UBCD4Win Forums: Possible Virus in UBCD4WinV255.exe - UBCD4Win Forums



Possible Virus in UBCD4WinV255.exe: UBCD4WinV255.exe infected with VIRUS?

#1 swift_jmh

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 19-November 05

Posted 19 November 2005 - 08:41 AM

My Etrust Antivirus (CA) says that the following files inside of UBCD4WinV255.exe are infected with a virus called Win32.PSW.Bancos.ZC

<plugin\IDSuite\IDSuite_SFX.exe> Win32.PSW.Bancos.ZC
<plugin\k-meleon\k-meleon.exe> Win32.PSW.Bancos.ZC

I verified the MD5 hash of the file I downloaded and it matches the hash listed on your downloads page.

Am I missing something here, or is there really this virus infecting your plugins?

#2 swift_jmh

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 19-November 05

Posted 19 November 2005 - 08:49 AM

I forgot to mention that after looking this virus up in the CA virus database - http://www3.ca.com/s...fo/default.aspx

I was only able to find the following info on a virus named: Win32.PSW.Bancos.L
which seems like it is related to Win32.PSW.Bancos.ZC

Win32.Bancos.L is a trojan that uses phishing techniques to steal personal information that could then be used to perpetrate identity theft and fraud. It targets customers of particular Brazilian banks: Caixa, BancoBrazil and Bradesco.

Method of Installation
This trojan has been seen in the wild distributed in a UPX-packed, self-extracting zip file that contains two files: Exec.exe and MSWINSCK.OCX. When the zip is executed, it in turn executes exec.exe (the trojan proper).

Upon execution of exec.exe, Bancos.L copies itself to %System%\netbom6.exe and also copies a VB file that is required to run this program: %System%\MSWINSCK.OCX.

It then edits the registry to ensure that this copy is executed at each Windows start:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netbom6 = %System%\netbom6.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\netbom6 = %System%\netbom6.exe

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.

The worm also deletes the copy of exec.exe that it was initially run from.

This post has been edited by swift_jmh: 19 November 2005 - 08:53 AM

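The CA write-up quoted above names two autostart registry values (under Run and RunServices) and a file name, netbom6.exe, as the persistence artifacts of the real Bancos.L. As an added example, not code from the forum or from CA, here is a small Python check that reads a .reg-style export and flags autostart entries matching those indicators. The export text is constructed for the example, the indicator list is taken only from the quoted description, and the parser handles only the plain string values that a Run-key export contains.

```python
# Constructed sample of a registry export (not from any real machine). The two
# netbom6 entries mirror the persistence keys in CA's Bancos.L description;
# the ctfmon entry is a benign filler so the check has something to ignore.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"netbom6"="C:\\WINDOWS\\System32\\netbom6.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"netbom6"="C:\\WINDOWS\\System32\\netbom6.exe"
"""

# Autostart locations named in the quoted description.
AUTOSTART_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunServices")

# Indicators taken from the quoted description (value name / file names), lower-cased.
INDICATORS = {"netbom6", "mswinsck.ocx"}


def parse_reg_export(text):
    """Yield (key, name, value) for each quoted string value in a .reg-style export.

    Only '[KEY]' section headers and '"name"="value"' lines are understood,
    which is all a Run/RunServices export normally contains.
    """
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            # .reg files escape backslashes as '\\'; undo that for comparison.
            value = raw.strip().strip('"').replace("\\\\", "\\")
            yield current_key, name, value


def find_autostart_indicators(text, indicators=INDICATORS):
    """Return autostart entries whose name or value contains a known indicator."""
    hits = []
    for key, name, value in parse_reg_export(text):
        if not key.endswith(AUTOSTART_KEYS):
            continue
        haystack = (name + " " + value).lower()
        if any(ind in haystack for ind in indicators):
            hits.append((key, name, value))
    return hits


if __name__ == "__main__":
    for key, name, value in find_autostart_indicators(SAMPLE_REG_EXPORT):
        print(f"suspicious autostart: {key}\\{name} = {value}")
```

On a real machine the export would come from `reg export` of the two keys; the point of the check is that a detection on an archive member says nothing about whether the trojan's persistence is actually present, and these are the artifacts that would be.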

#3 stidyup

  • Forum News
  • Group: Moderator
  • Posts: 5809
  • Joined: 21-June 04
  • Location: Yorkshire, UK, Earth, Milky Way, the known Universe and probably the unknown too....

Posted 19 November 2005 - 09:23 AM

CA is giving a false positive.

Jotti Virus Scan

Virus Total

Find the suspect file and scan the file at either of the above sites and it will verify the file is clean. To do this you may have to disable CA or exclude the file from scanning.

In the past AVG, ClamWin and AntiVir have all given false positives. I have Sophos and McAfee on my PC and both say V2.55 is clean.
RescueME Virus Removal

Mirror

Fear is the path to the dark side. Fear leads to anger. Anger leads to hate. Hate leads to suffering.
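Post #1 reports that the download's MD5 matched the hash on the project's downloads page, and post #3 recommends a multi-engine scan to settle the detection. Those are two different checks, and it helps to be precise about what the first one proves. As an added example, not code from the forum or the UBCD4Win project, here is a Python routine that hashes a large download in chunks and compares it with the published value; the sample file and the published hash in the demo are constructed stand-ins, not the real UBCD4WinV255.exe or its listed MD5.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads keep memory flat for a 65 MB installer


def file_digests(path):
    """Compute MD5 and SHA-256 of a file in one pass over its contents."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_download(path, published_md5):
    """Compare a downloaded file against the MD5 published for it.

    A match shows the file is byte-for-byte what the publisher posted, i.e. it
    was not altered in transit or on the mirror. It does not, by itself, say
    whether an antivirus detection on the file is a true or a false positive;
    that question is answered by a second opinion (multi-engine scan) and by
    the vendor's own confirmation, as in this thread.
    """
    digests = file_digests(path)
    published = published_md5.strip().lower()
    return {
        "match": digests["md5"] == published,
        "actual_md5": digests["md5"],
        "actual_sha256": digests["sha256"],
        "published_md5": published,
    }


def demo():
    """Run the check once with a matching hash and once with a wrong one."""
    # Constructed stand-in for the installer: repeated text, not real installer bytes.
    sample = b"UBCD4Win sample payload line\n" * 4096
    published = hashlib.md5(sample).hexdigest()  # stands in for the downloads-page value
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        good = verify_download(path, published)
        bad = verify_download(path, "0" * 32)  # placeholder for a mismatching published hash
    finally:
        os.remove(path)
    return good["match"], bad["match"]


if __name__ == "__main__":
    print("matching hash, wrong hash:", demo())
```

In practice you would paste the MD5 from the downloads page into `verify_download`; the SHA-256 is computed alongside it because MD5 alone is no longer a collision-resistant integrity check, and publishing both gives the next person a stronger comparison.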

#4 rdsok

  • Group: Admin
  • Posts: 6257
  • Joined: 02-October 05
  • Gender: Male
  • Location: Norman, Ok. USA

Posted 19 November 2005 - 01:28 PM

@swift_jmh

In addition to what stidyup mentioned, I would also add that you should report the false positive to CA so they may correct this. You may be able to disable CA's heuristic scanning until this is resolved but I would recommend turning it back on as soon as possible so you aren't unprotected against other new malware.

This post has been edited by rdsok: 19 November 2005 - 01:29 PM

Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....

#5 ynotpe

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 21-November 05

Posted 21 November 2005 - 05:11 PM

----Original Message Follows----
From: "Virus" <VirusNoSpAM@ca.com>
To: Tony Pedretti <ynotpeNoSpAM@hotmail.com>
Subject: RE: False positive with UBCD4WinV25.exe
Date: Mon, 21 Nov 2005 15:56:49 -0500

We were able to duplicate your reported problem. Detection of
Win32.PSW.Bancos.ZC in file UBCD4WinV25.exe using Vet signature
11.9.9516 was a false alarm. This has been corrected in signature 9521.
Please update your signature.

-----Original Message-----
From: Tony Pedretti [mailto:ynotpeNoSpAM@hotmail.com]
Sent: Saturday, November 19, 2005 1:14 PM
To: Virus
Subject: False positive with UBCD4WinV25.exe

It appears version 2.5 of the Ultimate Boot CD is falsely identified as
Win32.PSW.Bancos.ZC by the current sigs on eTrust AV 7.1.501.

http://www.ubcd4win....?showtopic=2491

I can't send the 65MB file zipped up via email but it can be downloaded
from here... http://public.planet...UBCD4WinV25.exe

Thanks,

Tony Pedretti