Hi, after the Update of 5664 and a Reboot of the Server i can confirm two things happening:

1. Backdoor Install of NTRootkit-AB in C:\windows\system32\drivers\khplmn.sys
2. an immidiate infection if all .EXE Files with the W32/Sality Virus.

Unfortunately this thread is serious, as i scanned drives with another Virus Scanner and this one found the same Virus!

This means two things: 1. McAfee rolled out and manipulated DAT upgrade without noticing.
2. McAfee Update servers most have been compromised!

I suggest also to, under NO circumstances reboot any Machine installed with the update 5664 - 5667.

Additionally i highly reccomend to run a full scan of all drives with a 3rd party virus scanner!

If McAfee support does need any files/dumps whatever, please let me know what i can give you to provide a solution asap.

I have been running full scans with 5664/5665/5666 and 5667 DATS since friday and over the weekend and have found nothing of the sort on w2330/xpsp2/3, I think you may just have had a compromised server if the files are showing as infected with a 3rd party tool, I have had no issue with the DATs or Mcafee servers apart from the 5664 false positive with 5100 engine on one old build pc as it upgraded.

What third party scanner did you use and what was the macfee sality variant?

You can check the DAT readmes at http://vil.nai.com/vil/DATReadme.aspx to see when enhanced detection for that variant was updated or released.

I find that usually find that Mcafee have just released an enhanced detection anytime I get lots of hits showing up all of a sudden

sality is b**ch when it gets to server executables my commiserations

Check all app shares are readonly
lock down any shared use executables on the network
Try an trace back any workstation infections to the network source executable and then lock it down and clean it
ban the use of USB drives
limited cpu morning and afternoon scans for all workstations for dl_,dll,exe,scr,tmp
Full overnight workstation scans on all files at high CPU (get them to leave them on)
Evening scans on all servers servers for dl_,dll,exe,scr
Monitor the network for machines which are online but have had their AV disabled by sality, isolate and reimage.


stuff like that worked for us when we got zero day hit by it.

oh yeah and make sure your service desk and engineers are checking and cleaning their data as some of ours spread more than they cleaned