Showing posts with label McAfee. Show all posts

Monday, February 24, 2020

McAfee Antivirus Malware Virus Type Names Prefixes

From the McAfee DAT readme at the link below, as of 2017:

http://download.nai.com/products/datfiles/4.x/nai/readme.txt

   A97M/    Macro virus that infects Microsoft
            Access 97 files.

   APM/     Macro virus or Trojan horse program
            that infects Ami Pro document and
            template files.

   Bat/     Batch-file virus or Trojan horse
            program. These viruses usually run
            as batch or script files that
            affect a particular program that
            interprets the script or batch
            commands they include. They are
            very portable and can affect nearly
            any platform that can run batch or
            script files. The files themselves
            often have a .bat extension.

   CSC/     Corel Script virus or Trojan horse
            program that infects Corel Draw
            document files, template files, and
            scripts.

   IRC/     Internet Relay Chat script virus.
            This virus type can use early
            versions of the mIRC client
            software to distribute a virus or
            payload.

   JS/      Script virus or Trojan horse
            program written in JavaScript
            language.

   JV/      Potentially harmful Java
            application or applet.

   Linux/   Virus or Trojan horse program
            compiled for Linux operating system 
            in ELF file format.

   LWP/     Potentially harmful software for
            Lotus WordPro.

   MacHC/   Virus or Trojan horse program for
            Apple Macintosh HyperCard scripting
            language.

   MacOS/   Virus or Trojan horse program for
            Apple Macintosh OS versions 6-9.

   MSIL/    Application written using Microsoft
            Intermediate Language framework,
            also known as .NET.

   P98M/    Macro virus or Trojan horse program
            that infects Microsoft Project
            documents and templates.

   PalmOS/  Virus or Trojan horse program for a
            Palm Pilot.

   PDF/     File-infector of Adobe PDF files.

   Perl/    Script virus or Trojan horse
            program written in Perl language.

   PHP/     Script virus or Trojan horse
            program written in PHP language.

   PP97M/   Macro virus. Infects Microsoft
            PowerPoint 97 files.

   RDN/     Denotes that the malware signature
            was authored by the McAfee automation
            system.

   SunOS/   Potentially harmful software for
            Sun Solaris.

   SWF/     Potentially harmful software for
            Shockwave.

   Unix/    Program or a shell script for a
            version of UNIX.

   V5M/     Macro or script virus, or
            Trojan horse program that infects
            Visio VBA (Visual Basic for
            Applications) macros or scripts.

   VBS/     Script virus or Trojan horse
            program written in Visual Basic
            Script language.

   W16/     File-infector virus that runs in
            16-bit Microsoft Windows
            environments (Windows 3.1x).

   W2K/     Potentially harmful software for
            32-bit Microsoft Windows
            environments, specifically Windows
            NT, 2000, or XP.

   W32/     File-infector or boot-sector virus
            that runs in 32-bit Microsoft
            Windows environments (Windows 95,
            Windows 98, or Windows NT).

   W95/     File-infector virus that runs in
            Microsoft Windows 95, Windows 98,
            and Windows ME environments.

   W97M/    Macro virus that infects Microsoft
            Word 97 files.

   WHLP/    Potentially harmful software for
            32-bit Microsoft Windows
            environments that target Windows
            HLP files.

   WM/      Macro virus that infects Microsoft
            Word 95 files.

   X97M/    Macro virus that infects Microsoft
            Excel 97 files.

   XF/      Macro virus that infects Microsoft
            Excel 95 or 97 via Excel formulas.

   XM/      Macro virus that infects Microsoft
            Excel 95 files.


   AdClicker  - Repeatedly accesses websites that
               are funded by advertising.

   Adware - Installs advertising software but
                  does not ask permission.

   BackDoor - Provides remote access or control
                  through the Internet or network.

   Dialer - Dials a phone number without 
                  asking for permission.

   DDoS  - Operates as a Distributed Denial of
                  Service component.

   Del  - Deletes files.

   Downloader - Downloads software from the
                  Internet, usually to deliver
                  backdoors, password stealers, and
                  sometimes viruses.

   Exploit - Uses a vulnerability or a software
                  defect.

   FDoS  - Denotes a Flooding Denial of
                  Service component.

   KeyLog - Logs keystrokes for immediate or
                  future transmission to the
                  attacker.

   Kit  - Denotes a program designed for
                  creating a virus or Trojan horse
                  program.

   MultiDropper - Drops several Trojan horse programs
                  or viruses (often several different
                  ‘backdoors’).

   Nuke  - Uses defects in software installed 
                  on a remote computer to bring it down.

   ProcKill - Terminates the processes of
                  anti-virus and security products.
                  May also delete files associated
                  with such applications.
 
   PWS  - Steals a password.

   Reboot - Reboots the computer.

   Reg  - Modifies the Registry in an
                  undesirable fashion without asking
                  questions. For example, reduces the
                  security settings or creates
                  abnormal associations or sets.

   Spam  - Acts as a spamming tool.

   Spyware - Monitors browsing habits or other
                  behavior and sends the information
                  out, often for unsolicited
               advertising.

