Trojan Win32 Siapag

  • Question

  • OneCare found this and advised me to clean it, which it did successfully.

    But why did it ask me instead of just getting on with it?

    I looked up the trojan on the internet but found no specific reference.

    I was trying to work out how it got in. Could it have come with an e-mail?

    Any ideas?

    Wednesday, August 6, 2008 8:43 AM

Answers

  • Microsoft has completed the investigation into this issue and found that the signature was incorrectly identifying lsass.exe as Trojan:Win32/Siapag.A. However, this only affected customers running a pre-release version of Windows XP Service Pack 3 (SP3). Customers running other versions of Windows and customers running the released version of Windows XP SP3 were not affected.

    As part of our standard process, Microsoft released an updated signature (Version 1.41.145.0 and higher) that resolved this issue on August 6, 2008. OneCare customers will automatically receive an update. To check your signature version, see OneCare's Help | About.

    Customers who believe they have encountered this issue should contact Microsoft Customer Service and Support for assistance as indicated at http://support.microsoft.com.

    Special thanks to the forum moderators and individual users who were able to assist and provide alternative methods to restore LSASS.EXE.

    Eddy Hsia
    Program Manager
    Windows Live OneCare

    Friday, August 8, 2008 5:33 PM

All replies

  • This same virus was found on 3 machines and they all crashed after LOC cleaned the file. Also, LOC seems to be the only scanner that lists this as a virus. How come I don't see it at McAfee, NAV, AVG, and others? Is it a false positive?

    Wednesday, August 6, 2008 2:50 PM
  • I have this on all three of my machines. It first emanated yesterday (5th Aug) and got my other two today. LOC said it couldn't handle the file and told me to click on it for more info. I did so and got a message that my files in Win XP SP3 were being replaced by unauthorised files. The machine rebooted itself and after showing the POST screen and the WinXP logon screen, it just sat at a blank screen. The cursor was present and responded to the mouse, but nothing else would come up. I did a full reload on the smallest machine and got it all working, but have left SP3 off. I still get the warning that LOC has found the virus but I DO NOT CLICK ON IT as it would seem that to do so is "curtains" again.

    If anyone knows how to recover from the blank screen stage I would be grateful to know.

    It's taken me 9 hours of work to get back to a working computer.

    I have sent a pointedly worded email to tech support at LOC, no reply yet, but watch this space.

    Wednesday, August 6, 2008 3:10 PM
  • Ray, you can open OneCare, click on Change Settings, go to the Logging tab, click Create a Support Log, and then view the report that opens in your browser, scrolling to the Virus and Spyware section to see the specific location of the infection.

    OneCare typically prompts when a file is found to be infected on access, but action is automatic if it is found during a scan.

    -steve

    Wednesday, August 6, 2008 3:21 PM
    Moderator
  • mydogaragon wrote:
    "This same virus was found on 3 machines and they all crashed after LOC cleaned the file. Also, LOC seems to be the only scanner that lists this as a virus. How come I don't see it at McAfee, NAV, AVG, and others? Is it a false positive?"

    See this:

    http://www.microsoft.com/security/portal/SearchResults.aspx?query=Win32%2FSiapag

    -steve

    Wednesday, August 6, 2008 3:26 PM
    Moderator
  • I note some people have had problems cleaning this trojan.

    However, OneCare cleaned up my computer with no problems and no crashes.

    I was just curious that I had been prompted to clean it and puzzled as to how it might have got there.

    Wednesday, August 6, 2008 3:43 PM
  • Dear Steve,

    Thanks for the quick reply, but that link has no information on it. It just lists dates that they were found, with no technical info. I find this very odd, and it's even stranger that no other AV firm lists this when you have detection dates as early as 7-1-08. One would think the rest of the world would know about this virus. A Google search has nothing of value to say about it. I would love to have details on this virus.

    B

    Wednesday, August 6, 2008 3:59 PM
  • The odd thing about viruses is that each company tends to name them differently. So, it is highly likely that this trojan goes by another name with different A/V vendors.

    -steve

     

    Wednesday, August 6, 2008 4:21 PM
    Moderator
  • Steve is correct. Take a look at how various vendors identify VirTool:WinNT/Siapag!gen.A (Suspicious):

    http://virscan.org/report/8f09dcc23e240174e55030647ebf1e0f.html

    http://virscan.org/report/39975748998d6f59d98da54976e6c0c8.html

    You can confirm detections identified in your support log by sending the files involved to VirusTotal:

    http://www.virustotal.com/

    Wednesday, August 6, 2008 4:26 PM
  • Dear Steve,

    I respect what you say, but with most viruses out there, details are posted about the virus, and when investigated one can see the different variants and names. With no info posted about this virus and what it does or how it is loaded, I still have to wonder what is going on.

    B

     

    Wednesday, August 6, 2008 4:53 PM
  • Dear Dave,

    I took a look at these reports before coming to the forum. If you look closely you will see only the LOC scanner detecting this virus. None of the other AV scanners come up with this. And while they may name the virus differently, they must scan for the name used by the author, and this usually turns up with a Google search.

    Once again, the thing I find very odd is NO tech data posted by MS, and other than the virus.org scans, this forum is all that turns up on a Google search.

    B

     

    Wednesday, August 6, 2008 4:57 PM
  • B:

    I don't disagree with your concerns. I find it odd that no technical details are made available at the site, yet it is being detected and reported in the wild *and* it apparently is causing problems when removed in some cases. Ray seems to have been a lucky victim.

    -steve

     

    Wednesday, August 6, 2008 6:00 PM
    Moderator
  • Hello again,

    I just got a call from the same office where 3 systems crashed yesterday. A 4th has been hit and crashed. There are 12 systems at this office. If anyone can provide any info on what or where this is coming from, it would sure help me put a stop to it.  Thanks in advance.

    B

     

    Wednesday, August 6, 2008 7:36 PM
  • It would be awesome to know where this trojan is coming from.  OneCare rendered a laptop of ours unbootable after attempting to clean Trojan:Win32/Siapag.A this morning.  Any hope MS will get around to researching this one and posting details?  Thanks.

    --Ben

    Wednesday, August 6, 2008 11:24 PM
  • OK, a few things:

    I've repaired dozens of these already.

    Symptoms are easy enough to spot: the system detects a virus, asks for the Windows SP3 CD, then shuts down in 60 seconds. On rebooting, though, it ends up at a blank screen with just the cursor; booting into Safe Mode and Task Manager don't help.

    The files this virus infects are LSASS.EXE in the C:\WINDOWS\SYSTEM32 and C:\WINDOWS\SYSTEM32\DLLCACHE folders.

    The SOURCE of the virus is strange: it turns out certain downloaded copies of the SP3 installer for Windows (including the one from the Windows Update site) were pre-infected. No way Microsoft would admit to this though.

    The way to repair a downed machine is fortunately very simple:

    1. Boot off a Windows XP Home or Pro CD (doesn't seem to matter which one).
    2. Start the Recovery Console.

    (In the next steps, D is my CD-ROM; change the letter if necessary.)

    3. Type: copy d:\i386\lsass.ex_ c:\windows\system32\lsass.exe
    4. Type: copy d:\i386\lsass.ex_ c:\windows\system32\dllcache\lsass.exe
    5. Reboot the system.

    Windows should start fine.

    Anyhow, that should fix it for you. (Oh, and the original file off an SP2 XP CD won't be infected, of course.)

    Good luck to all,

    CorpBlitz
    Best Computers Burleigh (Aus QLD).

    Thursday, August 7, 2008 12:38 AM
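A triage check a defender can run before letting an AV product "clean" a protected system file such as lsass.exe, built on the same dllcache and i386 copies the recovery steps above rely on. This is an added PowerShell example, not code from the thread, from CorpBlitz or from Microsoft; it assumes Windows PowerShell 4 or later (for Get-FileHash), the XP-era folder layout described in the thread, and uses D:\i386 as a placeholder path for install media.

```powershell
# Added example (not from the thread): compare the live lsass.exe against the
# dllcache copy and, if install media is present, the compressed i386\lsass.ex_.
# If every copy is byte-identical, a detection on the live file is also a
# detection on the vendor-shipped file, which points at a false positive rather
# than an infection. D:\i386 is a placeholder; adjust to your media drive.
param(
    [string]$FileName = 'lsass.exe',
    [string]$MediaDir = 'D:\i386'
)

function Get-FileReport([string]$Path) {
    # Hash, file version and Authenticode state for one candidate copy.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Version   = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        # XP-era OS files are catalog-signed rather than embedded-signed, so
        # 'NotSigned' here is expected and is not evidence of tampering.
        SigStatus = $sig.Status
    }
}

$candidates = @(
    (Join-Path $env:SystemRoot "system32\$FileName"),
    (Join-Path $env:SystemRoot "system32\dllcache\$FileName")
)

# Install media ships the file compressed (lsass.ex_); expand it to a temp copy.
$packed = Join-Path $MediaDir ($FileName -replace '.$', '_')
if (Test-Path -LiteralPath $packed) {
    $expanded = Join-Path $env:TEMP "media_$FileName"
    & "$env:SystemRoot\system32\expand.exe" $packed $expanded | Out-Null
    $candidates += $expanded
}

$reports = $candidates | ForEach-Object { Get-FileReport $_ } | Where-Object { $_ }
$reports | Format-Table Path, Version, SigStatus, Sha256 -AutoSize

$distinct = @($reports | Select-Object -ExpandProperty Sha256 -Unique).Count
if ($distinct -le 1) {
    Write-Host 'All copies are byte-identical: a detection on the live file also hits'
    Write-Host 'the vendor-shipped copy, so treat it as a likely false positive.'
} else {
    Write-Host 'Copies differ: the live file may be modified, or the media is a different'
    Write-Host 'service-pack build. Verify with sfc /scannow before quarantining or deleting.'
}
```

Differing hashes are not by themselves proof of infection: the dllcache copy and an SP2 CD legitimately carry different builds of lsass.exe than an SP3 system, which is why the script defers to sfc for the final word.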
  • Greaaaaaaaaaaat... I started a repair and decided to type in the virus name while waiting. The fix at the end here would have taken me minutes, but I figured it was a lost cause.

    Oh well, it will be done soon. If anything isn't working correctly I can always do a restore from Sunday's backup, then plug the drive into my cleaning rig and double check it with AVG and anything else. I did this after the virus hit and one of the other cleaners pulled off 8 other infected files.

    Thanks for the fix! I hope I will not have to do this, but since this is not the only XP SP3 PC in the house running LOC it will at least save me time later.

    Thursday, August 7, 2008 2:41 AM
  • Thanks to Ceridus-Aus for the fix, will be trying it later.

    I agree it's definitely something to do with Service Pack 3. I downloaded my SP3 from MS, and whenever I download anything I save the download on a separate drive in my machine and then install from there (saves downloading again if I need the file again). I had downloaded SP3 quite a while ago and put it on all 3 of my machines, yet it was only on 5th Aug that it struck. This equates roughly with the same time that everyone else was infected, so I suppose it was delayed to strike on that date?

    OCL reported the virus in a cabinet file of the SP3 download and again within System32 in Windows. It was also in a restore point on the drive containing the SP3 download. I've got rid of it on my main machine by reloading Windows and also formatting the drive used for storing the downloads. A lot of work!

    Thursday, August 7, 2008 6:09 AM
  • Actually Commanon, ALL machines that had SP3 were infected. The thing is, OLC only just received a virus definition for the virus yesterday, so it only cropped up yesterday; it didn't have anything to do with a 'set' timer.

    I'm not even sure it IS a virus. There is a possibility that OLC is flagging lsass.exe as a false positive (maybe there is an exact match between some code in lsass.exe and some of the code in the actual Siapag.A virus files, so it picks it up using heuristics).

    Regardless, the virus definition update by OLC yesterday is responsible, so even if you have a WinXP machine with SP3 loaded and OLC that hasn't 'got' the virus, update OLC and run the full scan and it'll pretty much occur instantly.

    Thursday, August 7, 2008 6:22 AM
  • I got a reply from OCL technical about this problem, pasted below:

    START

    From the information provided, I understand that OneCare was unable to delete or quarantine a virus (Trojan:Siapag.A) from your computer, which made you reinstall the operating system.

    Please correct me in case I have misunderstood this issue.

    Dave, I truly understand the inconvenience you have encountered and apologize for the same.

    I would like to inform you that no security software is 100% perfect. Each virus has many different variants (10-15 variants). For instance, if 'A', 'B' and 'C' are three different security software, some of the variants might be detected by 'A' security software, some might be detected by 'B' and some others by 'C'.

    Every day, new viruses and spyware are formed, and all the manufacturers of security software (Windows Live OneCare, Norton, McAfee, AVG, etc.) keep updating their databases in order to provide protection to their respective users. But there is always a possibility that some of the users get infected with a newly formed virus or spyware which might not yet be covered by the security software they are using.

    However, I appreciate your kindness in writing back to us and informing us about this. I will forward your query to the Software and Development Team of Microsoft and they will further update their database with this (Trojan:Siapag.A) variant of virus and spyware.

    Dave, in case you have not reinstalled the operating system on the other machine, we can initiate the same collection process, which will help us in updating our database. Please visit the below mentioned link for the same:

    http://support.microsoft.com/kb/921159

    If you have any concerns regarding this issue, you can reply to this mail and we will get back to you as soon as possible. It is our pleasure to be of assistance. We are looking forward to your reply.

    Regards,

    NAME NAME NAME

    Microsoft Customer Service and Support

    Email: [deleted]

    Online support at: http://support.microsoft.com

    Security Updates at: http://www.microsoft.com/protect

    Windows Live OneCare: Give your computer continuous Anti-Virus and Firewall protection, along with regular tune-ups and back-ups to maintain its performance.

    ENDS

    So it looks like it's a bit of hard luck we are all having! Notice how they got the ad for OCL in at the end!

    Continuous anti-virus protection? I think not!

    Thursday, August 7, 2008 4:40 PM
  • Since this is getting a bit of traction in several threads, I've locked the other threads and am directing discussion to this one. I notified the OneCare team about all of these threads.

    Based on the discussions so far, it seems that there are two things happening -- and I must clarify that this is my opinion as a user/customer, as I am not a Microsoft employee and I'm the one speculating -- the detection of the infection in SP3 lsass.exe would seem to be a false positive. However, an updated signature file, after Ray reported getting the infection, is doing something more aggressive in the removal routine, causing XP SP3 to become unusable on reboot. Assuming this to be the case, I'm hoping that a new signature file can be deployed very quickly to limit the damage. On the other hand, if there really is an infected file in the SP3 download, then Microsoft would need to shut down the deployment of the update until it can be repaired and redeployed, and I trust that this would also happen very quickly. I have 3 XP SP3 machines at home that are running OneCare, but all were updated to SP3 weeks ago and haven't had a full scan or tune-up within the last few days, so I can't tell you if all SP3 machines would be rendered useless on detection during a full scan as speculated above, though it is certainly possible. Unfortunately, all 3 of those machines are off-line right now, so I can't even test it out remotely.

    I'll post back as soon as I learn more about the status of the investigation.

    I've also unmarked my previous post to Ray as the answer for this thread and will leave it open until such time as we get a definitive answer.

    -steve

     

    Thursday, August 7, 2008 4:45 PM
    Moderator
  • Looking at what has been said, it could be I had no problem because I fairly regularly use the sfc utility as housekeeping, so I might have pre-empted a major problem, but I am not really sure.

    sfc is a strange and little known utility but it has fixed a few problems in Win 98 for me over the years, and so I run the XP version now.

    Perhaps OneCare should incorporate it!

    Thursday, August 7, 2008 4:59 PM
  • Ceridan,

    I would personally like to say thank you for your post and resolution, it worked like a charm. I had previously spent two evenings, two hours each, with tech support while they tried to correct this issue. The last tech I spoke with suggested that I back up, format the hard drive and then do a clean XP install. I would have had to do so on two PCs.

    You saved me a lot of time and frustration, thanks again!

    Friday, August 8, 2008 11:07 AM
  • Thanks, Eddy.

     

    Although the fix highlighted earlier in this thread will get you up and running once again, thankfully, since the problem only affects the pre-release version of XP SP3, you should then remove SP3 and download it from Windows Update.

    -steve

    Friday, August 8, 2008 5:58 PM
    Moderator