VIRUS CONTAINED WITHIN ITS EXECUTABLE?


simonk

Ran a full system McAfee Anti Virus software scan (which is on perpetually via the On-Access option). Nothing untoward detected. Then downloaded/ran MS AntiSpyware for the first time with all options bar "Deep Folder Scan". This picked up a couple of items which were deleted. I then fully tested all other functionality and was pleased it all worked OK. So much so I emailed a friend recommending they try it! I then ran it again but with the "Deep Folder Scan" option selected. Towards the end of this McAfee detected/deleted 3 W32 viruses all located in an application named "GIANTAntiSpyware". On investigation I note that the product, although a MS beta product, actually originates from GIANTAntiSpyware. I therefore conclude that either this beta version contains viruses or else, somehow, McAfee Anti Virus is incorrectly detecting/reporting (I don't think so). Has anyone else had the same experience, and I wonder what MS have to say on this?
 

Larry

Hi Simonk, I have XP sp2 & McAfee, build 9.0.10. I've run the Deep Folder
Scan (once), and McAfee did not detect the 3 W32 viruses that you mention. I
know you were asking for other people that had this problem, but I just
wanted you to know that not everybody has had this problem.
 

Bill Sanderson

Can you give us some more info on this?

1) Which McAfee product, as clearly identified in terms of numbers as you can?

2) Which antivirus definition version for that product?

3) As much precise information about exactly what was detected and in what files as possible?

From your description, I would lean towards a false positive from McAfee,
myself. One way of determining this would be to find the three files in
question and submit them to McAfee for analysis. If you have these in
Quarantine, there may be a function to submit them--I haven't used a McAfee
antivirus for some time, so I'm not familiar with their current products.

I do know that they respond very quickly to submissions and reports of
problems, so I'd encourage you to see whether they can help resolve this
issue.
 

Bill Sanderson

Larry - can you confirm which version of Antispyware definitions you are on
(via help, about, within Microsoft Antispyware?)

And can you also say what definitions your McAfee antivirus was on when you
ran this scan?
 

simonk

UPDATE - although deleted, I have recovered the information from the Windows RESTORE file (which I have had to disable to ultimately remove all traces of the viruses). The viruses detected in the application "GIANTAntiSpywar" and deleted by McAfee were:

W32/Bropia.worm.d (two instances)
W32/Sdbot.worm.gen.y (one instance)

So come on Microsoft, does your product contain/transport the above, or how else can you explain them getting downloaded/materialising with/in your Anti Spyware application, which (other than this interesting but unwanted "feature") appears really good/useful? And before you say my system security is weak, be aware that it is not. Apart from all the usual recommended system defences I also use Microsoft Baseline Analyser to confirm everything is A1, other than that I am using FAT32 and not NTFS.

Simon
 

Bill Sanderson

Simon - are you able to see replies to your messages?

Some folks using Mozilla-based browsers need to use the Expand All link in order to see the replies; expanding individual threads via clicking on the PLUS symbol adjacent to the subject headers apparently doesn't work for these browsers.
 

simonk

Thanks Bill. Yep, I can read replies OK. Sorry about the delay in responding. I will now reply to your/other emails in the thread. Thanks.

Simon
 

simonk

Thanks for the reply. McAfee Anti Virus details:
VirusScan Enterprise 7.0.0
Virus Definitions 4426, created on 3 Feb 2005.
Scan Engine 4.0.00
 

Larry

Yes, I had MSAS detectable definition v. 5685, and my McAfee was probably the last one prior to my current DAT, which is 4.0.4026. That was probably 4025, but I don't know for sure, since I have McAfee set to automatically update the DATs and my current one is dated 2/3/05, and I think I ran the deep scan on the first or second of Feb.
 

simonk

Bill,

My McAfee Anti Virus details as used during the system scan prior to downloading MS Anti Spyware:

VirusScan Enterprise 7.0.0
Virus Definitions 4426, created on 3 Feb 2005.
Scan Engine 4.0.00

Although the above deleted the viruses automatically, I have recovered the information from the Windows RESTORE file (which I have had to disable to ultimately remove all traces of the viruses).

The viruses were detected in the application "GIANTAntiSpywar" and were identified as:

W32/Bropia.worm.d (two instances)
W32/Sdbot.worm.gen.y (one instance)

According to the McAfee Library, the W32/Bropia.worm.d method of infection = "This worm attempts to spread via MSN Messenger", although I was not using/did not use MSN during the incident?

As for W32/Sdbot.worm.gen.y, the method of infection = "The exact method of propagation will vary between variants. However, the following characteristics are typical:

Share Propagation
The worm propagates via accessible or poorly-secured network shares, and some variants are intended to take advantage of high profile exploits:
- DCOM RPC vulnerability - http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
- WEBDAV vulnerability - http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
- LSASS vulnerability - http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
When it attempts to spread through default administrative shares, for example:
- PRINT$
- E$
- D$
- C$
- ADMIN$
- IPC$
Some variants also carry a list of poor username/password combinations to gain access to these shares."

Suffice to say all my MS security patches/Windows XP Pro Service Pack/patch levels are up to date (according to MS Baseline Security Analyser and Remote Windows Update).

On the basis of the above, and given the viruses were NOT detected/present immediately before downloading MS Anti Spyware, I can only conclude either the viruses were inherent in the product or somehow "piggy-backed" on the download and got past my On Line Scanner and other defences. In either case they were only detected by McAfee as appearing within/associated with the GIANTAntiSpyware application and NOT in any other folders/applications during my second scan using, this time, AntiSpyware's "Deep Folder Scan" option.

I hope this gives you enough to go on.

