[sioban]

Gedrean, on Apr 29 2009, 01:02 PM, said:

Alright I figured it out - sorry.
VipreRescueScanner is extracted from VipreRescue.exe -

Yep just found that one.

Quote

Here's my expectation: You already had the virus, and as it downloaded and wrote the file the virus found an exe and implanted into it.

Maybe, but I was not able to found another source...

Quote

That being said, it is VERY Possible that, yes, you received a virus through that download, and the VIPRE people had a virus in one of their distributions.

Problem: A virus CANNOT spread from an EXE without the EXE being run or launched ... or worked upon in SOME WAY by a program or function that is susceptible to that virus.

What did you do with that EXE when you were advised it was a virus?

In fact I was not very suspicious.
I thought it was a false positive, anyway my av said it cleaned it...

BUT : what is what I suspect.

VipreRescue.exe is an archive.
VipreRescueScanner.exe is extracted from this archive.

While building my av detected the virus in VipreRescueScanner.exe and cleaned it (but it's still present in VIPRERescue.exe).

VipreRescue.Exe and the cleaned VipreRescueScanner.exe are included on the iso

Today I've booted on the iso (in fact an USB key) and ran Vipre.
The infected VipreRescueScanner is extracted again (I suppose) and executed (I've found infected dll and sys in the minint directories on the USB key).
Them a scan is ran infecting every opened on my HardDisk.

Tada!

Just My 2 cents....

I will have more arguments tomorrow, as I've builded UBCD4Win, the same day on another computer at work, I'll just have to check the vipresrescuescanner.exe on that computer (I've not ran it on this one) and see if it's infected, confirming it or not.

BTW, I've ran a viprerescue.exe suspected in a sandbox environment and got an alert about nvmini.sys (the rootkit of almanahe.

This post has been edited by sioban: 29 April 2009 - 03:46 PM

[rdsok]

There are too many reasons to suspect the computer in question was already infected and not the file that VipreRescueScanner.exe that was downloaded was the initial cause of that infection.

First... Sunbelt is a very reputable company that actually sells security software and have been in business for a very long time. So while it is possible but it is such a slim possibility that they got infected to almost by itself to be reason to suspect everything else before you suspect their software.

Second, as Gedrean stated, malware can not infect a computer if it is not ever actually run. It is only after running it that anything can happen.

Third, the malware in question uses rootkit technology... This could ( and usually does ) effectively hide the malware from any protection software that is already on the system. So just because your AV software had not detected it doesn't mean it was not there and just being hidden.

I've got several versions of the file in question on my work system... all were the same filesize ( 413,696 bytes ) which is smaller than the one reported ( 454,656 bytes ) ... it has a 11,000 byte difference in size. Today after seeing this report, I tested two of the files I had on the VirusTotal website, one I got on 04-20-2009 and one I got today 04-29-2009 and both were clean.

These are those two reports just for your info...

File I got on 04-20-2009 http://www.virustota...9e84ddf4c0838c1
File I got on 04-29-2009 http://www.virustota...72d4fdd3c0406ff


I strongly believe, based on my experience with these issues, that as the file was finishing getting downloaded, the infection then infected the download which was what was detected before the rootkit had time to "hide" the newly infected file ( or at least the effect of it being infected )

The last bit of circumstantial evidence.... use an internet search to see how many other reports exist for this very file being infected. At the time I did one... there was only one... had it been actually an infection being ( unknowningly ) distributed by Sunbelt that number would be much higher at this point ( 5 days later )

[sioban]

rdsok, on Apr 29 2009, 07:43 PM, said:

First... Sunbelt is a very reputable company that actually sells security software and have been in business for a very long time. So while it is possible but it is such a slim possibility that they got infected to almost by itself to be reason to suspect everything else before you suspect their software.

Maybe, but I was not able to found out another source.

rdsok, on Apr 29 2009, 07:43 PM, said:

Second, as Gedrean stated, malware can not infect a computer if it is not ever actually run. It is only after running it that anything can happen.

It was run !!
Read my precedant post.

rdsok, on Apr 29 2009, 07:43 PM, said:

Third, the malware in question uses rootkit technology... This could ( and usually does ) effectively hide the malware from any protection software that is already on the system. So just because your AV software had not detected it doesn't mean it was not there and just being hidden.

