31 Replies. Latest reply on Dec 13, 2012 3:33 AM by Peacekeeper

    Possible False Positive - Artemis! E088D5F5DA3D

      Hello All

       

      I am a new user here.

       

      Let me first post the log file entry.

      The Artemis alert pops up on two machines.  I have posted it here.

       

      Machine 01

      WinXP PRO XP SP2

      McAfee VirusScan Enterprise Workstation

      Version 8.7.0.570

      DAT Version 6797

      8/10/2012 9:57:00 AM Deleted  SYSTEM System:Remote C:\WINDOWS\system32\bdvsapi.c Artemis!E088D5F5DA3D (Virus)

       

       

      Machine 02

      WinXP PRO XP SP3

      McAfee VirusScan Enterprise Workstation

      Version 8.7.0.570

      DAT Version 6797

      8/10/2012 10:04:51 AM Deleted  TLGKR7104DO009\Linde System:Remote(192.168.1.211 (ASP2_OS_SV1)) C:\WINDOWS\system32\kyllzq.dbc Artemis!E088D5F5DA3D (Virus)

       

       

      They used to have a conficker virus problem but I solved that.

      Now only this virus alert remains.  How do I get rid of this alert on these machines?

      I apologise if I omitted other necessary information to solve this issue.

      Your prompt help is appreciated.

        • 1. Re: Possible False Positive - Artemis! E088D5F5DA3D
          Peacekeeper

          Different names, same detection; quite possibly a new virus. Why do you think it is a false detection? The file names are strange.

           

          Send both to mcafee as per

          http://vil.nai.com/vil/submit-sample.aspx

          When you get a reply, you should straight away reply to that, saying in the subject: possible false detection Artemis!E088D5F5DA3D

           

          Say why you think it is, and make sure you only send 1 per submission.

           

          Post your analysis IDs here.

          • 2. Re: Possible False Positive - Artemis! E088D5F5DA3D

            Hi,

             

            The samples mentioned here are detected as W32/Conficker.worm.gen.b with production DATs. However, for the Conficker specific cleaning to occur, please configure another full Scan with Artemis disabled.

             

            Please refer to the information available at the following links for an understanding of the threat vector:

             

            <http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=153710>

            <http://www.mcafee.com/us/threat-center/conficker.aspx>

             

            The machine should have all the Windows and McAfee updates installed, especially the following:

             

            <http://technet.microsoft.com/en-us/security/bulletin/ms08-067>

             

            Regards,

            Showvik

            • 3. Re: Possible False Positive - Artemis! E088D5F5DA3D

              Dear All

               

              Thanks for your prompt replies.

               

              I believe it is a false positive because I have completed the following tasks.

              If I have missed a task then please let me know and I will try it.

               

              For WinXP SP2 system.

               

              1) Updated DAT to most recent version and ran ON DEMAND scan.  No detections found.

              2) Also ran ON DEMAND scan in safe mode.  No detections found.

              3) Ran Stinger removal tool.  No detections found.

              4) Ran MS Removal Tool Windows-KB890830-V4.10.exe

              5) Followed instructions in KB962007.  It is a local machine so some instructions for Group Policy did not apply.

              6) Installed MS08-067 security patch & Update 967715

              7) Ran Windows Update, except upgrading to SP3

              8) No more Conficker virus message, but I keep getting the Artemis message.

               

              Since you have instructed me to make 1 per submission, I will repost what I did for the other machine in this thread.

              • 4. Re: Possible False Positive - Artemis! E088D5F5DA3D

                Hi,

                 

                Thank you for performing the steps mentioned above. However, as stated earlier, we would like you to configure a custom On Demand Scan with Heuristics turned off and perform a full scan with these custom ODS settings. If the value after Artemis! has changed, let us know the full Artemis detection names that are observed now.

                 

                Regards,

                Showvik

                • 5. Re: Possible False Positive - Artemis! E088D5F5DA3D

                  Thanks for your continued support on this issue.

                  I ran a custom on-demand scan.  I have disabled Heuristics.

                   

                  No change in values.  I still see a message pop up on the screen:

                   

                  8/28/2012          10:16:47 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

                  8/28/2012          10:43:53 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

                  8/28/2012          10:48:46 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

                  8/28/2012          10:59:40 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

                  8/28/2012          11:25:15 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

                  8/28/2012          11:30:08 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

                  8/28/2012          11:42:20 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

                  8/28/2012          12:06:37 PM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

                   

                   

                  Please see the attached results of the scan I performed today.

                   

                  8/28/2012          10:09:12 AM                    Engine version                          =          5400.1158

                  8/28/2012          10:09:12 AM                    AntiVirus   DAT version                 =          6816.0

                  8/28/2012          10:09:12 AM                    Number of detection signatures in EXTRA.DAT =          None

                  8/28/2012          10:09:12 AM                    Names of detection signatures in EXTRA.DAT  =          None

                  8/28/2012          10:08:59 AM          Scan Started          ASP2_OS_CL2\LINDE          On-Demand Scan

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Scan Summary

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Processes scanned    : 98

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Processes detected   : 0

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Processes cleaned    : 0

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Boot sectors scanned : 3

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Boot sectors detected: 0

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Boot sectors cleaned : 0

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Files scanned        : 65171

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Files with detections: 0

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          File detections      : 0

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Files cleaned        : 0

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Files deleted        : 0

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Files not scanned    : 49

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Scan Summary (Registry Scanning)

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Keys scanned         : 34738

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Keys detected        : 0

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Keys cleaned         : 0

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Keys deleted         : 0

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Scan Summary (Cookie Scanning)

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Cookies scanned      : 1

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Cookies detected     : 0

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Cookies cleaned      : 0

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Cookies deleted      : 0

                  8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Run time             : 0:35:53

                  8/28/2012          10:44:52 AM          Scan Complete          ASP2_OS_CL2\LINDE          On-Demand Scan

                   

                   

                  I will try with the other machine later today or tomorrow.

                  Thanks again.
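As an added example, not code from this thread or from McAfee, the following Python script parses the on-access log lines and the on-demand scan start/complete lines posted above and summarizes what they show together: the same path deleted repeatedly, every time from a remote session, both during and after a full on-demand scan that itself reported zero file detections. The sample log embedded in the script is constructed from the lines in this post; the column layout (fields separated by runs of two or more spaces) is an assumption based on how the lines appear here.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the lines posted in this thread
# (hostname, path and detection name are the thread's own values).
SAMPLE_LOG = r"""
8/28/2012          10:08:59 AM          Scan Started          ASP2_OS_CL2\LINDE          On-Demand Scan
8/28/2012          10:16:47 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)
8/28/2012          10:43:53 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)
8/28/2012          10:44:52 AM          Scan Complete          ASP2_OS_CL2\LINDE          On-Demand Scan
8/28/2012          10:48:46 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)
8/28/2012          10:59:40 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)
8/28/2012          11:25:15 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)
8/28/2012          11:30:08 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)
8/28/2012          11:42:20 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)
8/28/2012          12:06:37 PM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)
"""

# Assumed column separator: two or more spaces (single spaces occur inside
# values such as "10:16:47 AM" and "Scan Started").
SEP = re.compile(r"\s{2,}")
TS_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse_events(text):
    """Turn log lines into dicts; on-demand scan markers and on-access actions differ in width."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = SEP.split(line)
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", TS_FMT)
        if parts[2] in ("Scan Started", "Scan Complete") and len(parts) == 5:
            events.append({"ts": ts, "kind": parts[2], "host": parts[3], "task": parts[4]})
        elif len(parts) == 7:
            events.append({"ts": ts, "kind": parts[2], "user": parts[3], "source": parts[4],
                           "path": parts[5], "detection": parts[6]})
    return events


def summarize(text):
    """Count on-access deletions per path/source and place them relative to the ODS window."""
    events = parse_events(text)
    window = [e["ts"] for e in events if e["kind"] in ("Scan Started", "Scan Complete")]
    start, end = (min(window), max(window)) if window else (None, None)
    deletions = [e for e in events if e["kind"] == "Deleted"]
    by_path = Counter(e["path"] for e in deletions)
    by_source = Counter(e["source"] for e in deletions)
    during_scan = sum(1 for e in deletions if start and start <= e["ts"] <= end)
    after_scan = sum(1 for e in deletions if end and e["ts"] > end)
    # Seconds between consecutive deletions: how quickly the file reappears.
    gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(deletions, deletions[1:])]
    return {
        "deletions": len(deletions),
        "by_path": dict(by_path),
        "by_source": dict(by_source),
        "during_scan": during_scan,
        "after_scan": after_scan,
        "min_gap_seconds": min(gaps) if gaps else None,
        "max_gap_seconds": max(gaps) if gaps else None,
        "recurring": any(n > 1 for n in by_path.values()),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:>16}: {value}")
```

Eight deletions of one path, all attributed to System:Remote, with two of them landing inside a full on-demand scan that found nothing, is the pattern of a file being written onto the machine from elsewhere and caught by the on-access scanner as it lands; a clean local scan cannot stop that on its own. The earlier log line for the second machine names the remote session's address (192.168.1.211), which is where a defender would look next.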

                  • 6. Re: Possible False Positive - Artemis! E088D5F5DA3D

                    Hello All

                     

                    Has there been any follow up on this matter?

                    Cheers

                    • 7. Re: Possible False Positive - Artemis! E088D5F5DA3D
                      Peacekeeper

                      Showvik needs to reply to this; if he doesn't I will ask him nicely, as he is busy.

                      • 8. Re: Possible False Positive - Artemis! E088D5F5DA3D

                        Hi,

                         

                        That is strange, as on my test machine I see the Conficker detection. Please refer to the logs below from my test:

                         

                        9/20/2012    11:51:47 PM        Engine version                          =    5400.1158

                        9/20/2012    11:51:47 PM        AntiVirus   DAT version                 =    6841.0

                        9/20/2012    11:51:47 PM        Number of detection signatures in EXTRA.DAT =    1

                        9/20/2012    11:51:47 PM        Names of detection signatures in EXTRA.DAT  =    None

                        9/20/2012    11:51:33 PM    Scan Started    BANRVARMAVM1\rvarma    On-Demand Scan

                        9/20/2012    11:51:50 PM    No Action Taken     rvarma    ODS    D:\xxx\20th Sep\e088d5f5da3da1f48bcf30a63d7530e1\107180052\107180052    W32/Conficker.worm.gen.b

                         

                        Best here would be to submit the sample to McAfee Labs as suggested by Tony earlier and post back the submission ID here. We will respond to that submission with a fix.

                         

                        Regards,

                        Showvik

                        • 9. Re: Possible False Positive - Artemis! E088D5F5DA3D

                          Thank you for your continued help in solving this issue.

                          There are a lot of files that are in the Quarantine folder.

                          Can I zip the most recent file and send it to McAfee Labs as a sample?

                          Your prompt response will be appreciated.

                          Cheers
