Threat identification & removal? [Virus/Win32.slugin.iyz(2385375)]

Showing results for 
Search instead for 
Did you mean: 

Threat identification & removal? [Virus/Win32.slugin.iyz(2385375)]

Not applicable

I'm hoping someone can help me with a threat detected by my PA500 (details below).

I recently found entries in my Threat logs suggesting an SSL-VPN user was malware compromised. Upon closer inspection, I cannot determine exactly the nature of the threat, nor how to detect/remove the threat from the client machine. I'm hoping this is not a false positive identifying a normal function as malware.(GoogleToolbarInstaller_updater_signed.exe)

I'm not finding answers in Palo Alto's Threat database, nor in the Knowledgebase. But maybe someone here has some experience or insight regarding this threat? I'd appreciate some help, thanks!

How real is this "virus"? (I can't find detailed descriptions on PaloAlto, let alone other sources)

How do I remove the infection?

Is this expected behavior from GoogleToolbarInstaller updater?

Why is this "bad"?

DomainReceive TimeSerial #TypeThreat/Content   TypeConfig VersionGenerate TimeSource addressDestination   addressNAT Source IPNAT Destination   IPRuleSource UserDestination UserApplicationVirtual SystemSource ZoneDestination ZoneInbound InterfaceOutbound   InterfaceLog ActionTime LoggedSession IDRepeat CountSource PortDestination PortNAT Source PortNAT Destination   PortFlagsIP ProtocolActionURLThreat/Content   NameCategorySeverityDirection
108-07-11   06:300006C1xxxxxxTHREATvirus108-07-11   06:30505092804979780556500x400000tcpdenyGoogleToolbarInstaller_updater_signed.exeVirus/Win32.slugin.iyz(2385375)anymediumserver-to-client

Palo Alto Threat Database 3.1 yields the following description:

Virus/Win32.slugin.iyz (2385375)

Attack Name Worm/W32.generic.fklrm Description Threat ID 2385375

The log detail is as follows:

Log Details

Generate Time: 2011/07/08 06:30:32
Receive Time: 2011/07/08 06:30:37

Session ID: 50509
Threat/Content Name: Virus/Win32.slugin.iyz
Threat/Content Type: virus
Action: deny
Severity: medium
Application: web-browsing
IP Protocol: tcp
Rule: rule1
Log Action:
Category: any
Repeat Count 2
Virtual System: vsysl
Misc:  GoogleToolbarInstaller_updater_signed.exe
Device: 0006C1xxxxxx (myPa500Serial)

Captive Portal:
Proxy Transaction:
Packet Capture:
Direction: server-to-client

Source User:               
Source address:
Source Port: 80
Source Zone: L3-untrust
Inbound Interface: tunnel.1
NAT Source IP
NAT Source Port: 80

Destination User: rmanik
Destination address:
Destination Port: 49797
Destination Zone: SSL-VPN
Outbound Interface: ethernetl/5
NAT Destination IP: (myExternalPublicIp)
NAT Destination Port: 55650

Receive Time   log     Type  Application  Action Rule   Bytes  Pkts Severity Category URL
07/08 06:30:37 threat  virus web-browsing deny   rulel              medium   any      GoogleToolbarInstaller_updater_signed.exe
07/08 06:32:02 traffic end   web-browsing allow  rule I 12,354 15

My PA500:

Software version4.0.2
SSL-VPN Client1.3.0
GlobalProtect Client0.0.0
Application version255-1051
Threat version254-1048
Antivirus version515-673
URL Filtering version3637
GlobalProtect datafile version0

L1 Bithead

Terina - We've had several downloads of the GoogleToolbarInstaller_updater_signed.exe blocked by the same Threat ID 2385375.  Suspecting that it might be a false positive, I opened a case on July 5th.  It is still being researched.  -Craig

L0 Member

Curious if there has been any movement on this issue.  I am seeing this alot now on our PA500 classified as Trojan/Win32.patched.ocmj(2569370).  It seems to be associated with the Google-Update application.

Hi mwaters31

I would open up a case with Support that includes the following:

1) Pcap of the threat

2) Output from the command >show system info

3) A snapshot of the threat via the threat log

We'll investigate promptly and provide a bug fix if it's deemed as a false positive.

+1.  I'd like to see the Threat Details include a MD5 Checksum so we may look at virustotal ourselves. Perhaps this will be possible with Wildfire?

Hello. I was wondering if there has been any updates to whether this is a legit threat or false positive?

According to the Tech Support working on the case I opened, a bug was found and was subsequently fixed in virus definition version 605.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!