Darn spelling correction!  :-)   "is tasked with" 

Warm regards,


Stu Sjouwerman
Co-Founder, Publisher, Sunbelt Media
P: +1-727-562-0101 ext 218
F: +1-727-562-5199
s...@sunbelt-software.com
-----Original Message-----
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com] 
Sent: Friday, March 26, 2010 12:15 PM
To: NT System Admin Issues
Cc: Joe Frederick
Subject: RE: False-positives on Vipre this morning

Joe Frederick here at Sunbelt is takes with handling FP's when they come up.

You can report these directly to him. He's cc-d.

Warm regards,

Stu Sjouwerman
Co-Founder, Publisher, Sunbelt Media
P: +1-727-562-0101 ext 218
F: +1-727-562-5199
s...@sunbelt-software.com
-----Original Message-----
From: Angus Scott-Fleming [mailto:angu...@geoapps.com] 
Sent: Friday, March 26, 2010 1:01 AM
To: NT System Admin Issues
Subject: Re: False-positives on Vipre this morning

On 25 Mar 2010 at 22:57, Burian, Matthew J. (mjb)  wrote:

> That one file you saw in the recycle bin sounds very similar in name
> to the Microsoft Antimalware process of "MsMpEng.exe" used in OneCare
> and now used in Security Essentials. (Also may be used with Windows
> Defender??)
> 
> Just an interesting, though probably unrelated similarity in file naming.

Probably an intentional mis-naming by the malware.  Actually it turned out to 
be a true nasty trojan, not an FP (although I had those today also*).  Info 
pages here:

    W32/IRCbot.gen.aj
    http://vil.nai.com/vil/content/v_252087.htm

    W32/Rimecud
    http://vil.nai.com/vil/content/v_237984.htm

My infections had the filename of the first of those but the exact file-location
and registry-keys of the second.  VIPRE identified them as 
"Worm.Win32.Rimecud" [where DO they get these names???] and the VIPRE info page 
(doesn't say anything useful, unfortunately) is here:
http://www.sunbeltsecurity.com/ThreatDisplay.aspx?name=Worm.Win32.Rimecud&tid=4268277&cs=50289929C7DB40A0D03710195D3B1B1C
or here if the above wraps unusably: http://preview.tinyurl.com/ydtnjw6

I had three machines where the VIPRE "Deep Scan" found this.  I need to make 
sure I get Deep Scans on the rest of the network RSN as this spreads via 
network shares among other methods.

Angus

* FPs on half a dozen files in hidden directory C:\hp\recovery\wizard\fsadmin\ 
on one XP Home machine that still sits on my network.  Submitted them to 
Sunbelt after dealing with Rimecud.  No answer yet, but it was after 9 PM 
Florida time when I submitted them.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/
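When files are submitted to a vendor as suspected false positives, as done above, the report is far more useful if each file is accompanied by its size and hashes so the vendor can match it against their own samples without ambiguity. The following script is an added example written for this post, not code from the thread or from Sunbelt; it walks a directory you name (the hidden recovery directory in the post is one candidate), hashes every file in chunks, and writes a JSON manifest. The detection name passed in is a placeholder, since the post does not say what name VIPRE gave the false positives.

```python
import hashlib
import json
import sys
from pathlib import Path


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 16):
    """Return {algorithm: hexdigest} for one file, reading it in chunks
    so large files do not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_fp_manifest(directory, detection_name):
    """Describe every regular file under `directory` for a false-positive
    report: path, size and hashes, plus the detection name the AV applied.
    `detection_name` is supplied by the caller (placeholder in this example)."""
    records = []
    for path in sorted(Path(directory).rglob("*")):
        if not path.is_file():
            continue
        record = {
            "path": str(path),
            "size": path.stat().st_size,
            "detection": detection_name,
        }
        record.update(hash_file(path))
        records.append(record)
    return records


def write_manifest(records, out_path):
    """Write the manifest as JSON and return the path written."""
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(records, fh, indent=2)
    return out_path


if __name__ == "__main__":
    # Usage: python fp_manifest.py <directory> [detection-name]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    name = sys.argv[2] if len(sys.argv) > 2 else "DETECTION-NAME-PLACEHOLDER"
    print(json.dumps(build_fp_manifest(target, name), indent=2))
```

Keep the manifest with the submission; if the vendor later confirms the files as clean, the hashes are also what you add to a local whitelist rather than the bare filename, which (as the mis-named trojan in this thread shows) is not a reliable identifier.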





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~