McAfee DAT files contain detection and repair information for threats. The Minimum DAT field specifies the lowest/oldest DAT version that is capable of detecting the first incarnation of a threat, and the release date. The highest/newest DAT version should always be used for the most complete protection and are available on the Anti-Virus Updates page.
Each description displays the minimum, fully tested, DAT version that includes regular detection for a particular threat. These fully tested DATs are released on a daily basis. If necessary, they are also released when a Medium, Medium On Watch, or High risk threat is discovered. An EXTRA.DAT will also be posted for these more prevalent threats, if necessary.
For each description listed, detection is always available. In the event that the DAT version specified is not yet available, an EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page. Alternatively, minimally tested HOURLY BETA DAT files are available for downloading.
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
This trojan is downloaded by one of the W32/Bagle variants. It modifies security settings on the victims computer.
Symptoms
When executed it copies itself to the %Windir% folder as:
It further drops a DLL component under the name firewall_anti.dll into the %Windir% folder. This DLL is injected into the same memory space as Explorer.exe.
The following registry keys is created so that it runs each time after a reboot:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "firewall_anti"
= %Windir%\firewall_anti.exe
The following registry key is created so that it runs as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpFilterDriver\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_IPFILTERDRIVER
It blocks access to any of the following websites:
pandasoftware.com
clamav.net
www.clamav.net
www.bitdefender.com
bitdefender.com
ravantivirus.com
www.ravantivirus.com
drweb.ru
www.drweb.com
drweb.com<
antivir.de
www.antivir.de
216.200.68.152
212.113.20.69
63.210.193.12
84.53.142.22
84.53.142.6
kaspersky.ru
grisoft.com
www3.ca.com
www.viruslist.ru
www.viruslist.com
www.trendmicro.com
www.symantec.com
www.sophos.com
www.networkassociates.com
www.nai.com
www.my-etrust.com
www.mcafee.com
www.kaspersky.ru
www.kaspersky.com
www.kaspersky-labs.com
www.grisoft.com
www.fastclick.net
www.f-secure.com
www.awaps.net
www.avp.ru
www.avp.com
www.avp.ch
windowsupdate.microsoft.com
viruslist.ru
viruslist.com
vil.nai.com
us.mcafee.com
updates5.kaspersky-labs.com
updates4.kaspersky-labs.com
updates3.kaspersky-labs.com
updates2.kaspersky-labs.com
updates1.kaspersky-labs.com
updates.symantec.com
update.symantec.com
trendmicro.com
symantec.com
support.microsoft.com
spd.atdmt.com
sophos.com
service1.symantec.com
securityresponse.symantec.com
secure.nai.com
rads.mcafee.com
phx.corporate-ir.net
office.microsoft.com
networkassociates.com
nai.com
my-etrust.com
msdn.microsoft.com
media.fastclick.net
mcafee.com
mast.mcafee.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
kaspersky.com
kaspersky-labs.com
ids.kaspersky-labs.com
go.microsoft.com
ftp.sophos.com
ftp.kasperskylab.ru
ftp.f-secure.com
ftp.downloads2.kaspersky-labs.com
ftp.avp.ch
fastclick.net
f-secure.com
engine.awaps.net
downloads4.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads.microsoft.com
downloads-us3.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us1.kaspersky-labs.com
downloads-eu1.kaspersky-labs.com
download.microsoft.com
download.mcafee.com
dispatch.mcafee.com
customer.symantec.com
clicks.atdmt.com
click.atdmt.com
www.ca.com
ca.com
banners.fastclick.net
banner.fastclick.net
awaps.net
avp.ru
avp.com
avp.ch
atdmt.com
ar.atwola.com
ads.fastclick.net
ad.fastclick.net
ad.doubleclick.net
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc. .
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
Characteristics -
This trojan is downloaded by one of the W32/Bagle variants. It modifies security settings on the victims computer.
Symptoms
Symptoms -
When executed it copies itself to the %Windir% folder as:
It further drops a DLL component under the name firewall_anti.dll into the %Windir% folder. This DLL is injected into the same memory space as Explorer.exe.
The following registry keys is created so that it runs each time after a reboot:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "firewall_anti"
= %Windir%\firewall_anti.exe
The following registry key is created so that it runs as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpFilterDriver\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_IPFILTERDRIVER
It blocks access to any of the following websites:
pandasoftware.com
clamav.net
www.clamav.net
www.bitdefender.com
bitdefender.com
ravantivirus.com
www.ravantivirus.com
drweb.ru
www.drweb.com
drweb.com<
antivir.de
www.antivir.de
216.200.68.152
212.113.20.69
63.210.193.12
84.53.142.22
84.53.142.6
kaspersky.ru
grisoft.com
www3.ca.com
www.viruslist.ru
www.viruslist.com
www.trendmicro.com
www.symantec.com
www.sophos.com
www.networkassociates.com
www.nai.com
www.my-etrust.com
www.mcafee.com
www.kaspersky.ru
www.kaspersky.com
www.kaspersky-labs.com
www.grisoft.com
www.fastclick.net
www.f-secure.com
www.awaps.net
www.avp.ru
www.avp.com
www.avp.ch
windowsupdate.microsoft.com
viruslist.ru
viruslist.com
vil.nai.com
us.mcafee.com
updates5.kaspersky-labs.com
updates4.kaspersky-labs.com
updates3.kaspersky-labs.com
updates2.kaspersky-labs.com
updates1.kaspersky-labs.com
updates.symantec.com
update.symantec.com
trendmicro.com
symantec.com
support.microsoft.com
spd.atdmt.com
sophos.com
service1.symantec.com
securityresponse.symantec.com
secure.nai.com
rads.mcafee.com
phx.corporate-ir.net
office.microsoft.com
networkassociates.com
nai.com
my-etrust.com
msdn.microsoft.com
media.fastclick.net
mcafee.com
mast.mcafee.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
kaspersky.com
kaspersky-labs.com
ids.kaspersky-labs.com
go.microsoft.com
ftp.sophos.com
ftp.kasperskylab.ru
ftp.f-secure.com
ftp.downloads2.kaspersky-labs.com
ftp.avp.ch
fastclick.net
f-secure.com
engine.awaps.net
downloads4.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads.microsoft.com
downloads-us3.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us1.kaspersky-labs.com
downloads-eu1.kaspersky-labs.com
download.microsoft.com
download.mcafee.com
dispatch.mcafee.com
customer.symantec.com
clicks.atdmt.com
click.atdmt.com
www.ca.com
ca.com
banners.fastclick.net
banner.fastclick.net
awaps.net
avp.ru
avp.com
avp.ch
atdmt.com
ar.atwola.com
ads.fastclick.net
ad.fastclick.net
ad.doubleclick.net
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc. .
Removal -
Removal -
Detection is included in our BETA DAT files
and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
Additional Windows ME/XP removal considerations
Variants
Variants -
