Thanks. Apparently they think it's this - http://vil.nai.com/vil/content/v_138472.htm - which of course makes little sense since they're saying they don't spread. The only way it would get "deployed", therefore, would be WSUS or our attempts at SCCM deployment.
They can detect it but can't prevent it. To clean it requires a manual scan. Sheesh.

>>> "Angus Scott-Fleming" <[email protected]> 8/5/2009 6:38 AM >>>
On 4 Aug 2009 at 14:39, RAY ZORZ wrote:

> Our McAfee is picking up a buffer overflow error on IE. The actual .exe
> changes, but the path is the same each time:
>
> C:\Documents and Settings\username\Application Data\upnpsvc.exe
> (Trojan.Agent)
>
> McAfee doesn't seem to clean it, just report it.
>
> Does this look familiar to anyone?

Looks like malware according to a quick scan of results from this search:

http://www.google.com/search?q=upnpsvc.exe

You can submit it to McAfee for examination here:

McAfee Avert(r) Labs WebImmune
https://www.webimmune.net/default.asp

You can bring up your problems WRT what McAfee is seeing/doing (or not doing) in the McAfee Community forums here:

CORPORATE PROTECTION IN BUSINESS ENVIRONMENT - McAfee Support Forums
http://community.mcafee.com/forumdisplay.php?f=122

I searched the forums for "upnpsvc.exe" and found nothing. However, it is listed once in the McAfee VIL:

BackDoor-AWQ.b!28a72340cbb6
http://vil.nai.com/vil/content/v_164324.htm
...Other detections that have been observed.
FileName %USERPROFILE%\application data\upnpsvc.exe
Name: Generic BackDoor.u

HTH

Angus

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
