Tempedreve Battleplan
Tempedreve is a file infector that attacks files on remote drives and shares. Without an understanding of how it spreads, and the will to put measures in place to stop and eradicate the threat, there will be a constant cycle of re-infection attempts. Because a stand-alone fixtool is needed to repair the infected files, the cycle is a vicious one.
Vectors of Attack
Once a Tempedreve variant is in memory, it infects files on local and remote drives using two mechanisms, "the Push" and "the Pull".
- The Push: An infected machine looks at the list of drives connected to it and systematically attempts to infect files on those drives. If network shares are listed as mapped drives, it will spread to these as well. As the malicious code is injected into the target file and saved to the hard drive, AV detects the write and attempts to clean the file. In the case of most Tempedreve variants, the file cannot be repaired without a stand-alone fixtool, and the AV will convict the file as Tempedreve.(variant)!inf. The !inf suffix indicates this is a dangerous infected file that the AV cannot repair.
- The Pull: This process is less easily understood. Infected machines now have infected versions of known files sitting on their shares and drives. If the infected machine has not been quarantined, a user opening an infected file remotely (a spreadsheet or an accounting program, for example) launches the threat directly into the user machine's memory. Because file-level antivirus does not scan memory, the threat can now actively attempt to infect files on any remote drives and shares it can see, even if the local user's machine has AV definitions that detect the Tempedreve variant. Files on these other drives are now subject again to the Push: infected in memory and detected as !inf as they are written back to the hard drive.
Mitigation
The Pull can be mitigated easily, by enabling network scanning or simply by quarantining the infected machines until the infected files have been repaired or removed. This prevents the threat from launching from a remote host directly into local memory, which would skip the file-write step that file-level AV programs depend on.
The Push can be halted by preventing write access to the shares or by quarantining the infected machines until the infected files have been repaired or removed.
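The following PowerShell script is an added example of the second Push mitigation above (blocking write access to the shares); it is not part of the original article or a Symantec tool. It assumes it is run elevated on the file server hosting the shares, that the SmbShare module is available (Windows Server 2012 / Windows 8 and later), and that the share names in $ShareNames are constructed placeholders. It saves the current share-level permissions first so they can be restored once cleanup is finished.

```powershell
# Added example, not from the original article: lock the listed SMB shares to read-only for
# the duration of the Tempedreve cleanup, so an un-quarantined infected machine cannot write
# infected files back to the share ("the Push").
# Assumptions: run elevated on the file server; SmbShare module present; share names constructed.
$ShareNames = @('Finance', 'Projects')              # constructed example share names
$BackupPath = "$env:TEMP\share-acl-backup.xml"      # where the original ACEs are saved

# Save the current share-level ACEs so the original permissions can be restored later
# (Import-Clixml the file and re-apply each entry with Grant-SmbShareAccess).
$original = foreach ($share in $ShareNames) { Get-SmbShareAccess -Name $share }
$original | Export-Clixml -Path $BackupPath

foreach ($share in $ShareNames) {
    # Every Allow entry that grants Change or Full is replaced by a Read entry for the same account.
    $writers = Get-SmbShareAccess -Name $share |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Change', 'Full' }

    foreach ($ace in $writers) {
        Revoke-SmbShareAccess -Name $share -AccountName $ace.AccountName -Force
        Grant-SmbShareAccess  -Name $share -AccountName $ace.AccountName -AccessRight Read -Force
    }

    # Show the resulting share-level permissions for the change record.
    Get-SmbShareAccess -Name $share | Format-Table -AutoSize
}
```

Share-level permissions combine with NTFS permissions, and the more restrictive of the two wins, so a Read entry at the share level is enough to stop writes from remote hosts even where NTFS still allows them; it does not restrict processes writing to the disk locally on the file server, which is why the server itself must also be verified clean.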
Cleanup
Once you have blocked the vectors, the threat should no longer be spreading. Audit the network environment not only for infected machines, but for machines that are unprotected or under-protected. These machines should be cleaned using the appropriate Tempedreve Fixtool, rebooted to remove the possibility of the threat still running in memory, and given a complete AV scan to verify there are no additional detections. Only then should the machine be reintroduced to the network. The sudden appearance of infected files is a quick indicator that a machine that can see the shares is still out there on the network, which underscores the need for a thorough network audit.
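To turn the "sudden appearance of infected files" indicator into a repeatable check, the following PowerShell script is an added example (not part of the original article or any Symantec tool) that records SHA-256 hashes of executable files on the affected shares and reports anything new, modified or removed on later runs. The UNC paths in $SharePaths are constructed, and the extension list is an assumption for the example, not the list of file types Tempedreve infects. It needs PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not from the original article: baseline the executables on the affected shares
# and diff against that baseline later. While the shares are locked read-only (or after cleanup),
# any New or Modified entry means a machine that can still see the share is still running the
# threat; a Removed entry usually means AV quarantined an infected file. Either result is the
# cue for the network audit the article calls for.
# Assumptions: share paths and extension list are constructed for the example; PowerShell 4.0+.
$SharePaths   = @('\\fileserver\Finance', '\\fileserver\Projects')   # constructed UNC paths
$Extensions   = @('*.exe', '*.dll', '*.scr')                          # assumption, not the infector's target list
$BaselinePath = "$env:TEMP\share-baseline.xml"

function Get-ShareSnapshot {
    # Returns a hashtable of full path -> SHA-256 hash for every matching file under each root.
    param([string[]]$Paths, [string[]]$Include)
    $snapshot = @{}
    foreach ($root in $Paths) {
        Get-ChildItem -Path $root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
            ForEach-Object {
                $snapshot[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
    }
    return $snapshot
}

function Compare-ShareSnapshot {
    # Emits one object per difference between the baseline and the current snapshot.
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($path in $Current.Keys) {
        if (-not $Baseline.ContainsKey($path)) {
            [pscustomobject]@{ Path = $path; Change = 'New' }
        } elseif ($Baseline[$path] -ne $Current[$path]) {
            [pscustomobject]@{ Path = $path; Change = 'Modified' }
        }
    }
    foreach ($path in $Baseline.Keys) {
        if (-not $Current.ContainsKey($path)) {
            [pscustomobject]@{ Path = $path; Change = 'Removed' }
        }
    }
}

if (-not (Test-Path -Path $BaselinePath)) {
    # First run: write the baseline and stop.
    Get-ShareSnapshot -Paths $SharePaths -Include $Extensions | Export-Clixml -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
} else {
    # Later runs: report every change since the baseline.
    $baseline = Import-Clixml -Path $BaselinePath
    $current  = Get-ShareSnapshot -Paths $SharePaths -Include $Extensions
    Compare-ShareSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
}
```

Take the baseline only after the shares have been cleaned with the fixtool and scanned, otherwise already-infected files are recorded as the known-good state. Deleting the baseline file starts a fresh baseline on the next run.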
If the Tempedreve fixtool is not recognizing or repairing Tempedreve.(variant)!inf samples, please submit infected samples through https://submit.symantec.com/retail, follow the instructions for your Support level, and contact technical support to open a case. Those symptoms indicate that we may need to update the repair tool.
AV Signatures
IPS Signatures
System Infected: W32.Tempedreve Activity
Tools