10 Replies Latest reply on May 11, 2010 6:51 AM by SamSwift

    VSE 8.7i ineffective against XP Antispyware 2010 malware

    csteels

      We have just had an issue with a case of the XP Antispyware 2010 fakealert trojan being brought into our network from a laptop user. The laptop in question is running McAfee Agent 4.5, VirusScan 8.7i (Patch 2) + Antispyware Module running the latest DAT file.

      Looking in the forums and googling the problem, it seems other people have had this completely slip by an up-to-date McAfee setup, including several weeks ago. Why is it that after several weeks this can still happen and potentially compromise our systems when we are paying a huge amount of money annually to protect us from this happening???

      Reading about the Fakealert Stinger that some McAfee staff have had other people use, it seems to do as much damage, if not more, to people's systems as having the virus.

      I'm assuming that my best bet is to get the user's laptop wiped and rebuilt rather than spend hours of my time trying to clean it out of the system?

      Out of interest (and because it seems incapable of picking them up, let alone removing them), are there any entries I can put into the Unwanted Programs Policy for VSE 8.7 that can help to prevent this malware from getting installed and running?


      Message was edited by: csteels on 22/02/10 06:22:38 CST
        • 1. Re: VSE 8.7i ineffective against XP Antispyware 2010 malware

          Sorry to hear about your issues. Sometimes new variants can come out quickly before AV vendors have a chance to respond.

          The following document may assist: http://service.mcafee.com/FAQDocument.aspx?id=TS100767

          You mentioned that you have tried the Fakealert Stinger program. I would also recommend trying the Malwarebytes Anti-Malware scanner, which could help in the removal.

          • 2. Re: VSE 8.7i ineffective against XP Antispyware 2010 malware

            Hi Csteels,

            I am a little surprised to know that the McAfee AV missed out on the Fakealert malware. It is my hobby and passion to keep testing the AVs with the new bunch of malware out there. The last time I tested McAfee (with Artemis set to Very High), all the nasties were detected and outright cleaned/deleted.

            With all due respect to you and your findings, there may be a case that this is a new variant and hence McAfee may have missed it. I also know for a fact that you as a Network Admin would not be able to set Artemis to a very high level. However, I can suggest something:

            When you know for a fact that the machine is infected, it might be helpful for you to set Artemis to VERY HIGH and set the default and secondary action of the AV to just report the findings and not take any action. That way, you can see if a false alarm has been raised and take the actions accordingly.

            All the best with that, buddy!

            Keep the forum posted ...

            Sameer

            • 3. Re: VSE 8.7i ineffective against XP Antispyware 2010 malware
              Attila Polinger

              Allow me to mention one more tip in this respect: it may be useful to enable some Access Protection rules as well as Artemis. In my experience (having been infected twice, with Antispyware 2008 and 2009 respectively), these like to download and install in places that Access Protection can, although blindly, deny access to, such as the "autorun" locations (including the Winlogon\Notify registry area, a fakealert trojan's favourite place), Internet Explorer browser helper objects, and CLSID installations (driver/downloader .DLL).

              Ever since I enabled these rules, I have not been infected with such malware.

              • 4. Re: VSE 8.7i ineffective against XP Antispyware 2010 malware
                csteels

                Out of curiosity I have isolated the machine in question and am running a full scan again with the Artemis heuristic setting on Very High. It has reported back that it has found and cleaned Threat Name: Artemis!FD90DA927CD3.

                It looks to have cleaned the virus off, but now when we try to open any programs it asks what we want to open them with, as if it has disassociated the link from the .exe file to open up the corresponding application.

                Has anybody else had a similar issue with this happening?

                • 5. Re: VSE 8.7i ineffective against XP Antispyware 2010 malware

                  Csteels,

                  That's a positive to look at.

                  Now that you have received the report that McAfee has cleaned/deleted the threat, the other pop-up that you get is nothing but the remnants of the malware. Sometimes, the non-malicious registry entries are left behind by the AVs.

                  You might want to select a default path for the programs to execute so that the next time you do not get the "Open with" option. Also, please delete the corresponding files from your disk pertaining to the malware. In Program Files on drive C, you may have some folders with an unusual name or simply named XP Antivirus, etc. Delete the files. Also, take a look at msconfig and see if anything unusual is set to autorun. Disable the same, and also just take a look at the registry keys using regedit.exe and delete the entries relating to XP Antivirus, but be very cautious.

                  I hope this should take care of it for good!

                  Sameer

                  • 6. Re: VSE 8.7i ineffective against XP Antispyware 2010 malware

                    There is a registry file you can import (by double-clicking) to repair the file association for .exe files. I'll attach the Windows XP version. You should examine the file to see that you are comfortable with it before using it, but I was satisfied and it does work. I found it necessary to do this under my own login as well as the customer's login, which didn't exactly make sense to me since the changes in the reg file are to HKEY_CLASSES_ROOT, but there you go.

                    Gary Knigge

                    Division of Technology Services

                    UW-River Falls
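Gary's attachment is not part of this page. As an added example, not code from the thread, from Gary's file or from McAfee, the PowerShell script below checks the two registry values behind the .exe file association (the ones the fakealert breaks, producing the "Open with" prompt) and, only after exporting a backup of both keys, restores the standard Windows values. It assumes PowerShell 2.0 or later in an elevated (Administrator) session; the function names are my own.

```powershell
# Added example, not the thread's code, Gary's attachment or anything from McAfee.
# Checks the two registry values behind the .exe file association (what the
# fakealert breaks, producing the "Open with" prompt) and, after exporting a
# backup of both keys, restores the standard values. Assumes PowerShell 2.0 or
# later in an elevated (Administrator) session.
$expected = @{
    'HKCR\.exe'                      = 'exefile'
    'HKCR\exefile\shell\open\command' = '"%1" %*'
}

function Get-ExeAssociationStatus {
    # One object per key: current default value, expected value, and whether they match.
    foreach ($key in $expected.Keys) {
        $psPath  = 'Registry::HKEY_CLASSES_ROOT\' + $key.Substring(5)
        $current = $null
        if (Test-Path $psPath) {
            $current = (Get-ItemProperty -Path $psPath).'(default)'
        }
        New-Object PSObject -Property @{
            Key = $key; Current = $current; Expected = $expected[$key]
            Ok  = ($current -eq $expected[$key])
        }
    }
}

function Repair-ExeAssociation {
    # Export both keys first (the thread's "back up your Registry" advice);
    # refuse to change anything if the backup fails.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($key in 'HKCR\.exe', 'HKCR\exefile') {
        $file = Join-Path $env:TEMP ('{0}-{1}.reg' -f ($key -replace '[\\.]', '_'), $stamp)
        & reg.exe export $key $file | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $key failed; registry left untouched." }
        Write-Host "Backup of $key written to $file"
    }
    foreach ($key in $expected.Keys) {
        $psPath = 'Registry::HKEY_CLASSES_ROOT\' + $key.Substring(5)
        if (-not (Test-Path $psPath)) { New-Item -Path $psPath -Force | Out-Null }
        Set-ItemProperty -Path $psPath -Name '(default)' -Value $expected[$key]
    }
}

$status = Get-ExeAssociationStatus
$status | Format-Table Key, Ok, Current -AutoSize
if ($status | Where-Object { -not $_.Ok }) {
    Repair-ExeAssociation
    Get-ExeAssociationStatus | Format-Table Key, Ok, Current -AutoSize
}
```

The exported .reg files can be re-imported with a double-click if the repair has to be undone, which matches Gary's point about inspecting any .reg file before trusting it.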

                    • 7. Re: VSE 8.7i ineffective against XP Antispyware 2010 malware
                      SamSwift

                      It's an unfortunate fact that the guys behind this stuff release new versions on a very regular basis, so there are times when they will be newer than even our Artemis detections. Adding AP rules is a very sensible idea; there is a lot you can prevent with Access Protection, especially if you have users with power user or admin privileges on their machines.

                      If you do get hit with something new, please do submit a sample to us via http://www.webimmune.net or, if you are a corporate user, you will soon be able to submit via a new feature on the service portal, which is due to be formally launched any day now. If you need the sample to be urgently escalated, or you are facing a widespread outbreak, it's always best to give support a call; the phone numbers can be found in the Gold Support Handbook.

                      Kind regards,

                      Sam

                      • 8. Re: VSE 8.7i ineffective against XP Antispyware 2010 malware

                        What I find unfortunate in this sordid drama is that one of my user support folks here told me this morning that he's using Microsoft's Security Essentials on his PC at home, and that when the occasional "OMG!!, YOUR COMPUTER IS INFECTED, AND IT'S GOING TO EXPLODE AND MELT DOWN YOUR HARD DRIVE AND CAUSE SMOKE AND GENERAL DESTRUCTION IF YOU DON'T CLICK ON 'SCAN ME NOW,'" popup pops up, MSSE pops up right behind it and REMOVES IT without any drama!

                        If (that was a bit harsh) THEY can get this right, even with all the iterations and variations that are created, why can't you?

                        I realize that this comment is a bit snarky, but a hell of a lot of man hours are being spent dealing with this issue, rather unnecessarily, I believe.

                        Thanks for listening!

                        Jim

                        Message was edited by: JimAvery for grammar on 3/11/10 1:34:41 PM CST

                        Message was edited by: JimAvery for crassness on 3/12/10 6:36:36 AM CST
                        • 9. Re: VSE 8.7i ineffective against XP Antispyware 2010 malware
                          MrL0gistiX

                          Although our organization is seeing some impact related to users having local admin rights, it is apparent much of this 'scareware' is being written to leverage what few permissions exist for members of the Local Users group (non-admins). What I don't see in this thread is any discussion of what sort of VSE configurations were in effect at the time. Default settings are usually (thanks again to M$) pretty lax, in order to allow easy rollouts, but don't think for a minute that will afford you sufficient long-term security, especially these days.

                          Anyone tasked w/ ensuring the security of their own computer, much less an entire organization, would be well-advised to become familiar with some of the more restrictive settings in VSE, specifically Autorun in Access Protection. Using a free tool such as CCleaner may help familiarize you w/ the various 'Run' keys in the Windows Registry (all users have Change permissions to the Current User hive).

                          It's no accident Antivirus XP 2009, etc., take advantage of basic user permissions that allow customization of the Windows 'Experience' to replace Windows nag screens w/ their own. MalwareBytes will also find & correct registry mods made by Antivirus XP; McAfee VSE, however, 'merely' removes the hostile code. You may need to repair settings damaged/altered by the malware, which in many cases is restricted to the Run keys in one or more hives.

                          And remember, kids, ALWAYS back up your Registry BEFORE making any changes!
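Attila's and MrL0gistiX's posts above both point at the autorun locations (the per-hive Run keys, Winlogon\Notify, Internet Explorer browser helper objects) as where this scareware persists and as what Access Protection should be guarding. As an added example, not code from the thread or from McAfee, the PowerShell script below lists those locations and flags any target outside the Windows and Program Files folders for a technician to review before touching the Registry; it assumes PowerShell 2.0 or later, and the function names and the "trusted folder" rule are my own.

```powershell
# Added example, not the thread's code or McAfee's: enumerates the autorun
# locations the posts above discuss (Run/RunOnce in HKCU and HKLM, Winlogon\Notify,
# Browser Helper Objects) and flags any target outside Windows or Program Files.
# Read-only, it changes nothing. Assumes PowerShell 2.0 or later.
$trusted = @($env:SystemRoot, $env:ProgramFiles) | ForEach-Object { $_.ToLower() }

function Get-CommandPath([string]$cmd) {
    # Pull the executable out of a Run value, whether or not it is quoted.
    if ($cmd -match '^\s*"([^"]+)"') { return $matches[1] }
    return ($cmd -split '\s+')[0]
}
function Test-Trusted([string]$path) {
    $p = [Environment]::ExpandEnvironmentVariables($path).ToLower()
    if ($p -and $p -notmatch '\\') { $p = "$($env:SystemRoot)\system32\$p".ToLower() }  # bare DLL name
    foreach ($t in $trusted) { if ($p.StartsWith($t)) { return $true } }
    return $false
}
function New-Entry($loc, $name, $target) {
    New-Object PSObject -Property @{ Location = $loc; Name = $name; Target = [string]$target;
                                     Suspicious = -not (Test-Trusted ([string]$target)) }
}
function Get-AutorunEntries {
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
                New-Entry "$hive\$sub" $p.Name (Get-CommandPath ([string]$p.Value))
            }
        }
    }
    # Each Winlogon\Notify subkey names a DLL loaded at logon (a fakealert favourite).
    $notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($k in Get-ChildItem $notify) {
            New-Entry 'Winlogon\Notify' $k.PSChildName (Get-ItemProperty $k.PSPath).DllName
        }
    }
    # Browser Helper Objects are CLSIDs; resolve each to its in-process DLL.
    $bho = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        foreach ($k in Get-ChildItem $bho) {
            $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($k.PSChildName)\InProcServer32"
            New-Entry 'BHO' $k.PSChildName $(if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '' })
        }
    }
}

Get-AutorunEntries | Sort-Object Suspicious -Descending | Format-Table Location, Name, Suspicious, Target -AutoSize
```

A flagged entry is a lead, not a verdict: legitimate software in unusual folders will show up too, so compare each target against what is actually installed before removing anything.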
