davidbaldwin
Level 7

False Artemis!E3175226C78A

Good Day

I have followed the advice here:  https://community.mcafee.com/thread/2016

1.  Regarding: 

DiamondCS NetCheck

Copyright (C) 2006, DiamondCS

2.  I sent an email to virus_research@mcafee.com using the same subject line.

3.  I'm posting the same info here.

4.  I couldn't encrypt the zipped netcheck.exe with my version of Vista Home Premium so I used McAfee GetSusp to submit the suspicious file, but I also added the comment:

False Artemis!E3175226C78A

DiamondCS\netcheck\netcheck.exe [MD5:e3175226c78a9ea5ede501e84cffd041] is infected with Artemis!E3175226C78A

Here's the full scoop.  I hope McAfee removes this from Artemis and therefore STINGER detection:

------------------------

This file has existed for many years, as a simple utility to verify that an active internet connection exists.  I use it regularly at home to quickly "test" that I have a valid internet connection and am able to resolve DNS addresses.  I've had this utility on my "clean" system for years.  It is not a threat.
Although diamondcs.com.au no longer exists, this was their description for "netcheck.exe"
"DiamondCS NetCheck
Copyright (C) 2006, DiamondCS
http://www.diamondcs.com.au
THIS IS NOT A VIRUS (although some virus programs may think so)

DiamondCS NetCheck allows you to quickly check the status of your Internet connection. It does this by testing one (or more) servers - first by attempting to resolve their IP address to test the status of your DNS server, and secondly by attempting to connect to TCP ports, allowing you to test whether you can connect to sites on the Internet.

It is recommended that you use the address of your Internet Service Provider as the first entry for both DNS and TCP in the netcheck.ini file, as well as a numeric IP address as one of the TCP entries so as to still be able to test for TCP connectivity even if your DNS server is down."
----------------------------------------------------------------
Note: netcheck.ini simply contains 3 user-selectable DNS and 3 user-selectable TCP addresses to check:
[Config]
NumDNS=3
NumTCP=3
DNS1=www.cogeco.ca
DNS2=www.google.com
DNS3=www.microsoft.com
TCP1=24.226.1.243:80 (cogeco.ca)
TCP2=www.google.com:80
TCP3=www.microsoft.com:80
MALWR.com / VIRUSTOTAL.com results:
Currently 12 less-known, less-popular virus engines at VirusTotal flag this file (INCLUDING McAfee).
Specifically, 12 of 50 virus engines flag it
Antiy-AVL Trojan/Win32.VB.gic 20140421
Bkav HW32.CDB.43e8 20140418
ByteHero Virus.Win32.Heur.d 20140421
CAT-QuickHeal (Suspicious) - DNAScan 20140421
Commtouch W32/Alureon.F!Generic 20140421
Comodo Heur.Packed.Unknown 20140421
F-Prot W32/Alureon.F!Generic 20140421
K7AntiVirus Virus ( 5585903c0 ) 20140421
McAfee Artemis!E3175226C78A 20140421
McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.C 20140421
TrendMicro PAK_Generic.001 20140421
TrendMicro-HouseCall TROJ_GEN.F47V0127 20140421
The following engines consider it safe:
AVG 20140421
Ad-Aware 20140421
AegisLab 20140421
Agnitum 20140421
AhnLab-V3 20140421
AntiVir 20140421
Avast 20140421
Baidu-International 20140421
BitDefender 20140421
CMC 20140421
ClamAV 20140421
DrWeb 20140421
ESET-NOD32 20140421
Emsisoft 20140421
F-Secure 20140421
Fortinet 20140420
GData 20140421
Ikarus 20140421
Jiangmin 20140421
K7GW 20140421
Kaspersky 20140421
Kingsoft 20140421
Malwarebytes 20140421
MicroWorld-eScan 20140421
Microsoft 20140421
NANO-Antivirus 20140421
Norman 20140421
Panda 20140421
Qihoo-360 20140411
Rising 20140421
SUPERAntiSpyware 20140421
Sophos 20140421
Symantec 20140421
TheHacker 20140421
TotalDefense 20140421
VBA32 20140421
VIPRE 20140421
ViRobot 20140421
nProtect 20140421
* PLUS WEBROOT SECURE ANYWHERE
( which is not one of the VirusTotal engines, but which runs on my system.)
------------------------------------------------------------------------
Malwr.com reports no immediate threat but shows:

File Details

File Name: netcheck.exe
File Size: 25135 bytes
File Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: e3175226c78a9ea5ede501e84cffd041
SHA1: 44cdd75d9f1be11ad31c293bfadd2d46da3be767
SHA256: 667a2a3817cdb588ce46b20484bf27165d7516c4437b0eb243283ff7e3bc0311
SHA512: e94fade4779f4aa6d425dded45196c7447f0af204a1ab9317f15384546778a8e31d3f2807ce271b92ec0b566a57fa56fcc08eb9c3f0a85adeac0a4d3b68872bb
CRC32: BA9B4E17
Ssdeep: 384:KDDxfSzMaeb2lJUEX7r2a552jGUapAXKH/z7pLlpGzvlyRT04J+MI1IgaByIZNl:KPEICEC3byi7H/Xp6vlyphJ+MIq3y8l
Yara: None matched
Signatures
File has been identified by at least one AntiVirus on VirusTotal as malicious
The binary likely contains encrypted or compressed data.
------------------------------------------------------
McAfee Labs(r) GetSusp(tm) Version 3.0.0.373 built on Oct 11 2013
Copyright (c) 2013 McAfee, Inc. All Rights Reserved.
GetSusp initiated on Mon Apr 21 14:27:39 2014

c:\data\diamondcs\netcheck\netcheck.exe ... is Suspicious !!!
GetSusp scan identified (1) Suspicious file(s) and (0) Unknown file(s).

------------------------------------------------------
McAfee Stinger Scan Results
McAfee® Labs Stinger™ Version 12.1.0.869 built on Apr 16 2014 at 12:33:18
Copyright© 2014, McAfee, Inc. All Rights Reserved.
AV Engine version v5610.1040 for Windows.
Virus data file v1000.0 created on Apr 16, 2014
Ready to scan for 6349 viruses, trojans and variants.
Custom scan initiated on Monday, April 21, 2014 00:36:28

Rootkit scan result : Not Scanned.

C:\DATA\DiamondCS\netcheck\netcheck.exe [MD5:e3175226c78a9ea5ede501e84cffd041] is infected with Artemis!E3175226C78A
C:\DATA\DiamondCS\netcheck\netcheck.exe has been Deleted
C:\Users\Public\Downloads\netcheck.exe [MD5:e3175226c78a9ea5ede501e84cffd041] is infected with Artemis!E3175226C78A
C:\Users\Public\Downloads\netcheck.exe has been Deleted
Summary Report on C:
File(s)
TotalFiles:............ 2008426
Clean:................. 321429
Not Scanned:........... 1686995
Possibly Infected:..... 2
Time: 03:38:26
Scan completed on Monday, April 21, 2014 04:14:54
------------------------------------------------------------------------------
Thanks,
davidbaldwin

0 Kudos
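The check NetCheck describes (resolve each DNS entry, then try a TCP connect to each TCP entry, keeping one numeric IP so TCP can still be tested when DNS is down) re-implemented in Python as an added example. This is not DiamondCS's code and not anything posted in the thread. The ini text is the one quoted above; the function names `parse_netcheck_ini`, `run_checks` and `summarize`, the treatment of the "(cogeco.ca)" note as a comment, and the host:port split of the TCP entries are my assumptions. The resolver and connector are injectable so the logic can be exercised without a network.

```python
"""Added example: a NetCheck-style connectivity test driven by netcheck.ini.

Not DiamondCS's code; a re-implementation of the behaviour described in the
post (resolve each DNS entry, then connect to each TCP entry).
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample: the netcheck.ini contents quoted in the thread.
SAMPLE_INI = """[Config]
NumDNS=3
NumTCP=3
DNS1=www.cogeco.ca
DNS2=www.google.com
DNS3=www.microsoft.com
TCP1=24.226.1.243:80 (cogeco.ca)
TCP2=www.google.com:80
TCP3=www.microsoft.com:80
"""


def parse_netcheck_ini(text: str) -> Dict[str, list]:
    """Read [Config]; NumDNS/NumTCP bound which DNSn/TCPn keys are used.

    Assumption: text after the first whitespace in a value (the "(cogeco.ca)"
    note on TCP1) is a comment and is dropped.
    """
    values: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "config" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = value.split()
        values[key.strip().lower()] = parts[0] if parts else ""
    num_dns = int(values.get("numdns", "0"))
    num_tcp = int(values.get("numtcp", "0"))
    dns = [values[f"dns{i}"] for i in range(1, num_dns + 1) if values.get(f"dns{i}")]
    tcp: List[Tuple[str, int]] = []
    for i in range(1, num_tcp + 1):
        target = values.get(f"tcp{i}")
        if not target:
            continue
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"TCP{i} must be host:port, got {target!r}")
        tcp.append((host, int(port)))
    return {"dns": dns, "tcp": tcp}


def default_resolve(name: str) -> bool:
    """DNS step: can the name be resolved at all?"""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def default_connect(host: str, port: int, timeout: float = 5.0) -> bool:
    """TCP step: does a connection to host:port complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(
    config: Dict[str, list],
    resolve: Callable[[str], bool] = default_resolve,
    connect: Callable[[str, int], bool] = default_connect,
) -> Dict[str, list]:
    """Run every DNS and TCP entry; resolver/connector are injectable for offline use."""
    dns_results = [(name, resolve(name)) for name in config["dns"]]
    tcp_results = [(host, port, connect(host, port)) for host, port in config["tcp"]]
    return {"dns": dns_results, "tcp": tcp_results}


def summarize(results: Dict[str, list]) -> str:
    """A numeric TCP target that connects while every lookup fails isolates DNS."""
    dns_ok = any(ok for _, ok in results["dns"])
    tcp_ok = any(ok for _, _, ok in results["tcp"])
    if dns_ok and tcp_ok:
        return "online"
    if tcp_ok and not dns_ok:
        return "tcp-only: DNS resolution failing"
    if dns_ok and not tcp_ok:
        return "dns-only: TCP connections failing"
    return "offline"


if __name__ == "__main__":
    cfg = parse_netcheck_ini(SAMPLE_INI)
    res = run_checks(cfg)
    for name, ok in res["dns"]:
        print(f"DNS  {name:<22} {'OK' if ok else 'FAIL'}")
    for host, port, ok in res["tcp"]:
        print(f"TCP  {host}:{port:<5} {'OK' if ok else 'FAIL'}")
    print(summarize(res))
```

Running the script as-is performs real lookups and connects; passing stub functions for `resolve` and `connect` reproduces the "DNS down but the numeric IP still connects" case the ini comment is written for.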
8 Replies
catdaddy
Level 20

Re: False Artemis!E3175226C78A

Hi davidbaldwin,

Welcome to the McAfee Communities. Normally (4) or more Detections immediately throw up some "Red Flags", especially from Virus Total. Four of those Vendors that detected this instance are Highly reputable, to include McAfee.

Since you ran the Latest Getsusp, did you receive an email confirming the detection is being analyzed? Someone who patrols this Community may pick up this thread (No promises) and with the information provided may expedite your request. Meaning someone from McAfee Labs.

Normally you are asked to provide an Analysis ID #, to proceed further.

I am limited with the amount of time I can afford to this at the moment. I do know that our Moderators patrol this community, and possibly could be of more assistance.

      Regards,

Message was edited by: catdaddy on 4/21/14 3:26:00 PM CDT
Cliff
McAfee Volunteer
0 Kudos
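The reply above reasons from how many engines fire; the listing in the opening post also shows what kind of labels they fire with. Below is an added example, not code from the thread, from VirusTotal or from McAfee, that turns such a listing into a triage summary: the raw detection count, how many labels are heuristic/generic or hash-derived rather than a named family, whether two engines report an identical label, and whether any engine's definition date lags the others. The input lines are a constructed subset of those quoted in the post; the marker list in `GENERIC_MARKERS` and the function names are my assumptions.

```python
"""Added example: triage of a VirusTotal-style engine listing.

Not VirusTotal's or McAfee's code. Each line is "<engine> [<label>] <YYYYMMDD>";
a line with no label means the engine saw nothing.
"""
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample: a subset of the engine lines quoted in the opening post.
SAMPLE_VT = """Antiy-AVL Trojan/Win32.VB.gic 20140421
Bkav HW32.CDB.43e8 20140418
CAT-QuickHeal (Suspicious) - DNAScan 20140421
Commtouch W32/Alureon.F!Generic 20140421
Comodo Heur.Packed.Unknown 20140421
F-Prot W32/Alureon.F!Generic 20140421
K7AntiVirus Virus ( 5585903c0 ) 20140421
McAfee Artemis!E3175226C78A 20140421
McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.C 20140421
TrendMicro PAK_Generic.001 20140421
AVG 20140421
Kaspersky 20140421
Microsoft 20140421
Symantec 20140421
"""

# Assumption: these substrings mark heuristic, generic or hash-derived labels
# (Artemis! is McAfee's cloud-lookup prefix; the rest are common vendor
# conventions) rather than a specific malware family name.
GENERIC_MARKERS = re.compile(
    r"artemis!|heur|generic|suspicious|dnascan|lookslike|packed|pak_|^virus \(",
    re.IGNORECASE,
)
DATE = re.compile(r"^\d{8}$")


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (engine, label, date); label is '' when the engine reported nothing."""
    tokens = line.split()
    if len(tokens) < 2 or not DATE.match(tokens[-1]):
        return None
    return tokens[0], " ".join(tokens[1:-1]), tokens[-1]


def triage(text: str) -> Dict[str, object]:
    """Summarize the listing: counts, label quality, shared labels, stale definitions."""
    rows = [r for r in (parse_line(ln) for ln in text.splitlines()) if r]
    detections = [(eng, lbl) for eng, lbl, _ in rows if lbl]
    generic = [eng for eng, lbl in detections if GENERIC_MARKERS.search(lbl)]
    labels = Counter(lbl for _, lbl in detections)
    newest = max(date for _, _, date in rows)
    return {
        "total": len(rows),
        "detected": len(detections),
        "generic": len(generic),
        "family_named": len(detections) - len(generic),
        # Identical label text from two engines is worth noting: it may be one
        # shared engine or signature feed rather than two independent opinions.
        "duplicate_labels": {lbl: n for lbl, n in labels.items() if n > 1},
        # Engines whose definitions are older than the newest date in the listing.
        "stale_engines": [eng for eng, _, date in rows if date < newest],
        "newest_date": newest,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_VT)
    print(f"{summary['detected']}/{summary['total']} engines flagged the file")
    print(f"  heuristic/generic labels: {summary['generic']}")
    print(f"  family-named labels:      {summary['family_named']}")
    print(f"  labels shared by engines: {summary['duplicate_labels']}")
    print(f"  engines with older definitions: {summary['stale_engines']}")
```

The point of separating the two label classes is analytic, not a verdict: a listing where most hits are heuristic or reputation labels and the named-family labels disagree with each other is exactly the case that needs a sample submission and vendor review, which is what the thread is doing.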
Peacekeeper
Level 20

Re: False Artemis!E3175226C78A

If you included your email address in GetSusp's preferences you should have got back an email that mentions an analysis ID. Did you? If you did, post it here, and if there is no movement in 4 days to address this, post back and I will get it chased up.

0 Kudos
davidbaldwin
Level 7

Re: False Artemis!E3175226C78A

Hi catdaddy and Peacekeeper,

Thanks.  The email I got back from my GetSusp submission reads:

SR Number               Creation Date                WorkItem ID        Machine Name
========                ==============               ===========        ===========
None specified          4/21/2014 6:44:28 PM         1321642            DRB-WLM

+--------------+----------------------------------+--------------+-----------+----------------+
| File Name    | MD5                              | Findings     | Detection | Type           |
+--------------+----------------------------------+--------------+-----------+----------------+
| netcheck.ex_ | e3175226c78a9ea5ede501e84cffd041 | not_detected |           | assumed_dirty4 |
+--------------+----------------------------------+--------------+-----------+----------------+

So although everyone is using the term "Analysis ID #" it appears that terminology is absent from the McAfee auto-reply.

The term WorkItem ID is used in the Subject line and the body text, i.e. "Submission through GetSusp (Reference WorkItemID: 1321642)".

Hope that's what everyone is referring to.

Thanks again.

p.s. Re: "Four of those Vendors that detected this instance, are Highly reputable, to include McAfee."  Yes, I agree and acknowledge that McAfee is highly reputable, I didn't mean it to come across like that.  Besides McAfee, I'm just less familiar with the popularity of the other vendors who detected this.

davidbaldwin

0 Kudos
catdaddy
Level 20

Re: False Artemis!E3175226C78A

You are perfectly welcome. As Tony stated, allow the appropriate time for McAfee Labs to analyze. Especially given all of the malware created every second, minute, hour of each day. Then hopefully you may have a resolution to your issue.

PeaceKeeper is diligent in following up on such things.

All the very best,

Cliff
McAfee Volunteer
0 Kudos
Peacekeeper
Level 20

Re: False Artemis!E3175226C78A

Not so diligent. I rely on posters posting back if no fix in a set (4-day) period. Sorry, I have too many threads active to check back individually.

0 Kudos
davidbaldwin
Level 7

Re: False Artemis!E3175226C78A

Well,

I'll just say that it's been over 4 days ... nothing heard except for the initial confirmation emails  

virus_research@avertlabs.com  (Submission through GetSusp (Reference WorkItemID: 1321647)

So no fix yet, and no explanation.

Thanks

Dave B

0 Kudos
Peacekeeper
Level 20

Re: False Artemis!E3175226C78A

Passed onto a lab tech

0 Kudos
catdaddy
Level 20

Re: False Artemis!E3175226C78A

Marking this thread as 'Assumed Answered' and locking it.

Cliff

Moderator

Cliff
McAfee Volunteer
0 Kudos