   Uploader - Sends files or other data from the
                  computer.

   Vtool - Denotes a program used by virus
                  writers or hackers for developing
                  software.

   Zap  - Wipes all or part of a hard disk.


Monday, October 26, 2015

Walking Thru a Phishing Email Attachment

Here's a walk-thru of how I look at a Phishing Email Attachment.

There was a McAfee alert 'HTML/Phishing.b' on a file called 'form.html'. This likely came from a user opening/clicking on an attachment in an email.

Since McAfee marked it as Infected and deleted it, the file was no longer in the original folder where the alert had triggered. But it was in the McAfee Quarantine folder as a .bup, so I was able to extract it like this.

The file that came back was this ugly JavaScript, obfuscated and hard to read. At a high level, the document contains a massively long Base64-encoded variable, which the ugly JavaScript then decodes and de-obfuscates into working HTML that the user's browser or email client would display.

I know this because at the bottom I see the JavaScript call 'document.write', which is used to write raw HTML into a page. To be safe, I didn't want to run this JavaScript directly, so I re-saved it with 'document.write' changed to 'console.log'. That lets me see the HTML without the browser actually rendering it (much safer). Then I hit F12 to open the Firefox developer tools, reloaded the JavaScript, and in the Console tab the HTML is output for me.

After the JavaScript runs, the HTML displayed is this. It's an HTML form styled nicely to phish PayPal credentials and send them to a .ru (Russian) website.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Friday, May 8, 2015

McAfee Cookie Analyzer - Galleta

McAfee has a free tool called Galleta which seems to make viewing Internet Explorer cookies a little easier.

1.) Find a cookie text file (in a location like C:\Users\XXXX\AppData\Roaming\Microsoft\Windows\Cookies\Low )


2.) Run Galleta
    ] galleta.exe C:\Users\XXXX\AppData\Roaming\Microsoft\Windows\Cookies\Low\EKHU3P50.txt > c:\cookies.txt

3.) Open the output cookies.txt with Excel


4.) View the cookies in a more readable format



Friday, April 24, 2015

Look at Zip Files without Opening

If you don't feel comfortable opening a zip file, you can use Didier's zipdump.py tool to inspect the zip safely. The commands are simple.


1.) SHOW FILES IN ZIP
  zipdump.py test.zip
2.) EXTRACT A SINGLE FILE
  zipdump.py -f test.zip folder1/file1.txt
3.) VIEW ZIP CONTENTS IN MCAFEE QUARANTINE WITHOUT WRITING TO DISK
  punbup.py -f abc.bup | zipdump.py -
4.) VIEW SINGLE FILE IN ZIP IN MCAFEE QUARANTINE WITHOUT WRITING TO DISK
  punbup.py -f abc.bup | zipdump.py -a -


Have fun.


Test if McAfee is Working

If you need to see whether McAfee Antivirus is enabled and running you can use the EICARgen tool from Didier.

The commands are simple.
1.) Generate a test file called 'McAfeeTestFile.exe'
  EICARgen.exe write McAfeeTestFile.exe
2.) Generate a pdf file called 'McAfeeTestFile.pdf'
  EICARgen.exe pdf McAfeeTestFile.pdf


Immediately upon running this, or dropping the file onto a McAfee-protected host, you should see the familiar popup.



Viewing files McAfee Quarantined

If you've ever had to work with the McAfee Antivirus product, you know that if it detects something it will quarantine that file, basically rendering it useless to the malware or attacker. If you need to extract or get that file back (as a researcher) for further analysis, here's a simple way.

Download the punbup.py tool from herrcore.

Simple basics are...
1.) SHOW FILE INFO
punbup.py -d c:\Quarantined\abc.bup

[Details]
DetectionName=W97M/Downloader.q
DetectionType=1
EngineMajor=5700
EngineMinor=7163
DATMajor=7778
DATMinor=0
DATType=2
ProductID=12106
CreationYear=2015
CreationMonth=4
CreationDay=22
CreationHour=19
CreationMinute=14
CreationSecond=42
TimeZoneName=Central Daylight Time
TimeZoneOffset=300
NumberOfFiles=1
NumberOfValues=0

[File_0]
ObjectType=5
OriginalName=\\?\C:\Users\XXX\Downloads\2471f4a0febbfede40f5d700553eb28d97519ac49454bcc79f0fb7383559198b.bin
WasAdded=0


2.) SHOW MD5 HASH OF FILE
punbup.py -c md5 c:\Quarantined\abc.bup
md5 hash for File_0: beb25dc0d73e289432fc624610b103c9


3.) GET THE FILE BACK (be careful!!!)
punbup.py -f c:\Quarantined\abc.bup | clip

or

punbup.py -f c:\Quarantined\abc.bup > badfile.doc


Now it's time to dig in and research.


Thursday, March 26, 2015

McAfee Artemis Alerts and the MD5 Hash

I thought it was interesting to learn the following from this McAfee KB about Artemis:

Artemis!1234567890AB

The text after the '!' (1234567890AB above) equals the first 12 hexadecimal characters of the MD5 hash of the file it found.
