0 Replies | Latest reply: Jun 28, 2013 4:17 AM by bitparker

    Infection, detection and time to release patterns?


      I was faced with a suspicious client which was known to have an unknown exe file loaded by registry Run commands. I tried to upload this file via the virus_research mail address, which doesn't make sense if you need to upload an exe file and have to rename it to a txt file to bypass the mail system's AV:


      McAfee Labs - Beaverton

      Current Scan Engine Version:5600.1067

      Current DAT Version:7119.0000

      Thank you for your submission.


      Analysis ID: 7616XXX


      File Name            | Findings    | Detection | Type | Extra
      ---------------------|-------------|-----------|------|------
      exona.exe.txt        | no password |           |      | no
      exona.exe_md5.txt    | no password |           |      | no
      exona.exe_sha1.txt   | no password |           |      | no
      libnspr4.dll         | no malware  |           |      | no
      libnspr4.dll_md5.txt | no password |           |      | no
      libnspr4.dll_sha1.tx | no password |           |      | no


      no password [exona.exe.txt exona.exe_md5.txt exona.exe_sha1.txt libnspr4.dll_md5.txt



      A file you submitted did not arrive in a password-protected ZIP file. Please see




      Also, the analyze/upload tool from McAfee doesn't flag the suspect file as suspect and wouldn't upload it.


      In this particular case we have been aware of its existence since the end of April; the DAT was updated on 28.06.2013 to identify it as:

      McAfee RDN/Generic PWS.y!ss 20130628

      on virustotal.com: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=3328162



      One hint/feedback on submitting suspicious files to McAfee:

      - sending exe files in an enterprise environment doesn't work

      - sending password-protected files in an enterprise environment doesn't work


      So why not use a web portal like virustotal does? Whitelisting can easily be done on a web proxy to let specific people submit files from inside an enterprise environment to a web site.
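The triage step behind the post above (an unknown exe started from a registry Run key, then hashed into `<name>_md5.txt` / `<name>_sha1.txt` sidecar files for submission) can be scripted on the affected client. The following is an added example and is not code from the original post or from McAfee: it walks the usual Run/RunOnce keys, resolves each command line to the binary it launches, checks its Authenticode status, and writes the hash sidecars. The output folder, the sidecar file format (`<hash>  <filename>`) and the key list are assumptions; the script needs Windows PowerShell 4 or later for `Get-FileHash` and an elevated prompt to read the HKLM keys.

```powershell
# Added example (not from the original post or McAfee). Enumerates the Run/RunOnce
# keys that launch programs at logon, resolves each value to the executable it starts,
# records signature status and MD5/SHA1, and writes <name>_md5.txt / <name>_sha1.txt
# sidecar files. Requires Windows PowerShell 4+ (Get-FileHash); run elevated for HKLM.
param(
    [string]$OutDir = "$env:USERPROFILE\Desktop\samples"   # assumed output location
)

# Assumed key list: the common user and machine autostart locations (incl. 32-bit view).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Note properties Get-ItemProperty adds to every registry object; they are not Run values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath {
    # Extract the program path from a Run value such as
    #   "C:\Program Files\Foo\foo.exe" /silent     or     C:\tmp\exona.exe
    # Caveat: for loaders like rundll32.exe "x.dll",Entry this returns the loader,
    # not the payload DLL given as its argument.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted path with spaces: take everything up to the first executable extension.
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|com|scr|bat|cmd))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$results = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $exe = Get-ExecutablePath -CommandLine ([string]$p.Value)
        if (-not (Test-Path -LiteralPath $exe)) {
            # A Run value pointing at a missing file is itself worth noting (deleted dropper, cleanup leftover).
            Write-Warning "$key\$($p.Name): target not found: $exe"
            continue
        }
        $sig  = Get-AuthenticodeSignature -FilePath $exe
        $md5  = (Get-FileHash -Algorithm MD5  -LiteralPath $exe).Hash.ToLower()
        $sha1 = (Get-FileHash -Algorithm SHA1 -LiteralPath $exe).Hash.ToLower()
        $results += [pscustomobject]@{
            Key       = $key
            Value     = $p.Name
            Path      = $exe
            Signature = $sig.Status     # 'Valid' for signed vendor binaries; 'NotSigned' deserves a closer look
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            MD5       = $md5
            SHA1      = $sha1
        }
        # Sidecar hash files in the naming scheme used by the submission in the post
        # (content format <hash>  <filename> is an assumption).
        $name = Split-Path -Leaf $exe
        Set-Content -Path (Join-Path $OutDir "${name}_md5.txt")  -Value "$md5  $name"
        Set-Content -Path (Join-Path $OutDir "${name}_sha1.txt") -Value "$sha1  $name"
    }
}

$results | Format-Table -AutoSize
```

Run it once on a known-clean reference machine and once on the suspect client and diff the two tables; an unsigned binary that exists only on the suspect client is the one to copy (renamed, as the post describes) into the submission package together with its sidecar files. The hashes are also what you can check against the McAfee threat-intelligence entry or virustotal.com before submitting, to tell a sample that is already known from one that is not.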