I downloaded Stinger from NAI McAfee and I get an alert that FlashUtil10m_ActiveX.exe is a FakeAlert!fakealert-REP trojan. This is the report I get. I also scanned the computer with Microsoft Security Essentials with Admin privileges. Also scanned with Malwarebytes with Admin privileges and neither found any viruses.
McAfee(r) Labs Stinger(tm) Version 10.1.0.1444 built on Mar 8 2011
Copyright (c) 2011 McAfee, Inc. All Rights Reserved.
Virus data file v1000.0000 created on Mar 7 2011.
Ready to scan for 2239 viruses, trojans and variants.
Scan initiated on Tue Mar 08 16:41:57 2011
C:\Windows\System32\Macromed\Flash\FlashUtil10m_ActiveX.exe
Found the FakeAlert!fakealert-REP trojan !!!
C:\Windows\System32\Macromed\Flash\FlashUtil10m_ActiveX.exe is infected with the FakeAlert!fakealert-REP virus !!!
C:\Windows\System32\Macromed\Flash\FlashUtil10m_ActiveX.exe could not be repaired.
Number of clean files: 625717
Number of infected files: 1
My computer is Windows 7 Pro 64bit.
Hi, well that's a new one, LOL Norton did the same thing last year. Why any Anti-Virus program can't tell the difference between an Installed Flash file and a Virus/Trojan is beyond my understanding.
What may I ask is their solution?
Thanks,
eidnolb
P.S. I forgot to mention that I'd put my money on MSE and MBAM anytime over McAfee or Norton. My opinion after dealing with both of those.
Message was edited by: eidnolb Add'l remark
Actually, you might want to make sure it really isn't infected with a Fake AV virus/trojan.
I am just cleaning up 6 machines here from separate sources which all definitely DO have Fake AV infections. All are reporting Fakealert-Rep infections in certain Flash executable files in the windows\system\macromed\flash folder. All were (apparently) infected without user interaction, other than visiting a malicious website. It all looks a bit familiar to me. Very similar to some vulnerabilities in Adobe Reader which allowed computers to be totally compromised without user interaction a little while ago.
My suspicion now is that Adobe Flash may have a similar vulnerability, allowing a hacker to take control without user interaction.
If I'm right, way to go Adobe. You are getting good at this.
Hi, I understand about cleaning computers of Viruses/Trojans. However, I was under the impression from the OP that this McAfee Stinger was saying that the "FlashUtil10m_ActiveX" was the Virus/Trojan. The FlashUtil10m_ActiveX is one of the Flash files and it's certainly not a Virus/Trojan.
What I wonder is I've never heard of this McAfee Stinger and why is it making a "comeback" now? I done a little checking and it was around back in 2003!! From what I've read it "removes" malware, etc but doesn't protect from it in the first place.
MBAM finds AND removes malware that McAfee, Norton and AVG can't even prevent, let alone remove. Worthless bloatware in my opinion. I just finished working with someone that had AVG, got the AVG Virus and AVG "removed" it. LOL, MBAM found 15 more on the system.
Malware is a constant battle, that's the majority of the constant updates also, Security. I remember the Reader vulnerability too.
I don't know what the answer is except keep the systems updated, have a good AV/Spyware program and be careful where one goes on the internet.
Hope you get your machines cleaned!!!
Regards,
eidnolb
Stinger log did not say that "FlashUtil10m_ActiveX" was the virus/trojan. It said it was infected with a Trojan.
Also Stinger is not making a comeback and it is not a supported app, nor is it advertised. I only use it because one of my programming buddies suggested it to me. I have always been able for the last 8 years to download Stinger to do a quick and dirty scan just in case. Just do a search for NAI Stinger and that gets you to the download page. As I mentioned neither Malwarebytes nor Microsoft Security Essentials detected this trojan.
Stinger is a standalone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next-generation scan engine technology, including process scanning, digitally signed .DAT files, and scan performance optimizations. It detects and removes threats identified under the "List Viruses" icon in the Stinger application.
What I wonder is I've never heard of this McAfee Stinger and why is it making a "comeback" now? I done a little checking and it was around back in 2003!! From what I've read it "removes" malware, etc but doesn't protect from it in the first place
Well, neither Malwarebytes nor Microsoft Security Essentials' Real Time scanning protected my system. I'm not about to knock Stinger nor do I rely on it for real time protection. I use it because I know that no virus program is foolproof. I've used it in the past when my system was infected and Stinger was able to detect the malware when my regular virus scanners couldn't. It also shows me that Adobe's Tech support is far from foolproof. So I don't knock what works. In this case Stinger. You might want to try it as well since it is a tool to assist admins and users dealing with an infected system.
OK, for the record, and I'm not sure if this is much help to the OP, but the computers I have been cleaning have all had outdated versions of Adobe Flash Player installed.
To play safe, I have deleted all the suspect files, even when only one security product has identified a particular file as suspect. It is easy enough to reinstall the latest version of products like Flash anyway.
I have also taken a sample of the Flash executable flagged as infected by Stinger on one of these infected computers. I will be interested to see if any other security products flag it as infected in another week or two.
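One way to check whether a file flagged like the one in the Stinger log above is still an unmodified, vendor-signed binary, given here as an added example that is not part of any post in this thread. The helper name `Test-FlaggedBinary` is hypothetical, and the expectation that the genuine file carries a valid Authenticode signature from a publisher whose name contains "Adobe" is an assumption.

```powershell
# Added example: triage a file that one scanner flagged and others did not.
# Test-FlaggedBinary is a hypothetical helper; the path below is the one in the Stinger log.
function Test-FlaggedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: the genuine binary is signed by a publisher whose name contains this string.
        [string] $ExpectedSigner = 'Adobe'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    $subject = ''
    if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

    # Changing a signed PE after signing invalidates its Authenticode hash, so an
    # infected or swapped file shows HashMismatch or NotSigned rather than Valid.
    $intact = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSigner*")

    $verdict = 'Signature missing, broken or unexpected signer: treat as suspect'
    if ($intact) { $verdict = 'Signature intact: file is unmodified since the vendor signed it' }

    [pscustomobject]@{
        Path            = $item.FullName
        SHA256          = $hash.Hash          # record this before deleting or submitting the sample
        FileVersion     = $item.VersionInfo.FileVersion
        LastWriteTime   = $item.LastWriteTime
        SignatureStatus = $sig.Status
        Signer          = $subject
        Verdict         = $verdict
    }
}

Test-FlaggedBinary -Path 'C:\Windows\System32\Macromed\Flash\FlashUtil10m_ActiveX.exe' |
    Format-List
```

An intact signature only shows that the flagged file itself was not altered; it says nothing about other files on the machine or about how an infection arrived.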
One other benefit of Stinger is that it's an 8MB file, it does not install, you just download and run the program. No BLOATWARE.
What I wonder is I've never heard of this McAfee Stinger and why is it making a "comeback" now? I done a little checking and it was around back in 2003!! From what I've read it "removes" malware, etc but doesn't protect from it in the first place.
In order to be real time protection, it would have to be installed, which probably would contribute to bloatware.
Message was edited by: freemankam
@qravelrash2000 I can ease your mind in regards to wondering if having outdated versions of Adobe Flash Player installed contributed to a case of shared culpability; it did not.
I can confirm that fully updated computers running 64 bit versions of Windows 7 and 64 bit versions of Windows Vista (fully patched with a 100% Secunia PSI score) and loaded with the latest version of Adobe Flash Player in the Google Chrome browser (currently listed as secure by Secunia) are being actively infected with the FakeAlert!fakealert-REP Trojan. As far as the vulnerability being capable of exploit without user interaction, although I suspect that this is possible, I can not verify as of today that a drive-by download would be successful. I can confirm that the exploit is possible by clicking an infected link or by watching a video in which a flash object dumps an infected script.
I too am sick of the ongoing vulnerabilities of the Adobe Flash Player and Java. Flash technology is certainly a double edged sword; it has greatly added to the efficiency of all code writers. Too bad it can't distinguish the color of the code writer's hat!
In defense of Adobe and Sun Microsystems, I must say though, that the problem is much larger than any one programming language. With the "insecure by design" distinction of virtually all commercially available platforms, we will continue to experience ongoing security related issues.
McAfee Stinger is an excellent tool to have in your arsenal. The days of relying on one Anti-Virus/spyware utility and a firewall for total security are long gone.
I find it humorous that every program listed in this thread is neither foolproof nor immune to exploit; the best any can hope for is the distinction of "no known exploits currently."
Someone at Adobe should take this seriously and begin working on a patch. This exploit will spread rapidly. I expect Secunia will be "unleashing the dogs" by the middle of next week.
Yeah, I did spot this after posting my original message: http://www.computerweekly.com/Articles/2011/03/15/245912/Adobe-warns-of-zero-day-vulnerability-in-Ad... Maybe I should be grateful to Adobe for producing so many vulnerabilities. After all, people pay me good money to fix their computers afterwards.
@gravelrash2000 That's the way to look at it brother! Generally speaking, the volume of newly discovered exploits has increased exponentially across the board; Microsoft and Adobe have experienced more than their fair share of the maelstrom. It may seem to be an aggravated circumstance too many but if you take into consideration the market shares in which both companies enjoy, I believe that such prevalence quantifies a much lower percentage of total products affected compared to the balance. I have to say that the talented Adobe team has substantially improved their mitigation procedures; their response times were horrible at this time last year but lately they have been more than reasonable. This fact has shifted much of the contemptuous public perception towards sympathy; at least in my circle of constituents.
The exploit mentioned in your last post isn't the same vulnerability that is responsible for the FakeAlert!fakealert-REP trojan injection. Here is a Technet blog
http://blogs.technet.com/b/mmpc/archive/2011/03/17/a-technical-analysis-on-the-cve-2011-0609-adobe-f... and below is a Secunia blog http://secunia.com/advisories/43751 that explains the AVM2 Instruction Sequence Handling Vulnerability CVE-2011-0609 dealing with ActionScript Virtual Machine 2 in greater detail. While capable of being triggered by a heap spraying process, CVE-2011-0609 requires performing a series of operations and control flows to possibly cause the verification logic to fail and was most troublesome in regards to affecting Microsoft Excel as well as other Office products. Also it was found that older versions of Adobe Flash Player and Google Chrome versions newer than 10.2.154.18, are not affected. Microsoft has released a Hotfix available for this vulnerability.
The vulnerability we have experienced is capable of exploiting the current non beta version of Google Chrome 10.0.648.151.
On the upside of things, Microsoft knocked one out of the park and over the parking lot when busting up the Rustock botnet!! One for the home team fellows!
http://www.scmagazineus.com/microsoft-prevails-rustock-botnet-shut-down/article/198652/
Message was edited by: StreamReader
I was surfing some web sites and all of a sudden a window opens and asks if I want to allow Adobe flash player to make changes to my system. Duh NO!!!! It's about time for Adobe to start thinking about their bloatware, Flash and Acrobat, and stop allowing payload dumping from both programs.