19 Replies. Latest reply on Aug 21, 2013 11:15 AM by unomedical

    infected computers

    unomedical

      Hello,

      Recently we got our computers infected by the trojan photo.exe - this, if run, copies itself to all visible drives.

      We use McAfee but it is not able to recognize the virus. Please help, I don't know what to do. We got an extra.dat file from McAfee but it was not able to recognize the virus.

      It is quite annoying because we discovered the virus a week ago and nothing has happened until now - no solution... except we can use some other online antivirus, which is able to cure it. But we need to protect our computers continuously!!

      See configuration from my laptop:

      McAfee Agent 

      Version number: 4.6.0.1694

      Managed 

      Last security update check: 15.08.2013 9:01:42

      Last agent-to-server communication: 15.08.2013 13:28:36

      Agent to Server Communication Interval (every): 1 hour

      Policy Enforcement Interval (every): 30 minutes

      Agent ID: {FAC5770C-3EC2-44CA-8B84-043BA9CAEC2D}

      ePO Server/Agent Handler 

      DNS Name: OSTEPO01.unomedical.root.net

      IP Address: 10.12.6.44

      Port Number: 443

      McAfee VirusScan Enterprise + AntiSpyware Enterprise 

      Version number: 8.8.0 (8.8.0.975)

      Build date: 14.08.2012

      Anti-virus License Type: licensed

      Scan engine version (32-bit): 5600.1067

      DAT version: 7167.0000

      DAT Created on: 8/14/2013

      Number of Signatures in extra.dat: 1

      Name of threats that extra.dat can detect:  

      Generic.Tra!968ab3e7f9e3 (ED)

      Buffer Overflow and Access Protection DAT version: 647

      Installed Patches: 2

      Installed Modules: 

      Copyright © 1995-2011 McAfee, Inc. 

      All Rights Reserved. 

      www.mcafee.com 

        • 1. Re: infected computers
          Hayton

          This isn't my area so I'll keep the contribution short and leave it to the Business moderators to offer specific advice, but I see that McAfee detects 92 variants of malware that create a file named "photo.exe".

          http://www.mcafee.com/apps/search/threat.aspx?q=photo.exe&v=malware

          Perhaps this is just a new variant, in which case the Labs would like to have any suspect files for analysis. Support might ask you to run GetSusp to isolate and submit anything suspicious.

          One of the Business moderators will see this and should be able to advise you.

          • 2. Re: infected computers
            unomedical

            Thanks Hayton,

            if it can help, the virus is recognized by Eset as:

            Win32/TrojanDownloader.Delf.RHY

             I don't know how to find it among those 92...

            We have a sample, I can send it if you tell me where.

            • 3. Re: infected computers
              Hayton

               How to submit a sample to the Labs for analysis: see

              http://www.mcafee.com/us/threat-center/resources/how-to-submit-sample.aspx

              The ESET name helped to establish a connection. There are 4 VirusTotal reports for that name and in each case McAfee provides an Artemis detection number as below.

              The McAfee-GW Edition more helpfully knows it as "Heuristic.BehavesLike.Win32.Suspicious-BAY.K".

               Artemis detections:

              Artemis!5C01D596F590

              Artemis!E03D2419189A

              Artemis!52E18099B0C4

              Artemis!12E07728951E

               I believe you're in the UK, so this alert from Webroot may be relevant:

               http://blog.webroot.com/2013/08/07/cybercriminals-spamvertise-fake-o2-u-k-mms-themed-emails-serve-malware/

              British users, watch what you execute on your PCs!

               An ongoing malicious spam campaign is impersonating the U.K.'s O2 mobile carrier, in an attempt to trick its customers into executing a fake 'MMS message' attachment found in the emails.

              Detection rate for the malicious attachment – detected by 9 out of 46 antivirus scanners as Heuristic.BehavesLike.Win32.Suspicious-BAY.K; Win32/TrojanDownloader.Zurgop.AW.

              This may not be the actual infection vector but the alert gives you some addresses for outgoing network traffic that you may want to look for in the logs.

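A defender-side example added here, not code from the thread or from McAfee: sweep the drive roots the worm copies itself to, and tie any photo.exe found there to the Artemis names Hayton lists, using the fact that an Artemis!XXXXXXXXXXXX name is the first 12 hex digits of the sample's MD5. Drive letters are probed at run time; the file locations and the Windows/Linux handling are this example's own assumptions.

```python
"""Sweep visible drive roots for photo.exe and tie each hit to an Artemis name.
Added example, not from the thread. An Artemis!XXXXXXXXXXXX name carries the first
12 hex digits of the sample's MD5, so a local file can be matched to the names quoted
above. Drive letters are probed at run time; everything else here is assumed."""
import hashlib
import os
import string
from pathlib import Path

# Artemis names quoted in Hayton's reply above (12 hex digits = MD5 prefix).
ARTEMIS_NAMES = [
    "Artemis!5C01D596F590",
    "Artemis!E03D2419189A",
    "Artemis!52E18099B0C4",
    "Artemis!12E07728951E",
]


def md5_hex(data: bytes) -> str:
    """Upper-case hex MD5 of the bytes; the Artemis name is derived from this."""
    return hashlib.md5(data).hexdigest().upper()


def classify(data: bytes, names=ARTEMIS_NAMES):
    """Return the Artemis name whose 12-hex prefix matches these bytes, else None."""
    prefix = md5_hex(data)[:12]
    for name in names:
        if name.startswith("Artemis!") and name[len("Artemis!"):].upper() == prefix:
            return name
    return None


def visible_drive_roots():
    """Roots the worm copies to: every mounted C:\\ .. Z:\\ on Windows, / elsewhere."""
    if os.name == "nt":
        return [Path(f"{d}:\\") for d in string.ascii_uppercase if Path(f"{d}:\\").exists()]
    return [Path("/")]


def sweep(roots=None):
    """Map each photo.exe found at a drive root to its Artemis name, or None if unknown."""
    hits = {}
    for root in visible_drive_roots() if roots is None else map(Path, roots):
        if not root.is_dir():
            continue  # unmounted or unreadable root: nothing to check
        for candidate in root.glob("[Pp]hoto.exe"):  # GetSusp showed it as X:\Photo.exe
            if candidate.is_file():
                hits[str(candidate)] = classify(candidate.read_bytes())
    return hits
```

A hit whose verdict is None is still a file named photo.exe sitting at a drive root, which is exactly what the thread describes; it just means the MD5 is not one of the four Artemis IDs quoted, so the sample should be submitted as Hayton suggests.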
              • 4. Re: infected computers
                unomedical

                Hayton,

                 Thank you for the useful information,

                 I uploaded a sample using GetSusp:

                McAfee Labs(r) GetSusp(tm) Version 3.0.0.323 built on Dec 31 2012

                Copyright (c) 2012 McAfee, Inc. All Rights Reserved.

                GetSusp initiated on Thu Aug 15 16:54:36 2013

                X:\Photo.exe ... is Suspicious !!!

                GetSusp scan identified (1) Suspicious file(s) and (0) Unknown file(s).

                 Scan results are saved at ....................(deleted - you don't need to see my folder structure).

                Scan results have been successfully delivered to McAfee Labs.

                 BTW I am in Slovakia but our proxy is in the UK - I will inform colleagues there

                thanks

                Katarina

                • 5. Re: infected computers
                  Hayton

                  unomedical wrote:


                  BTW I am in Slovakia but our proxy is in the UK - I will inform colleagues there

                  I saw the proxy IP address and thought the alert might apply to you. The fake-O2 email campaign was (I think) only directed at UK users, but the technique is commonly used.

                  The results of the file submission should be available after a day or two, but turnaround depends on the Labs' workload so I can't be definite. It might be sooner.

                  • 6. Re: infected computers
                    Peacekeeper

                    When you ran GetSusp, did you add your email address to the preferences so McAfee can keep you informed?

                    • 7. Re: infected computers
                      unomedical

                      Moderator,

                      I think it added the email itself; I just checked now and it is there. I also got a confirmation email from avertlabs.com.

                      K.

                      • 8. Re: infected computers
                        Peacekeeper

                        OK, thanks. The older versions did not do that. Good luck.

                        • 9. Re: infected computers
                          unomedical

                          Hello all,

                          I still didn't get any answer regarding the samples I sent to McAfee.

                          I also found more viruses in our environment - what is the reason that McAfee cannot detect them??
