Random Artemis Trojan infecting EXE files


11 replies to this topic

#1 AzJazz

  • Members
  • 30 posts

Posted 06 January 2011 - 02:12 AM

Hi!

I was helping remove a virus from a neighbor's computer, and I may have accidentally infected mine in the process. (BTW, I was successful in removing HER viruses due to this great site).

I'm running Win7x64, and I am getting a random alert from McAfee about an Artemis Trojan that appears to attach to mostly-random .EXE files on my system. It's not entirely random though: ComboFix.EXE seems to get attacked very frequently.

I believe that the Trojan may have made it onto my PC through a USB drive that I was using to move various AV programs from my main PC to the neighbor's infected computer. I had a McAfee Artemis pop-up occur when I inserted the USB drive on my main PC, and when I enabled viewing hidden files in Windows Explorer, I saw a hidden "autorun.inf" file on the USB drive. The autorun.inf file was trying to start a program called "winlog.exe" from the USB drive that got deleted by McAfee.

I'm not sure if this was how I got infected, though, since I normally have "Auto Run" turned off on my main PC.

Anyways, I have seen McAfee pop up an Artemis infection about once or twice a day now.

McAfee doesn't seem to detect anything wrong on my PC, so I suspect some new rootkit.

Please help!

Thanks,

AzJazz


#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 51,314 posts
  • Gender:Female
  • Location:Romania

Posted 06 January 2011 - 07:11 AM

Luckily this is no new rootkit, but McAfee detecting ComboFix as malware. Unfortunately this has been happening for some time, but it is just a false-positive detection.

In other words, nothing to worry about. :)
regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


#3 AzJazz

  • Topic Starter
  • Members
  • 30 posts

Posted 06 January 2011 - 10:48 AM

But, what about the dozen or so other files that I have had hit (and deleted) on my PC by McAfee as being infected by the Artemis Trojan? It's not just ComboFix that has been infected. In addition, I am seeing "winlog.exe" and "winlogon.exe" files infected by Artemis, too - which was the name of the hidden Auto-Run file on my USB device.

I'm pretty sure that I still have an infection of some sort.

#4 Hert

  • Members
  • 23 posts

Posted 06 January 2011 - 06:05 PM

but McAfee detecting Combofix as malware.

And not only McAfee.
While using ComboFix, you need to disable your antivirus! But after using ComboFix, you need to uninstall it to avoid driver problems. This is a helper tool; use it only under the supervision of a specialist!

#5 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 51,314 posts
  • Gender:Female
  • Location:Romania

Posted 07 January 2011 - 03:26 AM

Besides combofix.exe, other files like nircmd.exe, pev.exe, sed.exe, swreg.exe, mbr.exe may be detected as Artemis. Those files are extracted when combofix is executed.

While using ComboFix, you need to disable your antivirus! But after using ComboFix, you need to uninstall it to avoid driver problems. This is a helper tool; use it only under the supervision of a specialist!

@Hert, giving ComboFix advice is subject to the same rules on this board; see also this topic: How do I get help? Who is helping me?
regards, Elise

#6 AzJazz

  • Topic Starter
  • Members
  • 30 posts

Posted 07 January 2011 - 03:46 AM

I didn't run ComboFix on my PC. It was only downloaded on there while I was fixing my neighbor's computer.

I certainly shouldn't have mentioned ComboFix at all, since it took things WAY off-course on this discussion.

I am seeing other files getting bonked by Artemis on my PC (at least, according to McAfee). I have modified McAfee so that it doesn't automatically delete the infections anymore, since I was losing executables for installed programs that I didn't want to lose.

"CDisplay.exe" is one of the files McAfee identified as infected by Artemis - which McAfee promptly deleted. "CDisplay.exe" is a comic book reader program that I have used for quite a few years now without any problems, and McAfee never griped about it before. I originally downloaded CDisplay v1.8 from the developer's website, and re-installed it after McAfee deleted it. When I try to read a comic book with CDisplay.exe, everything is fine. But, when I go into the "Program Files (x86)\CDisplay" directory, McAfee gripes again as soon as I touch the CDisplay.exe file.

I have seen McAfee call out other files as being infected by Artemis. I have lost about a dozen files now, though some appeared to have been in my browser cache, so nothing major was lost on those.

I have submitted a re-installed, supposedly bad CDisplay.exe to McAfee for analysis.

AzJazz

#7 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 51,314 posts
  • Gender:Female
  • Location:Romania

Posted 07 January 2011 - 03:59 AM

You can also try to submit the file to www.virustotal.com and see what comes back.
regards, Elise

#8 Hert

  • Members
  • 23 posts

Posted 07 January 2011 - 05:51 AM

elise025, the OTCleanIt utility is a good idea to remove ComboFix B)

Edited by Hert, 07 January 2011 - 05:52 AM.


#9 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 51,314 posts
  • Gender:Female
  • Location:Romania

Posted 07 January 2011 - 05:53 AM

No that is not a good idea and as already pointed out, please read the topic I linked you to in my previous post. :whistle:
regards, Elise

#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 30,812 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 January 2011 - 05:40 PM

According to McAfee, Artemis technology is a method of detecting unknown viruses of various types using heuristic algorithms similar to Symantec's Bloodhound technology. This detection method uses a specialized system to analyze the cataloged behaviors and assess the likelihood of possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Artemis is not the name of a virus, but an alert displayed by McAfee when it thinks it may have found a new virus. These detected files may or may not be malicious. The vendor asks that you submit a sample directly to McAfee Labs so they can investigate further. To do this, please refer to Submit a Sample To McAfee.

Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before it does any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line and inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus.

The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk for a "False Positive" when the heuristic analysis flags a file as suspicious or infected that contains no malware.

Certain embedded files that are part of legitimate programs may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons, including the tool's compiler, the files it uses, whether files are compressed or packed, what behavior it performs, any registry strings it may contain and the type of security engine that was used during the scan. Packed files use a specially compressed (protected) file that may have been obfuscated or encrypted in order to conceal itself and often trigger alerts by anti-virus software using heuristic detection because they are resistant to scanning (difficult to read).

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or it can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. For this reason it is important that samples be submitted to the vendor's lab for further analysis so they can investigate further.

As elise025 advised, you can also submit samples to VirusTotal or Jotti's virusscan.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
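
The threshold mechanism quietman7 describes, as an added toy implementation (not McAfee's Artemis logic and not code from anyone in the thread): each virus-like characteristic carries a weight, the file is flagged once the total crosses a threshold, and a packed but legitimate tool trips it while the same tool unpacked does not. The indicators, weights and threshold are invented for this example, and the two "files" are constructed byte strings, not real programs. The SHA-256 it prints is the value to quote when submitting the sample to the vendor, VirusTotal or Jotti.

```python
"""Toy threshold-based heuristic scanner.

Added example illustrating the mechanism described above: count virus-like
characteristics, flag the file once a weight total crosses a threshold, and
see how a packed but legitimate tool trips it. The indicators, weights and
threshold are invented for this example and are not McAfee's Artemis logic;
the two "files" below are constructed byte strings, not real programs.
"""
import hashlib
import math
import random

# Weighted indicators (constructed). Packing-related ones weigh most because a
# packed body cannot be matched against signatures.
WEIGHTS = {
    "high_entropy": 3,      # body looks compressed or encrypted
    "packer_section": 3,    # UPX-style section names
    "minimal_imports": 2,   # only the loader APIs a packer stub needs
    "autorun_string": 1,    # references autorun.inf
}
THRESHOLD = 5
ENTROPY_LIMIT = 7.2         # bits per byte; plain code and text usually sit around 4-6
KNOWN_APIS = [b"CreateFileA", b"ReadFile", b"WriteFile", b"MessageBoxA",
              b"LoadLibraryA", b"GetProcAddress"]
STUB_APIS = {b"LoadLibraryA", b"GetProcAddress"}   # all a packer stub needs to unpack


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze(data):
    """Score one file image; return hits, score, verdict and the hash to submit."""
    hits = []
    found = {api for api in KNOWN_APIS if api in data}
    if shannon_entropy(data) > ENTROPY_LIMIT:
        hits.append("high_entropy")
    if b"UPX0" in data or b"UPX1" in data:
        hits.append("packer_section")
    if found and found <= STUB_APIS:
        hits.append("minimal_imports")
    if b"autorun.inf" in data.lower():
        hits.append("autorun_string")
    score = sum(WEIGHTS[h] for h in hits)
    return {
        "hits": hits,
        "score": score,
        "flagged": score >= THRESHOLD,
        "entropy": round(shannon_entropy(data), 2),
        "sha256": hashlib.sha256(data).hexdigest(),  # what vendor labs and VirusTotal key on
    }


def _pseudo_random(n, seed):
    """Deterministic high-entropy bytes standing in for a compressed section."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample 1: an unpacked utility with ordinary imports and readable strings.
PLAIN_TOOL = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00.text\x00\x00\x00.rdata\x00\x00"
              + b"".join(api + b"\x00" for api in (b"CreateFileA", b"ReadFile",
                                                    b"WriteFile", b"MessageBoxA"))
              + b"Comic reader: open a .cbr/.cbz archive and page through images.\x00" * 8)

# Constructed sample 2: the same kind of tool after packing. Only the stub's two
# imports survive in clear text; the real code sits in a high-entropy blob.
PACKED_TOOL = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
               + b"LoadLibraryA\x00GetProcAddress\x00" + _pseudo_random(4096, seed=7))


if __name__ == "__main__":
    for label, image in (("plain", PLAIN_TOOL), ("packed", PACKED_TOOL)):
        r = analyze(image)
        print(f"{label}: entropy={r['entropy']} hits={r['hits']} score={r['score']} "
              f"flagged={r['flagged']} sha256={r['sha256']}")
```

Nothing in the packed sample is malicious; it is flagged because the scanner cannot see past the packer, which is exactly the false-positive case for tools such as the ones ComboFix extracts or a packed CDisplay build. Lowering the weights or raising the threshold trades those false positives for missed detections, which is the tuning problem vendors face.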

#11 AzJazz

  • Topic Starter
  • Members
  • 30 posts

Posted 09 January 2011 - 11:57 AM

I have disabled McAfee "On Access" detection. Then, I re-analyzed Cdisplay.exe with McAfee "On Demand" on my PC, and then submitted the file up to McAfee, VirusTotal, and Jotti.

No detections were found on any of the 4 scans.

McAfee replied back to me that they are sending the file to their analysis team for further analysis.

I am also seeing Artemis hits on other (different) files on my laptop PC, which also uses the same version of McAfee.

It looks like McAfee has bonked something up in their recent versions of their Artemis heuristic detection engine.

AzJazz

Edited by AzJazz, 09 January 2011 - 11:57 AM.


#12 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 30,812 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 January 2011 - 03:42 PM

Please keep us informed as to what they say...others may experience the same issue.