0	Completed
    13/01/2011 09:42:33	D:\share1\foekl.exe	1	1	0	Completed
    12/01/2011 23:00:57	A:\Boot sector;E:\Boot sector;A:\;E:\;C:\Boot sector;D:\Boot sector;C:\;D:\;A:\Boot sector;C:\Boot sector;D:\Boot sector;E:\Boot 
    
    sector	180293	1	1	Completed
    
    ----
    
    Column Name	Value
    Scan Id	Scan 1292
    Client Name	server1
    Computer Name	server1
    MAC Address	0014cc1baa22
    Primary Server	ESET-RAC
    Date Received	2011-01-13 09:51:33
    Date Occurred	2011-01-13 09:45:50
    Scanned Targets	D:\share1\foekl.exe
    Scanned	1
    Infected	1
    Cleaned	0
    Status	Completed
    User	domain\admin1
    Type	Local user via context menu
    Scanner	On-demand scanner
    Details	Ready
    -----------
    Column Name	Value
    Scan Id	Scan 1291
    Client Name	server1
    Computer Name	server1
    MAC Address	0014cc1baa22
    Primary Server	ESET-RAC
    Date Received	2011-01-13 09:46:33
    Date Occurred	2011-01-13 09:42:33
    Scanned Targets	D:\share1\foekl.exe
    Scanned	1
    Infected	1
    Cleaned	0
    Status	Completed
    User	domain\admin1
    Type	Local user via context menu
    Scanner	On-demand scanner
    Details	Ready
    ---------
    Column Name	Value
    Scan Id	Scan 1290
    Client Name	server1
    Computer Name	server1
    MAC Address	0014cc1baa22
    Primary Server	ESET-RAC
    Date Received	2011-01-13 09:46:33
    Date Occurred	2011-01-12 23:00:57
    Scanned Targets	A:\Boot sector;E:\Boot sector;A:\;E:\;C:\Boot sector;D:\Boot sector;C:\;D:\;A:\Boot sector;C:\Boot sector;D:\Boot sector;E:\Boot sector
    Scanned	180293
    Infected	1
    Cleaned	1
    Status	Completed
    User	
    Type	Locally scheduled
    Scanner	On-demand scanner
    Details	Ready
    
    In the event logs for that server and others i saw nothing obvious relating to the date this was detected as viral activity as well.
     
    Last edited: Jan 20, 2011
Thread Status:
Not open for further replies.