
VEFO - Malwarebytes does not find this



What is Malwarebytes doing about W32/Agent.VEFO!tr trojan virus?

Luckily my firewall caught the outgoing from this but the current set of Malwarebytes definitions do not locate the infected file on my computer.

The only info I could find is here:

http://www.fortiguard.com/search.php?action=detail?_by_virus_id&data=4378692

A search of the Malwarebytes site for VEFO returns no results.


  • Root Admin

Well based on the description by Fortinet it would seem prudent to have someone assist you in further scanning your system for a possible infection.

It's possible that nothing is there or that Fortinet already stopped it, but better safe than sorry.

W32/Agent.VEFO!tr - Released Dec 08, 2012

Detailed Analysis

W32/Agent.VEFO!tr is classified as a Trojan.

This Trojan has capabilities for remote access connection handling, performing Denial of Service (DoS) or Distributed DoS (DDoS), capturing keyboard input, deleting files or objects, and terminating processes.

The Fortinet Anti-Virus Analyst Team is currently in the process of creating a detailed description for this virus.

Recommended Action

FortiGate Systems

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems

Quarantine/delete files that are detected and replace infected files with clean backup copies

If you think you are infected, here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult

You have 3 Options that you can choose from as listed below:

  • Option 1 —— Free Expert advice in the Malware Removal Forum
  • Option 2 —— Paying customer -- Contact Support via email
  • Option 3 —— Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so a qualified helper can help you fix any malware related problems or infections you may have.
  • Please read and follow the directions here, skipping any steps you are unable to complete.
  • After posting your new post, make sure under options, you select Follow this topic and choose Instantly,
    so that you're alerted when someone has replied to your post.

NOTE: Please do not post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count and helpers are looking for topics with zero replies.

If you reply to your own post helpers may think that you're already being helped and thus overlook your post.


    • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
      Or
    • You may send a Private Message to a Moderator asking for assistance.

OPTION 2

Alternatively, as a paying customer, you can contact the help desk here.

OPTION 3

If you would like to use our Malwarebytes Premium Consumer Services partner (comprehensive solutions to all your computer support needs, from installation and set-up to troubleshooting and tune-ups), go to our Malwarebytes Premium Services support site.

Please be patient, someone will assist you as soon as possible.


Thanks. I just downloaded the latest database and am now doing a full scan on my workstation.

I'll let you know what it finds.

In what file name did you find this trojan?

Just a note that the same infection could use dozens of name variations so it likely won't be the same on your computer.


  • Staff

C:\Documents and Settings\%username%\Local Settings\Temp\WindowsLiveUpdate.exe

is what I had. Darksnakekobra is right, though: it could be a different name on your system.

You might look in this path, though, and see if anything stands out that is about 100 KB, and send it to me if you can.

That was the only file with that vendor name I could find from my sources.


Thanks. Here's the info I have collected from other sources:

"I was able to track down one sample that has triggered the W32/Agent.VEFO!tr signature by Fortinet with md5 8585a81af791b2780cbd67efe6d52120. I am still investigating this sample, but it appears to be a .NET executable that drops WinLiveUpdate.exe into the temporary directory (varies depending on which version of Windows you are running, but it'll either be under Documents and Settings\user\Local Settings\Temp or C:\Users\username\AppData\LocalTemp on Vista or newer.)

A lot of the filesystem changes it makes are similar to what's shown on the following cached Threat Expert report.

http://webcache.googleusercontent.com/search?q=cache:S-JjYdw8XFsJ:www.threatexpert.com/report.aspx%3Fmd5%3Dc37f1a51e48336dc16d8d01b217f2d87+&cd=1&hl=en&ct=clnk&gl=us

From what I've been able to gather, it injects a javascript extension into Firefox (Mozilla\Firefox\Extensions\MozillaHotfix\chrome\content\update.js) and a Browser Helper Object into Internet Explorer (WinLive.dll). The BHO for IE replaces links with new links specified in a configuration file, but the only one that is currently being rewritten is for livejasmin.com, an adult site.

It appears as though it self updates on regular intervals either through the Firefox extension or IE BHO in the format http://<ip>/MUpdate/VersionRequest.ashx?codename=<codename>&version=<version>&uid=<uid>&country=<country>&browser=<browser>

Doing some further open source research on this URL structure does show it has been seen going out to ytimg.biz and 93.190.44.14, which appears to match what you had seen initially. This leads me to believe that this sample is related to what you had on your machine, possibly being a different variant.

So far, while investigating the malware, I have not seen any code that attempts to steal credentials or anything outside of what is mentioned above with replacing links."

I did find a WindowsLiveUpdate.exe file on my machine. Apparently it self destructs after invocation because it was only 2kb in size and did not trigger MalwarebytesPro with the new defns. So I deleted it and the directory that contained it. I also blocked the source IP for the original html delivered exe payload (incoming and outgoing). I'm in the process of killing the BHOs and the js file it left behind.

It's almost worth flying to the Ukraine and tracking down and executing the SOB that developed and distributed the trojan virus.

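The post above lists concrete indicators: the dropped file names (WindowsLiveUpdate.exe / WinLiveUpdate.exe in the user's temp directory, the WinLive.dll BHO, the MozillaHotfix Firefox extension with update.js), the MD5 of the analysed sample, the self-update URL shape /MUpdate/VersionRequest.ashx?codename=...&version=...&uid=...&country=...&browser=..., and the hosts ytimg.biz and 93.190.44.14. The script below is an added example, not code from the thread or from Malwarebytes, that turns those indicators into an offline hunt: it classifies URLs pulled from proxy/firewall log lines and walks a directory tree for the dropped files. The log lines and the directory tree it is run against are constructed for the example; the function and variable names are my own.

```python
"""Offline hunt for the W32/Agent.VEFO!tr indicators quoted in the forum thread.

Added example, not the thread's or Malwarebytes' code. Sample log lines and the
demo directory tree are constructed here so the script runs with no network access.
"""
import hashlib
import os
import re
import shutil
import tempfile
from urllib.parse import parse_qs, urlsplit

# Indicators as quoted in the thread.
C2_HOSTS = {"ytimg.biz", "93.190.44.14"}
SAMPLE_MD5 = "8585a81af791b2780cbd67efe6d52120"
DROPPED_NAMES = {"windowsliveupdate.exe", "winliveupdate.exe", "winlive.dll"}
FIREFOX_EXT_PATH = os.path.join("mozillahotfix", "chrome", "content", "update.js")
UPDATE_PATH = "/mupdate/versionrequest.ashx"
EXPECTED_PARAMS = {"codename", "version", "uid", "country", "browser"}

# Constructed squid-style proxy log lines (timestamp, client, method, URL, status).
SAMPLE_LOG = [
    "1355000001.123 192.168.1.20 GET http://93.190.44.14/MUpdate/VersionRequest.ashx"
    "?codename=abc&version=1.2&uid=1234&country=US&browser=IE 200",
    "1355000002.456 192.168.1.20 GET http://www.mozilla.org/firefox/ 200",
    "1355000003.789 192.168.1.21 GET http://ytimg.biz/favicon.ico 404",
]


def classify_url(url):
    """Return a reason string if the URL matches the beacon pattern or C2 hosts, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in C2_HOSTS:
        reasons.append("known host " + host)
    if parts.path.lower() == UPDATE_PATH:
        present = set(parse_qs(parts.query).keys())
        missing = sorted(EXPECTED_PARAMS - present)
        if missing:
            reasons.append("VersionRequest.ashx path, missing params: " + ",".join(missing))
        else:
            reasons.append("VersionRequest.ashx beacon with full parameter set")
    return "; ".join(reasons) or None


def scan_log(lines):
    """Extract URLs from log lines and return (line_no, url, reason) for each hit."""
    url_re = re.compile(r"https?://\S+")
    hits = []
    for n, line in enumerate(lines, 1):
        for url in url_re.findall(line):
            reason = classify_url(url)
            if reason:
                hits.append((n, url, reason))
    return hits


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_files(root):
    """Walk root and return (path, reason) for every dropped-file indicator found."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).lower()
            if name.lower() in DROPPED_NAMES:
                hits.append((full, "dropped file name"))
            if rel.endswith(FIREFOX_EXT_PATH):
                hits.append((full, "MozillaHotfix Firefox extension"))
            if name.lower().endswith((".exe", ".dll")) and md5_of(full) == SAMPLE_MD5:
                hits.append((full, "md5 matches analysed sample"))
    return hits


def demo_file_hunt():
    """Build a constructed tree mimicking the paths in the thread, hunt it, clean up."""
    root = tempfile.mkdtemp(prefix="vefo_demo_")
    try:
        layout = {
            os.path.join("Local Settings", "Temp", "WindowsLiveUpdate.exe"): b"MZ" + b"\0" * 62,
            os.path.join("Mozilla", "Firefox", "Extensions", "MozillaHotfix",
                         "chrome", "content", "update.js"): b"// constructed stub\n",
            os.path.join("Windows", "notepad.exe"): b"MZ" + b"\1" * 62,  # benign control
        }
        for rel, data in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return sorted((os.path.relpath(p, root), why) for p, why in hunt_files(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for n, url, why in scan_log(SAMPLE_LOG):
        print(f"log line {n}: {url} -> {why}")
    for rel, why in demo_file_hunt():
        print(f"file {rel} -> {why}")
```

To use it against a real host, point hunt_files at the user's profile root (the Local Settings\Temp or AppData\Local\Temp tree and the Mozilla\Firefox\Extensions tree) and feed scan_log the proxy or firewall export; the two hosts and the MD5 are only as current as the 2012 post that reported them, so treat the VersionRequest.ashx parameter shape as the more durable signature.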
