UBCD4Win Forums: VipreRescueScanner Infected by W32.Almanahe.B!inf


VipreRescueScanner Infected by W32.Almanahe.B!inf

#1 sioban

Posted 29 April 2009 - 09:57 AM

Hi!

I would like to inform you that I think the VipreRescueScanner.exe I've downloaded recently through the plugin of UBCD4WIN is infected by the virus W32.Almanahe.B!inf.

This is the VirusTotal report: http://www.virustota...d6a00821525ec47

I say so because the virus was first seen by my AV some days ago (24/04/2009), but I've tested the ISO today and my PC is now full of it :(

#2 BvF7734

Posted 29 April 2009 - 10:14 AM

Did you download the builder from the sites mentioned in the download section? If it was downloaded from there, then there is no virus. More than likely, your machine was already infected and then infected the builder upon extraction.

Secondarily, you possibly downloaded the builder from a third-party site. We cannot confirm the authenticity of the project if it is from a third party that is not listed in the downloads section of this site.

#3 sioban

Posted 29 April 2009 - 10:40 AM

I've used the Plugin "Config Tool" to download.
I know this is very suspicious, but that's the only way I've found.

I don't think my PC was already infected, as the virus is detected by my AV.

In fact my AV raised an alert on VipreRescueScanner.exe on 24/04/2009, but I was not very surprised, as a lot of AV/AS products are detected as viruses by other AVs.
I built my key, but I was not able to launch VipreRescueScanner as my Ramdrive size was too small.

I've changed the Ramdrive today and tested Vipre today.
All the alerts from the AV came just after VIPRE scanned my HD...

That's why I think it is the origin, but I may be wrong.
But if I'm not, there's potentially a risk.
I'll download Vipre again tonight to test it, and I hope I will not find the virus in it...

If not, it means one of two things:
- I'm wrong
- They corrected it, but if that's the case I'm very scared about the security of this company.

This post has been edited by sioban: 29 April 2009 - 10:52 AM


#4 bengt

Posted 29 April 2009 - 10:42 AM

Make certain it is not a false positive... what AV are you using ON your computer?

This post has been edited by bengt: 29 April 2009 - 10:45 AM


#5 sioban

Posted 29 April 2009 - 10:49 AM

That's what I thought at first!

But if you look at the VirusTotal report, you'll see it's a true positive.

My AV is Symantec Endpoint.

#6 bengt

Posted 29 April 2009 - 10:56 AM

sioban, on Apr 29 2009, 05:49 PM, said:

    That's what I thought at first!

    But if you look at the VirusTotal report, you'll see it's a true positive.

    My AV is Symantec Endpoint.

Sometimes code in applications is similar to that of viruses, worms, etc. That is why they get flagged as REAL, or TRUE viruses even though they are not.
That is why it is called a FALSE POSITIVE.

I suggest that you remove all files belonging to Vipre, then go to their official homepage, download and install, then check with the AV online scanner again.

Or, create the UBCD4Win CD (without Vipre) on a clean computer, boot and run the CD on your computer, scan and then clean the "infected" computer if necessary.

Please report back.

This post has been edited by bengt: 29 April 2009 - 11:37 AM


#7 sioban

Posted 29 April 2009 - 12:16 PM

bengt, on Apr 29 2009, 11:56 AM, said:

    Sometimes code in applications is similar to that of viruses, worms, etc. That is why they get flagged as REAL, or TRUE viruses even though they are not.
    That is why it is called a FALSE POSITIVE.

I know what a false positive is.
That's why, when I saw the first alert from my AV about W32.Almanahe.B!inf being found in VipreRescueScanner.exe, I was not worried.

But I assure you that I've been fully infected by this virus, and even rootkited (I found the rogue c:\windows\linkinfo.dll, which should be in c:\windows\system32).

You can see the Symantec technical details about the dropper here: http://securityrespo...id=2007-041502-1338-99
And the information about the installed rootkit here: http://www.symantec....-041501-4936-99

I'm quite accustomed to dealing with viruses; I've used ComboFix to remove the rootkit and the virus, then scanned my PC with DrWeb to remove anything left.

Quote:

    I suggest that you remove all files belonging to Vipre, then go to their official homepage, download and install, then check with the AV online scanner again.

    Or, create the UBCD4Win CD (without Vipre) on a clean computer, boot and run the CD on your computer, scan and then clean the "infected" computer if necessary.

    Please report back.

I've removed Vipre and won't use it again as they can't be trusted.
However, I'll report back to Sunbelt.

This thread was just a warning for users who might be facing the same problem.
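The post above describes the tell-tale it found: a linkinfo.dll sitting directly in c:\windows when the legitimate copy lives in c:\windows\system32. The following script is an added example (Python, not code from the thread, from UBCD4Win or from Symantec) of a defender's check for that layout: it lists every DLL in a Windows root directory that shares its name with a DLL in system32 and reports whether the two copies have identical content. The directory tree and file bytes are constructed in a temporary folder so the script runs offline on any OS; on a real machine you would point find_shadowing_dlls at the actual Windows directory.

```python
"""Flag DLLs in a Windows root directory that shadow a DLL of the same
name in system32.

Added example, not part of the thread. The fake Windows tree below is
constructed for the demo; the check itself only depends on the layout.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowing_dlls(windir: Path) -> list[dict]:
    """Return one record per DLL present both directly in `windir` and in
    `windir/system32`. A clean install keeps its DLLs under system32; a
    same-named copy in the parent directory is the layout the post
    describes for the rogue linkinfo.dll and deserves a closer look."""
    system32 = windir / "system32"
    findings = []
    for entry in windir.iterdir():
        if not entry.is_file() or entry.suffix.lower() != ".dll":
            continue
        twin = system32 / entry.name
        if twin.is_file():
            findings.append({
                "name": entry.name,
                "rogue_path": str(entry),
                "expected_path": str(twin),
                # identical bytes would suggest a stray copy; differing
                # bytes mean something else is answering to that name
                "same_content": sha256_of(entry) == sha256_of(twin),
            })
    return sorted(findings, key=lambda r: r["name"])


def build_sample_tree(root: Path) -> Path:
    """Constructed sample: a fake Windows directory holding two normal
    DLLs under system32 plus one extra linkinfo.dll in the root."""
    windir = root / "windows"
    (windir / "system32").mkdir(parents=True)
    (windir / "system32" / "linkinfo.dll").write_bytes(b"MZ constructed legitimate linkinfo")
    (windir / "system32" / "kernel32.dll").write_bytes(b"MZ constructed kernel32")
    (windir / "linkinfo.dll").write_bytes(b"MZ constructed different bytes")
    (windir / "notepad.exe").write_bytes(b"MZ constructed notepad")
    return windir


def demo() -> list[dict]:
    """Run the check against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_shadowing_dlls(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for record in demo():
        print(record)
```

On the sample tree the only finding is linkinfo.dll with same_content False; kernel32.dll is ignored because it exists only in system32, and notepad.exe because it is not a DLL. The check is deliberately narrow: it does not decide whether the extra file is malicious, it only surfaces the name collision so the file can be hashed and looked up.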

#8 bengt

Posted 29 April 2009 - 12:27 PM

You didn't say where you downloaded the UBCD4Win builder file from...
Could you please post the content of your Vipre-PC-Rescue/get_update.cmd?

This post has been edited by bengt: 29 April 2009 - 12:30 PM


#9 Gedrean

Posted 29 April 2009 - 12:30 PM

sioban, on Apr 29 2009, 01:16 PM, said:

    bengt, on Apr 29 2009, 11:56 AM, said:

        Sometimes code in applications is similar to that of viruses, worms, etc. That is why they get flagged as REAL, or TRUE viruses even though they are not.
        That is why it is called a FALSE POSITIVE.

    I know what a false positive is.
    That's why, when I saw the first alert from my AV about W32.Almanahe.B!inf being found in VipreRescueScanner.exe, I was not worried.

    But I assure you that I've been fully infected by this virus, and even rootkited (I found the rogue c:\windows\linkinfo.dll, which should be in c:\windows\system32).

    You can see the Symantec technical details about the dropper here: http://securityrespo...id=2007-041502-1338-99
    And the information about the installed rootkit here: http://www.symantec....-041501-4936-99

    I'm quite accustomed to dealing with viruses; I've used ComboFix to remove the rootkit and the virus, then scanned my PC with DrWeb to remove anything left.

    Quote:

        I suggest that you remove all files belonging to Vipre, then go to their official homepage, download and install, then check with the AV online scanner again.

        Or, create the UBCD4Win CD (without Vipre) on a clean computer, boot and run the CD on your computer, scan and then clean the "infected" computer if necessary.

        Please report back.

    I've removed Vipre and won't use it again as they can't be trusted.
    However, I'll report back to Sunbelt.

    This thread was just a warning for users who might be facing the same problem.

The reason why we suggested that you may have already had the virus:

When I got infected with Vitro/Virut (a very recent virus, and I just got it a while ago, which is why I'm stuck on a U4W disc trying to recover everything for the last month or two), my machine had it for a full 38 hours before any AV software was recognizing it.

While I don't know if that virus was that new, it is very possible that the virus existed on your machine undetected before the virus scanner updated and began detecting it.

That being said, the U4W builder v350 and all its plugins have been run through VirusTotal several times already.

---

How, exactly, did you download this particular item "VipreRescueScanner.exe"?? The plugin for Vipre PC Rescue included in UBCD4W has a different exe name.
Also, the update downloads "VIPRERescue.exe" - no mention of "Scanner"...

#10 sioban

Posted 29 April 2009 - 12:47 PM

@bengt: from www.securitywonks.net
@gedrean: almost all antivirus products detect it (see the report on VirusTotal), but that's a possibility.

Anyway, I'm not saying UBCD4WIN is infected; I'm saying that the VIPRE binary downloaded by the plugin is [was?].

#11 sioban

Posted 29 April 2009 - 12:51 PM

Gedrean, on Apr 29 2009, 01:30 PM, said:

    How, exactly, did you download this particular item "VipreRescueScanner.exe"?? The plugin for Vipre PC Rescue included in UBCD4W has a different exe name.
    Also, the update downloads "VIPRERescue.exe" - no mention of "Scanner"...

I was wondering the same thing when I read the getupdate.cmd.
I need to investigate that.

#12 wesleyh

Posted 29 April 2009 - 01:00 PM

Sunbelt did have a problem with the Rescue Scanner creating false positives. They had pulled it and just put it back online late yesterday with the good version. I would redownload it and try it again.

#13 Gedrean

Posted 29 April 2009 - 01:02 PM

sioban, on Apr 29 2009, 12:51 PM, said:

    Gedrean, on Apr 29 2009, 01:30 PM, said:

        How, exactly, did you download this particular item "VipreRescueScanner.exe"?? The plugin for Vipre PC Rescue included in UBCD4W has a different exe name.
        Also, the update downloads "VIPRERescue.exe" - no mention of "Scanner"...

    I was wondering the same thing when I read the getupdate.cmd.
    I need to investigate that.

Alright, I figured it out - sorry.
VipreRescueScanner is extracted from VipreRescue.exe.

And here is the current report, as extracted from a download just a minute ago:
http://www.virustota...be9e4c2eb3b6de9

It indicates it was last scanned Apr 27th. 0 of 40 reports.

Here's my expectation: you already had the virus, and as it downloaded and wrote the file, the virus found an exe and implanted itself into it.

That being said, it is VERY possible that, yes, you received a virus through that download, and the VIPRE people had a virus in one of their distributions.

Problem: a virus CANNOT spread from an EXE without the EXE being run or launched... or worked upon in SOME WAY by a program or function that is susceptible to that virus.

What did you do with that EXE when you were advised it was a virus?
And I really doubt that unzip was infected by a virus it extracted from the viprerescue.exe, as it just inspects the self-extracting exe and finds the archive within, then extracts from that.

I would expect the virus would not bother allowing itself to be extracted, and would instead overflow or somehow exploit a problem in unzip, thus infecting it and bypassing the waste of time that is extracting VipreRescueScanner.exe, and then infecting your system.
Leaving you to wonder why unzip just locked up in the middle of your config.

That's why I think the system was already infected.
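The post above turns on one question: was the scanner already infected when it was downloaded, or was it clean on arrival and modified afterwards by an infector already running on the host? The two cases look identical once the AV alerts, but they can be told apart if the files are hashed the moment they are downloaded or extracted and re-hashed later. The script below is an added example (Python; not code from the thread, from UBCD4Win or from Sunbelt) of that baseline-and-recheck procedure: it stores a JSON manifest of SHA-256 digests for a download folder, then reports files whose digest changed, files that appeared, and files that vanished. The folder name, file names and file contents are constructed stand-ins, and the "infection" step merely rewrites one file and drops another to simulate what a file infector on the host would leave behind.

```python
"""Baseline-and-recheck integrity check for a downloaded tool set.

Added example, not part of the thread or of any vendor's code. Hash the
files when they arrive, store the manifest outside the folder, and compare
later: a changed digest means the file was altered on this machine after
the download, which is a different finding from the download itself being
bad. Names and bytes below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(folder: Path) -> dict[str, str]:
    """Map each regular file name in `folder` to its SHA-256 hex digest."""
    return {
        p.name: hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(folder.iterdir())
        if p.is_file()
    }


def save_manifest(manifest: dict[str, str], path: Path) -> None:
    """Persist the baseline as JSON so a later run can load it."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between the baseline and a later snapshot."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def demo() -> dict[str, list[str]]:
    """Baseline a constructed download folder, simulate a later on-host
    modification, and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        tools = Path(tmp) / "Vipre-PC-Rescue"
        tools.mkdir()
        # Constructed stand-ins for the self-extractor and the scanner it
        # unpacks; these are not real file contents.
        (tools / "VIPRERescue.exe").write_bytes(b"MZ constructed self-extractor")
        (tools / "VipreRescueScanner.exe").write_bytes(b"MZ constructed scanner")

        # Step 1: baseline immediately after download, stored outside the
        # folder so it is not itself part of the snapshot.
        manifest_path = Path(tmp) / "baseline.json"
        save_manifest(snapshot(tools), manifest_path)

        # Simulated later event on the host: one executable is rewritten
        # and an extra DLL appears next to it.
        scanner = tools / "VipreRescueScanner.exe"
        scanner.write_bytes(b"MZ constructed prepended stub " + scanner.read_bytes())
        (tools / "linkinfo.dll").write_bytes(b"MZ constructed dropped dll")

        # Step 2: re-check against the stored baseline.
        return compare(load_manifest(manifest_path), snapshot(tools))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For the constructed folder the result lists VipreRescueScanner.exe as modified and linkinfo.dll as added, with nothing missing. Had the baseline digest itself matched a scanner verdict of "infected", the download would have been bad on arrival; a clean baseline followed by a changed digest points at the host instead, which is the distinction the discussion above is trying to draw.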

#14 sioban

Posted 29 April 2009 - 01:02 PM

Again, my virus is not a false positive.
But of course I can't say with 100% certainty that the virus came from VIPRE.

#15 Gedrean

Posted 29 April 2009 - 01:03 PM

wesleyh, on Apr 29 2009, 01:00 PM, said:

    Sunbelt did have a problem with the Rescue Scanner creating false positives. They had pulled it and just put it back online late yesterday with the good version. I would redownload it and try it again.

The problem is he has that virus report cropping up in numerous programs/exes on his computer, thus not a false positive.
He had to remove it with removal tools.