How did I get this virus?

Ok

- Clean Install of XP fully patched - Genuine
- Installed McAfee 8.5 AV software and the latest superdat

The PC should now detect a virus upon read or write, provided it's listed in the detections. However, I ran a scan on the system and it detected this virus: http://vil.nai.com/vil/content/v_100261.htm

How did it not get detected before the full scan?

It should have detected when written to the disk?

The only way I can see it got on there was in that short time before the AV software was installed, but that would have been before any Outlook or internet browsing would have been done.
 
Obvious question - what AV?

And is it a legit copy of XP? Downloaded Operating Systems and Programs often come bundled with unexpected nasties.

Also, from your link:

Detections of this exploit do not necessarily mean that any malicious code was executed. It simply means that a Java applet was found to contain the exploit code. Conversely malicious code may have been run, which could result in any number of modifications to the system.
 
Is it some sinister XP version off the internet?

What AV are you using? The reference to superdat makes me think McAfee, which fills me with a sense of foreboding.

Possible false positive?
 
I usually install with the ethernet cable unplugged. :p

If I used wireless, I'd disable that as well.

I have my essential post-install apps and their MD5 hashes (from the official websites) on a clean USB stick. This stick is never plugged into any running Windows install. It's only plugged in when I'm downloading the post-install apps... from Linux.

So, I install and set up Windows Firewall and AV. Only then do I go online for Windows updates.


Are you behind a router? Is your copy of Windows legit? :D


Maybe it's a false positive?
 
Now I'm not accusing you of doing this but I've heard of people using hacked copies of AV programs and the Keygen or Installer for the program has trojans/viruses/keyloggers included - just a possibility!
 
Yes, sorry guys, McAfee. I didn't display it because I didn't want just the comment "change AV". It's doing its job on 3000 other machines.

Edit: yes, I am behind a firewall.

AV genuine, and XP. I am talking about an Enterprise environment.

Possible false positive?

Not sure, looks like something was found and moved to the quarantine folder.
 
Not seeing this on any other machines and/or reported by ePolicy. Having not built the original machine, I can only think it was on there before the AV, then detected once installed and fully scanned.
 
Now I'm not accusing you of doing this but I've heard of people using hacked copies of AV programs and the Keygen or Installer for the program has trojans/viruses/keyloggers included - just a possibility!

This is very much true, but there are ways to get around it ;)
 