ClamWin 0.95.3 Scan of Windows 7 Home Premium Edition Laptop on 2009-11-15

I scanned a laptop running Windows 7 Home Premium Edition with ClamWin Free Antivirus version 0.95.3 on 2009-11-15. ClamWin reported the following:

C:\$WINDOWS.~Q\DATA\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Users\Liza\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab: W32.Virut.Gen.D-163 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 649885
Engine version: 0.95.3
Scanned directories: 22209
Scanned files: 153257
Infected files: 6

When I checked the contents of one of the desktop.ini files, I found the following:

C:\Users\Liza\Desktop>type desktop.ini

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183

I suspected it was a false positive and I found someone else reporting it as a false positive in the ClamWin Free Antivirus Support and Discussion Forums at False Positive for worm.autorun.2190. The posting was made on Sat Nov 14, 2009 11:50 pm.

Clamwin 095.2 and 0.95.3 (updated 11/14/09) both are giving false positives for worm.autorun.2190 in Vista's desktop.ini.

After getting one for User1 (account never gets used) I created User2 and scanned immediately. Got this:

C:\Users\User2\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 649880
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1

Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 2.619 sec (0 m 2 s)
--------------------------------------
Completed

It's just a text file and both the DLLs it references scan clean. You should fix it.

A respondent, who posted on November 15, stated the following:

The ClamWin team can't fix false positives. Clam AV furnishes the scanning engine and signature database for ClamWin. You should upload a copy of any false positive files to Clam at http://www.clamav.net/sendvirus/ on the web. Upload the file, indicate it is a false positive, and give them the name of the virus. It will not get fixed until you do this.

The original poster responded "I already have."

I uploaded the desktop.ini file to Virustotal, which is "a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines." It reported the file had already been analyzed by 41 antivirus programs.

File has already been analysed:

MD5: 9e36cc3537ee9ee1e3b10fa4e761045b
First received: 2009.02.12 15:35:31 UTC
Date: 2009.11.15 10:52:57 UTC [<1D]
Results: 1/41
Permalink: analisis/4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026-1258282377

The analysis showed only one of the forty-one antivirus programs reporting the file as infected. The one that reported the file as infected was ClamAV 0.94.1, which reported the file as infected with Worm.Autorun-2190. ClamWin relies on ClamAV, so that might be expected.

Just to raise my confidence level even further that ClamWin was reporting a false positive in this case, I submitted C:\Windows\System32\Shell.dll to Virustotal for analysis. In this case, as with most Windows systems, %SystemRoot% equated to C:\Windows. Virustotal reported that a file with the same MD5 checksum had been analyzed previously and all forty-one antivirus programs with which it checked the file reported it as uninfected.

File has already been analysed:

MD5: 518c6116079414e7074e726925d07a41
First received: 2009.09.10 17:28:22 UTC
Date: 2009.11.12 23:01:02 UTC [>2D]
Results: 0/41
Permalink: analisis/419db5cb061eaa5dcc4e6c91e02889c3681da9f69d663a891fbdc3df591a9247-1258066862

I attempted to upload C:\Windows\system32\imageres.dll to Virustotal as well, but received an error message from the website before the upload completed. So I uploaded it to VirSCAN, another site that will scan uploaded files with many antivirus programs, instead. It reported the file had been uploaded before and that none of the thirty-seven antivirus programs it used to scan the file reported it as infected (see scanner results).

When I checked the cab files, I found the following:

C:\>dir C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab
 Volume in drive C has no label.
 Volume Serial Number is 2DF8-C431

 Directory of C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b

10/27/2009  04:35 PM         8,906,746 excel.cab
               1 File(s)      8,906,746 bytes
               0 Dir(s)  264,225,153,024 bytes free

C:\>dir C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab
 Volume in drive C has no label.
 Volume Serial Number is 2DF8-C431

 Directory of C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1

10/27/2009  04:34 PM         7,753,385 xlconv.cab
               1 File(s)      7,753,385 bytes
               0 Dir(s)  264,223,055,872 bytes free

I checked the contents of C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab with WinRAR. The only file within it was xlconv.msp.

xlconv.cab contents

I uploaded it to VirSCAN.org for analysis. The VirSCAN analysis showed only 1 of the 37 antivirus programs it used as reporting the file as infected. That one was ClamAV, which reported W32.Virut.Gen.D-163.

I then uploaded C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab to VirSCAN. Like the other .cab file, only ClamAV, out of the 37 antivirus programs used by VirSCAN, reported an infection. Again, ClamAV reported W32.Virut.Gen.D-163. See VirSCAN analysis of excel.cab.

I also uploaded the excel.cab to Jotti's malware scan site, which is another site that will check uploaded files with multiple antivirus programs. It also reported the file had been scanned before and of the 21 antivirus programs it used, only ClamAV reported it as infected. See Jotti analysis of excel.cab.

I also found someone else reporting ClamWin falsely identifying these two cab files as containing malware at False Positive Virus Threats. He posted on Friday, November 13, 2009.

I had a problem with this before, it killed my excel on MS Office 2007. I experienced it again yesterday, I am running 10 machines, I am running Windows base and Linux base machines. I have found that it only happens with the Clamwin version which I updated to ClamAV 0.95.3. As stated I also run (prefer) Linux machines, I have copied the suspect files to an external storage device, and scanned these files using the built-in antivirus (ClamAV Linux version) to scan the storage drive and it found nothing. None of the files identified by the Windows version were seen as a threat by the Linux versions. I hope this will help in the attempt to correct this issue. P.S. these files are still showing up as threats.

C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND
C:\Windows\Installer\1495bd.msp: W32.Virut.Gen.D-163 FOUND
C:\Windows\Installer\1495d5.msp: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab: moved to 'C:\ProgramData\.clamwin\quarantine\excel.cab.infected'
C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab: moved to 'C:\ProgramData\.clamwin\quarantine\xlconv.cab.infected'

Someone responded to that poster on November 13 by stating "There was a MS Office update, the False positive will be rectified promptly." I just installed ClamWin on the laptop and updated its definitions today, so as of November 15 the false positives seem to be still occurring.

The laptop has Norton Internet Security 2009 on it and has been recently scanned with that software, which has reported nothing but cookies found. I also scanned the system with Spybot Search & Destroy on November 1 and Malwarebytes' Anti-Malware on November 14 with neither reporting any problems. I started a scan with Microsoft Windows Defender yesterday evening, which completed today, November 15. It also did not find any malware. So I'm 99% confident at this point that ClamWin is reporting a false positive for desktop.ini and fairly confident that its identifications of malware within xlconv.cab and excel.cab are also false positives.
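The triage steps above (reading the "path: signature FOUND" report at the top of the page, pulling the DLL references out of desktop.ini so they can be checked too, hashing a file to compare with what a multi-engine service has already analysed, and weighing a 1-of-41 result against a majority verdict) can be scripted. The following is an added example written for this page, not code from the page's author or from the ClamWin/ClamAV projects. The report excerpt, the desktop.ini text and the 41-engine result table are constructed from what the page shows; the %SystemRoot% expansion to C:\Windows is the assumption the page itself states; the 10% and 50% thresholds in assess_multiengine are my own heuristic cut-offs, not anything VirusTotal or ClamAV defines.

```python
"""Triage helpers for a ClamWin/clamscan report (added example; constructed data)."""
import configparser
import hashlib
import re
from collections import defaultdict

# Constructed excerpt in ClamWin's "<path>: <signature> FOUND" report format.
SAMPLE_REPORT = r"""
C:\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Users\Liza\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab: moved to 'C:\ProgramData\.clamwin\quarantine\xlconv.cab.infected'
----------- SCAN SUMMARY -----------
Known viruses: 649885
Engine version: 0.95.3
Scanned directories: 22209
Scanned files: 153257
Infected files: 4
"""

# Constructed copy of the desktop.ini contents shown on the page.
DESKTOP_INI = r"""[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
"""

DETECTION_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>.+)$")
DLL_REF_RE = re.compile(r"%SystemRoot%\\[^,]+\.dll", re.IGNORECASE)


def parse_report(text):
    """Split a report into (detections, summary).  Detections are (path, signature)
    pairs; quarantine 'moved to' lines and the banner are skipped.  Numeric summary
    values become int, others (the engine version) stay strings."""
    detections, summary = [], {}
    for line in text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            detections.append((m["path"], m["sig"]))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            val = m["val"].strip()
            summary[m["key"].strip()] = int(val) if val.isdigit() else val
    return detections, summary


def group_by_signature(detections):
    """Map signature -> list of paths, so one verdict can cover every hit of a signature."""
    groups = defaultdict(list)
    for path, sig in detections:
        groups[sig].append(path)
    return dict(groups)


def ini_dll_references(ini_text, system_root=r"C:\Windows"):
    """Return the DLL paths a desktop.ini resource reference points at, with
    %SystemRoot% expanded to the assumed value.  These are the files to hash and
    check next, which is what the page's author did by hand."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    refs = []
    for section in cp.sections():
        for _key, value in cp.items(section):
            for ref in DLL_REF_RE.findall(value):
                refs.append(system_root + ref[len("%SystemRoot%"):])
    return refs


def digest_hex(data, algo="md5"):
    """Hex digest of file bytes, for matching against a multi-engine service's
    'already analysed' record (the page compares MD5 values)."""
    return hashlib.new(algo, data).hexdigest()


def assess_multiengine(results, reporting_engine, fp_ratio=0.10):
    """Heuristic verdict from a multi-engine table {engine: detection-or-None}.
    'likely-false-positive' when the only flagging engines are the one that raised
    the alert (or share its name/engine) and they are a small minority;
    'likely-malicious' when more than half agree; 'needs-review' otherwise."""
    flagging = {e for e, d in results.items() if d}
    if not flagging:
        return "clean"
    ratio = len(flagging) / len(results)
    related = {e for e in flagging if reporting_engine.lower() in e.lower()}
    if flagging == related and ratio <= fp_ratio:
        return "likely-false-positive"
    if ratio > 0.5:
        return "likely-malicious"
    return "needs-review"


def sample_vt_results():
    """Constructed stand-in for the 1/41 result the page describes: 40 clean engines
    plus ClamAV reporting Worm.Autorun-2190."""
    results = {f"Engine{i:02d}": None for i in range(40)}
    results["ClamAV"] = "Worm.Autorun-2190"
    return results


if __name__ == "__main__":
    dets, summ = parse_report(SAMPLE_REPORT)
    for sig, paths in group_by_signature(dets).items():
        print(f"{sig}: {len(paths)} file(s)")
    print("engine", summ["Engine version"], "infected", summ["Infected files"])
    print("DLLs referenced by desktop.ini:", ini_dll_references(DESKTOP_INI))
    print("desktop.ini verdict:", assess_multiengine(sample_vt_results(), "ClamAV"))
    print("md5 of constructed desktop.ini:", digest_hex(DESKTOP_INI.encode()))
```

The MD5 printed for the constructed desktop.ini will not equal the value VirusTotal reported on the page, because the real file's encoding and line endings are not reproduced here; on a live system pass the file's raw bytes to digest_hex and compare that. The verdict function treats "only the alerting engine family flags it, and that family is a small minority" as the signal for a likely false positive, which is exactly the pattern in the 1/41 and 1/37 results above, while still escalating a majority verdict.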

I submitted excel.cab as a false positive at ClamAV VirusDB submission, which provides a form for uploading files a submitter feels are infected, but not identified by ClamAV or those that the submitter believes are false positives. The form asks submitters to not submit more than two files per day. Since someone else reported that he had already submitted desktop.ini, I didn't submit it. I didn't submit xlconv.cab, either. I'm going to scan the files on the system again in a few days with whatever antivirus definitions are available then to see if ClamWin stops reporting the files as infected.

The information for ClamWin on the system now is as follows:

ClamAV 0.95.3
Protecting from 650576 Viruses
Virus DB Version: (main: 51; daily: 10025)
Updated: 22:40 14 Nov 2009

Interestingly, when I turned on the display of system and hidden files and folders and right-clicked on the desktop.ini file for the user account desktop and chose "Scan with ClamWin Free AntiVirus", it reported it as uninfected. Scanning the two .cab files that way, though, led to ClamWin still reporting them as infected.
