So 'K flags this file on the server

[Duh_OZ]

Have Kaspersky on a few non big brother computers at work and today I
get a warning about an infected file on a server that is dated June 1,
2010. Skipped the file as I sure wasn't going to delete it as I
wasn't sure if it was a false positive. Send it to VirusTotal and
27/43 have it flagged as a trojan. McAfee has it listed, so I go to
a big brother computer, ensure McAfee def's are up to date, scan the
file and it shows it as clean. Go figure. I'll send an e-mail to IT
and tell them I believe it is an infected file and hope they do
something LOL.

BTW, my home laptop (Avira AntiVi r- free version) also caught it.

Here is the VT scan results: http://tinyurl.com/6hoswub

 

[David H. Lipman]

From: "Duh_OZ" <[email protected]>

| Have Kaspersky on a few non big brother computers at work and today I
| get a warning about an infected file on a server that is dated June 1,
| 2010. Skipped the file as I sure wasn't going to delete it as I
| wasn't sure if it was a false positive. Send it to VirusTotal and
| 27/43 have it flagged as a trojan. McAfee has it listed, so I go to
| a big brother computer, ensure McAfee def's are up to date, scan the
| file and it shows it as clean. Go figure. I'll send an e-mail to IT
| and tell them I believe it is an infected file and hope they do
| something LOL.

| BTW, my home laptop (Avira AntiVi r- free version) also caught it.

| Here is the VT scan results: http://tinyurl.com/6hoswub

Ozzy, could you please upload a copy to http://www.uploadmalware.com/

Let me know when you have uploaded it.

 

[Duh_OZ]

On Mar 8, 7:49 pm, "David H. Lipman" <[email protected]>
wrote:
| Here is the VT scan results:http://tinyurl.com/6hoswub

Ozzy, could you please upload a copy tohttp://www.uploadmalware.com/

Let me know when you have uploaded it.

===============
It has been uploaded...

 

[David H. Lipman]

From: "Duh_OZ" <[email protected]>

| On Mar 8, 7:49 pm, "David H. Lipman" <[email protected]>
| wrote:
|| Here is the VT scan results:http://tinyurl.com/6hoswub

| It has been uploaded...

Got it.
Thanx !

 

[Duh_OZ]

From: "Duh_OZ" <[email protected]>

| It has been uploaded...

It could have network capabilities as is created a named pipe;  pipe\zhtGvbkgla

and created....

C:\RECYCLER\S-1-5-21-5663603721-5924204633-458313251-5821\nvapbar.exe

It modifies Winlogon to load the above executable.

HKLM\?SOFTWARE\?Microsoft\?Windows NT\?CurrentVersion\?Winlogon
Taskman = C:\RECYCLER\S-1-5-21-5663603721-5924204633-458313251-5821\nvapbar.exe

Wants to communicate with;  ChatAddiction.ServeUsers.com   but didn't..

Creates a Mutex of;  xxx_fejh__frg65fx

=================
Thanks for the info!

 

[Virus Guy]

It could have network capabilities (...)

Why did McAfee on VT flag the file as viral, but McAfee on his own
machines don't?

I've seen this same behavior with Symantec AV.

Why does VT seem to run different versions of "civillian" AV apps -
either that, or use different definition files?

 

[David H. Lipman]

From: "Virus Guy" <[email protected]>


| Why did McAfee on VT flag the file as viral, but McAfee on his own
| machines don't?

| I've seen this same behavior with Symantec AV.

| Why does VT seem to run different versions of "civillian" AV apps -
| either that, or use different definition files?

Sorry, I don't have an answer but it didn't flag it as viral. It was flagged as
"Artemis!8B6B0DC2CB60" which is really a non-McAfee heuristic detection based upon
McAfee's acqusition of another company.

BTW: McAfee is now (or about to be) a division of Intel Corporation.

 

[Duh_OZ]

Just an update that file was removed today. Sent an e-mail out
yesterday explaining how the file was possibly infected and the reply
was a trojan won't run on the Linux server. Wow, really. Thanks
Sherlock but how about removing it. Anyway McAfee finally flagged
it today as generic.dx!wmc and as I was checking properties I saw just
one user had access to execute it. Then *poof* it was deleted.
Used to work with the user name I saw under properties so I'll have to
give them a buzz to see if their computer was infected.

