Gedrean, on Apr 29 2009, 01:02 PM, said:
VipreRescueScanner is extracted from VipreRescue.exe -
Yep just found that one.
Quote
Maybe, but I was not able to find another source...
Quote
Problem: A virus CANNOT spread from an EXE without the EXE being run or launched ... or worked upon in SOME WAY by a program or function that is susceptible to that virus.
What did you do with that EXE when you were advised it was a virus?
In fact I was not very suspicious.
I thought it was a false positive, anyway my av said it cleaned it...
BUT: this is what I suspect.
VipreRescue.exe is an archive.
VipreRescueScanner.exe is extracted from this archive.
While building, my av detected the virus in VipreRescueScanner.exe and cleaned it (but it's still present in VIPRERescue.exe).
VipreRescue.Exe and the cleaned VipreRescueScanner.exe are included on the iso.
Today I booted on the iso (in fact a USB key) and ran Vipre.
The infected VipreRescueScanner is extracted again (I suppose) and executed (I've found infected dll and sys files in the minint directories on the USB key).
Then a scan is run, infecting every file opened on my hard disk.
Tada!
Just My 2 cents....
I will have more arguments tomorrow, as I built UBCD4Win the same day on another computer at work. I'll just have to check the VipreRescueScanner.exe on that computer (I've not run it on this one) and see if it's infected, confirming it or not.
BTW, I ran a suspected viprerescue.exe in a sandbox environment and got an alert about nvmini.sys (the rootkit of Almanahe).

This post has been edited by sioban: 29 April 2009 - 03:46 PM