4 Replies Latest reply on Apr 6, 2011 7:59 AM by redbaron51

    W32/Ramnit.a

    redbaron51

      Hi all,

       

      I am a bit stuck at the moment. Our ePO is detecting thousands of W32/Ramnit.a malware. We are on the latest DAT 6292.

       

      Basically, from research it looks as if this malware is spread via removable media, i.e., USB sticks. We are just re-imaging the machines, but would like to find out whether there is any other way to clean the malware.

       

      AFAIK ePO does not have a feature to enable a scan of a USB stick when it is plugged in.

       

      Help is appreciated.

        • 1. Re: W32/Ramnit.a

          Do you have your on-access policy set up correctly? If a virus is jumping off of a USB stick, McAfee should detect and stop it. Make sure On-Access is at least scanning on write. Also, are you sure it's a real infection and not a false positive? When you go to the list of systems showing up in the ePO server and you click on them, do they all show the same file on each system as infected?

          • 2. Re: W32/Ramnit.a
            redbaron51

            Policy is set to scan all files on READ+WRITE

             

            Files infected are DLLs and EXEs, so I am pretty sure it is not a false-positive.

             

            Any other thoughts???

            • 3. Re: W32/Ramnit.a
              jmcleish

              I've had a couple of machines infected with Ramnit that produced 30,000 infections from one box.

               

              Check out the source machine to see how many boxes there are.

              Ramnit is a file infector and infects lots of files: html, dll and exe, if I remember.

               

              Better to wipe the machine and reimage.

              (Or clean with a boot disk: remove data and reload the image.)

               

              Create a query: duplicate the "all threats detected in 24 hours" but change the label from "threat name" to "threat target host name", and that will show you which actual machines have detections.

               

              Really mucks up your stats!!

              :-(
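The per-host view described in reply 3, sketched outside ePO as an added example (not code from the thread or from McAfee): it collapses raw detection events into one row per target host, so a file infector that raises many detections from one box shows up as a single machine. The CSV column names and the sample rows are constructed for illustration and are not an ePO export schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Column names are assumptions for this sketch,
# not the layout of a real ePO export.
SAMPLE_EVENTS = r"""detected_utc,threat_name,target_host,target_file
2011-04-05T09:00:00,W32/Ramnit.a,PC-0101,C:\Apps\tool\a.dll
2011-04-05T09:00:02,W32/Ramnit.a,PC-0101,C:\Apps\tool\b.exe
2011-04-05T09:00:05,W32/Ramnit.a,pc-0101,C:\Apps\tool\index.html
2011-04-05T09:05:00,W32/Ramnit.a,PC-0101,C:\Apps\tool\a.dll
2011-04-05T10:30:00,W32/Ramnit.a,PC-0207,E:\setup.exe
2011-04-03T08:00:00,W32/Ramnit.a,PC-0300,C:\old\x.dll
2011-04-05T11:00:00,Generic.dx,PC-0207,C:\temp\y.exe
"""


def detections_by_host(csv_text, threat, now, window=timedelta(hours=24)):
    """Return [(host, detection_count, distinct_file_count)], busiest host first.

    Only events for `threat` detected within `window` before `now` are counted.
    Host names and file paths are compared case-insensitively.
    """
    per_host = defaultdict(lambda: {"detections": 0, "files": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen = datetime.fromisoformat(row["detected_utc"])
        if row["threat_name"] != threat or not (now - window <= seen <= now):
            continue
        entry = per_host[row["target_host"].upper()]
        entry["detections"] += 1
        # A re-detected file raises the event count but not the file count.
        entry["files"].add(row["target_file"].lower())
    ranked = sorted(per_host.items(), key=lambda kv: (-kv[1]["detections"], kv[0]))
    return [(host, e["detections"], len(e["files"])) for host, e in ranked]


if __name__ == "__main__":
    now = datetime(2011, 4, 5, 12, 0, 0)  # constructed reference time
    for host, count, files in detections_by_host(SAMPLE_EVENTS, "W32/Ramnit.a", now):
        print(f"{host}: {count} detections across {files} files")
```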

              • 4. Re: W32/Ramnit.a
                redbaron51

                In the end it was a new trojan which was reporting as worm Ramnit.a

                 

                After much monitoring I have isolated the file and uploaded to McAfee (wdexplore.exe). Extra.dat came last Friday and was incorporated on dat 6305.

                 

                Situation is under control now.