Jump to content
This Topic

Win32:Doomber-C [Wrm]

WDGC

By WDGC
in Malware Prevention and Security

 Share

Recommended Posts

WDGC

WDGC

Posted
Posted

About a week ago I downloaded PsTools 2.24 from the Sysinternals website:

http://www.sysinternals.com/index.html

The latest avast! A-V update [0602-3, 13/01/06] reports Win32:Doomber-C [Wrm], which it calls a Virus/Worm, as being present in psinfo.exe, which is a component of PsTools 2.24.

Prior to the 0602-3, 13/01/06 update, avast! did not detect this "virus/worm" and nor do any other scanning programs I use - Ad-Aware, Spybot, MSASW, ewido, Webroot Spy Sweeper, all with latest definitions.

It seems highly unlikely a program from a site of the eminence and standing of Sysinternals would contain a virus/worm.

Is this detection a false positive?

Any information regarding this matter would be appreciated.

.


WDGC

WDGC

Posted
  • Author
Posted

I also uploaded the file to Virus Total and Kaspersky:

http://www.virustotal.com/xhtml/index_en.html

http://www.kaspersky.com/scanforvirus

Here are the results:

14/01/2006

Jotti's malware scan 2.99-TRANSITION_TO_3.00

File to upload & scan: Virus

Service

Service load:

0% 100%

File: Psinfo.exe

Status:

POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)

MD5 ed55f8877ff59fc4780bfaa91d0dcdfb

Packers detected:

-

Scanner results

AntiVir

Found nothing

ArcaVir

Found nothing

Avast

Found Win32:Doomber-C

AVG Antivirus

Found nothing

BitDefender

Found nothing

ClamAV

Found nothing

Dr.Web

Found nothing

F-Prot Antivirus

Found nothing

Fortinet

Found nothing

Kaspersky Anti-Virus

Found nothing

NOD32

Found nothing

Norman Virus Control

Found nothing

UNA

Found nothing

VBA32

Found nothing

This is a report processed by VirusTotal on 01/14/2006 at 06:34:41 (CET) after scanning the file "Psinfo.exe" file.

Antivirus Version Update Result

AntiVir 6.33.0.77 01.13.2006 no virus found

Avast 4.6.695.0 01.13.2006 Win32:Doomber-C

AVG 718 01.13.2006 no virus found

Avira 6.33.0.77 01.13.2006 no virus found

BitDefender 7.2 01.14.2006 no virus found

CAT-QuickHeal 8.00 01.11.2006 no virus found

ClamAV devel-20051123 01.13.2006 no virus found

DrWeb 4.33 01.13.2006 no virus found

eTrust-Iris 7.1.194.0 01.14.2006 no virus found

eTrust-Vet 12.4.1.0 01.13.2006 no virus found

Ewido 3.5 01.13.2006 no virus found

Fortinet 2.54.0.0 01.14.2006 no virus found

F-Prot 3.16c 01.13.2006 no virus found

Ikarus 0.2.59.0 01.13.2006 no virus found

Kaspersky 4.0.2.24 01.14.2006 no virus found

McAfee 4674 01.13.2006 no virus found

NOD32v2 1.1364 01.13.2006 no virus found

Norman 5.70.10 01.13.2006 no virus found

Panda 9.0.0.4 01.13.2006 no virus found

Sophos 4.01.0 01.14.2006 no virus found

Symantec 8.0 01.14.2006 no virus found

TheHacker 5.9.2.074 01.14.2006 no virus found

UNA 1.83 01.13.2006 no virus found

VBA32 3.10.5 01.13.2006 no virus found

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Kaspersky File Scanner

You're clean!

Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.

However, only a fully-functional antivirus solution with regularly updated virus definitions can ensure comprehensive protection against malware. If you do not have an antivirus solution installed, you may wish to consider purchasing one today.

* Download a trial version of Kaspersky Anti-Virus

* Purchase Kaspersky Anti-Virus in our E-Store

* Purchase Kaspersky Anti-Virus from a certified partner

Scanned file: Psinfo.exe

Psinfo.exe - OK

Statistics:

Known viruses: 171751 Updated: 14-01-2006

File size (Kb): 132 Virus bodies: 0

Files: 1 Warnings: 0

Archives: 0 Suspicious: 0

.

LLXX

LLXX

Posted
Posted

From a manual inspection of the file, it contains many network paths and networking-related items that look suspicious, as well as containing an appended executable. Perhaps that was why it was detected as a worm.

WDGC

WDGC

Posted
  • Author
Posted

False positive fixed.

The latest avast! A-V update [0602-4, 14/01/06] doesn't detect Win32:Doomber-C [Wrm] as being present in psinfo.exe

.

WDGC

WDGC

Posted
  • Author
Posted
  atomizer said:
i just scanned it with my trusty ClamWin and came up clean.

Well, I should hope so - as my last post indicates - the avast! detection was a false positive.

Apart from that did you not read the results I posted earlier?

To wit:

ClamAV devel-20051123 01.13.2006 no virus found

ClamAV

Found nothing

.

atomizer

atomizer

Posted
Posted
  WDGC said:
Well, I should hope so - as my last post indicates - the avast! detection was a false positive.

Apart from that did you not read the results I posted earlier?

i did, but i didn't look for Clam because i just assumed it wouldn't be there :blushing:

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...