11 Replies Latest reply on Dec 14, 2010 3:30 AM by boolman

    Possible Worm - McAfee Blocks but doesn't find it.

      Having an issue - with McAfee 8.5.0i - where the system does a port blocking rule on a domain controller - where the C:\Windows\System32\services.exe is attempting to connect to a remote IP via port 25.


      Scanning the system with McAfee (with updated dat) does not find a worm -


      Trend Micro's House call came up with nothing as well.


      Malwarebytes - did find a rootkit.agent by the name of wonjia.sys - however it is unable to remove the file.  The file is unremovable after rkill in safe mode as well.


      Looking for ideas to find this worm.


      File attached from McAfee log


      Thanks in advance -

        • 1. Re: Possible Worm - McAfee Blocks but doesn't find it.

          Try running an online scan with Nod 32, see what it finds.

          • 2. Re: Possible Worm - McAfee Blocks but doesn't find it.

            If you suspect you're infected and have trouble finding what is causing the infection, I'd suggest giving this handy tool a try.


            "McAfee GetSusp is intended for users who suspect undetected malware on their system. By using a combination of clever heuristics and querying McAfee's online database of known clean files to gather suspicious files, GetSusp eliminates the user's need for deep technical knowledge of computer systems to isolate undetected malware. McAfee GetSusp is recommended as a tool of first choice when analyzing a suspect machine."


            Get it from here:



            Once GetSusp identifies and collects the suspect files, post the logs here and we community members can help.



            Vinoo Thomas

            Technical Product Manager, McAfee Labs

            • 3. Re: Possible Worm - McAfee Blocks but doesn't find it.



              As requested ran GetSusp - logs attached.  App stated no suspicious items found.

              • 4. Re: Possible Worm - McAfee Blocks but doesn't find it.

                Thanks for posting the logs. The network log shows hundreds of dns connections; a sign that the malware is attempting to resolve numerous domain names - typical of mass mailers.


                GetSusp is unable to scan for rootkits currently. You could try rootkit detective: http://vil.nai.com/vil/stinger/rkstinger.aspx If it finds the rootkit, it will provide an option to delete the file on reboot.

                • 5. Re: Possible Worm - McAfee Blocks but doesn't find it.

                  Vinoo -


                  Rootkit detective found 1 hidden registry value - for inprocserver32 - data=bot.


                  The log shows that this file has a value mismatch.


                  Before I delete this value - can you confirm that this value should be removed?


                  Thank you for the assistance

                  • 6. Re: Possible Worm - McAfee Blocks but doesn't find it.

                    The Registry value-data mismatch does not appear to be malware related.


                    You may want to consider opening a ticket with McAfee support to have a technician locate the malicious file on this system.

                    • 7. Re: Possible Worm - McAfee Blocks but doesn't find it.

                      Just an update - ended up identifying the source of the infection and cleaning it as of yesterday.



                      Malwarebytes - identified wonjia.sys as a rootkit.agent  (Could not remove infection)

                      McAfee 8.5.0i - Access Protection for blocking mass mailing worms was blocking random IP port 25 connections (could not remove infection)

                      MS Malicious Software Removal - identified Trojan WinNT/Bubnix.gen!A (did not list file name & could not remove infection)

                      Hitman Pro 3.5 - connected wonjia.sys to WinNT/Bubnix.gen!A


                      Research on Bubnix.gen!A - provided information on randomly generated filename.sys located in C:\windows\system32\drivers (this is where wonjia.sys was)  - and 3 registry entries at the following locations (Note: a search in registry for Wonjia = 0 results)






                      Both the filename wonjia.sys and registry entries were unreadable.  -   Date of wonjia.sys file was consistent with current system date/time - constantly updating itself.


                      Worm did install its own SMTP Server on a MS Windows Server 2003 - which was also a DNS server.


                      Worm was cleaned by booting into safe mode - running rkill then running MS Malicious Software Removal Tool.  Upon cleanup and reboot infection was verified to be removed - system has been stable for 12+ hours and counting.


                      McAfee's Access Protection for mass mailing worms - did not 100% protect the system - 4 spam vendors blocked the IP and domain due to reports from their customers & systems.


                      The following applications did not identify the infection


                      McAfee Antivirus

                      Trend Micro




                      The following applications did successfully identify an issue but failed to clean the infection in normal operating mode


                      Malwarebytes   -   Unsuccessful in removing the infection in combination with RKill

                      MS Malicious Software Removal Tool  - Successfully removed the infection in combination with RKill



                      Hope this helps anyone else in regards to fighting this type of infection.


                      Vinoo - thank you for your assistance - it was greatly appreciated.
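The behaviour described in this thread (a system process such as services.exe opening SMTP connections to many different remote hosts, alongside a burst of DNS lookups) is something a defender can look for in connection logs before any signature exists. The script below is an added example, not code from the thread or from McAfee; it assumes a simplified constructed log format of "timestamp process remote_ip remote_port" rather than the real Access Protection log layout, and the process names and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample log (an assumption for this example, not McAfee's format):
# "date time process_path remote_ip remote_port"
SAMPLE_LOG = """\
2010-12-01 10:00:01 C:\\Windows\\System32\\services.exe 203.0.113.10 25
2010-12-01 10:00:02 C:\\Windows\\System32\\services.exe 198.51.100.7 25
2010-12-01 10:00:02 C:\\Windows\\System32\\services.exe 192.0.2.44 25
2010-12-01 10:00:03 C:\\Windows\\System32\\services.exe 203.0.113.99 25
2010-12-01 10:00:03 C:\\Windows\\System32\\services.exe 192.0.2.1 53
2010-12-01 10:00:03 C:\\Windows\\System32\\services.exe 192.0.2.1 53
2010-12-01 10:00:05 C:\\Program Files\\Mail\\smtpsvc.exe 203.0.113.10 25
2010-12-01 10:00:06 C:\\Program Files\\Mail\\smtpsvc.exe 198.51.100.7 25
2010-12-01 10:00:07 C:\\Windows\\System32\\svchost.exe 192.0.2.1 53
"""

# The IP address pattern anchors the end of the process path, so paths with spaces parse.
LINE_RE = re.compile(r"^(\S+ \S+) (.+?) (\d+\.\d+\.\d+\.\d+) (\d+)$")


def parse_log(text):
    """Return (process, remote_ip, port) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(2), m.group(3), int(m.group(4))))
    return events


def find_mass_mailer_candidates(events, allowed_smtp=(), smtp_threshold=3):
    """Flag processes talking SMTP (port 25) to many distinct hosts.

    allowed_smtp lists executable names that are expected to send mail (a
    hypothetical allowlist); everything else reaching smtp_threshold distinct
    port-25 destinations is reported together with its port-53 lookup count,
    which is the DNS burst the thread describes as typical of mass mailers.
    """
    smtp_targets = defaultdict(set)
    dns_lookups = defaultdict(int)
    for proc, ip, port in events:
        if port == 25:
            smtp_targets[proc].add(ip)
        elif port == 53:
            dns_lookups[proc] += 1
    flagged = {}
    for proc, targets in smtp_targets.items():
        name = proc.rsplit("\\", 1)[-1].lower()
        if name in allowed_smtp or len(targets) < smtp_threshold:
            continue
        flagged[proc] = {"smtp_hosts": len(targets), "dns_lookups": dns_lookups[proc]}
    return flagged
```

Running `find_mass_mailer_candidates(parse_log(SAMPLE_LOG), allowed_smtp={"smtpsvc.exe"})` reports only services.exe, which matches the blocked-connection pattern the original poster saw.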

                      • 8. Re: Possible Worm - McAfee Blocks but doesn't find it.

                        Glad you were able to resolve the issue


                        Hope you had a chance to submit the file "wonjia.sys" to McAfee Labs so that detection could be authored.



                        • 9. Re: Possible Worm - McAfee Blocks but doesn't find it.



                          Sorry to post on a thread that is answered but my problem is somewhat similar to the one described by the original poster. I got IRC communication blocked and mass mailing blocked from the access protection log (I am using VSE 8.7i with EPO 4.5). I performed a full scan and it detected and deleted some trojans and viruses but I still get the mass mailing blocked message. I have also used the GetSusp tool and I have attached the resulting report. How can I remove the hidden worm?


