Endpoint Protection


Joke program problem

  • 1.  Joke program problem

    Posted Apr 27, 2009 12:08 AM
    Hi,

    Anybody knows the source of this or has similar experience:

    Virus found:Joke Program on [Computer name]

    IP Address: xxx.xxx.xxx.xxx
    User: [User name]
    Alert Date/Time: 2009-04-26 09:21:11
    DB insertDate/Time:2009-04-26 09:38:45
    Source: AV - Real Time Scan
    File/Path: C:/Documents and Settings/[user name]/Local Settings/Temp/Temporary Directory 1 for ultimate.zip/ULTIMATE.exe
    Actual Action: Left alone

    I've been receiving these alerts and I was wondering where this file came from and how it got inside the network.
    I wasn't able to get the file since the IT guys treated the PCs and when they do that, they also cleaned the quarantine folder.





  • 2.  RE: Joke program problem

    Posted Apr 27, 2009 12:46 AM
    Take a look at the time at which it was detected and then compare that with the browsing history for the user. That should give a fair idea of where it came from.


  • 3.  RE: Joke program problem

    Posted Apr 27, 2009 03:02 AM
    Browsing history of what?
    I have looked into the IE history; either he deleted all his tracks, is using another browser (which is not allowed), or didn't get this from the internet.


  • 4.  RE: Joke program problem

    Posted Apr 27, 2009 10:24 AM
    Look at the proxy logs if you use a proxy...


  • 5.  RE: Joke program problem

    Posted Apr 27, 2009 10:44 AM
    I would think this is coming from an email that was received. Honestly, if it were from IE (and not some other banned browser), the temp file would be in C:\Documents and Settings\[user]\Local Settings\Temporary Internet Files

    If the file came from an email, then you would generally see it in his Temp folder, or if he opened it directly from a web page.

    Do you have a firewall?  Do your users "need" to have access to downloading *.zip files or any other form of archive for their daily tasks from the web?  It is good practice to remove these privileges unless otherwise necessary, and in those cases to create a rule to allow them to download whatever it is they need.

    Remember, a lot of malicious code comes from .EXE, .VBS, .CMD, encapsulated in .ZIP, .RAR, .TAR, etc.


  • 6.  RE: Joke program problem

    Posted Apr 27, 2009 02:35 PM
    I have experienced this before. It came from email.


  • 7.  RE: Joke program problem

    Posted Apr 28, 2009 12:07 AM
    I don't have access to the firewall logs. I checked IE and it is set to direct connection.
    Users don't have the rights to download any software or use removable storage. I won't deny that some have the capability or knowledge to bypass some Windows policies.

    We also have a 3rd party spam filter maintained by another company. We'll be migrating to Symantec in a few weeks then it's another topic.


  • 8.  RE: Joke program problem

    Posted Apr 28, 2009 12:10 AM
    Not necessarily, if you look at the complete path:
    ...Temporary Directory 1 for ultimate.zip/ULTIMATE.exe

    Which says that the file has been uncompressed here and not downloaded, whereas the original file can be present anywhere.


  • 9.  RE: Joke program problem

    Posted Apr 28, 2009 12:10 AM
    Hi Pauli, do you remember the sender?
    Please post some more details. Thanks.


  • 10.  RE: Joke program problem

    Posted Apr 28, 2009 01:11 PM
    Please check the risk logs from the client workstation. This usually tells where the infection came from. (SAV)

    As Sandeep said, it's in the temporary directory where the user tried to open the file. But I am sure that this came from email.


  • 11.  RE: Joke program problem

    Posted Apr 28, 2009 03:40 PM
    I used to have ULTIMATE.exe on a floppy many years ago and it would simulate formatting the user's hard drive as a joke.