I really need help with a problem I am having with this XP Security 2011 FakeAlert malware. We are having numerous workstations in our corporate location being infected by this. By the use of Process Explorer, I have identified the file. The filename is random each time it infects a new workstation and is only 3 characters long. It also has the extension of .exe.
We have a pretty strong lockdown of our workstations, for instance, via the EPO server we have the setting enabled “Prevent all programs from running files from the Temp folder.” Normally this blocks most FakeAlert malware, but this XP Security 2011 is circumventing this by executing the payload from C:\documents and settings\*\local settings\Application Data folder.
Now if this malware used the same filename, this would be an easy fix. I would just create a User-defined Rule telling McAfee not to run the executable named xxx.exe. Or even create the rule to not execute by doing C:\documents and settings\**\local settings\Application data\filename.exe to ensure I don’t break anything else.
So what I can’t figure out is how to prevent an executable file that is changing filenames from running in the C:\documents and settings\**\local settings\Application data directory. I have gone as far as creating a rule to prevent an executable from running with the following rule:
C:\documents and settings\**\local settings\Application data\*.exe
Yes, this prevents the malware from executing from this directory, but unfortunately it also prevents normal day-to-day programs from running, like Microsoft Office applications for example, though I don’t understand why this is, as the executable for Microsoft Word isn’t located in the C:\documents and settings\**\local settings\Application data folder. So there seems to be some side effect in having this rule in place.
My question is, is there a way to make this rule just work in the root of the Application data folder? Or is there another way to accomplish this? I am at a loss and I am open to suggestions. I have sent this file to McAfee via their website but have not had any response back from them. And when a workstation is infected by this FakeAlert malware, McAfee has no idea it is infected. After doing ODS scans, nothing is detected.
Thank you for your help and suggestions in advance!
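As an added example (not part of the original post, and not McAfee's own rule engine), the script below models how a path-blocking rule like the one quoted above behaves under different wildcard semantics, so you can check what a candidate rule would block before pushing it out. The wildcard meanings are an assumption for illustration: `**` matches any characters including the path separator, `*` matches any characters except the separator, and `?` matches exactly one non-separator character; the product's own documentation governs what its rules actually do. The sample paths and the user names in them are constructed.

```python
import re
from typing import List

# Constructed sample paths (not taken from a real host) to exercise the rule patterns.
SAMPLE_PATHS: List[str] = [
    r"C:\Documents and Settings\jdoe\Local Settings\Application Data\abc.exe",
    r"C:\Documents and Settings\jdoe\Local Settings\Application Data\Vendor\updater.exe",
    r"C:\Documents and Settings\asmith\Local Settings\Application Data\xy.exe",
    r"C:\Documents and Settings\asmith\Local Settings\Application Data\notes.txt",
    r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE",
]

# Candidate rules. The first is the rule quoted in the post; the other two are
# narrower variants written for this example.
ROOT_ANY_EXE = r"C:\Documents and Settings\**\Local Settings\Application Data\*.exe"
RECURSIVE_EXE = r"C:\Documents and Settings\**\Local Settings\Application Data\**.exe"
ROOT_THREE_CHAR_EXE = r"C:\Documents and Settings\**\Local Settings\Application Data\???.exe"


def rule_to_regex(rule: str) -> "re.Pattern[str]":
    """Translate a wildcard rule into a regular expression.

    Assumed semantics (an assumption for this example, not McAfee's documented grammar):
      **  any run of characters, including backslashes (crosses directories)
      *   any run of characters except backslash (stays within one path component)
      ?   exactly one character except backslash
    Matching is case-insensitive, as Windows paths are.
    """
    parts = ["^"]
    for token in re.split(r"(\*\*|\*|\?)", rule):
        if token == "**":
            parts.append(r".*")
        elif token == "*":
            parts.append(r"[^\\]*")
        elif token == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(token))
    parts.append("$")
    return re.compile("".join(parts), re.IGNORECASE)


def matches(rule: str, path: str) -> bool:
    """True if the rule would apply to this path under the assumed semantics."""
    return rule_to_regex(rule).match(path) is not None


def blocked_by(rule: str, paths: List[str]) -> List[str]:
    """Return the subset of paths a rule would block, preserving input order."""
    return [p for p in paths if matches(rule, p)]


if __name__ == "__main__":
    for name, rule in [("root, any .exe", ROOT_ANY_EXE),
                       ("recursive .exe", RECURSIVE_EXE),
                       ("root, 3-char .exe", ROOT_THREE_CHAR_EXE)]:
        print(f"{name}: {rule}")
        for p in blocked_by(rule, SAMPLE_PATHS):
            print("  blocks", p)
```

Under these semantics the quoted rule is already root-only (it never reaches `Vendor\updater.exe`), so if the deployed product blocks files in subfolders, its `*` is crossing separators and behaves like the `**.exe` variant. The `???.exe` variant keys on the three-character name length mentioned in the post; it is narrower, but a renamed dropper would slip past it, so treat it as a stopgap while waiting on a signature.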