When I remotely logged into a user's system this morning to check an FTP transfer log on it prior to running a backup of the system, I saw Microsoft AntiSpyware's scan report indicated it had detected one item during its nightly scan of the system. The spyware it detected was "PWS.Bancos.A (Password Stealer)".
Item Details
PWS.Bancos.A
Type: Password Stealer
Threat Level: Severe
Description: A Trojan that captures or transmits passwords to an attacker.
Advice: Severe-risk items have an extreme potential for adverse effect, such as a security exploit, and should be removed.
When I looked at the registry key values detected, I saw they referred to "Intel\Landesk\VirusProtect6" (see Scan Results).
The Intel LANDesk software allows enterprises to manage client PCs [1], so I thought this might be a false positive.
The spyware definitions on the system were version 5805 (2/11/2006 8:12:18 AM).
Microsoft AntiSpyware Version: 1.0.701
This version expires on: 7/31/2006
Spyware Definition Version: 5805 (2/11/2006 8:12:18 AM)
After finding PWS.Bancos.A Password Stealer on the user's system, I checked the Microsoft Antispyware results from its early morning run on my wife's PC. I found the same report of PWS.Bancos.A being detected with references to the same registry entries. And a short time later, I received an email from the vice president of the company where I had found the first report of the problem. She had also found the same scan results when she came in to the office to work on her system.
After extensive searching for any postings regarding this detection, I did find an indication that it was a false positive in a February 10, 2006 posting at Siljaline's IE & Security Blog, where I found the following posted.
Definitions "5807" released to address a false-positive detection some essential components of several Symantec Corporate Antivirus versions are being identified as PWS.Banco.A
The 3 systems in question are all running Symantec AntiVirus Corporate Edition 8.0. I monitor the installation of programs on systems with Inctrl. Inctrl [2] can record the file and registry changes that occur during software installation. Looking at an installation report for SAV 8.0, I found that the Software\Intel\Landesk registry keys were created during the installation of that software.
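The check above, attributing the flagged registry keys to a trusted installer's recorded changes, can be automated. The following is an added example, not code from the original post, InCtrl or any vendor; the flagged paths and the install record are constructed sample data that mirror the LANDesk keys described here, and the product name and paths are assumptions for illustration.

```python
# Added example (not code from the original post or any vendor): triage an
# anti-spyware hit by matching the registry keys it flagged against the keys
# an install monitor (the post used InCtrl) recorded a trusted installer
# creating. All paths below are constructed sample data.

HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
                "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}

def normalize(path: str) -> str:
    """Canonical form of a registry path: key names are case-insensitive, and
    tools differ in slash direction and in long vs. short hive names."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    if not parts:
        return ""
    parts[0] = HIVE_ALIASES.get(parts[0].upper(), parts[0].upper())
    return "\\".join(parts).upper()

def covered_by(flagged: str, recorded: str) -> bool:
    """True if `flagged` is the recorded key itself or lies beneath it."""
    f, r = normalize(flagged), normalize(recorded)
    return bool(r) and (f == r or f.startswith(r + "\\"))

def attribute_detections(flagged_keys, install_records):
    """Return {flagged_key: product that created it, or None if unexplained}.
    install_records: {product_name: [keys recorded during its install]}"""
    result = {}
    for key in flagged_keys:
        result[key] = next((product for product, created in install_records.items()
                            if any(covered_by(key, c) for c in created)), None)
    return result

# Constructed sample: two hits under the LANDesk key the post describes, plus
# one unrelated key that no recorded installer explains.
SCAN_FLAGGED = [
    r"HKLM\Software\Intel\Landesk\VirusProtect6\CurrentVersion",
    r"HKEY_LOCAL_MACHINE/SOFTWARE/INTEL/LANDESK/VirusProtect6/ProductControl",
    r"HKCU\Software\ExampleVendor\UnknownComponent",
]
INSTALL_RECORDS = {
    "Symantec AntiVirus Corporate Edition 8.0": [
        r"HKLM\Software\Intel\Landesk",
        r"HKLM\Software\Symantec\Symantec AntiVirus",
    ],
}

if __name__ == "__main__":
    for key, product in attribute_detections(SCAN_FLAGGED, INSTALL_RECORDS).items():
        verdict = f"created by {product}" if product else "UNEXPLAINED: investigate"
        print(f"{key}\n    -> {verdict}")
```

A key that no trusted install record explains is the one worth escalating; a key fully accounted for by a known installer points toward a false positive that should be confirmed against updated definitions and reported to the vendor.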
According to Trend Micro, the company was one of the original developers of the Intel LANDesk Virus Protect (LDVP) technology [3]. But in 1998, Symantec purchased Intel Corporation's anti-virus business and also licensed Intel systems management technology, which it combined with its own antivirus technology [4].
Inside Microsoft Antispyware, I went to "File" and selected "Check Updates". Newer spyware definitions were downloaded and I then saw the version number listed as 5807 when I selected "Help" and "About Microsoft AntiSpyware".
Microsoft AntiSpyware Version: 1.0.701
This version expires on: 7/31/2006
Spyware Definition Version: 5807 (2/11/2006 8:12:18 AM)
When I ran a full scan with those definitions nothing was detected. I updated the definitions on my wife's system and ran a scan of her system also. Likewise, this time nothing was detected.
For anyone who finds Microsoft AntiSpyware is reporting a false positive, Microsoft provides a False Positive Report Form.
References:
1. LANDesk Management Suite 8.6. Network America.
2. Stay in Control. PC Magazine, by Neil J. Rubenking.
3. Trend Micro Offers Free Upgrades And Support to Intel Landesk Virus Protect Customers Worldwide. Trend Micro, 1998 Press Release.
4. Symantec buys Intel's Anti-Virus Business. Symantec Corporation, September 28, 1998.
5. MS Anti-Spyware Defs. "5807" now available. Siljaline's IE & Security Blog, posted Friday, February 10, 2006 3:41 PM by siljaline.
6. Microsoft AntiSpyware False Positive Report Form. Microsoft Corporation.