6 Replies Latest reply on May 12, 2010 10:57 PM by cyberpro

    W32/Conficker.worm!inf

      Hello All,

       

      I did a scan on one of the drives and got the following results (please see attached snapshot). I am assuming that these are some remnants left and not the actual Conficker Worm, correct? So, I should not be worried about this existing as well, right? Kindly advise,

       

      Thanks,

       

      Cyberpro

        • 1. Re: W32/Conficker.worm!inf

          So, can somebody tell if this is a real infection here or false positive (Artemis side)?

          Thanks,

           

          Cyberpro

          • 2. Re: W32/Conficker.worm!inf

            Hello CyberPro,

             

            I received your message and reviewed the attached screenshot.

             

            You should attempt to submit the Artemis detection as it follows the characteristics (location and filename) of the associated Conficker worm.

            McAfee Submit a Sample -> http://vil.nai.com/vil/submit-sample.aspx

             

            It is possible that the virus is inactive as a Microsoft patch would prevent the host computer from automatically running the commands in the .inf file. However, older unpatched systems accessing the drive or network location or an accidental wrong click could easily activate this virus again. This virus has many ways to spread and update itself to new versions so I would suggest you disconnect from the network and attempt to clean the machine in safe mode if a repair in normal mode fails.

             

            Enabling VirusScan Enterprise's Access Protection rules for Outbreak control can also help if the virus is active.

            1 of 1 people found this helpful
            • 3. Re: W32/Conficker.worm!inf

              Thanks Mark for the valuable feedback! So, I did scan the system with other products (Malwarebytes and Symantec), and nothing was reported back. That's why I was kind of trying to analyze if this is a real threat at present or not. It's a bit confusing here seeing different results from different vendors. How long will it take to get a final answer after submitting the sample to McAfee (from experience)? I just need to put a final report and highlight the future actions as a result of this analysis. Appreciate the help here!

               

              Regards,

              Cyberpro

              • 4. Re: W32/Conficker.worm!inf

                CyberPro:

                 

                You should expect an automated response within 24 hours of the submission and if the detection needs to be escalated, a follow up and resolution within 72 hours.

                 

                Some of the viruses out there are designed specifically to evade detection by antivirus products. MalwareBytes is also not designed to detect these kinds of viruses, but rather what most AntiViruses will miss. Conficker has plenty of attention from the AntiVirus companies so I don't think it would be as useful in detecting and removing Conficker variants.

                 

                If you need a quick ~5 minute second opinion to see if a file is detected by name as something bad by MANY different AntiVirus vendors, I suggest submitting the file to VirusTotal. Submissions to VirusTotal eventually make their way to all the antivirus companies as well.

                 

                http://www.VirusTotal.com/

                 

                Finally, there are 3 other antivirus engines I would suggest to try for a second opinion in the case you have already scanned with McAfee but think there might be an error or still an unknown infection. These other scanners use different engines and databases that may detect some malware better (usually less than 5% difference in detection).

                 

                These solutions are free and can be used as a standalone scanner along with your existing security solution when a clean up is needed.

                Kaspersky should be uninstalled when done.

                 

                A Squared - Ikarus AntiVirus engine and A-Squared AntiSpyware checks - http://www.emsisoft.com/en/software/free/

                ESET Online Scanner - NOD32 AntiMalware engine - http://download.eset.com/special/eos/esetsmartinstaller_enu.exe

                Kaspersky Virus Removal Tool - Kaspersky AntiMalware engine - http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/

                 

                 

                Message was edited by: Mark (secured2k) on 5/12/10 2:21:15 PM EDT
                • 5. Re: W32/Conficker.worm!inf

                  Hi Cyberpro,

                   

                  The file received is infected and can be detected and removed with our current DAT files and engine. It is recommended that you update your DAT and engine files and scan your computer again.

                  File Name: jwgkvsq.vmx

                  Detection: w32/conficker.worm.gen.a

                  To find detailed information about viruses and other malware, please review McAfee Labs' Virus Information Library:

                  http://vil.mcafeesecurity.com

                  You may wish to submit future malware samples to:

                  https://www.webimmune.net/default.asp

                  Use the following links to reach online technical support for McAfee products -

                  Corporate Customers:

                  http://www.mcafeesecurity.com/us/support/

                  Single User/Retail Customers:

                  http://www.mcafeehelp.com

                   

                  Regards

                  Neha C

                  1 of 1 people found this helpful
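Added example, not part of the thread and not McAfee tooling: a Python triage helper for the kind of report Cyberpro mentions. It lists the commands an autorun.inf found on the scanned drive would launch and flags any that reference the file name reported above. The sample bytes, the EXAMPLE-DIR folder and the ExampleExport name are constructed, and the junk-line filter assumes genuine directives are printable ASCII.

```python
import re

# autorun.inf keys that cause Windows to launch a program (matched case-insensitively).
LAUNCH_KEY = re.compile(
    rb"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)

def _printable(line: bytes) -> bool:
    # Treat lines with bytes outside printable ASCII (or tab) as padding/junk.
    return all(0x20 <= b <= 0x7E or b == 0x09 for b in line)

def launch_directives(raw: bytes):
    """Return (key, command) pairs found in autorun.inf bytes.

    Section headers are not tracked on purpose: junk between lines can hide
    them, so every launch directive is reported and left to the analyst.
    """
    found = []
    for line in re.split(rb"[\r\n]+", raw):
        if line.lstrip().startswith(b";") or not _printable(line):
            continue
        m = LAUNCH_KEY.match(line)
        if m:
            found.append((m.group(1).decode("ascii").lower(),
                          m.group(2).decode("ascii")))
    return found

def triage(raw: bytes, reported_names=("jwgkvsq.vmx",)):
    """Annotate each launch directive for the incident report."""
    report = []
    for key, command in launch_directives(raw):
        lowered = command.lower()
        report.append({
            "key": key,
            "command": command,
            "uses_rundll32": "rundll32" in lowered,
            "reported_file": any(n.lower() in lowered for n in reported_names),
        })
    return report

# Constructed sample: binary padding around one mixed-case launch directive.
SAMPLE = (
    b"\x8f\x02\xfe junk \x00\x13\r\n"
    b"[AutoRun]\r\n"
    b";\x9c\xa1 comment padding\r\n"
    b"Action=Open folder to view files\r\n"
    b"sHelLExeCute=RuNdLl32.exe .\\EXAMPLE-DIR\\jwgkvsq.vmx,ExampleExport\r\n"
    b"useautoplay=1\r\n"
)

if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
```

Read the file as bytes (`open(path, "rb").read()`) from a forensic copy or a mounted, non-executing view of the drive, and treat an empty result as "no launch directive found" rather than as proof the drive is clean.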
                  • 6. Re: W32/Conficker.worm!inf

                    Hi Mark and Neha,

                     

                    Thanks very much for your support and for the given valuable information! I have some directions at least now, and will be following these instructions in order to have the infections removed from the system.

                     

                    Best Regards,

                     

                    Cyberpro