15 Replies Latest reply on Sep 21, 2008 8:21 PM by troywedy

    Virus Def: 5371 - Trojan (M.exe) not being picked up

      Scan Engine - 5300.2777
      Virus Definitions - 5371.0000
      VirusScan Ent. Workstation - 8.5.0.781

      Hi all,

      Need big help. I have been searching for the last few days for more info but nothing is turning up. Somehow a trojan has made its way onto the network and McAfee is not picking it up. I'm not sure how it was brought in, but it seems to attach itself to a USB using a basic autorun file (as below) and also installs on the target machine. I have also provided the hash from the program.

      Once the USB is inserted it autoruns the program into tasks as hidden. I have found a little program that kills explorer, wipes the task and then allows me to remove the files from the USB, but I need to stop it from being transferred. Can anyone help, as I couldn't find anything on the forums so far, and can someone tell me if all my definitions are up to date?

      Big thanks!!

      M.exe # be3dfda91fe675c4ee7e3dcd0a631306:177766:32771



      [AutoRun]
      shellexecute=E:\m.exe /s
      Action=Autorun
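
As an added, defender-side example (not code from this thread or from any AV vendor): a Python script that parses an autorun.inf like the one above, works out which program Windows would launch from it, and checks that file's MD5 against the hashes quoted in the thread. It assumes the USB is mounted at some directory (so the hard-coded E: drive letter in shellexecute is ignored) and builds a constructed sample drive in a temp directory for the demo.

```python
import configparser
import hashlib
import os
import re
import tempfile
# MD5s quoted in this thread for m.exe (the first post and the VirSCAN report).
KNOWN_BAD_MD5 = {"be3dfda91fe675c4ee7e3dcd0a631306", "16c85cafe5ea5e693eb24bc3169182ee"}
# [AutoRun] keys that can launch a program on insertion; the post's sample uses shellexecute.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def parse_autorun(text):
    """Launch directives (lower-cased key -> raw value) from an autorun.inf body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # assumes a well-formed key=value file, like the one in the post
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return {} if section is None else {k: v for k, v in cp[section].items() if k in LAUNCH_KEYS}

def launch_target(value):
    """Drop arguments: 'E:\\m.exe /s' -> 'E:\\m.exe'; a quoted path keeps its spaces."""
    value = value.strip()
    return value.split('"')[1] if value.startswith('"') else value.split()[0]

def resolve_on_drive(target, drive_root):
    """Map the path onto the drive mounted at drive_root; the hard-coded drive letter is ignored."""
    rel = re.sub(r"^[A-Za-z]:[\\/]?", "", target).replace("\\", os.sep)
    return os.path.join(drive_root, rel)

def check_drive(drive_root, known_bad=KNOWN_BAD_MD5):
    """One finding per launch directive in the drive's autorun.inf; [] if there is none."""
    inf = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="utf-8", errors="replace") as f:
        directives = parse_autorun(f.read())
    findings = []
    for key, value in directives.items():
        path = resolve_on_drive(launch_target(value), drive_root)
        # md5 is None when the referenced program is not on the drive (already cleaned, or elsewhere)
        digest = hashlib.md5(open(path, "rb").read()).hexdigest() if os.path.isfile(path) else None
        findings.append({"directive": key, "target": path, "md5": digest, "known_bad": digest in known_bad})
    return findings

def demo():
    """Constructed sample drive: the thread's autorun.inf plus an empty stand-in for m.exe."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[AutoRun]\nshellexecute=E:\\m.exe /s\nAction=Autorun\n")
    open(os.path.join(root, "m.exe"), "wb").close()  # 0-byte placeholder, not the real sample
    return check_drive(root)
```

Run check_drive() against the mount point of a suspect stick; a finding whose md5 is None means the launch target named in autorun.inf is no longer on the drive.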

        • 1. RE: Virus Def: 5371 - Trojan (M.exe) not being picked up
          Found this showing that McAfee does not pick this up but others do. Is there a way to alert them to this? I noticed a note saying they don't patrol these threads. ADMIN??



          VirSCAN.org Scanned Report :
          Scanned time : 2008/09/12 12:50:31 (EST)
          Scanner results: 42% Scanner(15/36) found malware!
          File Name : m.exe
          File Size : 177783 byte
          File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          MD5 : 16c85cafe5ea5e693eb24bc3169182ee
          SHA1 : d8104fa6030449f2cc90123028497e47b40f0b42
          Online report : http://virscan.org/report/26521c2860fd9505c697955e68ceace4.html

          Scanner Engine Ver Sig Ver Sig Date Time Scan result
          a-squared 4.0.0.14 2008.09.10 2008-09-10 1.42 -
          AhnLab V3 2008.09.12.01 2008.09.12 2008-09-12 0.94 -
          AntiVir 7.8.1.28 7.0.6.148 2008-09-11 2.30 TR/Spy.Gen
          Arcavir 1.0.5 200809111947 2008-09-11 1.38 -
          AVAST! 3.0.1 080911-0 2008-09-11 0.01 Win32:Spyware-gen [Trj]
          AVG 7.5.52.442 270.6.21/1667 2008-09-11 1.59 SHeur.CDWG
          BitDefender 7.60825.1752851 7.20900 2008-09-12 3.02 -
          CA (VET) 9.0.0.143 31.6.6085 2008-09-11 2.79 -
          ClamAV 0.94 8220 2008-09-12 0.10 -
          Comodo 2.11 2.0.0.643 2008-09-11 0.46 -
          CP Secure 1.1.0.715 2008.09.12 2008-09-12 7.18 -
          Dr.Web 4.44.0.9170 2008.09.11 2008-09-11 3.17 Trojan.DownLoad.3854
          ewido 4.0.0.2 2008.09.11 2008-09-11 2.86 -
          F-Prot 4.4.4.56 20080911 2008-09-11 1.07 -
          F-Secure 5.51.6100 2008.09.11.13 2008-09-11 1.96 Trojan.Win32.Qhost.kka [AVP]
          Fortinet 2.81-3.113 9.538 2008-09-11 0.23 Suspicious
          ViRobot 20080911 2008.09.11 2008-09-11 0.40 Trojan.Win32.Qhost.177693
          Ikarus T3.1.01.34 2008.09.11.71439 2008-09-11 3.44 AdWare.Win32.BHO.atu
          JiangMin 11.0.706 2008.09.11 2008-09-11 1.33 Trojan/Qhost.aoa
          Kaspersky 5.5.10 2008.09.12 2008-09-12 0.13 Trojan.Win32.Qhost.kka
          KingSoft 2008.1.14.15 2008.9.12.10 2008-09-12 0.88 -
          McAfee 5.3.00 5382 2008-09-11 1.98 -
          Microsoft 1.3903 2008.09.12 2008-09-12 3.97 Trojan:Win32/Boolwark.A
          mks_vir 2.01 2008.09.12 2008-09-12 2.73 -
          Norman 5.93.01 5.93.00 2008-09-11 5.23 W32/Qhost.EHT
          Panda 9.05.01 2008.09.11 2008-09-11 3.00 -
          Trend Micro 8.700-1004 5.536.09 2008-09-11 0.07 -
          Quick Heal 9.50 2008.09.11 2008-09-11 2.05 Trojan.Qhost.kka
          Rising 20.0 20.61.32.00 2008-09-11 1.45 -
          Sophos 2.78.0 4.33 2008-09-12 1.89 -
          Sunbelt 3.1.1628.1 2227 2008-09-11 0.65 -
          Symantec 1.3.0.24 20080911.003 2008-09-11 0.18 -
          nProtect 2008-09-11.00 2101015 2008-09-11 4.24 -
          The Hacker 6.3.0.9 v00077 2008-09-09 0.43 Trojan/Qhost.kkb
          VBA32 3.12.8.5 20080910.0550 2008-09-10 1.12 Trojan.Win32.Qhost.kkb
          VirusBuster 4.5.11.10 10.87.9/624027 2008-09-11 1.29 -

          • 2. RE: Virus Def: 5371 - Trojan (M.exe) not being picked up
            D-Fens
            I have exactly the same problem with a trojan in dan.exe.
            I had to remove it with an eval copy of another anti-virus.

            They responded within 7 hours; McAfee WebImmune has done nothing till now.
            I sent them the file 4 days ago.
            I'm very disappointed about that...
            • 4. RE: Virus Def: 5371 - Trojan (M.exe) not being picked up
              Thanks Tonyb99, I had not come across that in the FAQs. Must not have looked hard enough. Well, I took your advice and uploaded the file, noting the other AVs that have picked it up; WebImmune came back as inconclusive.

              To D-Fens, who were you saying replied to you in 7 hours? I had also submitted my problem via the web help last week and my response came this morning, which was to take screenshots of: Add/Remove Programs, Program Files folders, task list, taskbar programs, McAfee About screen & system tray.... Will see how WebImmune responds. Thanks guys.
              • 5. RE: Virus Def: 5371 - Trojan (M.exe) not being picked up
                D-Fens
                troywedy,
                Avira (www.avira.com) responded so fast. I was informed of every step until they included the definitions in the DATs.
                It scored very well at http://www.av-comparatives.org/ , that's why I tried it.
                In comparison to McAfee, it's also quite fast...

                I wish McAfee could update their DATs a few times a day, like almost every other AV company does.
                I already asked McAfee about that; they responded that they will release an emergency DAT as needed, but that's not what I wanted to know ;) I remember that with engine 5200 it's possible to have inter-day updates...?
                Especially no updates of DATs on the weekend is a pain; my company is open on weekends ;)
                They should at least update the DATs in the morning on Mondays or something like that.

                About WebImmune: I have no response from McAfee about my trojan, and right now there's no update on that.
                My spam filter is disabled, just to make sure ;)
                Four days after I sent the file via the WebImmune web interface to McAfee,
                I wrote an e-mail to virus_research@avertlabs.com with my analysis ID to get a status report on that or maybe even an extra.dat, but nothing happened.

                I need a fast-responding AV company, so that there is no impact on the daily business.
                Right now, McAfee is not what I expect from a major AV company.

                Not to mention the performance with Patch 6 and VSE 8.5i.
                Hopefully Patch 7 fixes that in October :)

                _-_-_-_-_-_-_-_-_
                AVERT Labs - Beaverton
                Current Scan Engine Version:5300.2777
                Current DAT Version:5379.0000
                Thank you for your submission.

                Name Findings Detection Type Extra
                dan.exe inconclusive no

                inconclusive [ dan.exe ]
                Upon analysis the file submitted does not appear to contain one of the 200,000 known threats in the AutoImmune database. The file may contain a new threat, or no code capable of being infected. Your submission is being forwarded to an Avert Labs Researcher for further analysis. You will be contacted by AVERT through e-mail with the results of that analysis.
                -_-_-_-_-_-_-_-_-_-_
                • 6. RE: Virus Def: 5371 - Trojan (M.exe) not being picked up
                  Ahh, Avira.. Just yesterday I made a Linux boot USB AV scanner using their engine and definitions from the recovery ISO available on the net for free. Picked up my trojan no worries.
                  Rescue ISO

                  I actually agree with your points on McAfee; at times the service feels a little below par when compared against other major AV companies on the market. Also my WebImmune analysis, like yours, is without reply so far, but I might also try my luck with the research address. I am sitting without an update and resorting to re-imaging and manually removing the trojan from USBs, although they are getting infected quicker than I can remove it.
                  • 7. RE: Virus Def: 5371 - Trojan (M.exe) not being picked up
                    D-Fens
                    Hi troywedy, look at the new comparison on http://www.av-comparatives.org published yesterday.
                    AVIRA scored very well! I bought an AntiVir license yesterday, to get rid of 1 trojan and 1 keylogger which AVERT hasn't updated for yet (I sent them the trojan 7 days ago and the keylogger 5 days ago). You can use it with the command line scanner available here: http://www.avira.com/en/support/support_downloads.html
                    Maybe you could use the command line scanner via netlogon to make the removal more comfortable?
                    • 8. RE: Virus Def: 5371 - Trojan (M.exe) not being picked up
                      tonyb99
                      They do a nice bootable CD there on Avira (see prev link as well)

                      Avira AntiVir Rescue System
                      The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, to rescue data or to scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.
                      • 9. RE: Virus Def: 5371 - Trojan (M.exe) not being picked up
                        Hey D-Fens, I did check that out after you said, and I'm quite happy with what I have used of it. Also McAfee finally updated to DAT 5384 as of 1030 yesterday to include my trojan, although I am still wary as it will not pick it up on a direct manual scan, only when the trojan is trying to execute or bind itself. Either way it is stopping it from autorunning and I have re-imaged all PCs. Thing is, my WebImmune has still not been updated and no response to the emails I have sent! Piss poor.

                        That's the one I used tonyb99, but from this link it has the files to extract and create the bootable USB drive. It scanned my trojan no worries and was quick.

                        USB bootable scanner