rFQfXT.bdKx

I have noticed a strange behaviour on a couple of computers with System Center Endpoint Protection 2012 installed and updated.

In the home folder located on the network, all the files and folders are substituted by a link with the same name.

The link is like this:

C:\WINDOWS\system32\cmd.exe /C start /b "" "cmd.exe" /C if exist "rFQfXT.bdKx" start /b "" "rFQfXT.bdKx" && start /b "" "mydocument.doc"

The original files and folders are hidden.

If I set folder options to show "hidden files and folders" and remove the flag on "Hide protected operating system files (recommended)", I can see the file rFQfXT.bdKx.

I have submitted the file to https://www.microsoft.com/security/portal/submission/submit.aspx and I'm waiting for a reply.

October 24th, 2013 1:39pm
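As an added example (not code from the thread, and not Microsoft or SCEP tooling), the following PowerShell function applies the indicators the first post describes to hunt a home-folder share from the file server side: a `.lnk` whose target is `cmd.exe` and whose arguments chain a hidden payload with `start /b` before opening the real document. The share path `\\FILESERVER\home$`, the function name `Find-ShortcutHijack` and the quarantine folder are assumptions. It only reads shortcut metadata through the `WScript.Shell` COM object and never executes what it finds.

```powershell
# Added example, not code from the thread or from Microsoft/SCEP tooling.
# Hunts a network home-folder root for the pattern described in the post:
# a .lnk whose target is cmd.exe and whose arguments run a hidden payload
# via 'start /b' before opening the real file. With -Restore it clears the
# Hidden/System bits on the originals and moves the shortcuts into a
# quarantine folder; it never executes anything it finds.
function Find-ShortcutHijack {
    param(
        [Parameter(Mandatory)] [string] $Root,    # e.g. '\\FILESERVER\home$' (placeholder)
        [switch] $Restore,
        [string] $Quarantine = (Join-Path $env:TEMP 'lnk-quarantine')
    )

    $shell = New-Object -ComObject WScript.Shell
    # Bits to clear on the hidden originals (works for files and directories)
    $clearMask = -bnot ([int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System)

    if ($Restore -and -not (Test-Path -LiteralPath $Quarantine)) {
        New-Item -ItemType Directory -Path $Quarantine | Out-Null
    }

    $findings = @()
    foreach ($lnkFile in Get-ChildItem -LiteralPath $Root -Recurse -Force -Filter '*.lnk' -ErrorAction SilentlyContinue) {
        $lnk = $shell.CreateShortcut($lnkFile.FullName)

        # Indicators taken from the shortcut quoted in the first post: the target
        # is cmd.exe and the arguments use 'start /b ... if exist ...'
        if ($lnk.TargetPath -notmatch '\\cmd\.exe$' -or $lnk.Arguments -notmatch 'start /b .*if exist') { continue }

        # The dropped payload is the first quoted token after 'if exist'
        $payload = $null
        if ($lnk.Arguments -match 'if exist "([^"]+)"') { $payload = Join-Path $lnkFile.DirectoryName $Matches[1] }

        # The original item carries the shortcut's name without '.lnk'
        # (mydocument.doc.lnk -> mydocument.doc, Pictures.lnk -> Pictures)
        $original = Join-Path $lnkFile.DirectoryName ([IO.Path]::GetFileNameWithoutExtension($lnkFile.Name))
        $origItem = Get-Item -LiteralPath $original -Force -ErrorAction SilentlyContinue

        $findings += [pscustomobject]@{
            Shortcut       = $lnkFile.FullName
            Payload        = $payload
            PayloadPresent = [bool]($payload -and (Test-Path -LiteralPath $payload))
            Original       = $original
            OriginalHidden = [bool]($origItem -and ($origItem.Attributes -band [IO.FileAttributes]::Hidden))
        }

        if ($Restore) {
            if ($origItem) {
                $origItem.Attributes = [IO.FileAttributes]([int]$origItem.Attributes -band $clearMask)
            }
            # Keep the shortcut as evidence for the AV submission instead of deleting it
            Move-Item -LiteralPath $lnkFile.FullName -Destination $Quarantine -Force
        }
    }
    return $findings
}

# Report-only run against a placeholder share; add -Restore once the report looks right.
Find-ShortcutHijack -Root '\\FILESERVER\home$' | Format-Table -AutoSize
```

Run it report-only first and review the table before adding `-Restore`. The check deliberately matches the structure of the shortcut (cmd.exe target, `start /b`, `if exist`) rather than the payload name, because the thread itself shows the dropped file name varies between machines (`rFQfXT.bdKx` on one, `vUcAbNUj.wujp` on another), so a filename-based block would miss the next variant.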

Hi,

Thanks for your post.

I have confirmed that this malware has not been collected by MS.

What you did is a great way to share this malware with us and MS.

Best Regards

Quan Gu

October 25th, 2013 8:54am

Thank you for your reply.

Until now Microsoft hasn't checked my file, and I don't know how to ensure that the virus does not continue its infection.

Is there some way to set the file name as a risk so that SCEP blocks it?

October 25th, 2013 1:18pm

I've got the exact same problem, except it's on a network share, so I have no idea who's infected with it. That file also shows up with a different filename: vUcAbNUj.wujp
  • Edited by acme64 Friday, October 25, 2013 6:14 PM
October 25th, 2013 7:20pm

Hi,

We do not suggest that you inspect it. I think MS may need some time to take your application. So please be patient.

To acme64: if you find some malware that is not already in the MS malware database, please also submit the sample. Thanks.

Thanks for your patience and support.

Best Regards

Quan Gu

October 26th, 2013 8:08am

Hello all

Now the virus seems to be recognized (1 week later :-( ); it is Backdoor:Win32/Caphaw.A.

I don't understand this well: this virus has been around for a long time (http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:Win32/Caphaw.A), but only since yesterday has it been discovered and removed by our SCEP, so maybe it is a variant?

When a variant has been discovered, shouldn't the name change?

Why, when I submit a file, doesn't Microsoft inform me about anything new? Also, if I check on my submission, nothing has been updated (https://www.microsoft.com/security/portal/submission/submissionhistory.aspx?SubmissionId=bc8a8f17-af09-496d-9776-f657549321de).

October 31st, 2013 1:12pm

Hi,

I am confused that you did not discuss Win32/Caphaw.A but vUcAbNUj.wujp. Win32/Caphaw.A was detected in 2011. If vUcAbNUj.wujp is a variant of Win32/Caphaw, it should be recorded by MS.

Best Regards

Quan Gu

October 31st, 2013 9:57pm
