On 25 Mar 2010 at 22:57, Burian, Matthew J. (mjb) wrote:
> That one file you saw in the recycle bin sounds very similar in name
> to the Microsoft Antimalware process of "MsMpEng.exe" used in OneCare
> and now used in Security Essentials. (Also may be used with Windows
> Defender??)
>
> Just an interesting, though probably unrelated similarity in file naming.
Probably an intentional mis-naming by the malware. Actually it turned out to
be a true nasty trojan, not an FP (although I had those today also*). Info
pages here:
W32/IRCbot.gen.aj
http://vil.nai.com/vil/content/v_252087.htm
W32/Rimecud
http://vil.nai.com/vil/content/v_237984.htm
My infections had the filename of the first of those but the exact file-location
and registry-keys of the second. VIPRE identified them as
"Worm.Win32.Rimecud" [where DO they get these names???] and the VIPRE info page
(doesn't say anything useful, unfortunately) is here:
http://www.sunbeltsecurity.com/ThreatDisplay.aspx?name=Worm.Win32.Rimecud&tid=4268277&cs=50289929C7DB40A0D03710195D3B1B1C
or here if the above wraps unusably: http://preview.tinyurl.com/ydtnjw6
I had three machines where the VIPRE "Deep Scan" found this. I need to make
sure I get Deep Scans on the rest of the network RSN as this spreads via
network shares among other methods.
Angus
* FPs on half a dozen files in hidden directory C:\hp\recovery\wizard\fsadmin\
on one XP Home machine that still sits on my network. Submitted them to
Sunbelt after dealing with Rimecud. No answer yet, but it was after 9 PM
Florida time when I submitted them.
--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
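Added example, not part of Angus's mail and not code from Sunbelt, McAfee or Microsoft: the
thread's point is a dropper using the name of the genuine Microsoft antimalware engine
(MsMpEng.exe) while living somewhere the real one never does (the recycle bin, in the case
above). A quick triage check for that masquerade is to compare the image path and Authenticode
signer of every MsMpEng.exe against where the legitimate engine installs. The install roots
and the signer string below are assumptions for illustration; verify them against the product
version actually deployed before using the list, and the records fed in are constructed sample
input standing in for what a process or file listing would return.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed legitimate install roots for the genuine engine (assumption: adjust
# per product version; OneCare, Security Essentials and Defender differ).
EXPECTED_ROOTS: Dict[str, Set[str]] = {
    "msmpeng.exe": {
        r"c:\program files\microsoft security essentials",
        r"c:\program files\microsoft security client\antimalware",
        r"c:\program files\windows defender",
        r"c:\program files\microsoft windows onecare live\antimalware",
    },
}
# Assumed Authenticode subject of the genuine binary.
EXPECTED_SIGNER = "microsoft corporation"


@dataclass
class Record:
    image_path: str   # full path of the running image or found file
    signer: str       # Authenticode signer name, "" if unsigned / invalid


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def _under(path: str, root: str) -> bool:
    """True if path sits inside root; trailing separator defeats the
    'C:\\Program Files\\Windows Defender2' prefix trick."""
    return _norm(path).startswith(_norm(root).rstrip("\\") + "\\")


def classify(rec: Record) -> List[str]:
    """Return reasons a record is suspect; [] means fine or not a watched name."""
    name = ntpath.basename(_norm(rec.image_path))
    roots = EXPECTED_ROOTS.get(name)
    if roots is None:
        return []
    reasons = []
    if not any(_under(rec.image_path, r) for r in roots):
        reasons.append("unexpected location")
    if rec.signer.strip().lower() != EXPECTED_SIGNER:
        reasons.append("not signed by Microsoft Corporation")
    return reasons


def triage(records: List[Record]) -> Dict[str, List[str]]:
    """Map each suspect image path to its reasons, skipping clean records."""
    flagged = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            flagged[rec.image_path] = reasons
    return flagged


# Constructed sample listing: one genuine engine, one dropper hiding in the
# recycle bin, one look-alike directory, one unrelated process.
SAMPLE = [
    Record(r"C:\Program Files\Microsoft Security Essentials\MsMpEng.exe",
           "Microsoft Corporation"),
    Record(r"C:\RECYCLER\S-1-5-21-1\MsMpEng.exe", ""),
    Record(r"C:\Program Files\Windows Defender2\MsMpEng.exe",
           "Microsoft Corporation"),
    Record(r"C:\Windows\explorer.exe", ""),
]

if __name__ == "__main__":
    for path, why in triage(SAMPLE).items():
        print(path, "->", "; ".join(why))
```

On a live box the records would come from a process listing plus a signature check of each
image (for example Get-Process and Get-AuthenticodeSignature in PowerShell, or sigcheck from
Sysinternals) and, for the network-share spread the mail mentions, from walking the share
roots for the same file name. A copy that is signed but in the wrong place still gets flagged,
since the worm could just as easily drop a legitimate engine binary next to itself.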