46 Replies. Latest reply on Oct 27, 2010 5:49 AM by andydu

    Patched-SYSFile.d infections.

      Since 25.05.2010 we have had a couple of computers infected. Virus Sample Upload (Submit a Sample - Technical Support Portal) is not working (Error); webimmune upload, as always, gets no reaction; and every day there are more and more infected computers.

       

      Almost every other scanner can remove it, but none of our McAfee-protected ones (XP & Win7, VSE 8.7).

       

      http://www.virustotal.com/de/analisis/e11b9e22ead832cc1abee589ca1b64945dd745253fe96bb144d13f1aae53ad77-1274959133

       

      Every time one of the windows\system32\drivers files is infected and the computer can't get a DHCP IP. Do you have any idea how to stop this infection?

       

      Produktversion 8.7.0.570.Wrk
      Sprache 0000
      Hotfix/Patch-Version 3
      Service Pack
      DAT-Version 5995.0000
      Modulversion 5400.1158
      Modulversion (x64) 5400.1158

      McAfee Agent 4.0.0.1494, Product Coverage Reports 4.0.0.1494, VirusScan  Enterprise 8.7.0.570.Wrk, AntiSpyware 8.7.0.129

       

       

      Update: the command-line scanner found and removed this virus:

       

      C:\xxx\Virus\pci.sys ... Found the Patched-SYSFile.d trojan !!! 

       

      but not the "On-Access-Scanner" and "On-Demand-Scanner"   

       

      Also Webimmune says:   

      Current Scan Engine Version:5400.1158 

      Current DAT Version:5994.0000 

      Analysis ID: 6014336 

      Name     Findings     Detection     Type     Extra 

      pci.sys     inconclusive               no    inconclusive [ pci.sys ]    

      Upon analysis the file submitted does not appear to contain one of the 200,000 known threats in the AutoImmune database. on 28.05.10 13:55:12 GMT+01:00

       

      Message edited by andydu on 28.05.10 13:55:41 GMT+01:00

       

       

      Message edited by andydu on 28.05.10 13:56:51 GMT+01:00
        • 1. Re: Patched-SYSFile.d infections.

          It sounds like there is rootkit-type behaviour happening which is causing the OAS/ODS scans to miss the file.

           

          I'd try and create a BART-PE CD, use it to boot up and scan:

          https://kc.mcafee.com/corporate/index?page=content&id=KB67088
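
The original post reports a patched driver under windows\system32\drivers that the on-access and on-demand scanners miss while a command-line scan finds it, and the reply above explains why a boot-media scan sees what the live system hides. The following Python script is an added example, not code from the thread or from McAfee: run from offline boot media against the mounted volume, it hashes every file in a drivers directory and compares each against a known-good baseline manifest (hypothetical here; in practice taken from a clean reference image of the same OS build) and against a known-bad list that carries the SHA256 from the thread's VirusTotal link. The demo function builds a constructed drivers directory with constructed byte strings, so it runs offline and does not need a real infected file.

```python
"""
Offline driver-integrity check (added example, not the thread's or McAfee's code).

A rootkit that patches a driver such as pci.sys can hide the modified file
from scanners running on the live system.  Hashing the files from an offline
boot (BART-PE / WinPE) and comparing against a baseline still shows the change.
"""
import hashlib
import os
import tempfile

# Known-bad SHA256 taken from the VirusTotal link in the thread (patched pci.sys).
KNOWN_BAD = {
    "e11b9e22ead832cc1abee589ca1b64945dd745253fe96bb144d13f1aae53ad77":
        "Patched-SYSFile.d (pci.sys, per thread)",
}


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA256 so large drivers don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_drivers(drivers_dir, baseline, known_bad=KNOWN_BAD):
    """Return {filename: verdict} for every regular file in drivers_dir.

    baseline: filename -> known-good SHA256 from a clean reference image
              (hypothetical manifest; build it from a trusted install).
    Known-bad matches are reported first so a patched file that is also in the
    baseline is named rather than reported only as 'modified'.
    """
    findings = {}
    for name in sorted(os.listdir(drivers_dir)):
        path = os.path.join(drivers_dir, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_file(path)
        if digest in known_bad:
            findings[name] = "known-bad: " + known_bad[digest]
        elif name in baseline and baseline[name] != digest:
            findings[name] = "modified: hash differs from baseline"
        elif name not in baseline:
            findings[name] = "unknown: not in baseline, review manually"
        else:
            findings[name] = "ok"
    return findings


def demo():
    """Build a constructed drivers directory and check it; returns the findings."""
    # Constructed stand-ins for driver images; not real PE files.
    clean_pci = b"MZ constructed clean pci.sys image"
    patched_pci = clean_pci + b"\x90\x90 constructed patch appended by rootkit"
    clean_ndis = b"MZ constructed clean ndis.sys image"
    bad_atapi = b"MZ constructed known-bad atapi.sys sample"

    baseline = {
        "pci.sys": hashlib.sha256(clean_pci).hexdigest(),
        "ndis.sys": hashlib.sha256(clean_ndis).hexdigest(),
    }
    # Extend the known-bad list with the constructed sample's hash for the demo.
    known_bad = dict(KNOWN_BAD)
    known_bad[hashlib.sha256(bad_atapi).hexdigest()] = "constructed demo sample"

    with tempfile.TemporaryDirectory() as d:
        for name, data in (("pci.sys", patched_pci), ("ndis.sys", clean_ndis),
                           ("extra.sys", b"MZ constructed unlisted driver"),
                           ("atapi.sys", bad_atapi)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return check_drivers(d, baseline, known_bad)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

Point `check_drivers` at the mounted offline volume's `Windows\system32\drivers` from the boot media, not at the running system, since the live view is exactly what the rootkit controls. On a Windows host, `Get-AuthenticodeSignature` in PowerShell can corroborate a "modified" verdict for drivers that ship signed.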

          • 2. Re: Patched-SYSFile.d infections.
            jmcleish

            Alureon/TDSS rootkit - search for a utility called TDSSKiller and run that on the machine.

             

            I've just cleared off a similar infection.

             

            Then run Malwarebytes and superantispyware until nothing else is found.

             

            Remove all your restore points and create a new one once clean.

            • 3. Re: Patched-SYSFile.d infections.
              SamSwift

              Moving this to security awareness...

               

              The submission portal is not showing any issues today - please could you submit a sample of the file and let us know the SR number.

               

              Thanks,

               

              Sam

              • 4. Re: Patched-SYSFile.d infections.

                1. "please could you submit a sample of the file and let us know the SR number" - as I wrote:

                 

                Also Webimmune says:   

                Current Scan Engine Version:5400.1158 

                Current DAT Version:5994.0000 

                Analysis ID: 6014336 

                Name     Findings     Detection      Type      Extra 

                pci.sys      inconclusive               no    inconclusive [ pci.sys ]    

                Upon analysis the file submitted does  not appear  to contain one of the 200,000 known threats in the AutoImmune database.  on 28.05.10 13:55:12 GMT+01:00

                 

                2. as I wrote:

                Virus Sample Upload (Submit a Sample - Technical Support Portal) is not working (Error) - webimmune upload (as always, without reaction)

                3. I just changed the Artemis configuration (all computers) to "Very high": pci.sys Artemis!13C9E54AE543 (Trojan) - but still not like the command-line scanner, Patched-SYSFile.d

                 

                4. Security awareness - hmm, I would say a VSE problem... all other scanners can find this virus, only VSE 8.5 & 8.7 not - Win 7 and XP, different locations and files (for sure not an exclusion problem) - the command-line scanner can find it too.

                 

                5. Should I try to send you a sample via E-Mail?- do you think it will help?

                 

                Greetings

                Andy

                 

                 

                I tried to submit and again: Error Message "An error occurred. Please retry." The same when trying to chat ... :( on 28.05.10 21:33:14 GMT+01:00
                • 5. Re: Patched-SYSFile.d infections.

                  Tnx Mal09,

                   

                  I know how to remove it; we have PXE Windows PE, using 4 different scanners - my worry is that VSE on-access and on-demand can't recognize this "well known" virus.

                   

                  Mal09 wrote:

                   

                  It sounds like there is rootkit type behaviour happening which is causing the OAS/ODS scans to miss the file.

                   

                  I'd try and create a BART-PE cd, use it to boot up and scan:

                  https://kc.mcafee.com/corporate/index?page=content&id=KB67088

                   

                   

                  Message edited by andydu on 28.05.10 21:22:27 GMT+01:00
                  • 6. Re: Patched-SYSFile.d infections.

                    (BTW, posting samples directly to the forum is very bad!)

                     

                    Hmm. That detection is really weird. Sounds to me like McAfee labs have a dodgy driver for detection. I can replicate your issue - even on a completely clean machine.

                     

                    VirusTotal goes crazy on your file - http://www.virustotal.com/analisis/e11b9e22ead832cc1abee589ca1b64945dd745253fe96bb144d13f1aae53ad77-1275078519

                     

                    McAfee Command Line detects it as Patched-SYSFile.d trojan , but as commented, VSE 8.7x doesn't detect it via an ODS.

                     

                    Hopefully McAfee Labs can investigate and resolve.

                    • 7. Re: Patched-SYSFile.d infections.

                      Mal09, thank you!

                       

                      Can you submit this file?

                       

                      I get errors (Technical Support Service Portal) and the last time I tried webimmune.net I waited 1 week. Artemis detects it (at the very high level), but this is not the best solution.

                       

                      But thank you for trying!

                       

                      Greetings Andy

                       

                      PS: VirusTotal;) I was wondering too ..

                       

                       

                      Message edited by andydu on 28.05.10 21:55:10 GMT+01:00
                      • 8. Re: Patched-SYSFile.d infections.

                        andydu wrote:

                        can you submit this file?

                         

                        I get errors (Technical Support Service Portal) and the last time I tried webimmune.net I waited 1 week. Artemis detects it (at the very high level), but this is not the best solution

                         

                        Didn't try through the portal, but submitted it through webimmune. (6016495)

                         

                        No detection.

                         

                        As I posted in my last post, I think the drivers McAfee use for the threat aren't properly detecting the threat - hopefully this will be rectified soon.

                         

                        Oh, and I can't replicate your Artemis detection. Not sure why, but sometimes there can be latency in the DNS lookups etc. causing Artemis detections not to inform properly.

                         

                         

                        Message was edited by: Mal09 on 28/05/10 21:11:20 GMT
                        • 9. Re: Patched-SYSFile.d infections.

                          More and more infections here - we just pushed TDSSKiller (Kaspersky) to all computers, but still no reaction from McAfee Labs.


                          Thank you McAfee for helping me to decide if we should change AV-Software or not ... 

                           

                           

                          on 01.06.10 10:20:22 GMT+01:00