runcmd
Level 10
Message 1 of 8

Trojan - New Malware.j / New Malware.ck / Generic Delphi (ED)

A CD provided by a particular vendor currently has files in an "fscommand" folder which are being detected as "New Malware.ck" when scanned by McAfee VirusScan v8.0i. The CD contains material in the form of a Macromedia Flash presentation. When scanned with VirusScan v8.5, no malware is detected.

The files were originally detected as being "new malware.j" by v8.0i and I submitted a sample to WebImmune, which indicated that the file "may contain a potential virus or trojan threat identified heuristically". I then opened a technical support case with McAfee. The case was escalated and I was told that this is a legitimate detection. I was then provided an EXTRA.DAT which caused both v8.0i and v8.5 to identify the files as "Generic Delphi (ED)". I followed up with the CD supplier and obtained a new CD which is encountering the same phenomenon. It is now being detected as "New Malware.ck" on v8.0i and no detections on v8.5. I also scanned both CDs using AVG on another computer and AVG did not flag any of the files as a trojan or malware. All of the files detected as "New Malware.ck" on both CDs have the exact same MD5 checksum, so they appear to have identical content.

This is the result of scanning the CD on v8.0i, as provided by the OnDemandScanLog...

 


7/15/2008 9:23:20 AM Engine version =5200
7/15/2008 9:23:20 AM DAT version =5338
7/15/2008 9:23:20 AM Number of virus signatures in EXTRA.DAT =None
7/15/2008 9:23:20 AM Names of viruses that EXTRA.DAT can detect =None
7/15/2008 9:23:19 AM Scan Started [Workstation]\[User ID] On-Demand Scan
7/15/2008 9:23:21 AM No Action Taken d:\fscommand\figure_1.2.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:21 AM No Action Taken d:\fscommand\figure_2.1.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:21 AM No Action Taken d:\fscommand\figure_2.3.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:22 AM No Action Taken d:\fscommand\figure_3.2.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:22 AM No Action Taken d:\fscommand\figure_3.6.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:22 AM No Action Taken d:\fscommand\figure_3.7.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:22 AM No Action Taken d:\fscommand\figure_3.8.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:22 AM No Action Taken d:\fscommand\figure_4.1.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:23 AM No Action Taken d:\fscommand\figure_4.10.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:23 AM No Action Taken d:\fscommand\figure_4.2.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:23 AM No Action Taken d:\fscommand\figure_4.3.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:23 AM No Action Taken d:\fscommand\figure_4.4.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:23 AM No Action Taken d:\fscommand\figure_4.5.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:23 AM No Action Taken d:\fscommand\figure_4.6.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:23 AM No Action Taken d:\fscommand\figure_4.7.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:23 AM No Action Taken d:\fscommand\figure_4.8.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:23 AM No Action Taken d:\fscommand\figure_4.9.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Scan Summary
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Processes scanned : 0
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Processes detected : 0
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Processes cleaned : 0
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Boot sectors scanned : 0
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Boot sectors detected: 0
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Boot sectors cleaned : 0
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Files scanned : 105
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Files with detections: 17
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] File detections : 17
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Files cleaned : 0
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Files moved : 0
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Files deleted : 0
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Files not scanned : 0
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Run time : 0:00:05
7/15/2008 9:23:24 AM Scan Complete [Workstation]\[User ID] On-Demand Scan




This is the result of scanning the CD on v8.5, as provided by the OnDemandScanLog...

 


7/15/2008 12:38:22 PM Engine version =5200.2160
7/15/2008 12:38:22 PM AntiVirus DAT version =5339.0000
7/15/2008 12:38:22 PM Number of detection signatures in EXTRA.DAT =None
7/15/2008 12:38:22 PM Names of detection signatures in EXTRA.DAT =None
7/15/2008 12:38:15 PM Scan Started [Workstation]\[User ID] On-Demand Scan
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] Scan Summary
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] Processes scanned : 0
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] Processes detected : 0
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] Processes cleaned : 0
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] Boot sectors scanned : 1
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] Boot sectors detected: 0
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] Boot sectors cleaned : 0
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] Files scanned : 105
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] Files with detections: 0
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] File detections : 0
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] Files cleaned : 0
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] Files deleted : 0
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] Files not scanned : 0
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] Run time : 0:00:16
7/15/2008 12:38:31 PM Scan Complete [Workstation]\[User ID] On-Demand Scan



I currently have my second case open with McAfee technical support on this issue. Has anyone else encountered this same issue?
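An added example, not part of the original post: a small Python parser for OnDemandScanLog lines in the layout quoted above, which compares two scans of the same media and surfaces the engine and DAT versions alongside the per-file detections. The sample logs are constructed (abridged from the excerpts above), and the function names and the assumption that paths contain no spaces are this example's own.

```python
import re
from collections import Counter

# Constructed samples, abridged from the two OnDemandScanLog excerpts quoted above.
LOG_V80 = r"""7/15/2008 9:23:20 AM Engine version =5200
7/15/2008 9:23:20 AM DAT version =5338
7/15/2008 9:23:21 AM No Action Taken d:\fscommand\figure_1.2.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:21 AM No Action Taken d:\fscommand\figure_2.1.pdf.exe New Malware.ck(Trojan)
7/15/2008 9:23:24 AM Scan Summary [Workstation]\[User ID] Files with detections: 2
"""
LOG_V85 = r"""7/15/2008 12:38:22 PM Engine version =5200.2160
7/15/2008 12:38:22 PM AntiVirus DAT version =5339.0000
7/15/2008 12:38:31 PM Scan Summary [Workstation]\[User ID] Files with detections: 0
"""

STAMP = r"^\d+/\d+/\d+ \d+:\d+:\d+ [AP]M\s+"
VERSION = re.compile(STAMP + r"(Engine|(?:AntiVirus )?DAT) version\s*=\s*(\S+)")
# Assumes paths without spaces, as in the quoted log lines.
DETECTION = re.compile(STAMP + r"(?P<action>.+?)\s+(?P<path>[A-Za-z]:\\\S+)\s+"
                       r"(?P<name>.+?)\((?P<kind>[^)]+)\)\s*$")
REPORTED = re.compile(r"Files with detections\s*:\s*(\d+)")


def parse_scan_log(text):
    """Extract engine/DAT versions, per-file detections and the reported count."""
    scan = {"engine": None, "dat": None, "detections": {}, "reported": None}
    for line in text.splitlines():
        if m := VERSION.match(line):
            scan["engine" if m.group(1) == "Engine" else "dat"] = m.group(2)
        elif m := DETECTION.match(line):
            scan["detections"][m["path"].lower()] = (m["name"], m["kind"], m["action"])
        elif m := REPORTED.search(line):
            scan["reported"] = int(m.group(1))
    # A mismatch here means the excerpt is truncated or a line failed to parse.
    scan["complete"] = scan["reported"] == len(scan["detections"])
    return scan


def compare_scans(first, second):
    """Report what differed between two scans of the same media."""
    only_first = sorted(set(first["detections"]) - set(second["detections"]))
    return {
        "engine": (first["engine"], second["engine"]),
        "dat": (first["dat"], second["dat"]),
        "flagged_only_in_first": only_first,
        "names": Counter(first["detections"][p][0] for p in only_first),
    }


if __name__ == "__main__":
    print(compare_scans(parse_scan_log(LOG_V80), parse_scan_log(LOG_V85)))
```

In the logs quoted above the two scans differ in DAT version (5338 vs 5339.0000) as well as product version, so the comparison shows the runs were not like-for-like.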
7 Replies

RE: Trojan - New Malware.j / New Malware.ck / Generic Delphi (ED)

You need to tell this to McAfee technical support and the lab; there is nothing we can do from this end, it's up to the lab.
runcmd
Level 10
Message 3 of 8

RE: Trojan - New Malware.j / New Malware.ck / Generic Delphi (ED)

I did provide support with this information... Please understand that I'm not necessarily looking for a "solution" from the forums, what I want to know is if anyone else has encountered this phenomenon or if I'm an isolated incident. If other people are encountering this issue with Macromedia Flash creations/components/whatever (if this detection is even related to something Macromedia Flash is doing or uses), then there's probably more hope for me in being provided a relatively quick solution. If the problem is isolated to the supplier of the CD, then I may need to pursue applying pressure to their technical support as well. Right now, even though McAfee support previously classified this as a legitimate threat, based upon the current evidence I'm not sold on the fact that whatever is being detected is a legitimate threat and not a false positive. And so I'll take my chances and respectfully ask again... Has anyone else encountered this same issue? Thanks.

Regardless, when I get my answer, I'll be sure to share.

RE: Trojan - New Malware.j / New Malware.ck / Generic Delphi (ED)

If you can upload some of the files to Here see what other vendors make of the files.
runcmd
Level 10
Message 5 of 8

RE: Trojan - New Malware.j / New Malware.ck / Generic Delphi (ED)

Nice! Thank you!!!
runcmd
Level 10
Message 6 of 8

RE: Trojan - New Malware.j / New Malware.ck / Generic Delphi (ED)

That "VirusTotal" website is really nice. I like how they give you the ability to submit a hash and determine if the file has been encountered before--without actually submitting the file. Based upon my submission, "eSafe" has encountered this before as a file named "jstart.exe" and has labeled it as suspicious.

MD5: d7aa80a5ef4fb2b7ad6efc3cdad677f3
SHA1: 10dd53d4e3839f513801833d173d8ed0c8a92857
runcmd
Level 10
Message 7 of 8

RE: Trojan - New Malware.j / New Malware.ck / Generic Delphi (ED)

Follow up: My support case was finally escalated and the sample was determined to be a false positive. The next day's DAT no longer detected any malware with the files in question. Issue resolved.

Thanks!
Reliable Contributor exbrit
Message 8 of 8

RE: Trojan - New Malware.j / New Malware.ck / Generic Delphi (ED)

Glad you are OK now.
