19 Replies Latest reply on Aug 21, 2013 11:15 AM by unomedical

    infected computers


      Recently our computers got infected by the trojan photo.exe - if run, it copies itself to all visible drives.

      We use McAfee but it is not able to recognize the virus. Please help, I don't know what to do. We got an extra.dat file from McAfee but it was not able to recognize the virus.

      It is quite annoying because we discovered the virus a week ago and nothing has happened until now - no solution... except that we can use some other online antivirus, which is able to cure it. But we need to protect our computers continuously!!

      See configuration from my laptop:



      McAfee Agent 

      Version number:


      Last security update check: 15.08.2013 9:01:42

      Last agent-to-server communication: 15.08.2013 13:28:36

      Agent to Server Communication Interval (every): 1 hour

      Policy Enforcement Interval (every): 30 minutes

      Agent ID: {FAC5770C-3EC2-44CA-8B84-043BA9CAEC2D}

      ePO Server/Agent Handler 

      DNS Name: OSTEPO01.unomedical.root.net

      IP Address:

      Port Number: 443



      McAfee VirusScan Enterprise + AntiSpyware Enterprise 

      Version number: 8.8.0 (

      Build date: 14.08.2012


      Anti-virus License Type: licensed


      Scan engine version (32-bit): 5600.1067



      DAT version: 7167.0000

      DAT Created on: 8/14/2013


      Number of Signatures in extra.dat: 1

      Name of threats that extra.dat can detect:  

      Generic.Tra!968ab3e7f9e3 (ED)

      Buffer Overflow and Access Protection DAT version: 647


      Installed Patches: 2


      Installed Modules: 



      Copyright © 1995-2011 McAfee, Inc. 

      All Rights Reserved. 


        • 1. Re: infected computers

          This isn't my area so I'll keep the contribution short and leave it to the Business moderators to offer specific advice, but I see that McAfee detects 92 variants of malware that create a file named "photo.exe".




          Perhaps this is just a new variant, in which case the Labs would like to have any suspect files for analysis. Support might ask you to run GetSusp to isolate and submit anything suspicious.


          One of the Business moderators will see this and should be able to advise you.

          1 of 1 people found this helpful
          • 2. Re: infected computers

            Thanks Hayton,

            if it can help, the virus is recognized by Eset as:



            I don't know how to find it among those 92...

            We have a sample, I can send it if you tell me where.

            • 3. Re: infected computers

              How to submit a sample to the Labs for analysis : see




              The ESET name helped to establish a connection. There are 4 VirusTotal reports for that name and in each case McAfee provides an Artemis detection number as below.


              The McAfee-GW Edition more helpfully knows it as "Heuristic.BehavesLike.Win32.Suspicious-BAY.K".


              Artemis detections :






              I believe you're in the UK, so this alert from Webroot may be relevant :

              http://blog.webroot.com/2013/08/07/cybercriminals-spamvertise-fake-o2-u-k-mms-themed-emails-serve-malware/


              British users, watch what you execute on your PCs!


              An ongoing malicious spam campaign is impersonating U.K’s O2 mobile carrier, in an attempt to trick its customers into executing a fake ‘MMS message’ attachment found in the emails.


              Detection rate for the malicious attachment – detected by 9 out of 46 antivirus scanners as Heuristic.BehavesLike.Win32.Suspicious-BAY.K; Win32/TrojanDownloader.Zurgop.AW.


              This may not be the actual infection vector but the alert gives you some addresses for outgoing network traffic that you may want to look for in the logs.

              1 of 1 people found this helpful
              • 4. Re: infected computers


                Thank you for the useful information,

                I uploaded a sample by using GetSusp:


                McAfee Labs(r) GetSusp(tm) Version built on Dec 31 2012

                Copyright (c) 2012 McAfee, Inc. All Rights Reserved.


                GetSusp initiated on Thu Aug 15 16:54:36 2013



                X:\Photo.exe ... is Suspicious !!!


                GetSusp scan identified (1) Suspicious file(s) and (0) Unknown file(s).

                Scan results are saved at ....................(deleted - you don't need to see my folders structure).

                Scan results have been successfully delivered to McAfee Labs.


                BTW I am in Slovakia but our proxy is in UK - I will inform colleagues there



                • 5. Re: infected computers

                  unomedical wrote:

                  BTW I am in Slovakia but our proxy is in UK - I will inform colleagues there


                  I saw the proxy IP address and thought the alert might apply to you. The fake-O2 email campaign was (I think) only directed at UK users, but the technique is commonly used.


                  The results of the file submission should be available after a day or two, but turnaround depends on the Labs' workload so I can't be definite. It might be sooner.

                  • 6. Re: infected computers

                    When you ran GetSusp, did you add your email address to the preferences so McAfee can keep you informed?

                    • 7. Re: infected computers



                      I think it added the email itself, I just checked now and it is there. I also got a confirmation email from avertlabs.com


                      • 8. Re: infected computers

                        OK thanks, the older versions did not do that. Good luck.

                        • 9. Re: infected computers

                          Hello all,

                          I still didn't get any answer regarding the samples I sent to McAfee.

                          I also found more viruses in our environment - what is the reason that McAfee cannot detect them??