The rootkit is not seen.
The infected PE is seen.

rdsok, on Apr 29 2009, 07:43 PM, said:

I've got several versions of the file in question on my work system... all were the same filesize ( 413,696 bytes ) which is smaller than the one reported ( 454,656 bytes ) ... it has a 11,000 byte difference in size. Today after seeing this report, I tested two of the files I had on the VirusTotal website, one I got on 04-20-2009 and one I got today 04-29-2009 and both were clean.

The extended size correspond of an infected binary.

My infected PE was goten 04-24-2009

rdsok, on Apr 29 2009, 07:43 PM, said:

I strongly believe, based on my experience with these issues, that as the file was finishing getting downloaded, the infection then infected the download which was what was detected before the rootkit had time to "hide" the newly infected file ( or at least the effect of it being infected )

Maybe, but it should have infected other downloads the same day (Avira, A squared free, Kaspersky virus removal tool, etc).
I was building UBCD4WIN.

rdsok, on Apr 29 2009, 07:43 PM, said:

The last bit of circumstantial evidence.... use an internet search to see how many other reports exist for this very file being infected. At the time I did one... there was only one... had it been actually an infection being ( unknowningly ) distributed by Sunbelt that number would be much higher at this point ( 5 days later )

I've done that when I've suspected VIPRE, and found nothing.

Maybe I'm wrong, and after analysing the VIPRERescueScanner.exe I've made the same day on another computer which is clean (the binary and the computer) lead me to think that truth is somewhere else.

[bengt]

Any furher problems with Vipre causing false or real positives I suggest you direct them at Sunbelt since it is obvious that the problem is not with ubcd4win.
hxxp://www.sunbeltsoftware.com

[sioban]

I've just made another virus scan.

The virus is found in VIPRERescueScanner.exe archived in VIPRERescue.exe.

This mean that VIPRERescue.exe is not infected but the VIPRERescueScanner.exe inside it, is infected.

That's not good !

[bengt]

Did a fresh download of the file 5 minutes ago and sent it to virustotal.com for a scan, nothing....

[sioban]

Sorry, I wasn't clear enough.
That's not a build downloaded today, that's the build I've downloaded last friday.

Anyway, the problem is gone.

But that's not because a enterprise is reputable in security manner, that they are protected from hackers modifying source files.
This has been done several times in the past (debian, redhat, kaspersky, microsoft, etc).

EDIT: I have all the infos now, I'll send an email to sunbelt.
- VipreRescue.exe
* date = 21-04-2009 18:29
* size = 143,790,080 octets
* MD5 = ae55481c8dfd9a2f4cd6eb05e0a060cc
NOT INFECTED

- VipreRescueScanner.exe
* date = 16-03-2009 10:36
* size = 454,656 octets
* MD5 = b7f7fc3eb38a2f26239b7330f987bb9a
INFECTED : http://www.virustota...d6a00821525ec47
ThreatExpert Report : http://www.threatexp...39b7330f987bb9a (looks like it detect VM and abort)
Anubis Report : http://anubis.isecla...amp;format=html (I've got the same problem trying to run it sanboxed)

So my tought were rights, VipreRescue.exe came with an infected VipreRescueScanner.exe.

This post has been edited by sioban: 30 April 2009 - 03:05 AM

[BvF7734]

forget it... I wrote a long diatribe and just forget it... never mind.

This post has been edited by hilander999: 30 April 2009 - 02:13 PM

[NDJeff]

Avira AV also reports a virus when downloading the Vipre plug-in. It's detected toward the end of the large download, before the download is finished. I'm pretty certain it's a false positive that some virus scanners pick up.
Microsoft Forefront AV at work does not detect any virus during the download of the same file. Of course, MS antivirus doesnt detect much of anything else, but that's a different story ;p

This post has been edited by NDJeff: 30 April 2009 - 09:50 AM

[pcuser]

@sioban, did you read this yesterday?

Quote

Sunbelt did have a problem with the Rescue Scanner creating false positives. they had pulled it and just put it back online late yesterday with the good version. I would redownload it again and try it.

[sioban]

@NDJeff & @pcuser : did you read my full post ? This is not a False Positive (it's even on the way to be confirmed by Sunbelt...)

