3 Replies Latest reply on Feb 1, 2010 7:15 AM by MoxieMomma

    FP? Trojan w/Citrix GTA?

      Hi:

       

      MSC just picked up/blocked/automatically removed a Trojan (4 times) when I tried to install Citrix GTA from Dell.com/directconnect during a routine screenshare session.

      This download was attempted by clicking on a radio button in a dialog box at the start of the screen share session.

      I think it is a FP, but MSC removed it automatically and wouldn't even let me restore it from Quarantine.

      Tried

       

      I've done Citrix GTA with Dell many times on this box.

      And I just downloaded/installed/ran GTA successfully on my laptop running a different security suite - there were NO problems with detections of any of the files as Trojans.

       

      When I looked in the MSC logs, here is what I found:

      The file was recognized as Trojan Generic.dx!.gut

      The file path was: C:\users\Ronna\downloads\GoToAssistStarter(2).exe

      Process: C:\Windows\System32\SearchProtocolHost.exe

       

      The technician advised restoring the files from Quarantine, and I tried to do so, but the GTA application still would not run, so I aborted the session.

      I have never had a problem with GTA on this machine with MSC before.

       

      I have since run clean scans with Counterspy, MSC, MBAM and SAS.

       

      Your advice?

      False Positive?

       

      TIA,

       

      MM

       

       

      Message was edited by: MoxieMomma on 1/31/10 11:51:28 AM CST
        • 1. Re: FP? Trojan w/Citrix GTA?

          Hi, all:

           

          Would still appreciate assistance w/ this presumptive FP.

          Tried submitting to WebImmune (ID 5775275), but as MSC had automatically quarantined and removed the files in question, all I could send were screenshots with the file paths.

          I'm really no good when this stuff becomes overly technical.

           

          To recoup:

           

          During routine DL/install of Citrix GTA for an unrelated live phone/remote assist tech support session with Dell today, when I clicked the button to DL the GTA client for remote assistance, MSC *immediately* popped up w/alerts that it had detected, blocked, quarantined and removed 2 files it detected as Trojan Generic.dx!.gut.  A second attempt resulted in same (2 more files) detected/removed (total of 4 files).

           

          Given my very limited understanding, I am sure this must be a FP based on the following:

          1) I have used Citrix GTA many times with both Dell (and McAfee) in the past on this machine (it is the same client software used by both companies for remote assist);

2) When I did a live chat/GTA session later today with McAfee T1 and T2, there were no detections/quarantines (even though it required DL/install/use of the same exact GTA software);

          3) I successfully DL/installed and ran the same Citrix GTA client on my OTHER computer ~1 hour later; it is also Dell, but runs another security suite (not McAfee) - no detections;

          4) 2 of the 4 "detections" by MSC today on this system were the actual GTAStarter.exe file;

          5) Scans immediately following this incident with MSC, Counterspy, MBAM and SAS were all clean (no Trojans, no nothing).

          6) I was on the phone and online directly with Dell North American fee-based tech support when this happened (I have a support contract for this), not browsing or downloading from a suspicious site, and there were no browser hijacks or other suspicious behaviors.

           

          Since MSC automatically removed the files (so I don't think they are still on the machine), I don't know how to proceed w/submitting them to AVERT.

           

          All I have are screenshots from the MSC logs, if that will help.

           

          Aside from the annoyance and "fear factor", it looks like I cannot do a remote assist with Dell Tech Support until this is fixed.

          If it really is something "real", then that's VERY spooky, b/c it happened during a live tech support session with Dell.

           

          Would sure appreciate your help.

           

          Thanks!

           

          MM

          • 2. Re: FP? Trojan w/Citrix GTA?

            Hello MoxieMomma,

             

            Thanks for your report. We apologize for any inconvenience this has caused.

             

            Unfortunately, without a sample for analysis, we are unable to investigate the issue further.  If you still have the application in an installation media, please try to send us for analysis, in a password-protected ZIP file (password - infected) to virus_research@avertlabs.com with the word "False" in the subject line. Or, you can send it to us via WebImmune as you have submitted the screenshot.

             

            Here are some brief instructions for creating a password-protected zip file for WinZip.  If you have different software or if you need further instructions, please consult technical support of the archiving software you have.
            WinZip is available for download at www.winzip.com
            1) Create a new zip file
            2) In WinZip, choose Options, then Password, then type the password "infected"
            3) Place your infected files in the Zip file
            4) Close the archive and send it to Virus_Research@avertlabs.com with the description you included in your first email.

            If you're using WinZIP you can tell if the files have been password-protected because there will be a plus-sign at the end of the filename (i.e. "filename.exe+").  You can also try to extract the file from the ZIP file again, at which time it should prompt you for a password before extracting.

             

If the previous suggestions do not help, please contact Technical Support for further assistance in capturing the file.

             

            Best regards,

             

            Patty Ammirabile
            McAfee Labs

            • 3. Re: FP? Trojan w/Citrix GTA?

              pammirab wrote:

               

              Hello MoxieMomma,

               

              Thanks for your report. We apologize for any inconvenience this has caused.

               

              Unfortunately, without a sample for analysis, we are unable to investigate the issue further.  If you still have the application in an installation media, please try to send us for analysis, in a password-protected ZIP file (password - infected) to virus_research@avertlabs.com with the word "False" in the subject line. Or, you can send it to us via WebImmune as you have submitted the screenshot.

               

              Here are some brief instructions for creating a password-protected zip file for WinZip.  If you have different software or if you need further instructions, please consult technical support of the archiving software you have.
              WinZip is available for download at www.winzip.com
              1) Create a new zip file
              2) In WinZip, choose Options, then Password, then type the password "infected"
              3) Place your infected files in the Zip file
              4) Close the archive and send it to Virus_Research@avertlabs.com with the description you included in your first email.

              If you're using WinZIP you can tell if the files have been password-protected because there will be a plus-sign at the end of the filename (i.e. "filename.exe+").  You can also try to extract the file from the ZIP file again, at which time it should prompt you for a password before extracting.

               

If the previous suggestions do not help, please contact Technical Support for further assistance in capturing the file.

               

              Best regards,

               

              Patty Ammirabile
              McAfee Labs

              Hi, Patty:

               

              Thanks.

              Sorry for being so ignorant, but I've never had malware issues on any system for years.

               

              I seem to be caught in a Catch-22 situation -- MSC blocked and removed the files before I had a chance to allow or save them.

              So, despite my trying to follow your instructions, I get stalled at the very first step.

              Moreover, even if I had the file in question and even though I run WinZip and know how to create zip files, I wouldn't know how to zip the file in question without RUNNING it. If it is an executable file and I were to do so, that would wreak havoc, right?

And if the files are no longer on the machine, then how can I send the "samples"?

              All I have is the file paths.

              I'm sorry, but I just don't understand.

               

              So, I am really in a jam.

              I need to be able to conduct remote access sessions with tech support from Dell from time to time (and will DEFINITELY need to be able to do so when I undertake my planned Vista -> 7 upgrade soon).

              I have done so many times in the past, used the very same Citrix GTA software to connect with *McAfee* TS just yesterday (and on another computer with Dell yesterday, as well), and have never had issues either with GTA or with MSC detecting it as a Trojan.

               

              Were you able to look at the file paths/processes in the screenshots?

              Would it be safe to try to restore these files?

               

              I am no power user, but am pretty competent at running home computers, having run XP, Vista and 7 platforms for >15 years, using McAfee and other ISSs.

              The past few weeks have been my first experience with possible infections, significant FPs or other major issues.

               

              I would sure appreciate your advice and assistance.

              At this point, given the issues with MSC for the past month (440297878, 441965056, 448838768), I am ready to give up and take advantage of my OS upgrade to install a different product.

I hesitate to do so b/c of the cost, learning curve and realization that "the grass is always greener".  And, in general, although the offshore phone and live chat TS at McAfee is marginal at best, the forums (esp the McAfee and volunteer moderators) have been quite helpful.

               

              But I need to be able to use my computer efficiently, as safely as possible and without spending countless hours troubleshooting or waiting (as in the case with the update server issues) for the company to resolve significant issues.

               

              Leaving for work now, won't be back to check emails until late afternoon.

               

              Please advise as to how to proceed.

              I'm pretty much at my wit's end.

               

              Thanks,

               

              MM
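Two points in this thread are worth a worked illustration: the McAfee Labs instructions for packaging a suspected false-positive sample into a zip archive (reply 2), and the question in reply 3 of whether zipping an executable requires running it. The Python script below is an added example written for this thread; it is not McAfee's tool and not part of any post. It builds a constructed stand-in file (harmless text bytes, not a real program), reads it purely as data, records its size and SHA-256 in a manifest, stores both in a zip, and re-reads the archive to confirm the stored copy matches. The file name reuses the path from the original post; the manifest layout and function names are this example's own. The Python standard library cannot write password-protected zips, so the "infected" password step from the instructions still has to be applied in WinZip or 7-Zip afterwards; this script only prepares the archive and the hashes a lab can use to identify the sample.

```python
import hashlib
import os
import tempfile
import zipfile

# Constructed stand-in for a quarantined download: harmless text bytes, NOT a real executable.
SAMPLE_NAME = "GoToAssistStarter(2).exe"
SAMPLE_BYTES = b"constructed placeholder bytes - this is not a real program\n"


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Hash a file by reading it as raw bytes in 64 KiB chunks.
    Opening in 'rb' mode only reads the bytes; nothing here loads or executes the file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def package_sample(sample_path, archive_path):
    """Copy the sample's bytes into a zip next to a manifest with its name, size and SHA-256.
    Returns the manifest fields so they can be quoted in the submission e-mail."""
    info = {
        "name": os.path.basename(sample_path),
        "size": os.path.getsize(sample_path),
        "sha256": sha256_of_file(sample_path),
    }
    manifest = "{name}\nsize={size}\nsha256={sha256}\n".format(**info)
    with zipfile.ZipFile(archive_path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.write(sample_path, arcname=info["name"])  # stores the bytes, never runs them
        zf.writestr("manifest.txt", manifest)
    return info


def verify_archive(archive_path):
    """Re-open the archive and check that the stored copy hashes to the manifest's value."""
    with zipfile.ZipFile(archive_path) as zf:
        lines = zf.read("manifest.txt").decode().splitlines()
        name = lines[0]
        expected = lines[2].split("=", 1)[1]
        actual = sha256_of_bytes(zf.read(name))
    return actual == expected


def demo():
    """Write the constructed sample to a temp dir, package it, verify the archive,
    and return the manifest fields plus the archive's member list."""
    with tempfile.TemporaryDirectory() as tmp:
        sample_path = os.path.join(tmp, SAMPLE_NAME)
        with open(sample_path, "wb") as f:
            f.write(SAMPLE_BYTES)
        archive_path = os.path.join(tmp, "sample.zip")
        info = package_sample(sample_path, archive_path)
        with zipfile.ZipFile(archive_path) as zf:
            info["members"] = sorted(zf.namelist())
        info["verified"] = verify_archive(archive_path)
    return info


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as-is to see the manifest for the constructed file; point `package_sample` at a real quarantined file (one the product has been told to leave in place, or restored to a folder excluded from scanning) to produce an archive and hashes for a lab submission. The lab can match a SHA-256 against its sample database even when the archive itself is blocked in transit, which is why the manifest travels with the file.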