Hamze

Trojan-Downloader.Win32.Agent.mee NOT detected By McAfee

We have a site with 300 PCs where McAfee VirusScan 8.7 (with ePO 4) is installed with the latest DAT file.
A new virus is spreading in the network which freezes the PCs after logon to Windows. After 2 months of searching I found this article, which was the solution:
-------------------------------------------------------------------------------------------------------------------------------
This malicious program is a Trojan. It is a Windows PE EXE file. The size of infected files can range from 70KB to 260KB. It is not packed in any way. It is written in Delphi.

Installation
Once launched, the Trojan copies its body to the “inetsrv” subdirectory of the Windows directory as "lsass.exe":

%System%\inetsrv\lsass.exe

"Hidden" and "read only" attributes are ascribed to this file.

In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%System%\inetsrv\lsass.exe"

This ensures that the Trojan is launched before the user accesses Windows.

The Trojan also creates a unique identifier, “izokraSizokraS” to flag its presence in the system.

It creates the following registry key:

[HKLM\Software\Microsoft\Internet Explorer\inet.]
"Day" = "<date Trojan launched>"

Payload

The Trojan copies its body to all write-accessible network, logical and removable disks as shown below:

<X>:\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\lsass.exe

<X> indicates the disk.

In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:

<X>:\autorun.inf

This file will launch the Trojan executable file each time the user opens an infected disk using Explorer.

"Hidden" and "read only" attributes are ascribed to all files created by the Trojan.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the Trojan process.
2. Delete the following system registry key:
   [HKLM\Software\Microsoft\Internet Explorer\inet.]
   "Day" = "<date Trojan launched>"
3. Delete the following registry key parameter value:
   [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   "load" = "%System%\inetsrv\lsass.exe"
4. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
5. Delete the following files:
   %System%\inetsrv\lsass.exe
   <X>:\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\lsass.exe
   <X>:\autorun.inf
------------------------------------------------------------------------------------
And till now McAfee can't detect this file "%System%\inetsrv\lsass.exe" as a trojan; hope so ASAP.
We don't want to replace it with another antivirus.
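
A read-only triage check for the indicators the quoted article lists, as an added example that is not part of the original post or the article. It assumes "%System%" means the Windows system directory and reports an autorun.inf only if it mentions lsass.exe; the function name is hypothetical.

```powershell
# Added example: reports the article's indicators; it does not delete anything.
function Get-AgentMeeIndicator {   # hypothetical name
    function New-Hit($Type, $Location, $Detail) {
        [pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail }
    }

    # Assumption: "%System%" in the article is the Windows system directory.
    $sysDir = [Environment]::GetFolderPath('System')
    $copy = [IO.Path]::Combine($sysDir, 'inetsrv\lsass.exe')
    if ([IO.File]::Exists($copy)) {
        New-Hit 'File' $copy ("attributes: " + [IO.File]::GetAttributes($copy))
    }

    # "load" autostart value, checked in every loaded user hive, not only HKCU.
    $users = [Microsoft.Win32.Registry]::Users
    $sub = 'Software\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($sid in $users.GetSubKeyNames()) {
        try { $key = $users.OpenSubKey("$sid\$sub") } catch { continue }
        if ($null -eq $key) { continue }
        $load = [string]$key.GetValue('load')
        $key.Close()
        if ($load -like '*\inetsrv\lsass.exe*') {
            New-Hit 'Registry' "HKU\$sid\$sub" "load = $load"
        }
    }

    # Marker key created by the Trojan (name copied from the article as written).
    $markerPath = 'Software\Microsoft\Internet Explorer\inet.'
    $marker = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($markerPath)
    if ($marker) {
        New-Hit 'Registry' "HKLM\$markerPath" ("Day = " + $marker.GetValue('Day'))
        $marker.Close()
    }

    # Dropped copy and autorun.inf on every mounted file-system drive.
    $dropName = 'MSOCache\90000804-6000-11D3-8CFE-0150048383C9\lsass.exe'
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $drop = [IO.Path]::Combine($drive.Root, $dropName)
        if ([IO.File]::Exists($drop)) { New-Hit 'File' $drop 'copy on drive' }
        $inf = [IO.Path]::Combine($drive.Root, 'autorun.inf')
        if ([IO.File]::Exists($inf)) {
            $text = ''
            try { $text = [IO.File]::ReadAllText($inf) } catch { }
            # Assumption: only an autorun.inf that names lsass.exe is reported.
            if ($text -match 'lsass\.exe') { New-Hit 'File' $inf 'references lsass.exe' }
        }
    }
}

Get-AgentMeeIndicator | Format-Table -AutoSize -Wrap
```

On 64-bit Windows, run it from 32-bit PowerShell as well, since HKLM\Software writes made by a 32-bit process are redirected to WOW6432Node.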
