Trickbot issue on production network.


1 reply to this topic

#1 garethp1 (Members, 1 posts)

Posted 16 April 2018 - 10:16 AM

I am having an issue with the Trickbot virus on our production network. We run Symantec Endpoint Protection on all workstations (~30). We have a Server 2008 R2 Exchange server as well as 4x Server 2012 R2 servers running various applications; the servers do not run antivirus.

My Symantec Endpoint Protection notified me of the infection last week on Thursday. The infection was installed on every PC on my network simultaneously. We found stsvc.exe on the root of C: as well as a folder called NetDefender under the %APPDATA% folder of any user that logged in. There was a Scheduled Task called MSNetValidation (or something close to that) that was set to run on logon to call the malware.

It is my opinion that the Symantec definitions 'caught up' once we were already infected, because the malware was active and a reboot was required to remove it on every computer.

I manually removed the scheduled task and the offending files from the servers, then installed Symantec Endpoint and scanned to be safe. I also loaded Malwarebytes on the servers and scanned. All of these scans came back clean after manually removing the files.

This all happened last Thursday. Today (Monday), I got a notification from Symantec that it again detected stsvc.exe as infected with Trickbot on every unit in the building. This time it required no intervention and was automatically cleaned immediately, which tells me the malware was not executed yet. I found stsvc.exe on my servers again as well, but it wasn't executed, as there was no scheduled task or NetDefender folder, so I just deleted it.

Now, all that said, I'm trying to figure out what process is causing everything to get infected and what steps I should take from here. I found that Trickbot can propagate via network shares here:

https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/

But all computers and servers are fully updated through the 2017-04 Cumulative updates, so I'm not sure what else needs to be done.

 

Thanks!
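The post above names three indicators (stsvc.exe at the root of the system drive, a NetDefender folder under each profile's %APPDATA%, and a logon-triggered scheduled task with a name like MSNetValidation) and describes checking and cleaning them by hand, one machine at a time. The following PowerShell sweep is an added example, not code from the original post or from any vendor: it checks all three indicators plus a running stsvc process on every host you hand it, over WinRM, so a second wave like the one on Monday can be spotted and compared across the fleet before anything is deleted. The task name is matched loosely because the poster was not sure of the exact name. The computer list, the WinRM availability, and the assumption that the NetDefender folder sits under the roaming AppData path are all assumptions for illustration; schtasks.exe and PowerShell 2 syntax are used so the inner block also runs on the Server 2008 R2 host, where Get-ScheduledTask does not exist.

```powershell
# Added example (not from the original post): sweep hosts for the Trickbot indicators described above.
# Indicator names are those reported in the post; the host list and paths below are assumptions.

param(
    # Assumption: replace with the real ~30 hosts, e.g. (Get-ADComputer -Filter *).Name
    [string[]]$ComputerName = @('localhost')
)

$sweep = {
    $hits = @()

    # 1. Dropper at the root of the system drive (post: "stsvc.exe on the root of C:")
    $dropper = Join-Path $env:SystemDrive 'stsvc.exe'
    if (Test-Path -LiteralPath $dropper) {
        $f = Get-Item -LiteralPath $dropper -Force
        $hits += New-Object PSObject -Property @{
            Type = 'File'; Path = $dropper
            Detail = ('{0} bytes, written {1}' -f $f.Length, $f.LastWriteTime) }
    }

    # 2. NetDefender folder under EVERY profile's roaming AppData, not only the logged-on user's
    #    (assumption: %APPDATA% resolves to <profile>\AppData\Roaming as on default installs)
    $profiles = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer }
    foreach ($p in $profiles) {
        $dir = Join-Path $p.FullName 'AppData\Roaming\NetDefender'
        if (Test-Path -LiteralPath $dir) {
            $names = Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.Name }
            $hits += New-Object PSObject -Property @{
                Type = 'Folder'; Path = $dir; Detail = ($names -join ', ') }
        }
    }

    # 3. Logon-triggered task. Matched loosely on the name the post was unsure of, and also on the
    #    command it runs, which catches a renamed task that still launches the same files.
    $tasks = schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv
    foreach ($t in $tasks) {
        if ($t.TaskName -like '*NetValidation*' -or
            $t.'Task To Run' -like '*stsvc.exe*' -or
            $t.'Task To Run' -like '*NetDefender*') {
            $hits += New-Object PSObject -Property @{
                Type = 'Task'; Path = $t.TaskName
                Detail = ('runs: {0} | trigger: {1} | as: {2}' -f $t.'Task To Run', $t.'Schedule Type', $t.'Run As User') }
        }
    }

    # 4. Is the dropper already executing? (The post inferred "not executed yet" from the absence of
    #    the task and folder; a live process settles the question directly.)
    Get-Process -Name 'stsvc' -ErrorAction SilentlyContinue | ForEach-Object {
        $hits += New-Object PSObject -Property @{
            Type = 'Process'; Path = $_.Path; Detail = ('PID {0}' -f $_.Id) }
    }

    foreach ($h in $hits) {
        $h | Add-Member -MemberType NoteProperty -Name Computer -Value $env:COMPUTERNAME -PassThru
    }
}

# Run the block locally for 'localhost', otherwise over WinRM (assumption: PS remoting is enabled).
$results = foreach ($c in $ComputerName) {
    if (@('localhost', $env:COMPUTERNAME) -contains $c) { & $sweep }
    else { Invoke-Command -ComputerName $c -ScriptBlock $sweep -ErrorAction Continue }
}

if ($results) {
    $results | Sort-Object Computer, Type | Format-Table Computer, Type, Path, Detail -AutoSize
} else {
    'No stsvc.exe / NetDefender / *NetValidation* indicators found on the queried hosts.'
}
```

Run it from an admin workstation before cleaning anything: a host where only the file is present (no task, no folder, no process) matches the Monday state the post describes, while a host that also reports the task and folder is where the logon trigger has already fired. The task's "Run As User" and the file's LastWriteTime, collected from all hosts at once, are what let you tell whether the drop came from one account or share at the same moment everywhere, which is the question the post is asking.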




#2 xpictoc (Members, 1 posts)

Posted 16 April 2018 - 04:44 PM

I am having the same exact issue, with matching dates as well: it started last Thursday, and we seemed to have contained it then. Then it started infecting all user machines on Monday (today). Not having any luck slowing it down, but the antivirus does seem to be detecting it/quarantining it. Any progress on your end?
