McAfee false report?

DaveR (Golden Member)
I have a file that McAfee says has the New Malware.aj, whatever that is. I find it strange that Norton and SpySweeper do not find anything wrong. Any idea what this means? Is McAfee (the free version from Comcast) wrong? It is on one system, and the NAV/SpySweeper is on another. This comes up when I try to unrar the file on the McAfee system. Perhaps McAfee says it is malware if it sees any exe trying to modify another exe?

TIA
 

mechBgon (Super Moderator, Elite Member)
Upload the file to http://www.virustotal.com and http://virusscan.jotti.org and post the results?

Also, if you want, email a copy to mechbgon originpoint com and I'll run it on a test system, if it's an executable type of file. If it gets blocked, put it in a Zip file with password protection to get it through the email system.

Getting McAfee to fix a false-positive detection is probably just as difficult as getting them to fix a false-negative detection, but if it's an important file, I could try.

Bigger picture: if you're using McAfee, consider something else.

Biggest picture: if it could be a Trojan Horse, then don't run it, no matter what. I've seen Trojans come up "clean" at both VirusTotal and Jotti (that's about 40 different antivirus scanners) but when they're executed, yep, they're definitely malware. Use common sense and avoid stuff like cracks, serials, keygens and warez, as well as codecs, screensavers, utilities, blah blah etc that aren't from absolutely-trustworthy authors.
 

DaveR (Golden Member)
Thanks all:

I will try these and see what it says. I do own better AntiVirus software on 3 systems, but on my TEST system I am using the free McAfee from Comcast.

Will send file if my further testing goes badly. But not sure how much I can "play" with this today.
 

DaveR (Golden Member)
Originally posted by: MustISO
There are some online scanners that you can try:

http://www.kaspersky.com/scanforvirus
http://virusscan.jotti.org/

OK, first test said clean
Second site had most reports of clean...but
AntiVir said HEUR/CRYPTED
AVG said generic5.chz
Virusbuster said packed/nspack.

I just don't get why so many say it is OK.
 

mechBgon (Super Moderator, Elite Member)
Originally posted by: DaveR
Originally posted by: MustISO
There are some online scanners that you can try:

http://www.kaspersky.com/scanforvirus
http://virusscan.jotti.org/

OK, first test said clean
Second site had most reports of clean...but
AntiVir said HEUR/CRYPTED
AVG said generic5.chz
Virusbuster said packed/nspack.

I just don't get why so many say it is OK.

The bad guys have the upper hand in this regard. Even if every antivirus vendor magically had a sample of every piece of malware the instant it was released in the wild, they'd still need time to analyze it, generate signatures and/or heuristics, and get them out to their users. Add the time taken to actually get a sample of malware to analyze, and the bad guys can easily release new versions of the malware faster than it can be analyzed and protected against. How's 62 (known) variants of one piece of malware in one day sound? And your McAfee software updates how often... once per weekday?

Ah so, grasshoppah. Heuristics and behavior analysis may help, but you see the point. A lack of detection from your antivirus, or even 30 antiviruses, doesn't mean the file is clean.

Most of the Trojan Horses I find are detected by only 10%-20% of the antivirus scanners they're using at VirusTotal and Jotti. Some exploits are badly detected too. That's part of the reason I keep harping on applying "best practices" at home, the non-Admin user accounts and avoiding risky stuff and so on. Where antivirus software may fail you, other countermeasures can step in, but you've got to use them (and not override them yourself, either).
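A small triage of the kind of multi-engine result DaveR posted above (a few heuristic, generic and packer hits among many "clean" verdicts), following mechBgon's point that a low detection ratio is not a clean bill. This is an added example written for this page, not code from the thread or from VirusTotal or Jotti. The report text is constructed in a rough "engine: verdict" shape, and the verdict-category patterns are my own assumptions about naming style, not any vendor's scheme.

```python
import re
from dataclasses import dataclass, field

# Constructed report in the "engine: verdict" shape the posters relayed
# from the online scanners; "-" means that engine reported clean.  The
# engine names are products mentioned in the thread; the verdicts are
# sample strings of the kind DaveR quoted, not a real scan of his file.
SAMPLE_REPORT = """\
AntiVir: HEUR/Crypted
AVG: Generic5.CHZ
Avast: -
BitDefender: -
ClamAV: -
F-Prot: -
Kaspersky: -
McAfee: New Malware.aj
NOD32: -
Norton: -
VirusBuster: Packed/NSPack
"""

CLEAN = {"-", "", "clean", "ok", "nothing found"}
# Verdict categories.  These patterns are assumptions about naming style,
# not any vendor's official detection-name scheme.
HEURISTIC = re.compile(r"\bHEUR\b|Heuristic|Suspicious", re.I)
PACKER = re.compile(r"\bPacked\b|Crypted|NSPack|UPX", re.I)
GENERIC = re.compile(r"\bGeneric\d*\b|\bNew Malware\b|\.Gen\b", re.I)


def categorize(verdict: str) -> str:
    """Map one engine's verdict string to clean/heuristic/packer/generic/named."""
    v = verdict.strip()
    if v.lower() in CLEAN:
        return "clean"
    if HEURISTIC.search(v):
        return "heuristic"
    if PACKER.search(v):
        return "packer"
    if GENERIC.search(v):
        return "generic"
    return "named"


@dataclass
class Triage:
    engines: int = 0
    hits: int = 0
    heuristic: int = 0
    packer: int = 0
    generic: int = 0
    named: int = 0
    hit_engines: list = field(default_factory=list)

    @property
    def ratio(self) -> float:
        return self.hits / self.engines if self.engines else 0.0


def classify(report: str) -> Triage:
    """Count engines and bucket every non-clean verdict by category."""
    t = Triage()
    for line in report.splitlines():
        engine, sep, verdict = line.partition(":")
        if not sep:
            continue  # not an "engine: verdict" line
        t.engines += 1
        cat = categorize(verdict)
        if cat == "clean":
            continue
        t.hits += 1
        setattr(t, cat, getattr(t, cat) + 1)
        t.hit_engines.append((engine.strip(), verdict.strip()))
    return t


def recommend(t: Triage) -> str:
    """Any hit means do not run it; zero hits only means 'not detected yet'."""
    if t.hits == 0:
        return ("UNVERIFIED: 0/%d engines flag it. No detections is not proof "
                "of a clean file; new variants outrun signature updates." % t.engines)
    why = []
    if t.packer:
        why.append("packed/encrypted executable")
    if t.heuristic or t.generic:
        why.append("heuristic or generic hits (unknown code that looks like malware)")
    if t.named:
        why.append("a specific malware family named")
    return "DO NOT RUN: %d/%d engines (%.0f%%) flag it; %s." % (
        t.hits, t.engines, 100 * t.ratio, "; ".join(why))


if __name__ == "__main__":
    triage = classify(SAMPLE_REPORT)
    for engine, verdict in triage.hit_engines:
        print(f"{engine:12s} {verdict}")
    print(recommend(triage))
```

The point of the bucketing is that a "packed/crypted" verdict on an unknown patcher is itself a red flag: legitimate patch utilities rarely need a runtime packer, and packing is exactly what keeps signature-based engines from recognising a new variant, which is why most of them report clean.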
 

DaveR (Golden Member)
OK, I will just remove it. It is funny that the patched file scans clean. I guess only the patcher has the "stuff" that the scanners don't like!
 

mechBgon (Super Moderator, Elite Member)
Originally posted by: DaveR
OK, I will just remove it. It is funny that the patched file scans clean. I guess only the patcher has the "stuff" that the scanners don't like!

The attack file might've done its dirty work and then deleted itself, leaving you with brand-spanking-new malware that it installed before it offed itself. That's not an uncommon strategy. Other "payloads" could include simply molesting your system settings. I ran a DNSChanger earlier today which left the test system seemingly fine (according to multiple antivirus scanners) yet it was now routing my DNS traffic through the bad guys' servers for their potential financial gain. The system also was left with a rootkit installed to protect their lil' .EXE file in the Windows directory.

Or maybe your malware is now protected by a rootkit that got installed when you ran the file, making the malware invisible to your antivirus software. You might want to run some rootkit detectors, or just say "forget it, I can live without this file."

 

DaveR (Golden Member)
Well, I did run a rootkit and it said I was clean. At any rate, I would hope that NAV would catch up eventually. I guess I could even try sending them, or Webroot, the file, as they both say the file is fine.
 

Medea (Golden Member)
mech -

The file you uploaded is part of the kd***.exe family for Wareout. Usually, your O17's in HJT will point to Inhoster sites like 85.255.xxx.xxx

It's also in the Registry here:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=C:\Windows\system32\kdmkz.exe

FixWareout will delete the file and clean up the reg entry. When it first came out, we had to use rootkit removers because of the rootkit characteristics. Was glad when FixWareout was updated.
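A way to check for the two indicators Medea lists (a Winlogon "System" value pointing at an .exe, and O17 NameServer entries in the 85.255.xxx.xxx range), which is also the DNS redirection mechBgon saw with his DNSChanger sample. This is an added example written for this page, not code from the thread, FixWareout or HijackThis. It works offline on a constructed .reg export and constructed HijackThis O17 lines rather than touching a live registry; the stock Winlogon values it assumes and the treatment of Medea's range as a /16 are my assumptions.

```python
import ipaddress
import re

REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
O17_LINE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

# Assumed stock values for an XP-era Winlogon key (assumption, adjust for
# your build): Shell is explorer.exe, Userinit is a single userinit.exe
# entry, and System is empty.  The kdmkz.exe value Medea quotes sits in
# System, which is what makes the infection survive a reboot.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT_TAIL = "\\userinit.exe,"

# The range Medea describes ("85.255.xxx.xxx"), taken here as a /16.
SUSPECT_DNS_NETS = [ipaddress.ip_network("85.255.0.0/16")]

# Constructed .reg export modelled on the key quoted in the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"="C:\\Windows\\system32\\kdmkz.exe"
"""

# Constructed HijackThis O17 lines; the interface GUID is made up.
SAMPLE_HJT = r"""O17 - HKLM\System\CCS\Services\Tcpip\..\{1F6A2B4C-0000-0000-0000-000000000000}: NameServer = 85.255.115.12,85.255.112.34
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name_lower: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            # .reg files double backslashes and escape quotes; undo that.
            value = value.replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.lower()] = value
    return keys


def check_winlogon(values: dict) -> list:
    """Flag Shell/Userinit/System values that differ from the assumed defaults."""
    findings = []
    shell = values.get("shell", "")
    if shell.lower() != EXPECTED_SHELL:
        findings.append(f"Winlogon Shell is {shell!r}, expected {EXPECTED_SHELL!r}")
    userinit = values.get("userinit", "")
    programs = [p for p in userinit.split(",") if p]
    if len(programs) != 1 or not userinit.lower().endswith(EXPECTED_USERINIT_TAIL):
        findings.append(f"Winlogon Userinit is {userinit!r}: extra program or changed path")
    system = values.get("system", "")
    if system.strip():
        findings.append(f"Winlogon System value runs {system!r} at logon (normally empty)")
    return findings


def parse_o17(text: str) -> list:
    """Extract (registry key, [nameserver, ...]) from HijackThis O17 lines."""
    entries = []
    for line in text.splitlines():
        m = O17_LINE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            entries.append((m.group("key"), servers))
    return entries


def check_dns(entries: list) -> list:
    """Flag every configured DNS server that falls inside a suspect range."""
    findings = []
    for key, servers in entries:
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                findings.append(f"{key}: unparseable NameServer {s!r}")
                continue
            for net in SUSPECT_DNS_NETS:
                if ip in net:
                    findings.append(f"{key}: NameServer {s} is inside suspect range {net}")
                    break
    return findings


def audit(reg_text: str, hjt_text: str) -> list:
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.lower().endswith("\\winlogon"):
            findings.extend(check_winlogon(values))
    findings.extend(check_dns(parse_o17(hjt_text)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, SAMPLE_HJT):
        print("!", finding)
```

On a real system you would feed it `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and the O17 section of a HijackThis log. Note that this only looks at configuration; as mechBgon says above, a rootkit can hide the file itself, so a clean file-system scan does not contradict a hit here.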
 

mechBgon (Super Moderator, Elite Member)
I'm afraid I reimaged the "punching-bag" system a couple times already since then, or I'd confirm that you are (undoubtedly) correct. On the original topic, what's your advice to DaveR? Throw the suspicious file out, or let it loose on his network?
 

DaveR (Golden Member)
So, which site were you checking that I uploaded to, or were you sending this to mech?

TIA


 

Medea (Golden Member)
@ DaveR -

I was responding to mech who had posted a link for a file he had uploaded to Castlecops.

Regarding the suspicious file, given that McAfee and the other online scanners picked up something - if it were my computer, I'd delete it. You mentioned that you were trying to "unrar" it, so there may be something malevolent present. Sounds too risky to try opening it.
 

DaveR (Golden Member)
OK, but the patch.exe was run. Any way to tell what it did? I mean reg keys, etc? I just noticed castlecops...perhaps I should follow the malware removal item!


 

Medea (Golden Member)
The problem with "patch.exe" is that it's a name given to a bunch of files which are updates or patches to whatever. Because of this, some are legit, and some are malware. It depends on how thorough a scanning process is used by whatever AV and AS apps you're using.

You can try downloading and running Superantispyware. As far as anti-spyware apps go, it's the one I recommend. I'm not that fond of Spysweeper. It used to be very good but, IMO, it's not the same anymore.

 

DaveR (Golden Member)
Originally posted by: Medea
The problem with "patch.exe" is that it's a name given to a bunch of files which are updates or patches to whatever. Because of this, some are legit, and some are malware. It depends on how thorough a scanning process is used by whatever AV and AS apps you're using.

You can try downloading and running Superantispyware. As far as anti-spyware apps go, it's the one I recommend. I'm not that fond of Spysweeper. It used to be very good but, IMO, it's not the same anymore.


OK, I will see what that says. I own SpySweeper and figured it was better than the freebies.
 

DaveR (Golden Member)
Originally posted by: Medea
The problem with "patch.exe" is that it's a name given to a bunch of files which are updates or patches to whatever. Because of this, some are legit, and some are malware. It depends on how thorough a scanning process is used by whatever AV and AS apps you're using.

You can try downloading and running Superantispyware. As far as anti-spyware apps go, it's the one I recommend. I'm not that fond of Spysweeper. It used to be very good but, IMO, it's not the same anymore.

I just noticed that they are even in Oregon...so am I.

 

mechBgon (Super Moderator, Elite Member)
If the file is downloadable, you can PM me a URL to it (as long as it's not warez) and I'll try to find out what registry keys and stuff it messes with (not that I'm expert at it). I'm a bit in the dark as to what the file is all about... a no-CD patch or something of that nature?
 

DaveR (Golden Member)
Superantispyware came up clean.
 

Medea (Golden Member)
Well, that's good news because SAS is pretty thorough.

However, mech made a great offer and, if I were you, I'd take him up on it.
 

DaveR (Golden Member)
Originally posted by: Medea
Well, that's good news because SAS is pretty thorough.

However, mech made a great offer and, if I were you, I'd take him up on it.


I PM'ed him.
 