I post the Virustotal report for the lazy men :

Quote

Fichier VIPRERescueScanner.exe reçu le 2009.04.24 14:49:05 (CET)
Situation actuelle: terminé
Résultat: 38/40 (95.00%)

Antivirus Version Dernière mise à jour Résultat
a-squared 4.0.0.101 2009.04.24 Virus.Win32.Alman.b!IK
AhnLab-V3 5.0.0.2 2009.04.24 Win32/Alman.C
AntiVir 7.9.0.155 2009.04.24 W32/Almanahe.B
Antiy-AVL 2.0.3.1 2009.04.24 Virus/Win32.Alman.b
Authentium 5.1.2.4 2009.04.23 W32/Alman.C
Avast 4.8.1335.0 2009.04.23 Win32:Alman
AVG 8.5.0.287 2009.04.24 Win32/Alman
BitDefender 7.2 2009.04.24 Win32.Almanahe.D
CAT-QuickHeal 10.00 2009.04.23 W32.Almanahe.B
ClamAV 0.94.1 2009.04.24 W32.Alman-2
Comodo 1130 2009.04.23 -
DrWeb 4.44.0.09170 2009.04.24 Win32.Alman
eSafe 7.0.17.0 2009.04.23 Win32.Almanahe.B
eTrust-Vet 31.6.6474 2009.04.24 Win32/Almanahe.F!x386
F-Prot 4.4.4.56 2009.04.23 W32/Alman.C
F-Secure 8.0.14470.0 2009.04.24 Virus.Win32.Alman.b
Fortinet 3.117.0.0 2009.04.24 W32/Alman.DB
GData 19 2009.04.24 Win32.Almanahe.D
Ikarus T3.1.1.49.0 2009.04.24 Virus.Win32.Alman.b
K7AntiVirus 7.10.714 2009.04.23 Virus.Win32.Alman.b
Kaspersky 7.0.0.125 2009.04.24 Virus.Win32.Alman.b
McAfee 5594 2009.04.23 W32/Almanahe.c
McAfee+Artemis 5594 2009.04.23 W32/Almanahe.c
McAfee-GW-Edition 6.7.6 2009.04.24 Win32.Almanahe.B
Microsoft 1.4602 2009.04.24 Virus:Win32/Almanahe.B
NOD32 4033 2009.04.24 Win32/Alman.NAB
Norman 6.00.06 2009.04.24 W32/Alman.B
nProtect 2009.1.8.0 2009.04.24 Virus/W32.Alman.B
Panda 10.0.0.14 2009.04.23 W32/Almanahe.C
PCTools 4.4.2.0 2009.04.24 Win32.Alman.B
Prevx1 3.0 2009.04.24 -
Rising 21.26.43.00 2009.04.24 Worm.Magistr.g
Sophos 4.41.0 2009.04.24 W32/Alman-C
Sunbelt 3.2.1858.2 2009.04.24 Virus.Win32.Alman.b (v)
Symantec 1.4.4.12 2009.04.24 W32.Almanahe.B!inf
TheHacker 6.3.4.0.313 2009.04.24 W32/Almanahe.C
TrendMicro 8.700.0.1004 2009.04.24 PE_CORELINK.C-1
VBA32 3.12.10.3 2009.04.24 Virus.Win32.Alman.ab
ViRobot 2009.4.24.1708 2009.04.24 Win32.Alman.B
VirusBuster 4.6.5.0 2009.04.23 Win32.Alman.B

This post has been edited by sioban: 30 April 2009 - 12:11 PM

[bengt]

@sioban
we get it, but you are referring to an old file, get the new one and stop whining...

[sioban]

Hey !

I'm not whining !
I'm just answering to a question pcuser asked !

Looks like some people are quite aggressive here.

That's sad.

[bengt]

sioban, on Apr 30 2009, 09:48 PM, said:

Hey !

I'm not whining !
I'm just answering to a question pcuser asked !

Looks like some people are quite aggressive here.

That's sad.

I am off my medication and need a hug

This post has been edited by bengt: 30 April 2009 - 02:53 PM

[SteelTrepid]

Yeah, let's just settle down here a little. This should be a friendly discussion, no need for fights or anything. I don't think we will ever find out the true answer to this, but can have a decent discussion about it.