2 Replies Latest reply on Jun 2, 2009 10:34 AM by secured2k

    New virus - Disables McAfee?

      We are occasionally seeing compromised machines in our non-EPO managed domains.

      First, McAfee becomes disabled (and it grays out Enable) on ALL services.
      Second, adds "guest" to Administrators.
      Third, enables the Guest account if disabled.
      Fourth, disables the "shutdown" option on the server.
      Fifth, disables/enables System Restore, wiping all previous save points.
      Sixth, takes the current username it's on, if administrator, out of the Administrators group.

      We have seen it happen 3 times now. Out of ~270 machines...

      1.) Does NOT appear like it spreads through its subnet, as then all computers in that domain would be infected
      2.) External firewalls ONLY allowed port 80 (HTTP) to the newest infected.

      If I had to guess, it is spoofing an ePO server to disable McAfee, hence why machines that already have a peer key are not getting infected (maybe rejecting the virus?).

      All machines running 8.7.0i

      1 machine was a webserver with ONLY port 80 through the firewall
      1 was a laptop sitting on DMZ (no web services, but had intermediate IDP/IPS Firewalls)
      1 was a Desktop sitting on DMZ (no web services or IDP/IPS)
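An added example, not code from the thread or from McAfee: a read-only PowerShell audit that checks a Windows host for the six symptoms listed above. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember / Get-LocalUser), that the McAfee services carry "McAfee" in their display name, and that the well-known NoClose and DisableSR policy values are what hides Shut Down and turns off System Restore; it reports, it does not remediate.

```powershell
# Added example: audit a host for the indicators described in the post.
# Assumptions: PS 5.1+, run from an elevated session, McAfee services named "*McAfee*".
$findings = New-Object System.Collections.Generic.List[string]

# 1. McAfee services disabled or not running
Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like '*McAfee*' } |
    ForEach-Object {
        if ($_.StartMode -eq 'Disabled' -or $_.State -ne 'Running') {
            $findings.Add("Service '$($_.DisplayName)' StartMode=$($_.StartMode) State=$($_.State)")
        }
    }

# 2. Guest added to the local Administrators group
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
if ($admins | Where-Object { $_.Name -like '*\Guest' }) {
    $findings.Add('Guest is a member of Administrators')
}

# 3. Guest account enabled
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { $findings.Add('Guest account is enabled') }

# 4. Shut Down command removed via the Explorer NoClose policy (machine or user hive)
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $v = Get-ItemProperty -Path $key -Name NoClose -ErrorAction SilentlyContinue
    if ($v -and $v.NoClose -eq 1) { $findings.Add("$hive NoClose=1 (Shut Down hidden)") }
}

# 5. System Restore turned off by policy, or no restore points left
$sr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' `
        -Name DisableSR -ErrorAction SilentlyContinue
if ($sr -and $sr.DisableSR -eq 1) { $findings.Add('System Restore disabled by policy (DisableSR=1)') }
if (Get-Command Get-ComputerRestorePoint -ErrorAction SilentlyContinue) {
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    if ($points.Count -eq 0) { $findings.Add('No restore points present') }
}

# 6. Current user no longer a member of Administrators
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($admins.Count -gt 0 -and -not ($admins | Where-Object { $_.Name -eq $me })) {
    $findings.Add("Current user $me is not a member of Administrators")
}

if ($findings.Count -eq 0) { 'No indicators found' } else { $findings }
```

Run it on a suspect machine and on a known-good one from the same domain; the difference in output is what to hand to the investigator asking about the sample in the last reply.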
        • 1. RE: New virus - Disables McAfee?
          Nothing new about malware disabling an antivirus, but you may be seeing a new type of malware.

          In such situations, we try using the free tools below to see if it's one of the new trojans or rootkits:

          On a separate, CLEAN computer, download the Malwarebytes installer and update files from the links below, copy them to a CD or flash drive, then transfer the files to the problem machine and use them. If you can't start the computer into "normal" Windows, try installing, updating, and running the scans AFTER the computer is started into Safe Mode. I use the sites below to download the installer file and the manual updater:

          Once downloaded and before transferring them to the problem machine, rename the program installer "mbam-setup.exe" file to something else like "Gogetum.exe", then copy the installer file and the update file to a CD or flash drive. (Many of the new malware will block the standard removal tool from installing itself.) Transfer the file to the problem machine, then install the "Gogetum.exe" file, then run the update to get the program current. After that, run a full system scan in both "Normal" Windows and Safe Mode and delete anything it finds.

          Malwarebytes Installer Download Link (Clicking on the links below will immediately start the download dialogue window.)
          http://www.besttechie.net/tools/mbam-setup.exe

          Malwarebytes Manual Updater link
          http://www.malwarebytes.org/mbam/database/mbam-rules.exe

          Next, download the SuperAntispyware program and the manual updater from the links below. After running the Malwarebytes tool above, if you still can't download and install it directly from the problem machine, download it on a separate, clean computer as well. After installing and updating SuperAntispyware, run another full system scan and delete everything it finds as well. As before, you may need to rename the installer file to get the program to install:

          SuperAntispyware
          http://www.superantispyware.com/

          SuperAntispyware Manual Updater
          http://www.superantispyware.com/definitions.html
          ____________

          In a few situations, in order for the program to run, it was also necessary to rename the main "mbam.exe" file after installing it. It resides in the C:\Program Files\Malwarebytes Antimalware folder.
          ____________________
          Hope this helps.

          Grif
          • 2. RE: New virus - Disables McAfee?
            secured2k
            If you have not wiped out the infected systems, I would like to talk with you about what virus you might have actually found... Also, is it detected by McAfee, MalwareBytes or other scanners?

            Feel free to email me.