[resolved] VBS\Psyme Virus Scan Alert! (McAfee) (19 posts)

  1. Joerg
    Member
    Posted 3 years ago #

    Hello,

    usually I work on my multisite WP installation (backend) at home on my iMac via Safari, FF etc.

    Recently I worked on a PC with FF 3.6.18 (also tried IE 7.0.5730.13IS) installed and got a message from McAfee that a script has been stopped due to a VBS\Psyme trojan detection in load-script.php.

    I downloaded all my files from the web to a local folder on that PC and did a scan to it, but there was no detection of any trojan etc. made. I also scanned the entire PC without any find.

    I also deleted all cached files in both browsers, and McAfee kept warning when I log in to my backend of WP 3.2.

    Any idea? Is it just the outdated browser configuration on that PC (sorry I'm not allowed to upgrade to the most recent browsers on that machine to test it myself)? Or is there still a chance that there is a trojan virus?

    Many thanks for your help and advice.

    Cheers
    Yogie

  2. If you downloaded from wp.org (this site) it's either a false alert, OR your website is infected itself.

  3. Joerg
    Member
    Posted 3 years ago #

    I had hoped someone could clarify or let me know whether the problem is not only on my site, to determine what the truth is.

    I downloaded the WP 3.2 upgrade via the auto upgrade procedure and beyond that I downloaded WP 3.2 from here and deleted the files on the web-server and uploaded WP 3.2 by hand. Same alert responses from McAfee after new upload.

    And as I said before, I have downloaded all the files and scanned them locally; no alerts then. So it simply seems that the alert only occurs when I work at the WP back-end and load-scripts.php is called.

  4. Which means it's your SERVER that is infected, not WP. Which sucks :/

    1) Call your host NOW.

    2) Consider http://codex.wordpress.org/FAQ_My_site_was_hacked

  5. Joerg
    Member
    Posted 3 years ago #

    Well my Host did a check and was not able to find any virus or trojan and my laptop is virus free as well. So this is definitely something that is McAfee related.

  6. jwarcher
    Member
    Posted 3 years ago #

    YogieAnamCara, did you find anything else out about this problem?

    I just heard about this issue today from my boss who has McAfee on her computer. I logged into a computer with McAfee and get the virus alert for VBS/Psyme when I try to access admin pages in the back end. The front-facing pages aren't affected. If I'm logged into a regular user account, I don't get the alert at all, even when viewing my profile.

    I downloaded everything on the web server and scanned with Microsoft Internet Essentials (Windows 7) and nothing was found. I used WinMerge and couldn't find any differences between the live site and a fresh copy of WordPress.

    We upgraded to WP3.2 on July 7th. I upgraded to 3.2.1 today and overwrote all files on the server. Still, I get the McAfee warnings when logged into the back-end as an administrator. My Windows 7 computer doesn't detect any problems using Microsoft's Internet Essentials.

    Here is a log entry from McAfee:
    7/18/2011 12:22:04 PM Deleted [DOMAIN deleted]\[username deleted by me] C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\[username deleted by me]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WL2UEN8I\load-scripts[1].php VBS/Psyme (Trojan)

    I'm waiting to hear back from my host, but this is looking like a false alarm to me. The only thing that worries me is I don't see other people with the same issue when searching with Google.

  7. jwarcher
    Member
    Posted 3 years ago #

    Okay, did some more investigation. I rolled back my database to May 12th and the McAfee alert goes away. My next snapshot is May 19th, and if I roll back to that date, the alert appears.

    We upgraded to WP3.1 on March 23rd and WP3.2 on July 7th.

    I'll have to take a close look at these two SQL files and see what I can find. I'm not really sure what I'm looking for or if VBS/Psyme affects the database.

  8. jwarcher
    Member
    Posted 3 years ago #

    Okay, after investigating more, the problem is with the plugin Exec-PHP, so obviously this IS a false positive from McAfee. (sigh)

  9. Joerg
    Member
    Posted 3 years ago #

    jwarcher, this is the same I found out and what my host confirmed. It is a false positive from McAfee. So no worries!

  10. jwarcher
    Member
    Posted 3 years ago #

    I switched to the "PHP Execution" plugin and all is well.

  11. johninnit
    Member
    Posted 3 years ago #

    Thanks very much for posting this help everyone. I've switched to PHP Execution as well and the McAfee conflict luckily seems to be gone. Shame a McAfee mistake is making us switch away from a perfectly good plugin, but hey ho...

  12. Joerg
    Member
    Posted 3 years ago #

    I also switched over to PHP Execution. Thanks for sharing the solution!

  13. johnzeiger
    Member
    Posted 3 years ago #

    I'm not experiencing the McAfee issue but thought I'd check out PHP Execution as an alternative to Exec-PHP since it doesn't work with another plugin I use - Widget Entries (allows WYSIWYG editing of Text widgets).

    Unfortunately, with PHP Execution my custom footer PHP no longer works inside a Text widget let alone within Widget Entries.

  14. m_e_wade
    Member
    Posted 3 years ago #

    Thanks for the discussion. I manage a site at work that handles a lot of the administration of our ERP system, and I had the exact problem listed, McAfee barking about VBS/Psyme. I had Exec-PHP applied so I disabled it, applied PHP Execution, and the problem went away.

    Better support than I could have received if I had paid good money for it!

  15. Karesansui
    Member
    Posted 3 years ago #

    Shame a McAfee mistake is making us switch away from a perfectly good plugin, but hey ho...

    After I was unable to do any admin editing with Firefox on widgets and widget areas.

    Stop/Restart did not help, but I found out that it still worked in Chrome and MS IE v9.

    McAfee came up with the Trojan... three times ..... and counting.
    And removal of it resolved my problem. Problem is that it has not gone then, has it? Now looking to kill it forever (EXEC-PHP ???)
    It all started after the update to WP 3.2.1 this very morning....

  16. Karesansui
    Member
    Posted 3 years ago #

    Out of the blue - jwarcher:

    I switched to the "PHP Execution" plugin and all is well.

    How did you come to the conclusion that there would be any connection between EXEC-PHP and this virus??

    I got it immediately after the update to WP 3.2.1. EXEC-PHP was untouched.

  17. Karesansui
    Member
    Posted 3 years ago #

    And yes, problem solved after inactivating EXEC-PHP.

    I have informed the EXEC-PHP author about this.
    http://bluesome.net/post/2005/08/18/50/#response-50

    But then, knowing this, should the plugin not be put in HOLD on the WP-site ?!

  18. I dropped a note to plugins[at]wordpress.org about this one. I don't actually see anything in the plugin (it's not been touched in 15 months) to cause this, especially now.

    I'm pretty sure it's a false positive, but I'm not a PHP security expert. I did download the files and run them through my psycho virus scanner and came up clean.

  19. jwarcher
    Member
    Posted 3 years ago #

    How did you come to the conclusion that there would be any connection between EXEC-PHP and this virus??

    Like I posted above, I rolled back my database using snapshots from PHPMyAdmin until I found the last good configuration and then compared to the one right after it. The only thing I could see that had changed was EXEC-PHP being added. I updated the database to the current day and disabled EXEC-PHP and the problem went away.

    I don't have McAfee on the computer I develop on, so the problem was there for a couple of months without me noticing. When my boss logged in to the back end on her computer with McAfee, then I heard about the issue. I was pretty worried at first, but learned that the VBS\Psyme virus has been in the wild for several years, which made me think it unlikely that we were looking at a real, unpatched vulnerability.

    WordPress should definitely pull the plug-in until it is updated or until McAfee stops misidentifying this "virus."
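The snapshot-bisection that jwarcher describes in posts 7 and 19 (roll the database back until the alert disappears, then compare the last good snapshot with the first bad one) can be narrowed to the single wp_options row that records active plugins. The example below is added here and is not from the thread or from WordPress itself; the two SQL dump fragments and the plugin file paths in them are constructed samples, and the PHP-unserialize routine only handles the flat array-of-strings shape that active_plugins uses.

```python
"""Diff the WordPress active_plugins option between two wp_options dumps.

Added example (not part of the forum thread). Mirrors the snapshot
comparison described in the thread: find which plugin was enabled between
the last snapshot that did not trigger the McAfee alert and the first one
that did. The SQL rows below are constructed mysqldump-style excerpts.
"""
import re

# Constructed excerpts of two mysqldump files (only the relevant rows).
# mysqldump escapes embedded double quotes as \" inside single-quoted values.
SNAPSHOT_GOOD = r"""INSERT INTO `wp_options` VALUES (33,'active_plugins','a:1:{i:0;s:19:\"akismet/akismet.php\";}','yes');"""
SNAPSHOT_BAD = r"""INSERT INTO `wp_options` VALUES (33,'active_plugins','a:2:{i:0;s:19:\"akismet/akismet.php\";i:1;s:21:\"exec-php/exec-php.php\";}','yes');"""


def php_unserialize_string_array(data: str) -> list:
    """Decode a PHP-serialized array of strings: a:N:{i:0;s:L:"v";...}.

    Only this shape is needed for active_plugins. Lengths are byte counts
    in PHP; plugin paths are ASCII, so character counts match here.
    """
    head = re.match(r"a:(\d+):\{", data)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(head.group(1)), head.end(), []
    for _ in range(count):
        key = re.compile(r"i:\d+;").match(data, pos)
        if not key:
            raise ValueError("unsupported key at offset %d" % pos)
        val = re.compile(r's:(\d+):"').match(data, key.end())
        if not val:
            raise ValueError("unsupported value at offset %d" % key.end())
        length, pos = int(val.group(1)), val.end()
        items.append(data[pos:pos + length])
        pos += length
        if data[pos:pos + 2] != '";':
            raise ValueError("bad string terminator at offset %d" % pos)
        pos += 2
    return items


def active_plugins(dump_sql: str) -> list:
    """Pull the active_plugins value out of a wp_options dump and decode it."""
    m = re.search(r"'active_plugins','((?:[^'\\]|\\.)*)'", dump_sql)
    if not m:
        return []
    raw = re.sub(r"\\(.)", r"\1", m.group(1))  # undo mysqldump backslash escapes
    return php_unserialize_string_array(raw)


def plugin_diff(good_sql: str, bad_sql: str):
    """Return (plugins added in bad, plugins removed in bad) relative to good."""
    good, bad = set(active_plugins(good_sql)), set(active_plugins(bad_sql))
    return sorted(bad - good), sorted(good - bad)


if __name__ == "__main__":
    added, removed = plugin_diff(SNAPSHOT_GOOD, SNAPSHOT_BAD)
    print("enabled between snapshots:", added)   # ['exec-php/exec-php.php']
    print("disabled between snapshots:", removed)  # []
```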

Topic Closed

This topic has been closed to new replies.