VEFO - Malwarebytes does not find this

[jimkress]

What is Malwarebytes doing about W32/Agent.VEFO!tr trojan virus?

Luckily my firewall caught the outgoing from this but the current set of Malwarebytes definitions do not locate the infected file on my computer.

The only info I could find is here:

http://www.fortiguard.com/search.php?action=detail?_by_virus_id&data=4378692

A search of the Malwarebytes site for VEFO returns no results.

[AdvancedSetup]

We'd need more information about it.

What is Norton 360/ Symantec doing about W32/Agent.VEFO!tr trojan virus?

What program says you have this infection?

[jimkress]

My HARDWARE Fortigate 60C firewall caught the outgoing from this but the current set of Malwarebytes definitions do not locate the infected file on my computer.

The only info I could find is here:

http://www.fortiguar...id&data=4378692

Norton 360 finds NOTHING.

[AdvancedSetup]

Well based on the description by Fortinet it would seem prudent to have someone assist you in further scanning your system for a possible infection.

It's possible that nothing is there or that Forinet already stopped it but better safe than sorry.

W32/Agent.VEFO!tr - Released Dec 08, 2012

Detailed Analysis

W32/Agent.VEFO!tr is classified as a Trojan.

Trojan has the capabilities to remote access connection handling, perform Denial of Service (DoS) or Distributed DoS (DDoS), capture keyboard inputs, delete file or object, or terminate process.

The Fortinet Anti-Virus Analyst Team is currently in the process of creating a detailed description for this virus.

Recommended Action

FortiGate Systems

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option. FortiClient Systems

Quarantine/delete files that are detected and replace infected files with clean backup copies

If you think you are infected, here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult

You have 3 Options that you can choose from as listed below:

• Option 1 —— Free Expert advice in the Malware Removal Forum
  
• Option 2 —— Paying customer -- Contact Support via email
  
• Option 3 —— Premium, Fee-Based Support
  

OPTION 1

As we don't deal with malware removal in the

General Malwarebytes' Anti-Malware Forum

, you need to start a topic in the

Malware Removal forum

so a qualified helper can help you fix any malware related problems or infections you may have.

• Please read and follow the directions here, skipping any steps you are unable to complete.
  
• After posting your new post, make sure under options, you select Follow this topic and choose Instantly,
  so that you're alerted when someone has replied to your post.
  

NOTE: Please do not post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count and helpers are looking for topics with zero replies.

If you reply to your own post helpers may think that you're already being helped and thus overlook your post.

• 
  
  • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
    Or
    
  • You may send a Private Message to a Moderator asking for assistance.
    

OPTION 2

Alternatively, as a paying customer, you can contact the help desk

here

OPTION 3

If you would like to use our

Malwarebytes Premium Consumer Services

partner, Comprehensive solutions to all your computer support needs—from installation and set-up to troubleshooting and tune-ups go to our

Malwarebytes Premium Services

support site.

Please be patient, someone will assist you as soon as possible.

[jimkress]

Since I purchased a license for Malwayrebytes Pro, does this mean I should use Option 2?

[exile360]

Since I purchased a license for Malwayrebytes Pro, does this mean I should use Option 2?

Yes, you'll get the fastest response time that way .

[shadowwar]

I found one copy of this and will add it shortly. Can u please let me know if it hits? should be in a about an hour.

[shadowwar]

This is in the current database now. 12/11/07

Thanks.

[jimkress]

Thanks. I just downloaded the latest database and am now doing a full scan on my worstation.

I'll let you know what it finds.

In what file name did you find this trojan?

[jimkress]

I ran the scan with the new signature file. Nothing was detected.

[DarkSnakeKobra]

Thanks. I just downloaded the latest database and am now doing a full scan on my worstation.

I'll let you know what it finds.

In what file name did you find this trojan?

Just a note that the same infection could use dozens of name variations so it likely won't be the same on your computer.

[shadowwar]

C:\Documents and Settings\%username%\Local Settings\Temp\WindowsLiveUpdate.exe

is what i had. Darksnakekobra is right though it could be a different name on your system.

You might look in this path though and see if anything stands out that is about 100kb and send it to me if you can.

That was the only file with that vendor name i could find from my sources.

[jimkress]

Thanks. Here's the info I have collected from other sources:

"I was able to track down one sample that has triggered the W32/Agent.VEFO!tr signature by Fortinet with md5 8585a81af791b2780cbd67efe6d52120. I am still investigating this sample, but it appears to be a .NET executable that drops WinLiveUpdate.exe into the temporary directory (varies depending on which version of Windows you are running, but it'll either be under Documents and Settings\user\Local Settings\Temp or C:\Users\username\AppData\LocalTemp on Vista or newer.)

A lot of the filesystem changes it makes are similar to what's shown on the following cached Threat Expert report.

http://webcache.googleusercontent.com/search?q=cache:S-JjYdw8XFsJ:www.threatexpert.com/report.aspx%3Fmd5%3Dc37f1a51e48336dc16d8d01b217f2d87+&cd=1&hl=en&ct=clnk&gl=us

From what I've been able to gather, it injects a javascript extension into Firefox (Mozilla\Firefox\Extensions\MozillaHotfix\chrome\content\update.js) and a Browser Helper Object into Internet Explorer (WinLive.dll). The BHO for IE replaces links with new links specified in a configuration file, but the only one that is currently being rewritten is for livejasmin.com, an adult site.

It appears as though it self updates on regular intervals either through the Firefox extension or IE BHO in the format http://<ip>/MUpdate/VersionRequest.ashx?codename=<codename>&version=<version>&uid=<uid>&country=<country>&browser=<browser>

Doing some further open source research on this URL structure does show it has been seen going out to ytimg.biz and 93.190.44.14, which appears to match what you had seen initially. This leads me to believe that this sample is related to what you had on your machine, possibly being a different variant.

So far, while investigating the malware, I have not seen any code that attempts to steal credentials or anything outside of what is mentioned above with replacing links."

I did find a WindowsLiveUpdate.exe file on my machine. Apparently it self destructs after invocation because it was only 2kb in size and did not trigger MalwarebytesPro with the new defns. So I deleted it and the directory that contained it. I also blocked the source IP for the original html delivered exe payload (incoming and outgoing). I'm in the process of killing the BHOs and the js file it left behind.

It's almost worth flying to the Ukraine and tracking down and executing the SOB that developed and distributed the trojan virus.