Destructive virus that McAfee can't catch... 

OK, here's what I have found out after spending 2 days talking to CERT, McAfee
and Microsoft.  This isn't a virus to the best of anyone's estimation.  This was
an INCOMPATIBILITY between McAfee VirusScan and Outlook Express!  No one will
come right out and say it, but Microsoft has seen this behavior before, but is
currently unable to reproduce it.  They said the one commonality between all the
people experiencing this problem was they all had McAfee set up to scan their
e-mail attachments.  Microsoft requested that I burn all my OutlookExpress dbx
files to CD and send them to them along with a detailed description of my
computer configuration and my McAfee VirusScan configuration.

So a warning to the wise, if you are running Win2K SP2 with the cumulative
security patch installed and IE5.5 SP2 and you use OutlookExpress as your mail
client and you run McAfee VirusScan engine 4.1.40 with dat files 4.0.4159 (or
later) and you have it set up to scan your e-mail attachments as they are
downloaded, I would be very careful to backup your dbx files very often.  This
was the basic configuration of my system at the time of the incident.  I am
working to reproduce the problem for Microsoft and will test this theory by
uninstalling VirusScan after I am able to reproduce the problem consistently
again.


Quote:
> There is a similar thing going around that wipes out the address book in
> Outlook and Outlook Express.  That one turned out to be an "ActiveX" script
> embedded in the Email.  My Nav2001 caught it because I had updated it to
> remove harmful "Scripts".   May be another case similar to that.

> I too am concerned about Sircam still being in your recycled folder.  Sircam
> operates just fine out of the Recycle Bin.

> N



> > I received an e-mail last night in Outlook Express.  Earlier this week I
> > updated my Win2K system with SP2 and I also updated to IE 5.5 SP2.  I
> > also am running McAfee and have all my e-mail attachments scanned.  The
> > virus was able to run by merely previewing e-mail.  I received it as

> > Holiday Savings".  I normally click on this kind of stuff and delete it,
> > but when I went back to my inbox, it was empty.  I knew exactly where to
> > look and sure enough with a little testing I can easily eliminate all
> > mails from my inbox by previewing this e-mail.  Once infected it will
> > remove all e-mail from the current folder when you close Outlook
> > Express.  I immediately took the computer off line and am using a
> > different computer that was turned off at the time of the attack as well
> > as I am using Netscape 4.7 for the time being.  I was able to reinstall
> > IE 5.5 and Internet components and I believe I have removed the virus
> > from my computer.  My mails remain in my inbox when I close and restart
> > Outlook Express though I am not up to SP2 yet because the computer is
> > still off of any networks until I get this identified.  I am concerned
> > that it may still be lying on my disk and waiting until I hook the
> > computer up to a network to try and propagate itself since no scanning
> > software appears to catch it.  I have provided the virus e-mail to CERT
> > and they are looking into it.  Their initial diagnosis was SirCAM, but I
> > believe that was a red herring.  The reason is that SirCAM has never
> > been reported to delete mail folders as well as McAfee is supposed to
> > protect against SirCAM.  Also I had received a couple of e-mails earlier
> > in the day that did have SirCAM attached and they went in the Deleted
> > File folder.  I was able to look at the virus in a hex editor I can see
> > the 2 e-mails that had SirCAM attached and I also see some other e-mails
> > that I had previously deleted.  I believe the virus is trying to
> > disguise itself by using whatever it finds in the trash, and in my case
> > some of my garbage contained SirCAM.  I believe this is a different and
> > yet unreported virus.  Has anyone heard of anything like this?  I can't
> > find anything about "deleting inbox" on any of the Virus detection
> > sites.  I am concerned about propagating it and will keep my computer
> > off line until I can identify and eliminate it.
> > Thanks for your help!
> > Dave



Sun, 14 Mar 2004 01:30:53 GMT  


Quote:
> So a warning to the wise, if you are running Win2K SP2 with the
> cumulative security patch installed and IE5.5 SP2 and you use
> OutlookExpress as your mail client and you run McAfee VirusScan engine
> 4.1.40 with dat files 4.0.4159 (or later) and you have it set up to
> scan your e-mail attachments as they are downloaded, I would be very
> careful to backup your dbx files very often.  This was the basic
> configuration of my system at the time of the incident.  I am working
> to reproduce the problem for Microsoft and will test this theory by
> uninstalling VirusScan after I am able to reproduce the problem
> consistently again.

Even McAfee themselves now say that such email scanning is unnecessary and
for 'corporate clients' only.

See here (scroll down to the McAfee box).
http://members.iinet.net.au/~sandi/MVP/Darnit.htm

--

Please do not send an email unless asked to do so.
________________________________________
Sandi ...
Microsoft MVP (Internet Explorer and Outlook Express)
http://members.iinet.net.au/~sandi/MVP/index.htm



Sun, 14 Mar 2004 14:32:50 GMT  
I am afraid, using McAfee VSC and MS Outlook Express together is enough to
lose e-mails; no more configuration is needed to be faced with this issue.





Sun, 14 Mar 2004 20:40:25 GMT  
I have the same problem in my computer, McAfee and OE, and my e-mail that's in
my inbox is deleted when I start OE.
But if I am in the inbox when I receive the mail it seems like I keep it
until I restart OE...
Like yours it's a W2K with SP2 and hot fixes... IE5.5 SP2 and McAfee 4.5.1
with 4.1.40 engine and 4.0.4162 dat...

If you want to know something about my config feel free to mail me.. just
remove the nospam in the mail address, you can also forward my mail address
to MS if you want to..

I will not scan my mail anymore, that's for sure, at least until they fix this
little problem..
And I want to say sorry for my bad spelling :) no spell check yet...

--
Fredrik Lind





Mon, 15 Mar 2004 03:43:31 GMT  
Get rid of McAfee, it's slow, it corrupts, they just are not the same
company as they used to be years back. Use Trend www.antivirus.com.





Mon, 15 Mar 2004 22:37:05 GMT  
 