UBCD4Win Forums: VipreRescueScanner Infected by W32.Almanahe.B!inf

VipreRescueScanner Infected by W32.Almanahe.B!inf

#16 sioban (Member; Group: Members; Posts: 40; Joined: 24-April 09)

Posted 29 April 2009 - 03:44 PM

Gedrean, on Apr 29 2009, 01:02 PM, said:

    Alright I figured it out - sorry.
    VipreRescueScanner is extracted from VipreRescue.exe -

Yep, just found that one.

Quote

    Here's my expectation: You already had the virus, and as it downloaded and wrote the file the virus found an exe and implanted into it.

Maybe, but I was not able to find another source...

Quote

    That being said, it is VERY Possible that, yes, you received a virus through that download, and the VIPRE people had a virus in one of their distributions.

    Problem: A virus CANNOT spread from an EXE without the EXE being run or launched ... or worked upon in SOME WAY by a program or function that is susceptible to that virus.

    What did you do with that EXE when you were advised it was a virus?

In fact I was not very suspicious.
I thought it was a false positive; anyway, my AV said it cleaned it...

BUT: here is what I suspect.

VipreRescue.exe is an archive.
VipreRescueScanner.exe is extracted from this archive.

While building, my AV detected the virus in VipreRescueScanner.exe and cleaned it (but it's still present in VIPRERescue.exe).

VipreRescue.exe and the cleaned VipreRescueScanner.exe are included on the ISO.

Today I booted the ISO (in fact a USB key) and ran Vipre.
The infected VipreRescueScanner is extracted again (I suppose) and executed (I found infected DLL and SYS files in the minint directories on the USB key).
Then a scan is run, infecting every file opened on my hard disk.

Tada!

Just my 2 cents...

I will have more arguments tomorrow, as I built UBCD4Win the same day on another computer at work. I'll just have to check the VipreRescueScanner.exe on that computer (I haven't run it on this one) and see if it's infected, confirming it or not.

BTW, I ran a suspected viprerescue.exe in a sandbox environment and got an alert about nvmini.sys (the rootkit of Almanahe.B).

This post has been edited by sioban: 29 April 2009 - 03:46 PM

#17 rdsok (Group: Admin; Posts: 6,041; Joined: 02-October 05; Location: Norman, Ok. USA)

Posted 29 April 2009 - 06:43 PM

There are too many reasons to suspect the computer in question was already infected, and not that the VipreRescueScanner.exe file that was downloaded was the initial cause of that infection.

First... Sunbelt is a very reputable company that actually sells security software and has been in business for a very long time. So while it is possible, it is such a slim possibility that they got infected that it is almost by itself reason to suspect everything else before you suspect their software.

Second, as Gedrean stated, malware cannot infect a computer if it is not ever actually run. It is only after running it that anything can happen.

Third, the malware in question uses rootkit technology... This could (and usually does) effectively hide the malware from any protection software that is already on the system. So just because your AV software had not detected it doesn't mean it was not there and just being hidden.

I've got several versions of the file in question on my work system... all were the same filesize (413,696 bytes), which is smaller than the one reported (454,656 bytes)... it has an 11,000 byte difference in size. Today after seeing this report, I tested two of the files I had on the VirusTotal website, one I got on 04-20-2009 and one I got today 04-29-2009, and both were clean.

These are those two reports just for your info...

File I got on 04-20-2009 http://www.virustota...9e84ddf4c0838c1
File I got on 04-29-2009 http://www.virustota...72d4fdd3c0406ff

I strongly believe, based on my experience with these issues, that as the file was finishing getting downloaded, the infection then infected the download, which was what was detected before the rootkit had time to "hide" the newly infected file (or at least the effect of it being infected).

The last bit of circumstantial evidence.... use an internet search to see how many other reports exist for this very file being infected. At the time I did one... there was only one... had it been actually an infection being (unknowingly) distributed by Sunbelt, that number would be much higher at this point (5 days later).

Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....

#18 sioban (Member; Group: Members; Posts: 40; Joined: 24-April 09)

Posted 30 April 2009 - 01:47 AM

rdsok, on Apr 29 2009, 07:43 PM, said:

    First... Sunbelt is a very reputable company that actually sells security software and has been in business for a very long time. So while it is possible, it is such a slim possibility that they got infected that it is almost by itself reason to suspect everything else before you suspect their software.

Maybe, but I was not able to find another source.

rdsok, on Apr 29 2009, 07:43 PM, said:

    Second, as Gedrean stated, malware cannot infect a computer if it is not ever actually run. It is only after running it that anything can happen.

It was run!!
Read my previous post.

rdsok, on Apr 29 2009, 07:43 PM, said:

    Third, the malware in question uses rootkit technology... This could (and usually does) effectively hide the malware from any protection software that is already on the system. So just because your AV software had not detected it doesn't mean it was not there and just being hidden.

The rootkit is not seen.
The infected PE is seen.

rdsok, on Apr 29 2009, 07:43 PM, said:

    I've got several versions of the file in question on my work system... all were the same filesize (413,696 bytes), which is smaller than the one reported (454,656 bytes)... it has an 11,000 byte difference in size. Today after seeing this report, I tested two of the files I had on the VirusTotal website, one I got on 04-20-2009 and one I got today 04-29-2009, and both were clean.

The extended size corresponds to an infected binary.

My infected PE was gotten 04-24-2009.

rdsok, on Apr 29 2009, 07:43 PM, said:

    I strongly believe, based on my experience with these issues, that as the file was finishing getting downloaded, the infection then infected the download, which was what was detected before the rootkit had time to "hide" the newly infected file (or at least the effect of it being infected).

Maybe, but it should have infected other downloads the same day (Avira, A-squared Free, Kaspersky Virus Removal Tool, etc.).
I was building UBCD4WIN.

rdsok, on Apr 29 2009, 07:43 PM, said:

    The last bit of circumstantial evidence.... use an internet search to see how many other reports exist for this very file being infected. At the time I did one... there was only one... had it been actually an infection being (unknowingly) distributed by Sunbelt, that number would be much higher at this point (5 days later).

I did that when I suspected VIPRE, and found nothing.

Maybe I'm wrong; analysing the VIPRERescueScanner.exe I made the same day on another computer, which is clean (the binary and the computer), leads me to think that the truth is somewhere else.

#19 bengt (Skeptic; Group: Donator/Beta Tester; Posts: 1,262; Joined: 16-December 05; Location: Bork, bork, bork)

Posted 30 April 2009 - 02:07 AM

Any further problems with Vipre causing false or real positives, I suggest you direct at Sunbelt, since it is obvious that the problem is not with ubcd4win.
hxxp://www.sunbeltsoftware.com

#20 sioban (Member; Group: Members; Posts: 40; Joined: 24-April 09)

Posted 30 April 2009 - 02:17 AM

I've just made another virus scan.

The virus is found in VIPRERescueScanner.exe, archived in VIPRERescue.exe.

This means that VIPRERescue.exe is not infected, but the VIPRERescueScanner.exe inside it is infected.

That's not good!

#21 bengt (Skeptic; Group: Donator/Beta Tester; Posts: 1,262; Joined: 16-December 05; Location: Bork, bork, bork)

Posted 30 April 2009 - 02:26 AM

Did a fresh download of the file 5 minutes ago and sent it to virustotal.com for a scan, nothing....

#22 sioban (Member; Group: Members; Posts: 40; Joined: 24-April 09)

Posted 30 April 2009 - 02:32 AM

Sorry, I wasn't clear enough.
That's not a build downloaded today, that's the build I downloaded last Friday.

Anyway, the problem is gone.

But it's not because an enterprise is reputable in security matters that they are protected from hackers modifying source files.
This has been done several times in the past (Debian, Red Hat, Kaspersky, Microsoft, etc.).

EDIT: I have all the info now, I'll send an email to Sunbelt.
- VipreRescue.exe
  * date = 21-04-2009 18:29
  * size = 143,790,080 bytes
  * MD5 = ae55481c8dfd9a2f4cd6eb05e0a060cc
  NOT INFECTED

- VipreRescueScanner.exe
  * date = 16-03-2009 10:36
  * size = 454,656 bytes
  * MD5 = b7f7fc3eb38a2f26239b7330f987bb9a
  INFECTED: http://www.virustota...d6a00821525ec47
  ThreatExpert Report: http://www.threatexp...39b7330f987bb9a (looks like it detects the VM and aborts)
  Anubis Report: http://anubis.isecla...amp;format=html (I've got the same problem trying to run it sandboxed)

So my thoughts were right, VipreRescue.exe came with an infected VipreRescueScanner.exe.

This post has been edited by sioban: 30 April 2009 - 03:05 AM

#23 BvF7734 (Ultimate Member; Group: BETA Tester; Posts: 681; Joined: 09-March 05; Location: 127.0.0.1)

Posted 30 April 2009 - 07:58 AM

forget it... I wrote a long diatribe and just forget it... never mind.

This post has been edited by hilander999: 30 April 2009 - 02:13 PM

\m/ (>.<) \m/

Be the Ultimate Ninja! Play Billy Vs. SNAKEMAN today!
BvS Wiki is a good place for information about the above mentioned game.
It is free and browser based so will play anywhere on any machine!
You have the right to remain silent. Anything you do or say will be exaggerated or mis-quoted and used against you.

#24 NDJeff (Newbie; Group: Members; Posts: 5; Joined: 24-April 09)

Posted 30 April 2009 - 09:22 AM

Avira AV also reports a virus when downloading the Vipre plug-in. It's detected toward the end of the large download, before the download is finished. I'm pretty certain it's a false positive that some virus scanners pick up.
Microsoft Forefront AV at work does not detect any virus during the download of the same file. Of course, MS antivirus doesn't detect much of anything else, but that's a different story ;p

This post has been edited by NDJeff: 30 April 2009 - 09:50 AM

#25 pcuser (Project Programmer; Group: Moderator & Development; Posts: 3,889; Joined: 20-November 04; Location: Kneebrasskee)

Posted 30 April 2009 - 10:33 AM

@sioban, did you read this yesterday?

Quote

    Sunbelt did have a problem with the Rescue Scanner creating false positives. They had pulled it and just put it back online late yesterday with the good version. I would redownload it again and try it.

If you're afraid of taking any chances then the chances are great that you will never learn anything

Multiboot Plugins - UBUSB (Ultimate Boot USB) - EzPcFix - RootKitty - Network Configuration Utility - UnIsoFS - A Small Linux Distro - SELogger - HashME - WSock - My Paypal

#26 sioban (Member; Group: Members; Posts: 40; Joined: 24-April 09)

Posted 30 April 2009 - 12:04 PM

@NDJeff & @pcuser: did you read my full post? This is not a false positive (it's even on the way to being confirmed by Sunbelt...)

I post the VirusTotal report for the lazy men:

Quote

    Fichier VIPRERescueScanner.exe reçu le 2009.04.24 14:49:05 (CET)
    Situation actuelle: terminé
    Résultat: 38/40 (95.00%)

    Antivirus Version Dernière mise à jour Résultat
    a-squared 4.0.0.101 2009.04.24 Virus.Win32.Alman.b!IK
    AhnLab-V3 5.0.0.2 2009.04.24 Win32/Alman.C
    AntiVir 7.9.0.155 2009.04.24 W32/Almanahe.B
    Antiy-AVL 2.0.3.1 2009.04.24 Virus/Win32.Alman.b
    Authentium 5.1.2.4 2009.04.23 W32/Alman.C
    Avast 4.8.1335.0 2009.04.23 Win32:Alman
    AVG 8.5.0.287 2009.04.24 Win32/Alman
    BitDefender 7.2 2009.04.24 Win32.Almanahe.D
    CAT-QuickHeal 10.00 2009.04.23 W32.Almanahe.B
    ClamAV 0.94.1 2009.04.24 W32.Alman-2
    Comodo 1130 2009.04.23 -
    DrWeb 4.44.0.09170 2009.04.24 Win32.Alman
    eSafe 7.0.17.0 2009.04.23 Win32.Almanahe.B
    eTrust-Vet 31.6.6474 2009.04.24 Win32/Almanahe.F!x386
    F-Prot 4.4.4.56 2009.04.23 W32/Alman.C
    F-Secure 8.0.14470.0 2009.04.24 Virus.Win32.Alman.b
    Fortinet 3.117.0.0 2009.04.24 W32/Alman.DB
    GData 19 2009.04.24 Win32.Almanahe.D
    Ikarus T3.1.1.49.0 2009.04.24 Virus.Win32.Alman.b
    K7AntiVirus 7.10.714 2009.04.23 Virus.Win32.Alman.b
    Kaspersky 7.0.0.125 2009.04.24 Virus.Win32.Alman.b
    McAfee 5594 2009.04.23 W32/Almanahe.c
    McAfee+Artemis 5594 2009.04.23 W32/Almanahe.c
    McAfee-GW-Edition 6.7.6 2009.04.24 Win32.Almanahe.B
    Microsoft 1.4602 2009.04.24 Virus:Win32/Almanahe.B
    NOD32 4033 2009.04.24 Win32/Alman.NAB
    Norman 6.00.06 2009.04.24 W32/Alman.B
    nProtect 2009.1.8.0 2009.04.24 Virus/W32.Alman.B
    Panda 10.0.0.14 2009.04.23 W32/Almanahe.C
    PCTools 4.4.2.0 2009.04.24 Win32.Alman.B
    Prevx1 3.0 2009.04.24 -
    Rising 21.26.43.00 2009.04.24 Worm.Magistr.g
    Sophos 4.41.0 2009.04.24 W32/Alman-C
    Sunbelt 3.2.1858.2 2009.04.24 Virus.Win32.Alman.b (v)
    Symantec 1.4.4.12 2009.04.24 W32.Almanahe.B!inf
    TheHacker 6.3.4.0.313 2009.04.24 W32/Almanahe.C
    TrendMicro 8.700.0.1004 2009.04.24 PE_CORELINK.C-1
    VBA32 3.12.10.3 2009.04.24 Virus.Win32.Alman.ab
    ViRobot 2009.4.24.1708 2009.04.24 Win32.Alman.B
    VirusBuster 4.6.5.0 2009.04.23 Win32.Alman.B

This post has been edited by sioban: 30 April 2009 - 12:11 PM
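An added example, not code from the thread or from VirusTotal: a small Python parser for the text-format VirusTotal report quoted above. It counts the engines that detected the file, lists the engines that returned "-", checks how many detection names agree on the Alman/Almanahe family (Rising's "Worm.Magistr.g" stands out), and cross-checks the count against the report's own "Résultat: X/Y" line when one is present. The embedded sample is a constructed ten-row subset of the rows quoted in the post.

```python
# Parser for a VirusTotal text report in the format quoted in post #26 above.
import re

# Header row of the report table; skipped so it is not parsed as an engine row.
_HEADER_RE = re.compile(r"^Antivirus\s+Version\s", re.I)
# Summary line, e.g. "Résultat: 38/40 (95.00%)" ("Result:" in English reports).
_STATED_RE = re.compile(r"^(?:Résultat|Result):\s*(\d+)/(\d+)", re.I)
# Engine row: <engine> <version> <yyyy.mm.dd> <result, which may contain spaces>
_ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

# Constructed sample: a ten-row subset of the rows quoted in the post.
SAMPLE_REPORT = """\
Antivirus Version Dernière mise à jour Résultat
AntiVir 7.9.0.155 2009.04.24 W32/Almanahe.B
Avast 4.8.1335.0 2009.04.23 Win32:Alman
ClamAV 0.94.1 2009.04.24 W32.Alman-2
Comodo 1130 2009.04.23 -
Kaspersky 7.0.0.125 2009.04.24 Virus.Win32.Alman.b
Microsoft 1.4602 2009.04.24 Virus:Win32/Almanahe.B
Prevx1 3.0 2009.04.24 -
Rising 21.26.43.00 2009.04.24 Worm.Magistr.g
Sunbelt 3.2.1858.2 2009.04.24 Virus.Win32.Alman.b (v)
Symantec 1.4.4.12 2009.04.24 W32.Almanahe.B!inf
"""

def parse_rows(text):
    """Return (engine, version, signature_date, result) tuples.
    A result of "-" means that engine reported the file clean."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or _HEADER_RE.match(line):
            continue
        m = _ROW_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows

def stated_ratio(text):
    """Return (detected, total) from the report's own summary line, or None."""
    for line in text.splitlines():
        m = _STATED_RE.match(line.strip())
        if m:
            return int(m.group(1)), int(m.group(2))
    return None

def summarize(text, family_keyword="alman"):
    """Summarize a report. family_keyword is matched case-insensitively in each
    detection name; "alman" covers both Alman and Almanahe, two names for one family."""
    rows = parse_rows(text)
    detected = [r for r in rows if r[3].strip() != "-"]
    agree = [r[0] for r in detected if family_keyword in r[3].lower()]
    stated = stated_ratio(text)
    return {
        "total": len(rows),
        "detected": len(detected),
        "clean_engines": [r[0] for r in rows if r[3].strip() == "-"],
        "family_agree": len(agree),
        "outliers": [r[0] for r in detected if r[0] not in agree],
        "stated": stated,
        # False when the summary line disagrees with the rows actually present
        "consistent": stated is None or stated == (len(detected), len(rows)),
    }
```

Run on the full report pasted in the post, the same function reproduces the 38/40 figure and flags only Rising as naming a different family.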

#27 bengt (Skeptic; Group: Donator/Beta Tester; Posts: 1,262; Joined: 16-December 05; Location: Bork, bork, bork)

Posted 30 April 2009 - 12:49 PM

@sioban
we get it, but you are referring to an old file, get the new one and stop whining...

#28 sioban (Member; Group: Members; Posts: 40; Joined: 24-April 09)

Posted 30 April 2009 - 02:48 PM

Hey!

I'm not whining!
I'm just answering a question pcuser asked!

Looks like some people are quite aggressive here.

That's sad.

#29 bengt (Skeptic; Group: Donator/Beta Tester; Posts: 1,262; Joined: 16-December 05; Location: Bork, bork, bork)

Posted 30 April 2009 - 02:50 PM

sioban, on Apr 30 2009, 09:48 PM, said:

    Hey!

    I'm not whining!
    I'm just answering a question pcuser asked!

    Looks like some people are quite aggressive here.

    That's sad.

I am off my medication and need a hug :surrender:

This post has been edited by bengt: 30 April 2009 - 02:53 PM

#30 SteelTrepid (Administrator; Group: Admin; Posts: 6,191; Joined: 27-April 04; Location: Ohio)

Posted 30 April 2009 - 02:58 PM

Yeah, let's just settle down here a little. This should be a friendly discussion, no need for fights or anything. I don't think we will ever find out the true answer to this, but we can have a decent discussion about it.

"I play Russian roulette everyday, a man's sport, with a bullet called life"

"My cause is noble, my power is pure"