Simon
 

Bill Sanderson

It'd be nice to have specific information about the location of the
infection--either a precise directory on the disk, or the name of a file
associated with Microsoft Antispyware.

I do know that the worm you mention, Bropia, is rather hot at the moment. I
don't know what actions are required to be infected by it, but you need to
think back carefully on that one.

The second critter uses a number of vulnerabilities which you appear to have
patched, but also spreads via shared drives. Are you on a local network
with other machines, and sharing files with them? Have you done full
antivirus scans on those other machines?

Reading Symantec's description of Bropia, I believe that the second
infection is a product of the first one--i.e. that they are associated with
each other.

http://securityresponse.symantec.com/avcenter/venc/data/w32.bropia.html

http://msmvps.com/harrywaldron/archive/2005/02/03/34794.aspx

The Microsoft download system is protected by a variety of mechanisms from
such infection. I think it is highly unlikely that you received an infected
download--among other things, given the rate of downloads, we would have
multiple reports of this.

While I was previously thinking this might be a false positive, I'm now more inclined to think that the detection was accurate and perhaps the location chosen by this virus to deposit its payload is one associated with Microsoft Antispyware. Since we don't have either a precise location or the name of an executable involved, I don't know how to weigh the information that this infection is "associated with Giant Antispyware."

Does MSN Messenger log file transfers or acceptances of files from other users? I keep it running much of the time but almost never really use it, so I'll admit to a large area of ignorance.

Offhand, I don't think running MSN Messenger during the install of Microsoft Antispyware would have been required. Perhaps if the infection occurred during your last MSN Messenger session, and the Microsoft Antispyware download and installation was the next operation done, that might have led to this association. Seems a bit shaky, I'll admit...

Your mention of FAT32 also worries me a bit. Since item # 2 infects via file shares, and FAT32, unlike NTFS, doesn't have security as a part of the file system, I think the question of whether there are other systems on the LAN and whether they have been checked for infection is urgent. This critter could have spread from your system to the others, or vice-versa.
 

Steve Wechsler [MVP]

Was any malware quarantined by MSAS? If so, that may be one reason infected files are being detected. There would not be any files associated with MSAS included in the System Restore archive UNLESS MSAS was itself infected by W32.Bropia. Symantec's article on one variant of it states that it can infect the executable for AdAware. So it *may* be possible that it has infected MSAS's executable.

W32.Bropia is a memory resident worm that spreads through MSN Messenger.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BROPIA.D&VSect=P

So, it's highly doubtful that MSAS is installing viruses or worms on the system. Since you state that the system has been disinfected, why not flush the Restore hierarchy?

Steve Wechsler (aka MowGreen)
MVP Windows Server - Software Distribution
Windows - Security
 

simonk

Thanks for that. I am not on a network, just a single PC (with two printers attached) connected to the Broadband modem via cable. We use "XP Switch User" as 3 of us use the PC. This said, I was the only one online or who used the PC during the incidents. I don't use MSN (daughter does though), so I guess it is possible that something was sat dormant, although it doesn't explain why my initial deep scan of hard drive, memory and processes using McAfee didn't detect anything. It was only immediately after this and downloading your MS AntiSpyware that, during its deep folder scan, something then triggered McAfee to detect and then delete the infections. What is particularly interesting is that AFTER the reported incident and our exchange of emails, and my removing all traces and having rerun the AntiSpyware Deep Folder Scan (nothing untoward this time), I downloaded the new MSN Desktop Search beta from MS. When I ran AntiSpyware Deep Folder Scan again, guess what - McAfee detected a virus and AntiSpyware reported "Possible Browser Hijack Browser Hijacker more information... Details: Possible Browser Hijack redirects Internet Explorer. Status: Removed High threat - High risk threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction. May open up communication ports, use polymorphic tactics, stealth installations, and/or anti-spy counter measures. May us a security flaw in the operating system to gain access to your computer." ALSO, during indexing of my PC with the MSN tool, 2 Joke programs (attachments to emails held in Outlook Express) were identified and quarantined by McAfee. It is as if somehow during MSN Tool indexing and AntiSpyware Deep Scans McAfee is somehow stimulated into identifying things it seems to have missed when running solo. Perhaps your MS products access things which McAfee during its scan does not open or see?

I have again swept my PC and believe it is now totally clean, so I guess we will probably never get to the bottom of what actually happened. I have only a few other remaining problems: the XP Pop Up Blocker is now 'fighting' with the MSN Pop Up Blocker that came with the new beta MSN Desktop Search tool. Which should I adopt? Also the two products seem to be fighting over what IE settings MSN Desktop Search/Toolbar should be allowed to change. I am somewhat confused now as to which should be given control/precedence? Left hand and right hand etc.
Regards. Simon
 

John

Two questions:

1. Do you have a firewall between you and your broadband connection? You
really should if you don't.

2. Where did you download MSAS from?
 

simonk

John - My firewall is the Microsoft XP default. Security is checked/verified as OK by Microsoft Baseline Security Adviser, and I also use SpyBot/Spyware Blaster/HijackThis/Adaware/Spider etc. I got both MS AntiSpyware Beta off the Microsoft Security Web site and MSN Toolbar Suite 2.0 Beta from the MS Web site. The latter is fighting with the XP IE Pop Up Stopper over which should have control over stopping Pop Ups! Until downloading/using these beta products, McAfee detected no infections other than the occasional ones trapped/deleted or quarantined when my daughter has been internet browsing games/jokes sites etc.

Simon
 

John

Weird - how high do you have heuristic detection set on McAfee?

I personally don't trust any software firewall running on the machine I'm trying to protect. I would rather have a hardware firewall and NAT to any machine I use on a broadband connection.

John