604 Views 0 Replies Latest reply: Jun 28, 2013 4:17 AM by bitparker RSS
bitparker Newcomer 1 posts since
Jun 28, 2013
Jun 28, 2013 4:17 AM

Infection, detection and time to release patterns?

I was faced with a suspicious client which was known to have an unknown exe file loaded by registry run commands. I tried to upload this file via the virus_research mail address, which doesn't make sense if you need to upload an exe file and have to rename it to a txt file to bypass the mail system AV:

--

McAfee Labs - Beaverton

Current Scan Engine Version: 5600.1067
Current DAT Version: 7119.0000

Thank you for your submission.

Analysis ID: 7616XXX

File Name           |Findings    |Detection |Type |Extra
--------------------|------------|----------|-----|-----
exona.exe.txt       |no password |          |     |no
exona.exe_md5.txt   |no password |          |     |no
exona.exe_sha1.txt  |no password |          |     |no
libnspr4.dll        |no malware  |          |     |no
libnspr4.dll_md5.txt|no password |          |     |no
libnspr4.dll_sha1.tx|no password |          |     |no

no password [exona.exe.txt exona.exe_md5.txt exona.exe_sha1.txt libnspr4.dll_md5.txt libnspr4.dll_sha1.txt]

A file you submitted did not arrive in a password-protected ZIP file. Please see
http://www.mcafee.com/us/mcafee-labs/resources/how-to-submit-sample.aspx
for

--

Also the analyze/upload tool from McAfee doesn't indicate the suspect file as suspect and wouldn't upload this.

In this special case here we're aware of its existence since the end of April; the DAT was updated 28.06.2013 to identify it as:

McAfee RDN/Generic PWS.y!ss 20130628

on virustotal.com. http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=3328162

One hint/feedback on submitting suspicious files to McAfee:

- sending exe files in an enterprise environment doesn't work

- sending pw-protected files in an enterprise environment doesn't work

So why not use a web portal like virustotal does? Whitelisting can easily be done on a web proxy to let specific people submit files from inside an enterprise environment to a web site.
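A pre-submission check, added here as an example and not part of the original post or of any McAfee tool: it inspects a sample bundle the way the Labs response above does, reporting "no password" for any member that is not encrypted and verifying the `_md5.txt` / `_sha1.txt` sidecars against the sample. The sidecar contents (a hex digest, optionally followed by a file name as md5sum prints it) and the constructed sample bytes are assumptions.

```python
import hashlib
import io
import zipfile

# Sidecar names follow the Labs table; their content format is an assumption.
SIDECARS = {"md5": "_md5.txt", "sha1": "_sha1.txt"}


def build_sidecars(sample_name, sample_bytes):
    # Returns {sidecar file name: hex digest} for one sample.
    return {
        sample_name + suffix: hashlib.new(algo, sample_bytes).hexdigest() + "\n"
        for algo, suffix in SIDECARS.items()
    }


def check_submission(zip_bytes, password=None):
    """Return {member: finding} in the style of the Labs table, before mailing."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = set(zf.namelist())
        for info in zf.infolist():
            name = info.filename
            if name.endswith(tuple(SIDECARS.values())):
                continue  # sidecars are checked together with their sample
            if not info.flag_bits & 0x1:  # bit 0 = traditional ZIP encryption
                findings[name] = "no password"
                continue
            if password is None:
                findings[name] = "encrypted, password not supplied"
                continue
            data = zf.read(name, pwd=password.encode())
            for sidecar, digest in build_sidecars(name, data).items():
                if sidecar not in members:
                    findings[name] = "missing " + sidecar
                    break
                if zf.read(sidecar).decode().split()[0].lower() != digest.strip():
                    findings[name] = "hash mismatch in " + sidecar
                    break
            else:
                findings[name] = "ok"
    return findings


def demo():
    # Constructed bundle: correct sidecars, but a plain (unencrypted) ZIP.
    sample = b"MZ" + b"\x00" * 62 + b"constructed, not a real executable"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("exona.exe", sample)
        for sidecar, digest in build_sidecars("exona.exe", sample).items():
            zf.writestr(sidecar, digest)
    return check_submission(buf.getvalue())
```

`demo()` reproduces the bounce reason from the mail ("no password" for exona.exe), which is what you want to catch before the bundle leaves the enterprise.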
