Endpoint Protection


W97M.Downloader Security risk

  • 1.  W97M.Downloader Security risk

    Posted May 01, 2015 05:58 AM

    I'm getting email alerts telling me some of my SEP clients are infected with W97M.Downloader Security risk. Yesterday I logged on to one of the clients (Win 7) and ran a full scan - it came back with no threats found. I left it overnight in case the threat had been removed and SEPM was just being slow to update, but I've been bombarded with more emails overnight.

    What's happening that SEPM can identify it but the SEP client full scan doesn't see it?

    I've googled for how to get rid of it and seen a few suggestions - is the Symhelp tool the best way to remove it?



  • 2.  RE: W97M.Downloader Security risk

    Posted May 01, 2015 06:17 AM

    Upload a suspected infected file (Retail)

    https://submit.symantec.com/websubmit/retail.cgi

    you can run Symantec Power Eraser

    How to run Symantec Power Eraser with the SymHelp utility

    https://support.symantec.com/en_US/article.TECH203683.html



  • 3.  RE: W97M.Downloader Security risk

    Posted May 01, 2015 06:31 AM

    Hi fred2k,

    One initial thought: were these threats detected and removed by Auto-Protect?

    I'm getting email alerts telling me some of my SEP clients are infected with W97M.Downloader Security risk. Yesterday I logged on to one of the clients (Win 7) and ran a full scan - it came back with no threats found.

    If Auto-Protect has already removed the threat, then it would no longer be on that endpoint.

    What exactly do those alerts say?

    W97M.Downloader is a fairly serious risk.  It's basically an Office document with malicious macros that arrives and attempts to download a malicious payload onto the computers.  This payload is often cryptolocker.


    If W97M.Downloader is detected by manual scan rather than Auto-Protect, run SymHelp with Threat Analysis Scan on that computer to ensure that W97M.Downloader has not downloaded anything else.

    How to run the Threat Analysis Scan in Symantec Help (SymHelp)
    http://www.symantec.com/docs/TECH215519

    Please keep this thread up-to-date with your progress!

    Many thanks in advance,

    Mick



  • 4.  RE: W97M.Downloader Security risk

    Posted May 01, 2015 07:43 AM

    James007 - I ran the Symhelp threat analysis but it came back with only "good" results.

    Mick2009 - the email alerts say "Quarantined Auto-Protect" but I'm getting several emails a day, each with many instances so it's an ongoing problem.. so if it's not showing up in a full AV scan, or the Symhelp threat analysis what can I do?



  • 5.  RE: W97M.Downloader Security risk

    Posted May 01, 2015 08:21 AM

    It sounds like you have email auto-protect enabled and SEP is deleting infected emails?



  • 6.  RE: W97M.Downloader Security risk

    Posted May 01, 2015 12:48 PM

    According to the email alerts, some have been deleted, and others were quarantined. I logged onto the system again and took a look at the threat log (think that's what it was called - tab next to scan results).. it showed 1,500 instances of this W97M.Downloader... all of which were quarantined.

    I tried to repair them but that failed, so permanently deleted as many as I could (I think all but about 30 in the end).. but is this just going to keep happening? There must be some way to eradicate this.



  • 7.  RE: W97M.Downloader Security risk

    Posted May 01, 2015 01:06 PM

    What type of attachment is it? You should block it at your mail gateway



  • 8.  RE: W97M.Downloader Security risk

    Posted May 02, 2015 08:52 AM

    W97M.Downloader is a macro virus. These are usually targeted with a very low detection rate. I've seen samples that are only 5 minutes old with 0/59 detections on VirusTotal.

    They are Word, Excel or PowerPoint files. They are specially crafted documents that contain macro code that starts up CMD.exe, powershell.exe or Cscript.exe, which in turn downloads other malware. I have had some success creating an application control rule that blocks Winword.exe and excel.exe from launching cmd.exe, powershell.exe and cscript.exe. This will eliminate the threat if SEP doesn't detect it with Auto-Protect.

    Still, be warned: I've seen at some sites where the customer is using special legitimate third-party plugins in Office that will start cmd.exe etc. These will break if using this application control rule.

    If you see the detection repeatedly coming from the same machines, check their mailbox. It might be that it is not cleared in the mailbox and is repeatedly being downloaded and quarantined locally.
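    The Office-to-shell rule described in this reply, as an added example that is not part of the thread or of SEP: it classifies constructed process-creation events, keeps a narrow allowlist for the legitimate add-in case the reply warns about, and counts hits per host so repeat offenders (the "check their mailbox" case) stand out. The event layout, the add-in path and all sample paths are assumptions made for the example.

```python
import ntpath

# Office hosts the thread names as the parents of the macro's shell
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters the macro launches to fetch the payload, per the thread
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "cscript.exe"}
# Hypothetical allowlist for a legitimate add-in that genuinely needs a
# shell; matched on the child's command line so the exception stays narrow
ALLOWLIST = (r"\contoso-addin\sync.cmd",)

def _image(path):
    """Lower-cased image name from a Windows path."""
    return ntpath.basename(path).lower()

def classify(host, parent, child, cmdline):
    """Return 'block', 'allow' or 'ignore' for one process-creation event."""
    if _image(parent) not in OFFICE_PARENTS:
        return "ignore"
    if _image(child) not in SUSPECT_CHILDREN:
        return "ignore"
    if any(a.lower() in cmdline.lower() for a in ALLOWLIST):
        return "allow"
    return "block"

def summarise(events):
    """Per-host counts of blocked/allowed Office-to-shell launches, so hosts
    that trip the rule repeatedly stand out for mailbox cleanup."""
    counts = {}
    for host, parent, child, cmdline in events:
        verdict = classify(host, parent, child, cmdline)
        if verdict == "ignore":
            continue
        counts.setdefault(host, {"block": 0, "allow": 0})[verdict] += 1
    return counts

# Constructed sample events (host, parent image, child image, command line);
# not real telemetry, paths are illustrative
SAMPLE = [
    ("PC01", r"C:\Office\WINWORD.EXE", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c cscript //nologo %TEMP%\dl.vbs"),
    ("PC01", r"C:\Office\EXCEL.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -w hidden -f %TEMP%\stage.ps1"),
    ("PC02", r"C:\Office\EXCEL.EXE", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c C:\Program Files\contoso-addin\sync.cmd"),
    ("PC03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
     "cmd.exe"),
]
```

    Running summarise(SAMPLE) gives two blocks on PC01 and one allowed add-in launch on PC02; explorer.exe spawning cmd.exe is outside the rule and is ignored.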



  • 9.  RE: W97M.Downloader Security risk

    Posted May 05, 2015 09:42 AM

    Brian: Auto Protect is enabled under Virus & Spyware Protection - Auto Protect (tab), but I can't see any mention of email auto protect - is that something different? Where do I check that setting?

    In answer to your other question, the file types it picks up are .tmp and .xls. I have just searched in Outlook for .tmp (found nothing) and .xls. I saved all the .xls attachments to a folder, and ran the most in depth and invasive search I could from SEP and it found nothing at all.

    TORB: SEP is detecting new instances of W97M.Downloader several times a minute. Sometimes it deletes them, but most times it quarantines them. See attached screen shot for more info.

    So to summarise, are you guys suggesting that all these instances which are being detected are coming from one source, and that should be in an email attachment (in the form of a Word, Excel, or PowerPoint file)? And so if I can locate that email and delete it then that will be the end to this?



  • 10.  RE: W97M.Downloader Security risk
    Best Answer

    Posted May 05, 2015 10:02 AM

    Thanks for the screenshot. These are actually false positives, see here:

    When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

    http://www.symantec.com/docs/TECH102953



  • 11.  RE: W97M.Downloader Security risk

    Posted May 05, 2015 11:50 AM

    Ok thanks Brian.. is that also true for the APQ*.tmp files as well?

    I have amended the group policy setting for "When New Virus Definitions Arrive" to Do nothing but haven't seen any change yet... should the client pick up the setting on its next heartbeat?

    One other question related to that article - it said to delete the old dwh*.tmp files I had to stop the Symantec Endpoint Protection service by:

    1. Click Start, then Run
    2. Type: smc -stop

    ..but when I do this it says it doesn't recognise SMC.  I also tried disabling SEP but it was still detecting dwh and apq files so it can't have been disabled. What's the easiest way to close / stop SEP clients?



  • 12.  RE: W97M.Downloader Security risk

    Posted May 05, 2015 12:36 PM

    Yes, same goes for APQ*.tmp files.

    Yes, your changes will take effect on the next heartbeat.

    Not sure, I can stop smc by running that command. Maybe try a reboot?
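    An added triage helper for the false-positive explanation in replies 10 and 12 (not code from the thread or from Symantec): it separates alerts on DWH*.tmp and APQ*.tmp quarantine-rescan temp files from detections on other files, per host, so an operator can see what remains once the rescan noise is set aside. The pipe-delimited alert layout, the quarantine directory and the sample file names are assumptions constructed for the example.

```python
import ntpath
import re
from collections import defaultdict

# Temp-file name patterns the thread identifies as quarantine-rescan
# artifacts (DWH*.tmp and APQ*.tmp), not fresh infections
RESCAN_ARTIFACT = re.compile(r"^(dwh|apq).*\.tmp$", re.IGNORECASE)

def is_rescan_artifact(path):
    """True when the detected file looks like a quarantine-rescan temp file."""
    return RESCAN_ARTIFACT.match(ntpath.basename(path)) is not None

def parse_alert(line):
    """Parse one constructed 'host|risk|action|path' alert line (this layout
    is an assumption for the example, not SEP's own export format)."""
    host, risk, action, path = (f.strip() for f in line.split("|", 3))
    return {"host": host, "risk": risk, "action": action, "path": path}

def triage(lines):
    """Split alerts per host into likely real detections and rescan noise,
    so the operator can see whether anything remains once the noise is gone."""
    report = defaultdict(lambda: {"real": 0, "rescan_noise": 0})
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        key = "rescan_noise" if is_rescan_artifact(alert["path"]) else "real"
        report[alert["host"]][key] += 1
    return dict(report)

# Constructed sample alerts; the quarantine path is illustrative only
SAMPLE_ALERTS = r"""
PC01|W97M.Downloader|Quarantined|C:\Quarantine\DWH1A2B.tmp
PC01|W97M.Downloader|Deleted|C:\Quarantine\DWH3C4D.tmp
PC01|W97M.Downloader|Quarantined|C:\Quarantine\APQ5E6F.tmp
PC02|W97M.Downloader|Quarantined|C:\Users\alice\Downloads\invoice.xls
""".strip().splitlines()
```

    For the sample, every PC01 alert is rescan noise, while PC02's hit on a real .xls attachment is the one still worth investigating.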



  • 13.  RE: W97M.Downloader Security risk

    Posted May 18, 2015 08:10 AM

    Just to let you know that it appears the first suggestion in this article http://www.symantec.com/docs/TECH102953 apparently did the trick - i.e. Disable rescanning of the local quarantine upon receipt of new virus definitions.

    ..with the side note that for a couple of days after applying the settings I was still getting virus alert emails, so be patient after implementing the change!