2 Replies Latest reply on Nov 16, 2011 3:01 PM by bosturdivant

    Unusual McAfee Trojan Alert

    bosturdivant

      I got this unusual McAfee Trojan alert.  We received over 1,000 alerts on a single system.  The alert is a little confusing.


      Sample alert from OAS log.


      11/16/2011    9:00:06 AM    Deleted     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\msiexec.exe    C:\Program Files\McAfee\Common Framework\FrmInst.exe    PWS-Zbot.gen.ep (Trojan)

      11/16/2011    9:00:07 AM    Deleted     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\msiexec.exe    C:\Program Files\McAfee\Common Framework\McTray.exe    PWS-Zbot.gen.ep (Trojan)

      11/16/2011    9:00:07 AM    Deleted     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\msiexec.exe    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe    PWS-Zbot.gen.ep (Trojan)

      11/16/2011    9:00:07 AM    Deleted     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\msiexec.exe    C:\Program Files\McAfee\Common Framework\UdaterUI.exe    PWS-Zbot.gen.ep (Trojan)

      11/16/2011    9:00:07 AM    Deleted     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\msiexec.exe    C:\Program Files\McAfee\Common Framework\FrameworkService.exe    PWS-Zbot.gen.ep (Trojan)


      These are the 5 detections that keep repeating.

      Is this alert telling me that these McAfee processes are infected?


      Has anyone else seen this?


      Thank you,


      Bo

        • 1. Re: Unusual McAfee Trojan Alert
          tmckinney

          That looks like a generic detection for Zeus.


          My reaction would be to rebuild the system, particularly when it's a PC (regardless of whether it's Zeus).


          Msiexec.exe is the source process; it will usually use a .msi file to install an application.  Any installation that you're aware of?  If yes, your installer (msiexec.exe or the .msi file) may be infected...if no, then it's a rogue process that's still probably infected.


          Do you have access protection enabled for at least blocking for "Common Standard Protection"?

          Prevent modification of McAfee files and settings

          Prevent modification of McAfee Common Management Agent files and settings

          Prevent modification of McAfee Scan Engine files and settings

          Prevent termination of McAfee processes

          Prevent hooking of McAfee processes (only for VSE8.7 patch 5 or 8.8 patch 1)
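A small triage script for OAS excerpts like the one in the original post, added here as an example and not part of this thread or of McAfee's tooling: it assumes the column order the excerpt appears to show (date, time, action, user, source process, target file, detection name), splits on runs of two or more spaces, counts repeats per source/target pair, and pulls out the hits whose target is one of the product's own files, which is the case the access protection rules listed above are meant to cover. The sample lines are constructed from the excerpt, with one repeated hit and one unrelated detection added.

```python
import re
from collections import Counter

# Directories belonging to the AV product itself (lower-cased prefixes).
# Assumption for this example: the thread only shows the Common Framework path.
AV_DIRS = (r"c:\program files\mcafee",)

# Constructed sample in the layout of the OAS excerpt: three framework hits,
# one of them repeating, plus one unrelated detection on a user's temp file.
SAMPLE_OAS_LOG = r"""
11/16/2011    9:00:06 AM    Deleted     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\msiexec.exe    C:\Program Files\McAfee\Common Framework\FrmInst.exe    PWS-Zbot.gen.ep (Trojan)
11/16/2011    9:00:07 AM    Deleted     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\msiexec.exe    C:\Program Files\McAfee\Common Framework\McTray.exe    PWS-Zbot.gen.ep (Trojan)
11/16/2011    9:00:07 AM    Deleted     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\msiexec.exe    C:\Program Files\McAfee\Common Framework\FrameworkService.exe    PWS-Zbot.gen.ep (Trojan)
11/16/2011    9:01:06 AM    Deleted     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\msiexec.exe    C:\Program Files\McAfee\Common Framework\FrmInst.exe    PWS-Zbot.gen.ep (Trojan)
11/16/2011    9:05:00 AM    Cleaned     CORP\jdoe    C:\Program Files\Internet Explorer\iexplore.exe    C:\Documents and Settings\jdoe\Local Settings\Temp\setup.tmp    PWS-Zbot.gen.ep (Trojan)
"""

# Assumed column order, taken from the excerpt rather than from a McAfee spec.
FIELDS = ("date", "time", "action", "user", "source", "target", "detection")


def parse_oas_line(line):
    """Split one OAS line on runs of two or more spaces.

    Single spaces survive inside fields ('NT AUTHORITY\\SYSTEM', 'Program
    Files'), so a plain whitespace split would break them. Blank or
    malformed lines return None rather than a guessed record.
    """
    fields = re.split(r"\s{2,}", line.strip())
    if len(fields) != len(FIELDS):
        return None
    return dict(zip(FIELDS, fields))


def triage(log_text):
    """Count detections per (source process, target file) and pull out the
    ones whose target is an AV product file. Repeats on the same pair are
    what produce the 'over 1,000 alerts on one system' pattern; hits on the
    product's own files mean the source process was caught acting on the
    product, which is the reading the thread gives for msiexec.exe here."""
    events = [e for e in map(parse_oas_line, log_text.splitlines()) if e]
    by_pair = Counter((e["source"], e["target"]) for e in events)
    tamper = [e for e in events if e["target"].lower().startswith(AV_DIRS)]
    return {
        "events": len(events),
        "by_pair": by_pair,
        "av_tamper_targets": sorted({e["target"] for e in tamper}),
        "av_tamper_sources": Counter(e["source"] for e in tamper),
    }
```

Running `triage(SAMPLE_OAS_LOG)` groups the repeated FrmInst.exe hit into one pair with a count of 2 and lists the three framework binaries as AV files touched by msiexec.exe, while the iexplore.exe detection stays out of that list.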

          • 2. Re: Unusual McAfee Trojan Alert
            bosturdivant

            Yes, we have the access protection enabled for the McAfee processes.  So the Trojan is trying to use the msiexec.exe process to delete or shut down the McAfee processes, and this is the detection I'm seeing in the logs?


            Thanks