5 Replies Latest reply on Jul 25, 2010 8:36 PM by rdavis

Yesterday we were infected with (2) Artemis Trojans. Why didn't McAfee's Artemis protection work?

During a download of our usual emails, still using all our known safety precautions (firewall, our router's firewall, McAfee, all safe email practices), we received, to start with, the Artemis and then, later that next day, the Artemis 6E32093050CA, known as a file called "qpsssftav.exe". Even before this event (McAfee full scans) and after this event (McAfee full scans), McAfee did not find any malware infecting our computer! What was infecting our computer was "ANTIVIRUS SOFT". We did a Google search and found Malwarebytes Anti-Malware software, hoping this would be a solution to our infection. Malwarebytes Anti-Malware, once downloaded and updated, found (10) infections to start with. Everything from SPYWARE to ROGUE to TROJANS to ADWARE and more! We can't figure out why that would be, especially after using McAfee for over 4 years. Still, 2 days later we are still finding additional malware threats on our computer and have removed them thanks to Malwarebytes Anti-Malware software and not McAfee Total Protection. We even went as far as downloading McAfee's Stinger. But that didn't work either. What happened to "TOTAL PROTECTION"? Why is that?

• 1. Re: Yesterday we were infected with (2) Artemis Trojans. Why didn't McAfee's Artemis protection work?
          secured2k

No antivirus will detect 100% of the malware out there. Many times, a generic piece of malware will slip by many antivirus programs, and by the time it gets to computer help forums, the only infections left are the hard-to-detect ones. Programs like MalwareBytes do not spend any resources or time detecting and analyzing the thousands of other security threats and viruses out there, but rather devote all their time and effort to a small sample of troublesome malware.

           

          In your case, it seems like you had something come in that was later detected and added to Artemis.

           

Artemis technology is a method of speeding up the response time for a detection. For example, if a new virus appears and no scanner in the world sees it, every security product based on file detection will fail. However, once McAfee captures a sample via submission or honeypots, the sample can be analyzed by advanced automated systems. If it is found to be suspicious in any way, it can be added to Artemis, and anyone else using Artemis may get a detection alert immediately after it's added to the Artemis database. Only after the file has been accurately analyzed by a researcher will it be added to the DATs. This could take days, but with Artemis, users all over the world are protected within minutes of the submission and automated analysis of a malware sample.

           

It is not fair to compare antivirus detections to an anti-spyware product (like MalwareBytes) because of how they report detections. For example, MalwareBytes will have all sorts of names like Rogue, Trojan, Adware, etc., while McAfee may consider them all Trojans. Also, MalwareBytes detects registry entries, which may account for many detections, while McAfee works to remove just the bad file(s) which actually contain the code instructions to do bad things on your computer. I have even seen MalwareBytes detect bad filenames even if the file was completely empty and harmless. McAfee will not do this.

           

Remember that McAfee depends on getting samples to help detect new threats out there. Unfortunately, with many people using tools like MalwareBytes, these samples never get submitted to McAfee for analysis. If you are able to capture an Artemis or undetected malware sample, please submit it to McAfee at the following web site:

           

          https://www.webimmune.net/default.asp

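The two-stage flow the reply above describes (a local DAT signature scan first, then a cloud lookup that can start flagging a sample within minutes of its submission, long before a DAT release), as an added example that is not part of the original thread and not McAfee's code. Python is used so it runs anywhere. Everything in it is constructed: the byte-pattern "DAT", the in-memory stand-in for the cloud reputation service, the sample files, and the automated analysis step (abstracted to a single `submit` call). That Artemis works by sending a file fingerprint (hash) for lookup, and the `Artemis!<hex>` naming built from the first twelve hex digits of a SHA-256, are this example's assumptions, not statements from the post.

```python
"""Toy model of DAT signatures versus a cloud hash-reputation lookup.

Added example for illustration; the signatures, hashes, samples and
the 'cloud' table below are all constructed, not McAfee data.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed DAT-style signatures: detection name -> byte pattern that
# must appear in the file.  Real DATs are far richer; this is the idea only.
DAT_SIGNATURES: Dict[str, bytes] = {
    "FakeAlert-Example": b"ANTIVIRUS SOFT",
}


def sha256_hex(data: bytes) -> str:
    """Fingerprint used for the reputation lookup (assumed: a hash)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ReputationService:
    """Stand-in for the cloud side of Artemis.

    A fingerprint submitted via submit() is flagged immediately, which
    is the 'minutes instead of days' property the reply describes.
    The automated analysis that decides a sample is bad is abstracted
    away here: every submitted sample is treated as malicious.
    """
    known_bad: Set[str] = field(default_factory=set)

    def lookup(self, digest: str) -> bool:
        return digest in self.known_bad

    def submit(self, data: bytes) -> str:
        digest = sha256_hex(data)
        self.known_bad.add(digest)
        return digest


def scan_with_dats(data: bytes) -> Optional[str]:
    """Local DAT scan: the detection name, or None on a miss."""
    for name, pattern in DAT_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan(data: bytes, cloud: ReputationService) -> str:
    """Full flow: DATs first, then the cloud fingerprint lookup.

    Returns 'DAT:<name>', 'Artemis!<hex>' or 'clean'.
    """
    name = scan_with_dats(data)
    if name:
        return f"DAT:{name}"
    digest = sha256_hex(data)
    if cloud.lookup(digest):
        # Assumed naming: a fragment of the fingerprint, like the
        # 'Artemis 6E32093050CA' style seen in the original post.
        return f"Artemis!{digest[:12].upper()}"
    return "clean"


def demo() -> Dict[str, str]:
    """Walk a constructed rogue and a constructed fresh dropper through
    the flow; returns the verdict at each stage."""
    cloud = ReputationService()
    # Constructed sample 1: an older rogue that the DAT pattern catches.
    old_rogue = b"MZ\x90\x00 constructed ANTIVIRUS SOFT rogue installer"
    # Constructed sample 2: a fresh dropper no DAT knows about yet.
    fresh = b"MZ\x90\x00 constructed dropper with no DAT coverage"

    results = {}
    results["old_rogue"] = scan(old_rogue, cloud)        # DAT hit
    results["fresh_before"] = scan(fresh, cloud)         # misses both stages
    cloud.submit(fresh)                                  # sample submitted
    results["fresh_after"] = scan(fresh, cloud)          # Artemis hit now
    # One byte changed (a repack) and the exact-match fingerprint misses
    # again: hash reputation protects against the file that was seen,
    # not its variants, until a DAT with a real signature ships.
    results["fresh_variant"] = scan(fresh + b"\x00", cloud)
    return results


if __name__ == "__main__":
    for stage, verdict in demo().items():
        print(f"{stage:14s} -> {verdict}")
```

The last step is the practical caveat: a reputation lookup keyed on a fingerprint only catches the exact file that was submitted, so a repacked or slightly altered variant falls back to "clean" until researchers ship a DAT signature. That is why the reply asks for the exact undetected file to be submitted rather than only cleaned up.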
• 2. Re: Yesterday we were infected with (2) Artemis Trojans. Why didn't McAfee's Artemis protection work?

            Thanks Mark,

We understand better now! We didn't know there was that much of a difference between anti-malware software and McAfee. We only thought "Total Protection" meant total protection. Go figure!

             

            Just so we are clear here. We still continue to use McAfee on our PC's and also McAfee Secure for our website for PCI compliance and testing for threats.

             

Now that you have opened the door: what we tried to do the first time we got infected by this malware, over 1 month ago, called ANTIVIRUS SOFT, was to submit this file "qpssftav.exe", otherwise known as Artemis 6E32083050CA, to McAfee to test. But after contacting McAfee support by email, and a lot more trouble than it was worth, 1 week later our reply was, "sorry, we don't do that anymore". OBTW, here is a survey, how about telling us how we did regarding your case. So we filled out the survey, not holding anything back!

             

Now, as I have been researching this Trojan for over 3 days, I find out otherwise. Too little, too late really! We have already destroyed the offending file. The first time we just reformatted our hard disk and re-uploaded all the files again. This time we took 3 days to hunt the Trojan down and remove it completely.... we hope!

             

            I included the log file on the cleanup.

             

            Regards,

            Robert

• 3. Re: Yesterday we were infected with (2) Artemis Trojans. Why didn't McAfee's Artemis protection work?
              secured2k

              Robert,

               

              McAfee has created a special version of its Stinger tool to help detect and remove these FakeAlert trojans. You can read more information and download it at the following links.

              ---

              Fake Alert Stinger - More Information

              Fake Alert Stinger - Direct Download

              ---

               

After looking at your logs, they show 1-2 bad files, a few registry entries and logged system data. The main threat you had was the C:\Windows\System32\sdra64.exe file. Hopefully McAfee will have other samples submitted that will help prevent this infection in the future. I have personally been pushing McAfee to offer stronger protection of the weaker areas of security in Windows, including protecting the Winlogon section (the location where this virus loads). I know this option is available in the Enterprise software, and the feature is available in Total Protection but is not enabled by default. This is probably because it could also break legitimate programs.

               

I'm sorry you had trouble with McAfee support. You are right to express your experience in the survey in the hope that the issue doesn't happen again. The file submission should have been sent to http://www.webimmune.net/ or emailed in a password-protected ZIP file (password: infected) to virus_research@avertlabs.com.

               

The second log only showed leftover settings that had already been removed or protected against by McAfee. There was no real threat here, but these leftover entries were probably added by the "sdra64.exe" Trojan in an attempt to download and install other fake alert security software.

               

I hope that, with the samples being picked up by Artemis, they will soon be automatically rolled into your main DATs and protection against this threat will be properly handled and blocked.

               

               

              Message was edited by: Mark (secured2k) - Minor Formatting on 2/25/10 1:36:32 AM EST
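The reply above names the Winlogon section as the place where sdra64.exe loads. The check below is an added example, not part of the thread and not McAfee's code: it audits the Winlogon autostart values for executables chained in after the expected ones. Its assumption, which the post does not state but which matches how sdra64.exe (a well-known Zbot/Zeus component) is generally documented, is that the persistence lives in the Userinit value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which should hold only userinit.exe, with Shell holding only explorer.exe. Python is used so the parsing runs against a registry export on any platform; on Windows it reads the live hive. The infected and clean sample values are constructed.

```python
"""Audit Winlogon's Userinit and Shell values for extra executables.

Added example; the registry samples below are constructed.  Assumption:
a Zbot-style persistence appends a second program to Userinit, e.g.
  C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,
"""
import ntpath
import sys
from typing import Dict, List

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Programs that belong in each value, compared by basename, case-insensitively.
EXPECTED: Dict[str, set] = {
    "Userinit": {"userinit.exe"},
    "Shell": {"explorer.exe"},
}


def split_value(raw: str) -> List[str]:
    """Split a comma-separated Winlogon value into its entries.

    Trailing commas (Windows tolerates them and the infection leaves one
    behind), surrounding quotes and whitespace are stripped; empty items
    are dropped so a harmless trailing comma never counts as a finding.
    """
    entries = []
    for item in raw.split(","):
        item = item.strip().strip('"').strip()
        if item:
            entries.append(item)
    return entries


def unexpected_entries(name: str, raw: str) -> List[str]:
    """Every entry in value `name` whose basename is not on the allow list."""
    allowed = EXPECTED[name]
    return [e for e in split_value(raw)
            if ntpath.basename(e).lower() not in allowed]


def audit(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit a {value_name: raw_string} mapping (from a .reg export or the
    live hive); returns only the values that carry unexpected entries."""
    findings: Dict[str, List[str]] = {}
    for name in EXPECTED:
        if name in values:
            extra = unexpected_entries(name, values[name])
            if extra:
                findings[name] = extra
    return findings


def read_live_winlogon() -> Dict[str, str]:
    """Read the real values on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard-library module
    out: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in EXPECTED:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass
    return out


# Constructed samples: a Zbot-style modification next to a clean host.
INFECTED_SAMPLE = {
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
    "Shell": "Explorer.exe",
}
CLEAN_SAMPLE = {
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "Shell": "explorer.exe",
}

if __name__ == "__main__":
    # Live registry on Windows, otherwise the constructed infected sample.
    target = read_live_winlogon() or INFECTED_SAMPLE
    findings = audit(target)
    if not findings:
        print("Winlogon values look clean")
    for value, extra in findings.items():
        print(f"{value}: unexpected {extra}")
```

Matching on basename rather than the full path is deliberate: a stock Userinit value may be written with either %SystemRoot% or a literal drive path depending on the install, and the signal that matters is a second program in the chain, not the spelling of the first. A finding here is a strong indicator, but the flagged file still needs to be captured and submitted (as the reply describes) rather than simply deleted, or the protection never improves for the next victim.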
• 4. Re: Yesterday we were infected with (2) Artemis Trojans. Why didn't McAfee's Artemis protection work?
                SamSwift

                Marking as 'assumed answered' due to age of thread. If you need any further assistance please don't hesitate to let us know.

• 5. Re: Yesterday we were infected with (2) Artemis Trojans. Why didn't McAfee's Artemis protection work?

5 months later (after McAfee missed a keystroke virus for months) we're just getting done rebuilding our company's life...

                   

So, thanks to McAfee's inability to catch this keystroke virus that infected all 4 computers on our network, all 4 computers had to be completely erased and started over from scratch by reinstalling all our programs, because the 6 months of backups could not be trusted due to the possible length of our infection, which McAfee's Total Protection program never found in almost 8 months of scanning, checking, updating and hoping our data and information were secure... or at least mostly secure.

                   

Due to the severe nature of this failure we had to close and reopen 3 merchant bank accounts, 5 regular bank accounts and 6 company credit cards, close and reopen 68 vendor accounts and passwords, not to mention re-associating our credit card payments with 23 of our vendors, re-inputting 6 months of client accounting data and filing our 2009 taxes late because the virus infection hit just before our tax time!

                   

Let's not forget the loss of business emails, client information started but not completed, and the loss of revenue because of this delay to start over and any projects not started that were lost in this process. And let's not forget all the email accounts whose passwords had to be changed and reinstalled on our servers and our network computers. I could go on, but I think you'll get the point by now!

                   

Although we never lost more than $100 at any one time during this hell, we certainly lost over $10,000.00 in man hours and lost revenue cleaning this holocaust up.

                   

If I sound a little bitter, YA, go figure why!

                   

                  Thanks McAfee for a job in the toilet.

                   

                  Robert