I installed ClamWin 0.88.2.3 on a user's system and scanned the system for viruses. ClamWin reported AnalogX's proxy.exe file as Worm.Bobax.AA. I had installed version 4.14 of AnalogX's Proxy program on the system almost a year ago to have proxy server capabilities on the system for troubleshooting. I suspect ClamWin is simply looking at the file name and making its determination solely on that criterion, resulting in a false positive report of Worm.Bobax.AA. The virus definitions on the system were updated at 09:18 on 21 May 2006 and the virus DB version is main: 38, daily: 1474.
Arcabit, which produces the ArcaVir antivirus software, states that Worm.Bobax.AA is a mass mailing worm that attempts to email itself to others from an infected computer. Arcabit's page states the worm creates services.exe on the hard drive. However, there is a legitimate services.exe file in C:\Windows\system32 on Windows XP systems that is produced by Microsoft.
Symantec's W32.Bobax.AA@mm webpage states that the services.exe file created by the worm is placed in %Windir%, which will usually be C:\Windows on Windows XP systems. You can determine the value for %Windir% by typing echo %WINDIR% at a command prompt. On this system, the only services.exe file was in C:\Windows\system32 and appeared to be the legitimate services.exe file. The Symantec webpage also states the worm creates %Windir%\msdefr.exe, which I did not find on the system. Nor did I find a C:\autorun.inf, which the Symantec webpage on the worm states is created by it.
McAfee, which produces antivirus software, states on its AnalogX-Proxy page that the AnalogX proxy software is a legitimate tool, though it may sometimes be used by malware to set up proxy servers on a system without a user's knowledge. For instance, McAfee's antivirus software may report AnalogX-Proxy.ldr when a particular trojan file uses the AnalogX proxy program. It isn't unusual for malware authors to use legitimate tools for their own nefarious purposes.
I submitted the proxy.exe file to www.virustotal.com, which provides a free service where you can submit files for automatic analysis by quite a few antivirus programs. ClamAV is one of the antivirus programs running on that system. It reported Worm.Bobax.AA. Seventeen of the twenty-four antivirus programs used on that system reported "no virus found", though. Kaspersky reported "not-a-virus:Server-Proxy.Win32.AnalogX.414" while the McAfee scan reported "potentially unwanted program AnalogX-Proxy". Panda reported "Application/AnalogX-Proxy.A". Symantec did not report that it found anything amiss with the file. TheHacker reported "Aplicacion/AnalogX.414". UNA reported "I-Worm.Win32.virus" and VBA32 reported "RiskWare.Proxy.AnalogX.414". For the full report see VirusTotal Proxy.Exe.
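The two checks above, weighing a split multi-engine result and looking for the worm's host artefacts, can be written down so the same triage is repeatable. This is an added example, not code from the post or from any vendor; the engine verdicts are constructed from the VirusTotal figures quoted above (the 16 unnamed clean engines are placeholders), and the riskware label patterns and the "no two malware labels agree" rule are my own heuristics.

```python
import re
from collections import Counter

# Constructed from the per-engine verdicts quoted in the post; "" means the
# engine reported "no virus found". 7 detections + 17 clean = 24 engines.
VERDICTS = {
    "ClamAV": "Worm.Bobax.AA",
    "Kaspersky": "not-a-virus:Server-Proxy.Win32.AnalogX.414",
    "McAfee": "potentially unwanted program AnalogX-Proxy",
    "Panda": "Application/AnalogX-Proxy.A",
    "Symantec": "",
    "TheHacker": "Aplicacion/AnalogX.414",
    "UNA": "I-Worm.Win32.virus",
    "VBA32": "RiskWare.Proxy.AnalogX.414",
}
VERDICTS.update({f"other-{i:02d}": "" for i in range(16)})  # unnamed clean engines

# Label prefixes vendors use for legitimate-but-abusable tools (assumed set).
RISKWARE = re.compile(r"not-a-virus|riskware|potentially unwanted|^(application|aplicacion)/", re.I)


def classify(label: str) -> str:
    """Map one engine label to clean / riskware / malware."""
    if not label:
        return "clean"
    return "riskware" if RISKWARE.search(label) else "malware"


def triage(verdicts: dict, product: str) -> dict:
    """Summarise multi-engine results for a file believed to be `product`."""
    kinds = Counter(classify(v) for v in verdicts.values())
    # How many riskware-style labels actually name the tool we think this is.
    product_hits = sum(product.lower() in v.lower()
                       for v in verdicts.values() if classify(v) == "riskware")
    # Crude agreement check: first component of each malware-style label.
    prefixes = {v.split(".")[0] for v in verdicts.values() if classify(v) == "malware"}
    if kinds["malware"] * 2 > len(verdicts):
        call = "malware"
    elif product_hits and len(prefixes) == kinds["malware"]:
        call = "riskware-likely-false-positive"  # minority, disagreeing malware labels
    else:
        call = "inconclusive"
    return {"call": call, "counts": dict(kinds), "product_hits": product_hits}


def bobax_indicators(windir: str) -> list:
    """Host artefacts the post cites from Symantec's W32.Bobax.AA@mm write-up."""
    return [rf"{windir}\services.exe", rf"{windir}\msdefr.exe", r"C:\autorun.inf"]


def present_indicators(windir: str, exists) -> list:
    """Return the indicators that `exists` (e.g. os.path.exists) reports present."""
    return [p for p in bobax_indicators(windir) if exists(p)]
```

Even a "riskware-likely-false-positive" call only says the detection names are not in agreement; the host check with `os.path.exists` and `os.environ["WINDIR"]` is what settles it.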
The file may be identified as a potential risk by some antivirus software, because it is possible for it to be misused, but since I installed the software on the system for troubleshooting purposes, I don't want ClamWin identifying it as malware every time it scans the system. If the user reports a problem accessing a website from her system, I can attempt to make a connection myself from the system by activating the proxy server software. So I configured ClamWin to ignore the proxy.exe file when it checks the system. You can exclude proxy.exe from ClamWin's scans by taking the following steps in ClamWin:
- Click on Tools.
- Select Preferences.
- Click on the Filters tab.
- Click on the "new" button under "Exclude Matching Filenames". It is the second one to the right of "Patterns", between the "ae" and "X" buttons. Type proxy.exe and then click on OK.
I submitted a "false positive" report for ClamAV, which is used by ClamWin, to www.clamav.net/sendvirus.html.