8 Replies Latest reply on Sep 4, 2015 8:29 PM by catdaddy

    False Artemis!E3175226C78A

    davidbaldwin

      Good Day


      I have followed the advice here:  https://community.mcafee.com/thread/2016


      1.  Regarding: 

      DiamondCS NetCheck

      Copyright (C) 2006, DiamondCS


      2.  I sent an email to virus_research@mcafee.com using the same subject line.


      3.  I'm posting here, the same info


      4.  I couldn't encrypt the zipped netcheck.exe with my version of Vista Home Premium so I used McAfee GetSusp to submit the suspicious file, but I also added the comment:

      False Artemis!E3175226C78A

      DiamondCS\netcheck\netcheck.exe [MD5:e3175226c78a9ea5ede501e84cffd041] is infected with Artemis!E3175226C78A

      Here's the full scoop.  I hope McAfee removes this from Artemis and therefore STINGER detection:

      ------------------------

      This file has existed for many years, as a simple utility to verify that an active internet connection exists.  I use it regularly at home to quickly "test" that I have a valid internet connection and am able to resolve DNS addresses.  I've had this utility on my "clean" system for years.  It is not a threat.
      Although diamondcs.com.au no longer exists, this was their description for "netcheck.exe":
      "DiamondCS NetCheck
      Copyright (C) 2006, DiamondCS
      http://www.diamondcs.com.au
      THIS IS NOT A VIRUS (although some virus programs may think so)

      DiamondCS NetCheck allows you to quickly check the status of your Internet connection. It does this by testing one (or more) servers - first by attempting to resolve their IP address to test the status of your DNS server, and secondly by attempting to connect to TCP ports, allowing you to test whether you can connect to sites on the Internet.

      It is recommended that you use the address of your Internet Service Provider as the first entry for both DNS and TCP in the netcheck.ini file, as well as a numeric IP address as one of the TCP entries so as to still be able to test for TCP connectivity even if your DNS server is down."
      ----------------------------------------------------------------
      Note: netcheck.ini simply contains 3 user-selectable DNS and 3 user-selectable TCP addresses to check:
      [Config]
      NumDNS=3
      NumTCP=3
      DNS1=www.cogeco.ca
      DNS2=www.google.com
      DNS3=www.microsoft.com
      TCP1=24.226.1.243:80 (cogeco.ca)
      TCP2=www.google.com:80
      TCP3=www.microsoft.com:80
      MALWR.com / VIRUSTOTAL.com results:
      Currently 12 less-known, less-popular virus engines at VirusTotal flag this file (INCLUDING McAfee).
      Specifically, 12 of 50 virus engines flag it
      Antiy-AVL Trojan/Win32.VB.gic 20140421
      Bkav HW32.CDB.43e8 20140418
      ByteHero Virus.Win32.Heur.d 20140421
      CAT-QuickHeal (Suspicious) - DNAScan 20140421
      Commtouch W32/Alureon.F!Generic 20140421
      Comodo Heur.Packed.Unknown 20140421
      F-Prot W32/Alureon.F!Generic 20140421
      K7AntiVirus Virus ( 5585903c0 ) 20140421
      McAfee Artemis!E3175226C78A 20140421
      McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.C 20140421
      TrendMicro PAK_Generic.001 20140421
      TrendMicro-HouseCall TROJ_GEN.F47V0127 20140421
      The following engines consider it safe:
      AVG 20140421
      Ad-Aware 20140421
      AegisLab 20140421
      Agnitum 20140421
      AhnLab-V3 20140421
      AntiVir 20140421
      Avast 20140421
      Baidu-International 20140421
      BitDefender 20140421
      CMC 20140421
      ClamAV 20140421
      DrWeb 20140421
      ESET-NOD32 20140421
      Emsisoft 20140421
      F-Secure 20140421
      Fortinet 20140420
      GData 20140421
      Ikarus 20140421
      Jiangmin 20140421
      K7GW 20140421
      Kaspersky 20140421
      Kingsoft 20140421
      Malwarebytes 20140421
      MicroWorld-eScan 20140421
      Microsoft 20140421
      NANO-Antivirus 20140421
      Norman 20140421
      Panda 20140421
      Qihoo-360 20140411
      Rising 20140421
      SUPERAntiSpyware 20140421
      Sophos 20140421
      Symantec 20140421
      TheHacker 20140421
      TotalDefense 20140421
      VBA32 20140421
      VIPRE 20140421
      ViRobot 20140421
      nProtect 20140421
      * PLUS WEBROOT SECURE ANYWHERE
      (which is not one of the VirusTotal engines, but which runs on my system.)
      ------------------------------------------------------------------------
      Malwr.com reports no immediate threat but shows:

      File Details

      File Name: netcheck.exe
      File Size: 25135 bytes
      File Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
      MD5: e3175226c78a9ea5ede501e84cffd041
      SHA1: 44cdd75d9f1be11ad31c293bfadd2d46da3be767
      SHA256: 667a2a3817cdb588ce46b20484bf27165d7516c4437b0eb243283ff7e3bc0311
      SHA512: e94fade4779f4aa6d425dded45196c7447f0af204a1ab9317f15384546778a8e31d3f2807ce271b92ec0b566a57fa56fcc08eb9c3f0a85adeac0a4d3b68872bb
      CRC32: BA9B4E17
      Ssdeep: 384:KDDxfSzMaeb2lJUEX7r2a552jGUapAXKH/z7pLlpGzvlyRT04J+MI1IgaByIZNl:KPEICEC3byi7H/Xp6vlyphJ+MIq3y8l
      Yara: None matched
      Signatures
      File has been identified by at least one AntiVirus on VirusTotal as malicious
      The binary likely contains encrypted or compressed data.
      ------------------------------------------------------
      McAfee Labs(r) GetSusp(tm) Version 3.0.0.373 built on Oct 11 2013
      Copyright (c) 2013 McAfee, Inc. All Rights Reserved.
      GetSusp initiated on Mon Apr 21 14:27:39 2014

      c:\data\diamondcs\netcheck\netcheck.exe ... is Suspicious !!!
      GetSusp scan identified (1) Suspicious file(s) and (0) Unknown file(s).

      ------------------------------------------------------
      McAfee Stinger Scan Results
      McAfee® Labs Stinger™ Version 12.1.0.869 built on Apr 16 2014 at 12:33:18
      Copyright© 2014, McAfee, Inc. All Rights Reserved.
      AV Engine version v5610.1040 for Windows.
      Virus data file v1000.0 created on Apr 16, 2014
      Ready to scan for 6349 viruses, trojans and variants.
      Custom scan initiated on Monday, April 21, 2014 00:36:28

      Rootkit scan result : Not Scanned.

      C:\DATA\DiamondCS\netcheck\netcheck.exe [MD5:e3175226c78a9ea5ede501e84cffd041] is infected with Artemis!E3175226C78A
      C:\DATA\DiamondCS\netcheck\netcheck.exe has been Deleted
      C:\Users\Public\Downloads\netcheck.exe [MD5:e3175226c78a9ea5ede501e84cffd041] is infected with Artemis!E3175226C78A
      C:\Users\Public\Downloads\netcheck.exe has been Deleted
      Summary Report on C:
      File(s)
      TotalFiles:............ 2008426
      Clean:................. 321429
      Not Scanned:........... 1686995
      Possibly Infected:..... 2
      Time: 03:38:26
      Scan completed on Monday, April 21, 2014 04:14:54
      ------------------------------------------------------------------------------
      Thanks,
      davidbaldwin
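As an added example (not from the original post and not DiamondCS' own code), here is a small Python script that parses the netcheck.ini format quoted above and performs the two-stage check the vendor description lays out: resolve each DNS entry, then open a TCP connection to each host:port. The resolver and connector are injectable so the logic can be exercised offline; the ini text is a constructed copy of the listing in the post.

```python
import socket
from configparser import ConfigParser

# Constructed sample: a copy of the netcheck.ini listing quoted in the post.
SAMPLE_INI = """[Config]
NumDNS=3
NumTCP=3
DNS1=www.cogeco.ca
DNS2=www.google.com
DNS3=www.microsoft.com
TCP1=24.226.1.243:80 (cogeco.ca)
TCP2=www.google.com:80
TCP3=www.microsoft.com:80
"""

def parse_netcheck_ini(text):
    """Return (dns_hosts, [(host, port), ...]) from the NumDNS/NumTCP-indexed keys."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    cfg = cp["Config"]
    # .split()[0] drops trailing annotations such as "(cogeco.ca)" on TCP1.
    dns = [cfg[f"DNS{i}"].split()[0] for i in range(1, int(cfg["NumDNS"]) + 1)]
    tcp = []
    for i in range(1, int(cfg["NumTCP"]) + 1):
        host, port = cfg[f"TCP{i}"].split()[0].rsplit(":", 1)
        tcp.append((host, int(port)))
    return dns, tcp

def tcp_connect(host, port, timeout=3.0):
    """Real connector: True only if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def run_netcheck(text, resolve=socket.gethostbyname, connect=tcp_connect):
    """Stage 1: resolve every DNS entry (None on failure) to test the DNS server.
    Stage 2: TCP-connect every host:port; a numeric entry still works if DNS is down."""
    dns, tcp = parse_netcheck_ini(text)
    results = {"dns": {}, "tcp": {}}
    for host in dns:
        try:
            results["dns"][host] = resolve(host)
        except OSError:
            results["dns"][host] = None
    for host, port in tcp:
        results["tcp"][f"{host}:{port}"] = connect(host, port)
    return results
```

Calling `run_netcheck(SAMPLE_INI)` with the defaults performs live lookups and connections against the servers listed in the ini.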

        • 1. Re: False Artemis!E3175226C78A
          catdaddy

          Hi davidbaldwin,

          Welcome to the McAfee Communities. Normally (4) or more Detections immediately throws up some "Red Flags", especially from Virus Total. Four of those Vendors that detected this instance are Highly reputable, to include McAfee.

          Since you ran the Latest Getsusp, did you receive an email confirming the detection is being analyzed? Someone who patrols this Community may pick up this thread (No promises) and, with the information provided, may expedite your request. Meaning someone from McAfee Labs.

          Normally you are asked to provide an Analysis ID #, to proceed further.

          I am limited with the amount of time I can afford to this at the moment. I do know that our Moderators patrol this community, and possibly could be of more assistance.

          Regards,

          Message was edited by: catdaddy on 4/21/14 3:26:00 PM CDT
          1 of 1 people found this helpful
          • 2. Re: False Artemis!E3175226C78A
            Peacekeeper

            If you included your email address in getsusp's preferences you should have got back an email that mentions an analysis ID. Did you? If you did, post it here, and if there is no movement in 4 days to address this, post back and I will get it chased up.

            1 of 1 people found this helpful
            • 3. Re: False Artemis!E3175226C78A
              davidbaldwin

              Hi catdaddy and Peacekeeper,

              Thanks.  The email I got back from my GetSusp submission reads:

              SR Number       Creation Date          WorkItem ID   Machine Name
              =========       =============          ===========   ============
              None specified  4/21/2014 6:44:28 PM   1321642       DRB-WLM

              +--------------+----------------------------------+--------------+-----------+----------------+
              | File Name    | MD5                              | Findings     | Detection | Type           |
              +--------------+----------------------------------+--------------+-----------+----------------+
              | netcheck.ex_ | e3175226c78a9ea5ede501e84cffd041 | not_detected |           | assumed_dirty4 |
              +--------------+----------------------------------+--------------+-----------+----------------+

              So although everyone is using the term "Analysis ID #", it appears that terminology is absent from the McAfee auto-reply.

              The term WorkItem ID is used in the Subject line and the body text, i.e. "Submission through GetSusp (Reference WorkItemID: 1321642)".

              Hope that's what everyone is referring to.

              Thanks again.

              p.s. Re: "Four of those Vendors that detected this instance, are Highly reputable, to include McAfee."  Yes, I agree and acknowledge that McAfee is highly reputable; I didn't mean it to come across like that.  Besides McAfee, I'm just less familiar with the popularity of the other vendors who detected this.

              davidbaldwin

              • 4. Re: False Artemis!E3175226C78A
                catdaddy

                You are perfectly welcome. As Tony stated, allow the appropriate time for McAfee Labs to analyze, especially given all of the malware created every second, minute, hour of each day. Then hopefully you may have a resolution to your issue.

                PeaceKeeper is diligent in following up on such things.

                All the very best,

                • 5. Re: False Artemis!E3175226C78A
                  Peacekeeper

                  Not so diligent; I rely on posters posting back if there is no fix in a set (4-day) period. Sorry, I have too many threads active to check back individually.

                  • 6. Re: False Artemis!E3175226C78A
                    davidbaldwin

                    Well,

                    I'll just say that it's been over 4 days ... nothing heard except for the initial confirmation emails

                    virus_research@avertlabs.com  (Submission through GetSusp (Reference WorkItemID: 1321647))

                    So no fix yet, and no explanation.

                    Thanks

                    Dave B

                    • 7. Re: False Artemis!E3175226C78A
                      Peacekeeper

                      Passed onto a lab tech

                      • 8. Re: False Artemis!E3175226C78A
                        catdaddy

                        Marking this thread as 'Assumed Answered' and locking it.


                        Cliff

                        Moderator