Anyone Have Clue about “Injector.VMX” Trojan / Virus?

I’ve got an “odd case” at a client site.

A SonicWall security appliance claims one machine as the “injector.VMX” trojan / virus on it.

The Trend Micro antivirus on the machine says it is clean.

Trying to find out more about “injector.VMX” comes up with very little. Mostly some “scareware” sites trying to get me to install their supposed “fix” when I know nothing about their sites or the fix. CERT didn’t pop anything that I could find.

So I’m at a bit of a loss how to proceed.

Any information about it, or how to remove it, or if it is really something else, frankly, anything would help.

Being at best a mediocre Windows PC Guy, I’m a bit out of my depth on this one.


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

10 Responses to Anyone Have Clue about “Injector.VMX” Trojan / Virus?

  1. E.M.Smith says:

    Looks like it is likely a “False Positive” on the SonicWall:

    https://www.reddit.com/r/sonicwall/comments/ns5sfd/anyone_else_getting_numerous_gav_blocks_from_the/

    Posted by u/uebersoldat, 4 days ago
    Anyone else getting numerous GAV blocks from the Akamai network the past 12 hours?
    Gateway Anti-Virus Alert: Injector.VMX (Trojan) blocked.

    I noticed this is on machines with Quickbooks installed and the QB Web Connector service is throwing an error but I’m still digging.

    Hopefully it’s just a false positive!

    EDIT: Heard back from Sonicwall support, it’s a false positive in my case. Obligatory ‘update your signatures’ if you haven’t already.

    Started the same “4 days ago” as the report I ran into.

    Other folks getting the same pattern:

    pibegardel
    Same here, inundated with emails. It’s a vacation day for me (of course) so I ran some quick virus sweeps on the PCs and they came back clean. Called my SonicWall support people but they hadn’t heard of a virus definition gone rogue. I was debating going in until I saw this post. QuickBooks is installed on those PC so my guess is that y’all are right. Forwarded this post to my SonicWall support people.
    […]
    cybermansa
    Yes, we are getting slammed with these as well starting from around midnight across multiple PCs and clients. I thought it was related to 21H1 update but Quickbooks makes sense and now that I think of it I do believe it is installed on and was open on most the affected PCs. Not sure if ALL. Did a new definitions update come out last night? Does seem to be a false positive. Was going to open a ticket with Sonicwall.

    So “never mind”…

  2. Ossqss says:

    Watch the SQL injections.

  3. p.g.sharrow says:

    From my grandson, who is the most expert person I know about Windows/Intel stuff:
    ‘Injector:VMX is a behavior-based flag. Means it sent or received a file or packet that looked like it had an application that could inject code into another application or into Windows’ boot at runtime.

    Some antiviruses will flag tools like Sk8r and KMSPico (Windows hack-activation software) as Injector:VMX.

    They run at such a low level, an antivirus running on the computer can’t even see it. Tell the client to install the boot drive of the flagged machine in another machine as a secondary HDD, then have TrendMicro scan it from there.’

  4. John Hultquist says:

    Nothing to say on this issue, but . . .
    I got a phishing (sp. ?) email this morning from a site claiming to be McAfee Security and wanting me to connect or call and pay about $600 via an auto-pay deal.
    I hit the “report as spam” button (using gmail).

    Is there a computer term for an on-screen button? ’cause it is not a real button.
    John

  5. E.M.Smith says:

    @Jim2:

    The “howtoremove” site is one of the “scareware” sites I was talking about. Mostly pushing their “fix it” software. They have a lot of “Bum’s Rush” push to install their software and not much actual information about the trojan.

    @P.G.:

    Thanks for that idea (moving boot disk to another machine and then scanning). I’ll keep that in the back pocket “just in case”.

    As of now, it looks very much like the SonicWall “signature” is picking up Quickbooks too and having a bit of a tizzy over a non-virus application. I.e. the “signature” is slight and close enough to Quickbooks that it gives a False Positive.

    This would explain the sudden onset AFTER the Sonicwall was in place (new signature update happened) and while Trend Micro AV was installed and running. I.e. “how did it get in?” Answer: It didn’t get in… It also explains why there was zero unexpected CPU activity (monitoring at a detail level showed nothing out of the ordinary on the box).

    So at this point, I’m mostly going to assure the “Signatures” are updated with whatever Sonicwall pushes as the replacement, then let things run again for a few days (when the machine ought to no longer be flagged…).

    @John Hultquist:

    I don’t know if it is Apple Specific terminology or not, but we always just called them “Radio Buttons”.

    You have a choice of a few “buttons” and pushing one of them makes something happen.
    https://en.wikipedia.org/wiki/Radio_button
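    A worked triage of the false-positive pattern the comment above describes (sudden onset right after a signature update, many hosts at once, on-host AV reporting clean). This is an added example, not code from the post or from SonicWall; the log line format, addresses and timestamps are constructed for illustration and do not match SonicWall's real syslog schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (assumption: simplified "time src= dst= msg=" format,
# not SonicWall's real syslog schema). Several hosts, one signature, same night.
SAMPLE_ALERTS = """\
2021-06-04T00:02:11 src=10.0.0.21 dst=203.0.113.10 msg="Gateway Anti-Virus Alert: Injector.VMX (Trojan) blocked."
2021-06-04T00:05:47 src=10.0.0.22 dst=203.0.113.10 msg="Gateway Anti-Virus Alert: Injector.VMX (Trojan) blocked."
2021-06-04T00:09:03 src=10.0.0.23 dst=203.0.113.11 msg="Gateway Anti-Virus Alert: Injector.VMX (Trojan) blocked."
2021-06-04T08:41:20 src=10.0.0.21 dst=203.0.113.10 msg="Gateway Anti-Virus Alert: Injector.VMX (Trojan) blocked."
2021-06-04T09:15:00 src=10.0.0.50 dst=198.51.100.7 msg="Gateway Anti-Virus Alert: Example.Other (Trojan) blocked."
"""
LINE_RE = re.compile(r'^(\S+) src=(\S+) dst=(\S+) msg="Gateway Anti-Virus Alert: (\S+) \(')

def parse_alerts(text):
    """Return a list of (time, src, dst, signature) tuples from the constructed log format."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return out

def triage(alerts, signature_update, host_av_clean, min_hosts=3, onset_window=timedelta(hours=24)):
    """Score each signature for the false-positive indicators from the thread:
    many distinct hosts flagged, first hit shortly after a signature update,
    and the on-host AV (host_av_clean map) reporting every flagged host clean.
    A 'likely' verdict is a reason to ask the vendor, not to stop investigating."""
    by_sig = defaultdict(list)
    for t, src, dst, sig in alerts:
        by_sig[sig].append((t, src, dst))
    report = {}
    for sig, hits in by_sig.items():
        hosts = {src for _, src, _ in hits}
        first = min(t for t, _, _ in hits)
        indicators = {
            "many_hosts": len(hosts) >= min_hosts,
            "onset_after_update": timedelta(0) <= first - signature_update <= onset_window,
            "hosts_av_clean": all(host_av_clean.get(h, False) for h in hosts),
        }
        indicators["likely_false_positive"] = all(indicators.values())
        report[sig] = {"hosts": sorted(hosts), **indicators}
    return report
```

    A signature that trips on one host only, or that keeps firing after the vendor's corrected signature is installed, fails the checks and should be treated as a real detection until proven otherwise.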

  6. philjourdan says:

    I found the false positives as well. However, I did find one site, that I do trust, that says they can remove it (it is freeware)

    http://www.combo-fix.com/threat-database/injector-vmx-threat-alert/

    I have used Combofix several times when all else failed to rid a computer of a bad bug.

  7. u.k.(us) says:

    Which side would you rather be on, the hacker or anti-hacker ?
    Anti-hacker sounds like more fun :)
