MoonPoint Support Logo

 


Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals



Advanced Search
July
Sun Mon Tue Wed Thu Fri Sat
 
17 18 19 20
21 22 23 24 25 26 27
28 29 30 31      
2019
Months
JulAug Sep
Oct Nov Dec


Sun, May 21, 2006 7:40 pm

ClamWin 0.88.2.3 Reports Proxy.Exe is Worm.Bobax.AA

I installed ClamWin 0.88.2.3 on a user's system and scanned the system for viruses. ClamWin reported AnalogX's proxy.exe file as Worm.Bobax.AA. I had installed version 4.14 of AnalogX's Proxy program on the system almost a year ago to have proxy server capabilities on the system for troubleshooting. I suspect ClamWin is simply looking at the file name and making its determination solely on that criteria resulting in a false positive report of Worm.Bobax.AA. The virus definitions on the system were updated on 09:18 21 May 2006 and the virus DB version is main: 38, daily: 1474.

Arcabit, which produces the ArcaVir antivirus software, states that Worm.Bobax.AA is a mass mailing worm that attempts to email itself to others from an infected computer. Arcabit's page states the worm creates services.exe on the hard drive. However, there is a legitimate services.exe file in C:\Windows\system32 on Windows XP systems that is produced by Microsoft.

Symantec's W32.Bobax.AA@mm webpage states that the services.exe file created by the worm is placed in %Windir%, which will usually be C:\Windows on Windows XP systems. You can determine the value for %Windir% by typing echo %WINDIR% at a command prompt. On this system, the only services.exe file was in C:\Windows\system32 and appeared to be the legitimate services.exe file. The Symantec webpage also states the worm creates %Windir%\msdefr.exe, which I did not find on the system. Nor did I find a C:\autorun.inf, which the Symantec webpage on the worm states is created by it.

McAfee, which produces antivirus software, states on its AnalogX-Proxy that the AnalogX proxy software is a legitimate tool, though it may sometimes be used by malware to set up proxy servers on a system without a user's knowledge. For instance, McAfee's antivirus software may report AnalogX-Proxy.ldr when a particular trojan file uses the AnalogX proxy program. It isn't unusual for malware authors to use legitimate tools for their own nefarious purposes.

I submitted the proxy.exe file to www.virustotal.com, which provides a free service where you can submit files for automatic analysis by quite a few antivirus programs. ClamAV is one of the antivirus programs running on that system. It reported Worm.Bobax.AA. Seventeen of the twenty-four antivirus programs used on that system reported "no virus found", though. Kaspersky reported "not-a-virus:Server-Proxy.Win32.AnalogX.414" while the McAfee scan reported "potentially unwanted program AnalogX-Proxy". Panda reported "Application/AnalogX-Proxy.A". Symantec did not report that it found anything amiss with the file. TheHacker reported "Aplicacion/AnalogX.414". UNA reported "I-Worm.Win32.virus" and VBA32 reported "RiskWare.Proxy.AnalogX.414". For the full report see VirusTotal Proxy.Exe.

The file may be identified as a potential risk by some antivirus software, because it is possible for it to be misused, but since I installed the software on the system for troubleshooting purposes, I don't want ClamWin identifying it as malware every time it scans the system. If the user reports a problem accessing a website from her system, I can attempt to make a connection myself from the system by activating the proxy server software. So I configured ClamWin to ignore the proxy.exe file when it checks the system. You can exclude proxy.exe from ClamWin's scans by taking the following steps in ClamWin:

  1. Click on Tools.
  2. Select Preferences.
  3. Click on the Filters tab.
  4. Click on the "new" button under "Exclude Matching Filenames". It is the second one to the right of "Patterns", between the "ae" and "X" butons. Type proxy.exe and then click on OK.

I submitted a "false positive" report for ClamAV, which is used by ClamWin to www.clamav.net/sendvirus.html

References:

  1. Vir News - Bobax.AA
    ArcaBit
  2. 7/5: Bobax-AA a Mass-Mailing Worm
    eSecurity Software & Internet Security Product Information News Articles, Advice
    July 5, 2005
  3. W32.Bobax.AA@mm
    Symantec Corporation
  4. services - services.exe - Process Information
    Uniblue
  5. Start-Up Applications - All
  6. AnalogX-Proxy
    McAfee

[/security/worms] permanent link

Mon, Mar 15, 2004 12:25 pm

NetSky Worm

According to the article " NetSky variants spark search for code" at ZDNet, the author of the NetSky worm may have released the source code to the worm.

References:

  1. NetSky variants spark search for code
  2. Second NetSky worm on the loose

[/security/worms] permanent link

Once You Know, You Newegg AliExpress by Alibaba.com

Shop Amazon Local - Subscribe to Deals in Your Neighborhood

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo