I am having an issue with Trickbot virus on our production network. We run Symantec Endpoint protection on all workstations (~30). We have a Server 2008 R2 Exchange server as well as 4x Server 2012 R2 servers running various applications, the servers do not run antivirus.
My Symantec Endpoint Protection notified me of the infection last week on Thursday. The infection was installed on every PC on my network simultaneously. We found stsvc.exe on the root of C: as well as a folder called NetDefender under the %APPDATA% folder on any user that logged in. There was a Scheduled Task call MSNetValidation (or something close to that) that was set to run on logon to call the malware.
It is my opinion that the Symantec definitions 'caught up' once we were already infected, because the malware was active and a reboot was required to remove it on every computer.
I manually removed the scheduled task and the offending files from the servers, then installed Symantec Endpoint and scanned to be safe. I also loaded Malwarebytes on the servers and scanned. All of these scans came back clean after manually removing the files.
This all happened last Thursday. Today (Monday), I got a notification from Symantec that it again detected stsvc.exe as infected Trickbot on every unit in the building. This time it required no intervention and was automatically cleaned immediately, which tells me the malware was not executed yet. I found the stsvc.exe on my servers again as well, but it wasn't executed as there was no scheduled task or netdefender folder so I just deleted it.
Now, all that said, I'm trying to figure out what process is causing everything to get infected and what steps I should take from here. I found that Trickbot can propogate via network shares here:
But all computers and servers are fully updated through the 2017-04 Cumultive updates, so I'm not sure what else needs to be done.