I've tried the stinger from 6/10 with 6737 and it was unable to find a .dll believed to be related to this infection. I do have an open case with McAfee support regarding this infection. Also we were seeing detections on our print server for the .SPL files that were malicious on detection: Generic.Tra!e864689c6897. However, in the most recent infection we did not see this DAT cover the files.
Good luck everyone.
It may make sense to block and provide reporting on the following addresses:
From Symantec's Site:
1. What is this threat?
Adware.Eorezo and Trojan.Milicenso, along with threats that show traits of each. As well as Packed.Generic.372 and Packed.Generic.371.
The ability to detect these files is based on the traits of the packer being used. But the threat classification or naming of the files is based on the dropper (the file that gets the threat there), and we will need to complete a full analysis of that before we can fully understand all the parts of this threat.
2. What is it doing?
It's downloading two types of files:
Payload - Adware.Eorezo and Trojan.Milicenso
Jpegs - used steganographically to provide commands to the payload
3. Where is it downloading from?
Jpegs are downloaded from
4. Why is it taking so long to create "complete" detection?
Each component of this threat is highly encrypted. The key for that encryption is different for each computer because it is based on
- VolumeSerialNumber of the system volume.
- Creation time of "c:\windows\system32" and "c:\System Volume Information"
This means that each individual machine will have a series of files that are unique at the byte level.
5. What is the latest detection available in certified definitions for this?
Certified definitions: 6/10/2012 rev. 17 seq 135100 (these have updated, but not the most up to date detection)
6. How do I get the most up to date definitions?
Detections are being added to Rapid Release defs every 5 or 6 hours as we fine tune our coverage.
7. Suggested actions
More info to come as we continue to work this issue
Do we know how the virus communicates with the printers? We had an incident with the same virus where a user became infected and sent print jobs to every printer in the organization. This user is only connected to one print server in one site, but the jobs were sent to every printer in multiple sites. I am not sure how a user was able to send a print job to a printer in another site unless he is connected to that printer server. It is as if the virus scanned our network to look for print servers or printers.
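Added example, not from anyone in this thread: a small Python detector for the fan-out symptom described in the post above (one user's jobs reaching many printers in a short time), run over constructed print-server records modelled on the Windows PrintService/Operational event 307 message. The "timestamp|message" line layout, the user and printer names, and the three-printers-per-ten-minutes threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Body of a Windows PrintService/Operational event 307 ("Document ... was printed on ...");
# the regex follows that message shape, and every line in SAMPLE_LOG is constructed.
EVENT_307 = re.compile(
    r"Document \d+, .+? owned by (?P<user>\S+) on \S+ was printed on (?P<printer>\S+)"
)

SAMPLE_LOG = """\
2012-06-21 09:00:01|Document 11, job.txt owned by alice on \\\\WS01 was printed on PRN-HQ-1 through port IP_10.0.0.5.
2012-06-21 09:00:03|Document 12, job.txt owned by alice on \\\\WS01 was printed on PRN-HQ-2 through port IP_10.0.0.6.
2012-06-21 09:00:04|Document 13, job.txt owned by alice on \\\\WS01 was printed on PRN-BR-1 through port IP_10.1.0.5.
2012-06-21 09:00:06|Document 14, job.txt owned by alice on \\\\WS01 was printed on PRN-BR-2 through port IP_10.1.0.6.
2012-06-21 09:05:00|Document 15, report.pdf owned by bob on \\\\WS02 was printed on PRN-HQ-1 through port IP_10.0.0.5.
2012-06-21 09:07:00|Document 16, report.pdf owned by bob on \\\\WS02 was printed on PRN-HQ-1 through port IP_10.0.0.5.
"""

def parse_events(log):
    """Return (timestamp, user, printer) tuples from 'YYYY-mm-dd HH:MM:SS|message' lines."""
    events = []
    for line in log.splitlines():
        ts, sep, msg = line.partition("|")
        m = EVENT_307.search(msg) if sep else None
        if m:
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), m["user"], m["printer"]))
    return events

def printer_fanout_alerts(events, window=timedelta(minutes=10), max_printers=3):
    """Flag users whose jobs reach more than max_printers distinct printers inside
    any window-long span: the 'one user prints to every printer' symptom."""
    by_user = defaultdict(list)
    for ts, user, printer in events:
        by_user[user].append((ts, printer))
    alerts = {}
    for user, jobs in by_user.items():
        jobs.sort()
        start = 0
        for end in range(len(jobs)):
            while jobs[end][0] - jobs[start][0] > window:
                start += 1          # slide the window forward past old jobs
            seen = {p for _, p in jobs[start:end + 1]}
            if len(seen) > max_printers:
                alerts[user] = max(len(seen), alerts.get(user, 0))
    return alerts   # {user: peak number of distinct printers hit in one window}
```

On the constructed sample, alice is flagged with four printers in a few seconds while bob's repeated jobs to one printer are not.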