 

[David H. Lipman]

From: "Duh_OZ" <[email protected]>

| Just an update that file was removed today. Sent an e-mail out
| yesterday explaining how the file was possibly infected and the reply
| was a trojan won't run on the Linux server. Wow, really. Thanks
| Sherlock but how about removing it. Anyway McAfee finally flagged
| it today as generic.dx!wmc and as I was checking properties I saw just
| one user had access to execute it. Then *poof* it was deleted.
| Used to work with the user name I saw under properties so I'll have to
| give them a buzz to see if their computer was infected.

Thanx for the update.

BTW: Anytime you have malware, please don't hesitate to uploading it/them to;
http://www.uploadmalware.com/

 

[Duh_OZ]

From: "Duh_OZ" <[email protected]>

| Just an update that file was removed today.    Sent an e-mail out
| yesterday explaining how the file was possibly infected and the reply
| was a trojan won't run on the Linux server.   Wow, really.   Thanks
| Sherlock but how about removing it.    Anyway McAfee finally flagged
| it today as generic.dx!wmc and as I was checking properties I saw just
| one user had access to execute it.    Then *poof* it was deleted.
| Used to work with the user name I saw under properties so I'll have to
| give them a buzz to see if their computer was infected.

Thanx for the update.

BTW:  Anytime you have malware, please don't hesitate to uploading it/them to;http://www.uploadmalware.com/

May just do that if I ever find another suspicious file on a hard
drive. That the second time 'K found a trojan on the server that
the big brother software missed. Last time the big bro had Trend
Micro, almost all computers have been converted to McAfee. I feel
so much safer

 

[Duh_OZ]

The plot thickens. Called the person up and she said back in June
someone had inserted an infected thumb drive. Then it kicks in -
back on June 1st I did indeed report an infection(file name was
jack.exe but cannot remember the trojan name 'K gave it) that Trend
Micro had missed. That explains why the file date I saw on the
latest file was June 1, 2010. No idea why an infected file showed up
9 months later, but they seem to be tied together. I also saw an
autorun.inf on the server, access denied but the same user name and
had full access for her only. That is dated 02/15/2011. Also a
desktop.ini but just has a recycle bin REG value in it.

Told her she should run a complete scan. If it wasn't a big bro
machine I would have suggest Multi-AV, not that I don't trust tech
support to fix it.

 

[David H. Lipman]

From: "Duh_OZ" <[email protected]>

| The plot thickens. Called the person up and she said back in June
| someone had inserted an infected thumb drive. Then it kicks in -
| back on June 1st I did indeed report an infection(file name was
| jack.exe but cannot remember the trojan name 'K gave it) that Trend
| Micro had missed. That explains why the file date I saw on the
| latest file was June 1, 2010. No idea why an infected file showed up
| 9 months later, but they seem to be tied together. I also saw an
| autorun.inf on the server, access denied but the same user name and
| had full access for her only. That is dated 02/15/2011. Also a
| desktop.ini but just has a recycle bin REG value in it.

| Told her she should run a complete scan. If it wasn't a big bro
| machine I would have suggest Multi-AV, not that I don't trust tech
| support to fix it.

You do know that I put out Multi-AV v7.x in Oct '10 and that it has Emsisoft and Avira
Avir to the listan McAfee was removed ?

 

[Duh_OZ]

From: "Duh_OZ" <[email protected]>

| The plot thickens.   Called the person up and she said back in June
| someone had inserted an infected thumb drive.   Then it kicks in -
| back on June 1st I did indeed report an infection(file name was
| jack.exe but cannot remember the trojan name 'K gave it) that Trend
| Micro had missed.     That explains why the file date I saw on the
| latest file was June 1, 2010.   No idea why an infected file showed up
| 9 months later, but they seem to be tied together.   I also saw an
| autorun.inf on the server, access denied but the same user name and
| had full access for her only.   That is dated 02/15/2011.  Also a
| desktop.ini but just has a recycle bin REG value in it.

| Told her she should run a complete scan.   If it wasn't a big bro
| machine I would have suggest Multi-AV, not that I don't trust tech
| support to fix it.

You do know that I put out Multi-AV v7.x in Oct '10 and that it has Emsisoft and Avira
Avir to the listan McAfee was removed ?

==============
Yep, a few weeks back I used Multi-AV(and Emsisoft) as one of the
steps to ensure I rid my neighbor's system of RegistryDefender. It
was all clean by the time I got to that (last) step and no malware
reported.