MoonPoint Support Logo

 


Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals



Advanced Search
May
Sun Mon Tue Wed Thu Fri Sat
 
21
     
2006
Months
May


Sun, May 21, 2006 7:40 pm

ClamWin 0.88.2.3 Reports Proxy.Exe is Worm.Bobax.AA

I installed ClamWin 0.88.2.3 on a user's system and scanned the system for viruses. ClamWin reported AnalogX's proxy.exe file as Worm.Bobax.AA. I had installed version 4.14 of AnalogX's Proxy program on the system almost a year ago to have proxy server capabilities on the system for troubleshooting. I suspect ClamWin is simply looking at the file name and making its determination solely on that criteria resulting in a false positive report of Worm.Bobax.AA. The virus definitions on the system were updated on 09:18 21 May 2006 and the virus DB version is main: 38, daily: 1474.

Arcabit, which produces the ArcaVir antivirus software, states that Worm.Bobax.AA is a mass mailing worm that attempts to email itself to others from an infected computer. Arcabit's page states the worm creates services.exe on the hard drive. However, there is a legitimate services.exe file in C:\Windows\system32 on Windows XP systems that is produced by Microsoft.

Symantec's W32.Bobax.AA@mm webpage states that the services.exe file created by the worm is placed in %Windir%, which will usually be C:\Windows on Windows XP systems. You can determine the value for %Windir% by typing echo %WINDIR% at a command prompt. On this system, the only services.exe file was in C:\Windows\system32 and appeared to be the legitimate services.exe file. The Symantec webpage also states the worm creates %Windir%\msdefr.exe, which I did not find on the system. Nor did I find a C:\autorun.inf, which the Symantec webpage on the worm states is created by it.

McAfee, which produces antivirus software, states on its AnalogX-Proxy that the AnalogX proxy software is a legitimate tool, though it may sometimes be used by malware to set up proxy servers on a system without a user's knowledge. For instance, McAfee's antivirus software may report AnalogX-Proxy.ldr when a particular trojan file uses the AnalogX proxy program. It isn't unusual for malware authors to use legitimate tools for their own nefarious purposes.

I submitted the proxy.exe file to www.virustotal.com, which provides a free service where you can submit files for automatic analysis by quite a few antivirus programs. ClamAV is one of the antivirus programs running on that system. It reported Worm.Bobax.AA. Seventeen of the twenty-four antivirus programs used on that system reported "no virus found", though. Kaspersky reported "not-a-virus:Server-Proxy.Win32.AnalogX.414" while the McAfee scan reported "potentially unwanted program AnalogX-Proxy". Panda reported "Application/AnalogX-Proxy.A". Symantec did not report that it found anything amiss with the file. TheHacker reported "Aplicacion/AnalogX.414". UNA reported "I-Worm.Win32.virus" and VBA32 reported "RiskWare.Proxy.AnalogX.414". For the full report see VirusTotal Proxy.Exe.

The file may be identified as a potential risk by some antivirus software, because it is possible for it to be misused, but since I installed the software on the system for troubleshooting purposes, I don't want ClamWin identifying it as malware every time it scans the system. If the user reports a problem accessing a website from her system, I can attempt to make a connection myself from the system by activating the proxy server software. So I configured ClamWin to ignore the proxy.exe file when it checks the system. You can exclude proxy.exe from ClamWin's scans by taking the following steps in ClamWin:

  1. Click on Tools.
  2. Select Preferences.
  3. Click on the Filters tab.
  4. Click on the "new" button under "Exclude Matching Filenames". It is the second one to the right of "Patterns", between the "ae" and "X" butons. Type proxy.exe and then click on OK.

I submitted a "false positive" report for ClamAV, which is used by ClamWin to www.clamav.net/sendvirus.html

References:

  1. Vir News - Bobax.AA
    ArcaBit
  2. 7/5: Bobax-AA a Mass-Mailing Worm
    eSecurity Software & Internet Security Product Information News Articles, Advice
    July 5, 2005
  3. W32.Bobax.AA@mm
    Symantec Corporation
  4. services - services.exe - Process Information
    Uniblue
  5. Start-Up Applications - All
  6. AnalogX-Proxy
    McAfee

[/security/worms] permanent link

Sun, May 21, 2006 4:33 pm

Determining an Image File's Dimensions with Command Line Tools

If you are working on a Unix or Linux system and need to determine the dimensions for an image, there are a number of command line tools that may be available to you on the system. If you are including an image on a webpage, if you specify the file's dimensions, then visitor's to your website can view other information on your webpages while potentially large images are still being downloaded for viewing by the visitor's browser. If you specify the dimensions of the image files within your webpages, the browser will allocate the space needed to display the image and then display other parts of the webpage while it is still downloading large image files.

You can specify the image dimensions in pixels like this:

<img src="banana.jpg" alt="A banana" width="320" height="378">

One command line tool that can be used to determine a JPEG file's size is rdjpgcom. The utility is used to display comments that can be embedded in JPG files (you can insert comments with wrjpgcom), but you can also display the dimensions for a JPG file with the --verbose option.

$ rdjpgcom -verbose banana.jpg
JPEG image is 921w * 592h, 3 color components, 8 bits per sample
JPEG process: Baseline

If you have ImageMagick installed on the system, you can also use the identify command to determine the dimensions of an image file. Note: if you are using RedHat Linux, or another version of Linux that uses RPM to manage software on the system, you can issue the command rpm -qi ImageMagick to see whether it is installed.

$ identify banana.jpg
banana.jpg JPEG 921x592 DirectClass 8-bit 87kb 0.0u 0:01

The identify utility displays the width followed by the height.

Another command that may be available to you is imgsize.

$ imgsize banana.jpg
imgsize banana.jpg
width="921" height="592"

[/graphics] permanent link

Sun, May 21, 2006 3:24 pm

WindUpdates.MediaGateway (Adware) - May 21, 2006

Microsoft AntiSpyware Beta1 found WindUpdates.MediaGateway on a user's computer when I scanned it, but the adware did not actually appear to be active on the system. Microsoft AntiSpyware appeared to be detecting only remnants of the adware that had previously been removed with Microsoft AntiSpyware.

[ More Info]

[/security/spyware/windupdates_mediagateway] permanent link

Once You Know, You Newegg AliExpress by Alibaba.com

Shop Amazon Local - Subscribe to Deals in Your Neighborhood

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo