
zsm1319.exe

Posted: Wed Jul 08, 2009 1:43 am
by cmora
Hi.

We are detecting on our terminal server a process named zsm1319.exe. That process is executed by an RDP process.

We found info on the internet about this process, and it is a virus.

How can I control that virus on my terminal server?

We are using eScan AV 9.0.824.465.

Thanks in advance

Posted: Thu Jul 09, 2009 12:48 pm
by Varghese
Can you send us this file as a password protected zip?

Posted: Thu Jul 09, 2009 1:00 pm
by cmora
The process is executed by the RDP process. I don't have a copy of that file, because it was removed with a BitDefender tool.

How can I protect the RDP sessions?

Thanks in advance

Posted: Thu Jul 09, 2009 1:11 pm
by Varghese
But if you start an RDP session again, won't it come back again?

That way you could send it back. You can use procexp.exe to find the path of the file. If it's initiated by RDP, it might not necessarily be malware.

But with the sample handy we will be in a better position to assist you in this case.

Posted: Fri Jul 10, 2009 2:39 am
by cmora
hmm

The problem is appearing again. How can I take a copy of the infected files to send you?

Thanks in advance

Posted: Fri Jul 10, 2009 12:27 pm
by Varghese
Use procexp.exe to find the path of the running process.

Once you get it, add it to an archive using WinRAR. Do not forget to password protect it.

Once this is done, send the file over to us at samples@mwti.net.
We will analyze the file and let you know the status of the same.
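
The collection steps described in the last reply can also be scripted. The following is an added example, not part of the original thread: it finds the running process by name, records its path, hash, session and parent process (which shows whether an RDP-related process really started it), and packs the executable into a password-protected archive. The output folder, the WinRAR install path and the archive password are assumptions; it uses WMI and `Rar.exe` in place of the procexp.exe and WinRAR GUI steps.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell 4.0+ session.
param(
    [string]$ImageName = 'zsm1319.exe',                      # process name from the thread
    [string]$OutDir    = 'C:\IR\samples',                    # assumed collection folder
    [string]$RarExe    = 'C:\Program Files\WinRAR\Rar.exe',  # assumed WinRAR install path
    [string]$Password  = 'infected'                          # assumed archive password
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Win32_Process exposes the on-disk path, parent PID and terminal-server session ID.
$procs = @(Get-CimInstance Win32_Process -Filter "Name = '$ImageName'")
if ($procs.Count -eq 0) { Write-Warning "$ImageName is not running"; return }

$report = foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $path   = $p.ExecutablePath          # empty when the caller lacks rights to query it
    $sha256 = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        ProcessId   = $p.ProcessId
        SessionId   = $p.SessionId
        User        = "$($owner.Domain)\$($owner.User)"
        Path        = $path
        SHA256      = $sha256
        CommandLine = $p.CommandLine
        ParentId    = $p.ParentProcessId
        ParentName  = $parent.Name
        ParentPath  = $parent.ExecutablePath
    }
}
$report | Format-List
$report | Export-Csv -Path (Join-Path $OutDir 'process-context.csv') -NoTypeInformation

# Pack each distinct image: -ep drops folder names, -hp encrypts data and headers.
$files = @($report | Where-Object { $_.SHA256 } | Select-Object -ExpandProperty Path -Unique)
if ($files.Count -eq 0) { Write-Warning 'No readable executable path; rerun elevated'; return }
$archive = Join-Path $OutDir ("{0}-{1:yyyyMMddHHmmss}.rar" -f $ImageName, (Get-Date))
& $RarExe a -ep "-hp$Password" $archive $files
if ($LASTEXITCODE -ne 0) { Write-Warning "Rar.exe exited with code $LASTEXITCODE" }
```

Run it while the process is alive, since the file may be deleted or cleaned once the session ends; `process-context.csv` can accompany the archive so the analyst sees which user session and parent process launched the binary.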