The McAfee Rootkit Detector, when we tested it the other day, did not detect this “variant.” We say variant, because these adversaries can take the executable and repackage it with various tools that make it undetectable to many signature based solutions. Since the posting of this, we have various additional repackaged versions that remain undetected.

All AV vendors have similar challenges detecting these repackaged versions. If your signatures are up to date, you will likely detect the original variant. However, there are more that have been released that are difficult to detect. AV plays an important role here – but cannot be relied upon exclusively.

The IE vulnerability can be used to deliver malware. This particular group has access to a very large spamming bot, and is using custom crafted emails that can be very convincing.

See last response on patching. If they successfully convince you to open an trojan document, or use a zero day, or to voluntarily install, you will be infected. Patching, like AV, is part of the solution and makes you more resistant, but does not make anyone immune.

Currently, we see many machines infected Zeus (74.118.192.124 via tcp 5900), we are advised to use McAfee Rootkit Detector.

We are using Symantec so we just make sure that our definitions is updated and run a full scan (safe mode) http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99 or we really need to use this mcafee rootkit detective?

BY the way, about infection, is it exploiting something in a unpatch vulnerabilities in the IE browser?
I wanted to know if this issue similar to conficker that as long as we patch MS08-067 the machine is conficker free?

Or this malware can infect users even if they have no vulnerability at all as long as the user will click malicious something on the net?
how can a certain malware infect a fully patch machine (assuming no more 0-day vulnerability issue), can it still infect or exploit?

Thanks