Wednesday, October 10, 2007

You would think they would have learned

How many years have viruses and trojans been around? Ten at least, right? Maybe fifteen. Haven't most users at the executive level been computing about that long? You would think so. Then why is it that the users at that level are the most gullible when it comes to opening email that is questionable? Maybe it's because they get so much email that they just don't have time to think before opening - just open and look. Hmmm...nothing happened. I know, I'll forward it to the HR manager since it has the word "resume" in it. Great, another manager too busy to think. Why open an attachment from someone who said they saw our ad on Craigslist? Hey, we're not even advertising on Craigslist right now. And it's a zip file! Doh!

My whole day was shot today tracking down and eradicating this nasty trojan called Proxy-Agent.aj or Spam-Mailbot. The offending file is wmupdate.exe, found in System32, but figuring that out took eight hours and a half dozen scans from every available anti-virus publisher. We run Symantec AV Corporate Edition, which includes protection at the SMTP gateway, on the Exchange server and at the desktop. But believe it or not, Symantec doesn't recognize this one. We pay big bucks for their protection. This one has been out since Dec 2005. You would think they would have it in their database by now, but no. The symptoms are continual pop-ups from Symantec Email Proxy saying, "Your email message to ... with the subject of ... was unable to be sent. Your email server rejected the message." Hundreds of the little buggers as long as you're connected to the internet.

I ran a full SAV scan on the workstation. It reports no malware. I download, install and run a full system scan of AVG Free. It finds nothing. A fresh update and scan of Spybot - also nothing. The same thing for Ad-Aware - nothing. I know I'm not crazy. The pop-ups continue when I reconnect the workstation to the internet. Somebody has got to know about this. I know, I'll try Trend Micro HouseCall. That has always worked in the past - nothing. The pop-ups continue. Trend Micro Sysclean, Sophos Anti-Rootkit, CA eTrust - nothing. Ah, I forgot McAfee. Let's try that. They have a free online scan. Wow! It detected something, but won't remove it unless I fork over $39.95. Tough. They identified it, so I just deleted it. It worked, but I've wasted eight hours. I'm not happy with Symantec. Why didn't their products detect it?

Here is a link to more info on Experts Exchange. I found it after the fact by Googling "resume.zip craigslist". I wish I had thought to Google that at the beginning of the day. Live and learn.

Update: Symantec has a web page where you can advise them of new variants of viruses. That's apparently what we got. I guess someone has to be the first to get it, eradicate it and then advise them. These viruses mutate so rapidly that not even big companies like Symantec with all their resources can stay on top of it. Our Symantec reseller recommends we implement an Intrusion Prevention System (IPS). The better IPS products not only protect against well known attacks via signatures but can also detect and block previously unknown attacks such as protocol anomalies (non-RFC compliant protocol traffic).
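The update above recommends an IPS because signature scanning missed this variant, and the symptom the post describes (one workstation trying to push out hundreds of mail messages) is something a network-level check can flag without any signature. The following is an added example, not code from the post or from any Symantec product, that applies that idea to outbound connection logs: it reports any host that opens many TCP/25 connections to many distinct destinations inside a short window, while skipping the site's own mail relays, which legitimately do exactly that. The log line format, the addresses and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log line format (an assumption of this example, not any vendor's):
#   "YYYY-mm-dd HH:MM:SS src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse(lines):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))


def find_mailbots(lines, allowed_relays=frozenset(), window=60, min_conns=30, min_dests=10):
    """Return {src: (connections, distinct_destinations)} for every host that, within
    any `window`-second span, opened at least `min_conns` outbound connections to
    TCP/25 reaching at least `min_dests` distinct destinations.  The organisation's
    own mail relays are expected to do that and are skipped via `allowed_relays`.
    The tuple reported is the largest (connections, destinations) seen for the host."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if dport == 25 and src not in allowed_relays:
            events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        recent = deque()  # sliding window of (ts, dst) no older than `window` seconds
        for ts, dst in evs:
            recent.append((ts, dst))
            while (ts - recent[0][0]).total_seconds() > window:
                recent.popleft()
            dests = {d for _, d in recent}
            if len(recent) >= min_conns and len(dests) >= min_dests:
                hits[src] = max(hits.get(src, (0, 0)), (len(recent), len(dests)))
    return hits


def constructed_sample():
    """Constructed traffic: one workstation spraying TCP/25 at 40 destinations once a
    second for two minutes, the site mail relay doing its normal few connections,
    a second workstation talking only to the relay, and an unrelated web request."""
    base = datetime(2007, 10, 10, 9, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")

    lines = [f"{stamp(i)} src=192.0.2.10 dst=198.51.100.{1 + i % 40} dport=25" for i in range(120)]
    lines += [f"{stamp(i * 20)} src=192.0.2.5 dst=203.0.113.{i + 1} dport=25" for i in range(5)]
    lines += [f"{stamp(30)} src=192.0.2.11 dst=192.0.2.5 dport=25",
              f"{stamp(31)} src=192.0.2.11 dst=192.0.2.5 dport=25",
              f"{stamp(32)} src=192.0.2.11 dst=192.0.2.80 dport=80"]
    return lines


if __name__ == "__main__":
    for host, (conns, dests) in find_mailbots(constructed_sample(), allowed_relays={"192.0.2.5"}).items():
        print(f"{host}: {conns} outbound SMTP connections to {dests} destinations within 60 s")
```

The thresholds are the knobs that matter: a desktop that needs more than a handful of direct TCP/25 connections a minute to anything other than the internal mail server is already suspect, so in practice the count can be set far lower than the 30 used here, and a firewall rule that simply blocks workstation-originated port 25 would have stopped the outbound spam on day one regardless of what the anti-virus engines knew.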

6 comments:

Michael Beck said...

Have you contacted Symantec? I'd be curious as to what their response is...

Tim Malone, MCSE said...

Contacting Symantec is on the agenda for today. Thanks for the encouragement. I'll post the results. When I emailed the reseller for help, the response was, "Congratulations on having gone so long without a virus."

Anonymous said...

Just wondering if you know of any other names that are used instead of wmupdate.exe, as I've checked for that in my System32 but still nothing. Thanks.

Tim Malone, MCSE said...

To anonymous: Have you verified that you have the Spam Mailbot? I only discovered it by running McAfee's free online scan at http://us.mcafee.com/root/mfs/default.asp. Of course, if you get the pop-ups every time you go online then that is pretty hard to do. Try logging on as another user to avoid the pop-ups and then run the scan above. Good luck.

Anonymous said...

This thing is still not being detected by any of the anti-virus software you mentioned! Will try the McAfee online scan.

Anonymous said...

For anonymous: it is also located in C:\Windows and in "C:\Documents and Settings\xxx\Local Settings\Temp".
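Pulling together the locations named in the post (System32) and in the last comment (C:\Windows and the per-user temp folder), here is an added triage script, not from the post or any commenter, that checks those folders for the named file and for any recently written executable, and prints size, timestamp and SHA-256 so the hash can be compared between machines and submitted to the vendor. The indicator name is the one the post gives; the default directory list, the seven-day "recent" window and the constructed sample tree used for testing are assumptions of the example.

```python
import hashlib
import os
import tempfile
import time

# Locations named in the post (System32) and in the comments (C:\Windows and the
# logged-on user's temp folder).  %TEMP% only resolves for the current user, so the
# temp folders of other profiles on the machine must be passed in explicitly.
DEFAULT_DIRS = (r"C:\Windows\System32", r"C:\Windows", os.path.expandvars(r"%TEMP%"))
INDICATOR_NAMES = ("wmupdate.exe",)  # the file name given in the post


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(dirs=DEFAULT_DIRS, names=INDICATOR_NAMES, recent_days=7, now=None):
    """Return findings (dicts) for files in `dirs` that either carry one of the
    indicator names or are .exe files written within the last `recent_days`.  The
    second rule catches a dropper that used a different file name than the one in
    the write-ups.  Only the top level of each directory is examined, because those
    are the exact paths that were reported."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    wanted = {n.lower() for n in names}
    findings = []
    for d in dirs:
        if not d or not os.path.isdir(d):
            continue  # e.g. %TEMP% left unexpanded on a non-Windows host
        for entry in os.scandir(d):
            if not entry.is_file(follow_symlinks=False):
                continue
            name = entry.name.lower()
            st = entry.stat(follow_symlinks=False)
            if name in wanted:
                reason = "named indicator"
            elif name.endswith(".exe") and st.st_mtime >= cutoff:
                reason = "recent executable"
            else:
                continue
            findings.append({
                "name": entry.name, "path": entry.path, "reason": reason, "size": st.st_size,
                "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                "sha256": sha256_of(entry.path),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_constructed_tree():
    """Constructed sample directory (no real malware): a file carrying the indicator
    name, a freshly written .exe, a month-old .exe and a plain text file."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    now = time.time()
    for name, content, age_days in (("wmupdate.exe", b"MZ-fake-indicator", 1),
                                     ("fresh.exe", b"MZ-fresh", 0),
                                     ("old.exe", b"MZ-old", 30),
                                     ("readme.txt", b"not an executable", 0)):
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(content)
        stamp = now - age_days * 86400
        os.utime(p, (stamp, stamp))
    return root


if __name__ == "__main__":
    for f in triage():
        print(f"{f['reason']:18} {f['path']}  {f['size']} bytes  {f['mtime']}  {f['sha256']}")
```

Run it from an administrative account on each affected machine, once per user profile that was logged on when the attachment was opened, since the temp folder is per user; a file with the same SHA-256 showing up under several profiles is the sample to send to the vendor's new-variant submission page.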