Endpoint Protection

  • 1.  New VMProxy.sys rootkit not found by AV software? Trojan.Gen.2

    Posted Aug 25, 2011 04:42 PM

    We've had a couple of instances of Windows servers harboring something called VMProxy.sys. I can't find anything on it in Google other than a reference on Twitter and what look to be mostly Chinese web sites. We have a meeting on how to look for this tomorrow morning and I don't know much more about it, but am trying to gather information.


    Update with the malware name in the title.



  • 2.  RE: New VMProxy.sys rootkit not found by AV software? Trojan.Gen.2

    Trusted Advisor
    Posted Aug 26, 2011 01:54 PM

    Hello,

    Please Work on this Article to submit the Suspicious files:


    Symantec Support Tool: How to collect suspicious files and submit the samples to the Symantec Security Response Team.
    How to submit files to the Threat Expert website.
    Hope this helps!!


  • 3.  RE: New VMProxy.sys rootkit not found by AV software? Trojan.Gen.2

    Posted Aug 31, 2011 01:27 AM

    We've also experienced VMProxy.sys on two servers, of which one blue-screened this morning. We had uploaded information to Symantec and had an incident open most of the day, only to discover after 102 minutes on the phone that it was determined to be non-malicious. I have not been able to interpret the many Asian blogs on this topic yet, but I suspect there is more here than realized.



  • 4.  RE: New VMProxy.sys rootkit not found by AV software? Trojan.Gen.2

    Posted Aug 31, 2011 09:08 AM

    It had actually been hiding in our environment since late May. Nothing caught it. When we submitted files to Microsoft and Symantec, they added the fingerprints to their Safety Scanner and definitions, respectively. We have since found it in about 8 devices out of around 750.

    Symantec identifies it as Trojan.Gen.2 and it usually shows up in the c:\windows\system32\spoolv.exe file, which is not a valid file. SpoolSv.exe is a valid file. The Microsoft Safety Scanner identifies it as Mangzamel.A. If you run that tool, it can take 5 or more hours depending on the number of files on the system.

    Before we had a successful way to scan a host, we were able to see outbound network activity bound for IP 202.172.40.232 in Singapore.
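
The indicators in the post above (the bogus spoolv.exe beside the legitimate SpoolSv.exe, a driver named VMProxy.sys, and outbound traffic to 202.172.40.232) can be checked on a single host without waiting for a multi-hour full scan. The script below is an added example for that triage, not code from the thread or from Symantec or Microsoft. It assumes it is run as Administrator on the server being checked, that VMProxy.sys would sit in System32 or System32\drivers (the thread gives only the file name, so those paths are an assumption), and that a registry service entry or process with one of those names is worth reporting; the IP and the spoolv.exe path are exactly as quoted in the thread. It uses netstat rather than Get-NetTCPConnection so it also works on the 2003/2008-era servers in use at the time.

```powershell
# Added example: host triage for the indicators quoted in this thread.
# Run as Administrator. Written for PowerShell 2.0+ (no [pscustomobject] cast).

$SuspectFiles = @(
    'C:\Windows\System32\spoolv.exe',           # from the thread: not a valid file (SpoolSv.exe is)
    'C:\Windows\System32\VMProxy.sys',          # assumed location; thread gives only the name
    'C:\Windows\System32\drivers\VMProxy.sys'   # assumed location
)
$SuspectIp    = '202.172.40.232'               # outbound destination seen in the thread
$SuspectNames = '^(VMProxy|spoolv)$'           # assumed: service/process names matching the files

$findings = @()

function Add-Finding {
    param([string]$Kind, [string]$Value, [string]$Detail)
    # PS 2.0-compatible object construction
    New-Object PSObject -Property @{ Indicator = $Kind; Value = $Value; Detail = $Detail }
}

# 1. Files on disk: record size, creation time and Authenticode status so the
#    result can be compared against the legitimate SpoolSv.exe when in doubt.
foreach ($path in $SuspectFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $findings += Add-Finding 'File' $path `
            ("size={0} createdUtc={1} signature={2}" -f $item.Length, $item.CreationTimeUtc, $sig.Status)
    }
}

# 2. Service / driver registrations: a rootkit may hide its file from directory
#    listings, but the service key under HKLM is a second, independent view.
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    if ($svc.PSChildName -match $SuspectNames) {
        $imagePath = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        $findings += Add-Finding 'Service' $svc.PSChildName ("ImagePath={0}" -f $imagePath)
    }
}

# 3. Running processes named spoolv (the legitimate spooler is spoolsv).
foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
    if ($proc.Name -match $SuspectNames) {
        $findings += Add-Finding 'Process' ("{0} pid={1}" -f $proc.Name, $proc.Id) ("path={0}" -f $proc.Path)
    }
}

# 4. Live TCP connections to the IP from the thread, parsed from netstat output.
foreach ($m in (netstat -ano | Select-String -SimpleMatch $SuspectIp)) {
    $findings += Add-Finding 'Network' $SuspectIp $m.Line.Trim()
}

if ($findings.Count -eq 0) {
    Write-Output ("No indicators from the thread found on {0}" -f $env:COMPUTERNAME)
} else {
    $findings | Select-Object Indicator, Value, Detail | Format-Table -AutoSize
}
```

A hit on the file check is the strongest signal, since the thread states spoolv.exe is never a valid file; the network check only sees connections that are open at the moment the script runs, so a clean result there does not clear the host. Any positive result should be followed by the sample-submission steps from the second post rather than by deleting the file, so the vendors can add the fingerprint.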