C:\$WINDOWS.~Q\DATA\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Users\admin\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Users\Liza\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab: W32.Virut.Gen.D-163 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 649885
Engine version: 0.95.3
Scanned directories: 22209
Scanned files: 153257
Infected files: 6
When I checked the contents of one of the desktop.ini files, I found the following:
C:\Users\Liza\Desktop>type desktop.ini
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
I suspected it was a false positive, and I found someone else reporting it as a false positive in the ClamWin Free Antivirus Support and Discussion Forums at False Positive for worm.autorun.2190. The posting was made on Sat Nov 14, 2009 11:50 pm.
Clamwin 095.2 and 0.95.3(updated 11/14/09) both are giving false positives for worm.autorun.2190 in Vista's desktop.ini.
After getting one for User1 (account never gets used) I created User2 and scanned immediately. Got this:
C:\Users\User2\Desktop\desktop.ini: Worm.Autorun-2190 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 649880
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 2.619 sec (0 m 2 s)
--------------------------------------
Completed
It's just a text file and both the dlls it references scan clean. You should fix it.
A respondent, who posted on November 15, stated the following:
The ClamWin team can't fix false positives. Clam AV furnishes the scanning engine and signature database for ClamWin. You should upload a copy of any false positive files to Clam at http://www.clamav.net/sendvirus/ on the web. Upload the file, indicate it is a false positive, and give them the name of the virus. It will not get fixed until you do this.
The original poster responded "I already have."
I uploaded the desktop.ini file to Virustotal, which is "a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines." It reported the file had already been analyzed by 41 antivirus programs.
File has already been analysed:
MD5: 9e36cc3537ee9ee1e3b10fa4e761045b
First received: 2009.02.12 15:35:31 UTC
Date: 2009.11.15 10:52:57 UTC [<1D]
Results: 1/41
Permalink: analisis/4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026-1258282377
The analysis showed only one of the forty-one antivirus programs reporting the file as infected. The one that reported the file as infected was ClamAV 0.94.1, which reported the file as infected with Worm.Autorun-2190. ClamWin relies on ClamAV, so that might be expected.
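The two checks above, pulling the FOUND lines out of a ClamWin scan log and confirming that a flagged desktop.ini only points at system DLLs that can be hashed and looked up on a multi-engine site, can be scripted. The following Python helper is an added example, not code from the original post or from ClamWin; the log lines and desktop.ini text are constructed samples in the same format the post shows, and the helper assumes the desktop.ini has already been decoded to a string (real ones may be UTF-16).

```python
import configparser
import hashlib
import re

# Constructed sample in the same "path: Signature FOUND" format ClamWin/clamscan print.
SAMPLE_LOG = """\
C:\\Users\\Liza\\Desktop\\desktop.ini: Worm.Autorun-2190 FOUND
C:\\Windows\\SoftwareDistribution\\Download\\daa4e3a0ea4e94aba329bc28d3b354b1\\xlconv.cab: W32.Virut.Gen.D-163 FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
"""

# Constructed sample with the keys the stock Vista desktop.ini carries.
SAMPLE_DESKTOP_INI = """\
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21769
IconResource=%SystemRoot%\\system32\\imageres.dll,-183
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def parse_clamscan_log(text):
    """Return {signature: [paths]} for every 'path: Signature FOUND' line;
    'moved to quarantine' and summary lines are ignored."""
    hits = {}
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.setdefault(m.group("sig"), []).append(m.group("path"))
    return hits

def desktop_ini_references(ini_text):
    """List the DLLs a desktop.ini points at: those are the files worth hashing and scanning."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # '%' is literal here
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(ini_text)
    refs = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key in ("LocalizedResourceName", "IconResource", "IconFile"):
                refs.append(value.lstrip("@").split(",", 1)[0])  # drop '@' prefix and ',-resourceid'
    return refs

def lookup_hashes(data):
    """MD5 and SHA-256 of file bytes, the values multi-engine sites key their reports on."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

if __name__ == "__main__":
    for sig, paths in parse_clamscan_log(SAMPLE_LOG).items():
        print(sig, "->", paths)
    print(desktop_ini_references(SAMPLE_DESKTOP_INI))
    print(lookup_hashes(SAMPLE_DESKTOP_INI.encode()))
```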
Just to raise my confidence level even further that ClamWin was reporting a false positive in this case, I submitted C:\Windows\System32\Shell.dll to Virustotal for analysis. In this case, as with most Windows systems, %systemroot% equated to C:\Windows. Virustotal reported that a file with the same MD5 checksum had been analyzed previously and all forty-one antivirus programs with which it checked the file reported it as uninfected.
File has already been analysed:
MD5: 518c6116079414e7074e726925d07a41
First received: 2009.09.10 17:28:22 UTC
Date: 2009.11.12 23:01:02 UTC [>2D]
Results: 0/41
Permalink: analisis/419db5cb061eaa5dcc4e6c91e02889c3681da9f69d663a891fbdc3df591a9247-1258066862
I attempted to upload C:\Windows\system32\imageres.dll to Virustotal as well, but received an error message from the website before the upload completed. So I uploaded it to VirSCAN, another site that will scan uploaded files with many antivirus programs, instead. It reported the file had been uploaded before and that none of the thirty-seven antivirus programs it used to scan the file reported it as infected (see scanner results).
When I checked the cab files, I found the following:
C:\>dir C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab
 Volume in drive C has no label.
 Volume Serial Number is 2DF8-C431

 Directory of C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b

10/27/2009  04:35 PM         8,906,746 excel.cab
               1 File(s)      8,906,746 bytes
               0 Dir(s)  264,225,153,024 bytes free

C:\>dir C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab
 Volume in drive C has no label.
 Volume Serial Number is 2DF8-C431

 Directory of C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1

10/27/2009  04:34 PM         7,753,385 xlconv.cab
               1 File(s)      7,753,385 bytes
               0 Dir(s)  264,223,055,872 bytes free
I checked the contents of C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab with WinRAR. The only file within it was xlconv.msp.
I uploaded it to VirSCAN.org for analysis. The VirSCAN analysis showed only 1 of the 37 antivirus programs it used as reporting the file as infected. That one was ClamAV, which reported W32.Virut.Gen.D-163.
I then uploaded C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab to VirSCAN. Like the other .cab file, only ClamAV, out of the 37 antivirus programs used by VirSCAN, reported an infection. Again, ClamAV reported W32.Virut.Gen.D-163. See VirSCAN analysis of excel.cab.
I also uploaded the excel.cab to Jotti's malware scan site, which is another site that will check uploaded files with multiple antivirus programs. It also reported the file had been scanned before and that, of the 21 antivirus programs it used, only ClamAV reported it as infected. See Jotti analysis of excel.cab.
I also found someone else reporting ClamWin falsely identifying these two cab files as containing malware at False Positive Virus Threats. He posted on Friday, November 13, 2009.
I had a problem with this before, it killed my excel on MS Office 2007. I experienced it again yesterday, I am running 10 machines, I am running Windows base and Linux base machines. I have found that it only happens with the Clamwin version which I updated to ClamAV 0.95.3. As stated I also run (prefer) Linux machines, I have copied the suspect files to an external storage device, and scanned these files using the built-in antivirus (ClamAV Linux version) to scan the storage drive and it found nothing. None of the files identified by the Windows version were seen as a threat by the Linux versions. I hope this will help in the attempt to correct this issue. P.S. these files are still showing up as threats.
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND
C:\Windows\Installer\1495bd.msp: W32.Virut.Gen.D-163 FOUND
C:\Windows\Installer\1495d5.msp: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\d16f45aa864340ccf36504588c6fae4b\excel.cab: moved to 'C:\ProgramData\.clamwin\quarantine\excel.cab.infected'
C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\daa4e3a0ea4e94aba329bc28d3b354b1\xlconv.cab: moved to 'C:\ProgramData\.clamwin\quarantine\xlconv.cab.infected'
Someone responded to that poster on November 13 by stating "There was a MS Office update, the False positive will be rectified promptly." I just installed ClamWin on the laptop and updated its definitions today, so as of November 15 the false positives seem to be still occurring.
The laptop has Norton Internet Security 2009 on it and has been recently scanned with that software, which has reported nothing but cookies found. I also scanned the system with Spybot Search & Destroy on November 1 and Malwarebytes' Anti-Malware on November 14 with neither reporting any problems. I started a scan with Microsoft Windows Defender yesterday evening, which completed today, November 15. It also did not find any malware. So I'm 99% confident at this point that ClamWin is reporting a false positive for desktop.ini and fairly confident that its identifications of malware within xlconv.cab and excel.cab are also false positives.
I submitted excel.cab as a false positive at ClamAV VirusDB submission, which provides a form for uploading files a submitter feels are infected but not identified by ClamAV, or those that the submitter believes are false positives. The form asks submitters to not submit more than two files per day. Since someone else reported that he had already submitted desktop.ini, I didn't submit it. I didn't submit xlconv.cab, either. I'm going to scan the files on the system again in a few days with whatever antivirus definitions are available then to see if ClamWin stops reporting the files as infected.
The information for ClamWin on the system now is as follows:
ClamAV 0.95.3
Protecting from 650576 Viruses
Virus DB Version: (main: 51; daily: 10025)
Updated: 22:40 14 Nov 2009
Interestingly, when I turned on the display of system and hidden files and folders, right-clicked on the desktop.ini file for the user account desktop, and chose "Scan with ClamWin Free AntiVirus", it reported the file as uninfected. Scanning the two .cab files that way, though, led to ClamWin still reporting them as infected.