Missed - again
Why didn't VIPRE spot & kill these 2 trojans detected in a Deep Scan yesterday (20th Feb)?
Trojan: BehavesLike.Win32.Malware (v)
Trojan: Trojan.Win32.Packed.gen (v)
It's one thing missing stuff that's brand new, but these two (in various guises) have been around a while.
Thank you for posting! Please make sure that Vipre is on the most current definitions.
1. Right click on the VIPRE icon that is down by the time clock.
2. Click 'Check for updates.'
If Vipre is up to date, it will tell you that you have the latest definition version.
Next, let's reboot the computer and tap F8 when the computer is first starting. Select Safe Mode and run a Full Deep scan of the machine>Clean Threats. It will now be safe to restart into regular Windows. If it is still not finding a threat, please submit information about this threat for research.
1. Click on the following link to be directed to our research page. http://research.sunbelt-software.com/...
2. Please fill out the information form that is presented to you.
3. Please include any other information you can about the threat in the description box.
4. When you are done, please click on the 'submit' button.
Once you have submitted this information to us, our research department will then look at this information and add this malware to our threat database.
Because researching a new malware or variant of an existing malware takes time, it may not be reflected in our definitions for several days. Maintaining the most recent definitions will ensure that when the threat is added, it will be detected in a VIPRE scan. By default, VIPRE is set to update its definitions every two hours. -
I've done that more than once. What seems the obvious thing to do is to send a scan log file for you to read in via the research page mentioned above.
However, I cannot see any folder which holds the log files so that I can attach the appropriate log.
Please advise. -
Robin, also are you running VIPRE Consumer or Enterprise? The Consumer definitions are currently at build 5003. Make sure you're running this new definition build, which shipped last night and has a substantial amount of additional detections.
-
I am running VIPRE Consumer (what I call the "Whole-House" licence).
I am always up-to-date with definitions, including 5003. My PCs are set to run regular Quick and Deep Scans. I am an update obsessive. :-) -
Robin, please contact us directly at Support@sunbeltsoftware.com so that we can further assist you with removing the threat.
-
I really feel that those replying ought to read my original (and subsequent posts) rather more carefully.
I did not ask for help in removing the threats. What I asked is clearly set out in my original question.
I asked one question.
Then I gave the names of the Trojans.
Finally, I made a comment which implied - clearly, I thought - that VIPRE should have spotted these Trojans coming in and blocked them.
My original question has not been answered.
I’m getting irritated.
-
Robin,
The problem is that BehavesLike.Win32.Malware (v) and Trojan.Win32.Packed.gen (v) are both generic VIPRE detections that encompass hundreds of thousands, if not millions of trojans. So, it's impossible to tell what files these are.
As to the statement that "VIPRE didn't spot and kill these two trojan", we're having a difficult time understanding how this is possible. If VIPRE detected these, then VIPRE "spotted" them. Is the issue that we're not removing these trojans?
At this point, it may be that the only thing we can do is actually look at these files to understand what's going on. Feel free to email them to me directly, alex@sunbeltsoftware.com, in a password-protected zip file (use the password "infected").
Alex Eckelberry
CEO, Sunbelt Software -
Alex,
Thank you for your reply. I appreciate your time.
Whilst we are in danger of splitting hairs and of me being pedantic, my point was not that they weren't found, after a deep scan, but that they weren't blocked in the first place - before they installed themselves on two of my PCs. I've assumed that Active Protection would do that.
You say the two trojans I mention are both generic VIPRE detections. That seems to imply that VIPRE would have spotted them "coming in", so-to-speak, and just killed them - not leave to be found if I happened to run a scan.
As to sending you the files, I would if I knew where they were now that the scan process has removed them. I've a 3rd computer on which I could try a deep scan. -
Me too, found these this morning.
Trojan: BehavesLike.Win32.Malware (v)
Trojan: Trojan.Win32.Packed.gen (v) -
Doug, what files were flagged? Were they removed? Can you give a little more data?
-
Robin, you are correct that AP would have caught them the first time around. However, Behaves.Like is a new detection that was only available Friday evening. So if you had detection off of that in a deep scan, it's either a) something that VIPRE earlier missed or b) a false positive.
-
Err... not sure that I understand "if you had detection off of that in a deep scan".... is there a word wrong there?
I can accept that things can be missed if they're really, really new. The notion of a "false positive" is one I know about - but it's not entirely clear to me what you mean by that.
Looking through this thread it's clear that the three of you that have contributed still seem to avoid direct answers to some questions.
For example, I've asked 2 direct questions about dealing with scan results, both of which relate to sending you files. Neither question has been addressed.
If none of you have the time, knowledge or inclination to answer them, perhaps they could end up in a FAQ? -
Robin,
I think the problem here is semantics.
Perhaps a bit of explanation is necessary. These two detections are not exact signatures. An exact signature detection would be a detection that looked for specific indications of malware in file.
"Behaves.like" is a behavior detection, meaning it looks at the behavior of a file. "Trojan.packed.gen" is a heuristic detection, meaning it looks at patterns in a file. These are detections design to deal with unknown threats.
There is a small chance that these detection methods will result in a false positive, meaning that a legitimate file will be tagged as malware.
"Behaves.like" is a new detection that we launched Friday evening. This is what I meant by "if you had detection off of that in a deep scan", the antecedent being "Behaves.like". If you had a detection in VIPRE based on this behavior detection, it could be a false positive.
It could also be a legitimate detection. Even if the files were months old, it's not necessarily bad. It could be a harmless remnant of a prior bad file, or it could be a low-risk piece of adware.
However, without seeing the files, it's difficult to know what happened. In the future, you can submit the files to Sunbelt and we will gladly analyze them for you and tell you what they are. You can send the files to support@sunbeltsoftware.com, in a password-protected zip file. -
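Added illustration, not code from Sunbelt or from anyone in this thread: a toy version of the kind of heuristic "packed file" check behind a generic name like Trojan.Win32.Packed.gen (v). It shows why such a detection cannot tell a packed dropper from a legitimate compressed resource (the false-positive case Alex describes, and the quarantined sglist32.dll reported later in the thread), and how an administrator's allow list (the "Admin Known Good" / always-allow list) resolves it. The entropy threshold, file names and byte samples are all constructed assumptions.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~0 for padding, ~8 for random or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Hypothetical cut-off: data this dense is treated as packed/encrypted.
PACKED_THRESHOLD = 7.2

def looks_packed(data: bytes) -> bool:
    return shannon_entropy(data) >= PACKED_THRESHOLD

def classify(name: str, data: bytes, known_good) -> str:
    """Generic heuristic verdict, with the administrator's allow list checked first."""
    if name.lower() in known_good:
        return "allowed"
    return "Trojan.Win32.Packed.gen (v)" if looks_packed(data) else "clean"

def _dense_bytes(seed: int, n: int) -> bytes:
    # Seeded PRNG stands in for compressed/encrypted content, which is near-random.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# Constructed samples, not real files: a plain tool, a packed dropper and a
# legitimate DLL whose embedded compressed resource looks just as dense.
SAMPLES = {
    "plain_tool.exe": b"MZ" + b"\x00" * 2000 + b"This program cannot be run in DOS mode.\r\n" * 20,
    "packed_dropper.exe": _dense_bytes(1, 4096),
    "sglist32.dll": _dense_bytes(2, 4096),
}

def run(known_good=frozenset()) -> dict:
    """Verdict per sample; the heuristic alone flags both dense files identically."""
    return {name: classify(name, data, known_good) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    print(run())                                  # sglist32.dll flagged
    print(run(known_good={"sglist32.dll"}))       # sglist32.dll allowed
```

The heuristic sees only byte statistics, so the false positive can only be settled by examining the file itself, which is why Sunbelt asks for a copy.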
Semantics is fun. Honest. It's the English teacher & Public Examinations marker in me. I know how to use apostrophes! :-)
I accept what you say and thanks for the offer of looking at files.
btw, I love the low-key way you describe yourself as an "Employee". It's a bit like going into a Microsoft forum and seeing one of their people signing themselves as "Steve Ballmer - employee". Only he doesn't.
Finally, how about telling me/us all how to find a scan's log file in case it was useful to send.
Thanks
-
In case this is of use to anyone else following this thread, I also got a few indications for BehavesLike.Win32.Malware (v), and then found that the file associated with it was the same file on all three systems. The affected file was quarantined OK, but then I found that none of my Sage Accounts or Payroll software would start, and they complained of a missing file - which was in quarantine.
I traced the file to a dll installed in many versions of Sage Line 50 Accounts and Sage Payroll applications. The file name was sglist32.dll, and it lives in the windows\system32 folder.
Restoring it from quarantine and adding it to the always allow list got me back up and running. I have reported this as a potential false positive.
All the best,
Keith A -
Keith, we know about it and it's fixed in the next definition release. I'm sorry about that, it's a rather bizarre false positive that crept into the definitions. -
Hi Robin,
There are a couple of ways to get scan results. The easiest (and what I do) is go to Manage | History | Scan, double-click on a scan, select all the items, then right-click and choose copy. Then paste the results into an email to support@sunbeltsoftware.com
We are going to make this a much easier task in a future release; for now, this is the most straightforward method.
Alex
[And hey, don't blow my cover ;-)] -
Thanks for that info, Alex.
All my questions answered, I think. Shouldn't I say "That's a wrap."?
-
Robin, do you mean Vipre found them but didn't automatically do anything about it? It found BehavesLike.Win32.Malware on my computer last night, in a deep scan, and told me today in the scan results, but I think I have my preferences set to let me decide whether to take Vipre's advice on any action it proposes, so it was waiting for me to authorize the proposed quarantine/disinfect.
-
Hi guys,
So let me get this straight, BehavesLike.Win32.Malware (v) could indeed be a false positive?
We are currently running Counterspy Enterprise v3 and we noticed yesterday that everyone in my office was infected with BehavesLike.Win32.Malware (v). We’ve been going crazy trying to figure out what was going on. Now that the scan has run we find ourselves running repairs on just about everyone’s machine in order to get normal desktop applications up and running again.
You guys should really consider posting this on your website.
Personally I’m quite frustrated with the confusion and time this has caused my staff and company. -
Stephen, the reality is that without looking at it, I don't know if your file is real malware or a false positive. You can always send us files to falsepositve (at) sunbeltsoftware.com and our team will look at it. Or, you can submit files through our research center, at research.sunbeltsoftware.com
-
Hi Alex,
I understand that there is a chance they are infected however I’m inclined to think it’s unlikely at this point due to a few reasons:
1. This problem only popped up yesterday after you released the update.
2. We received alerts that 95% of our users were somehow infected with this Trojan.
3. We currently rely on multiple vendors to provide desktop level protection and have yet to receive any other alert. In addition we’ve installed alternative applications to run scans none of which report a problem.
4. The file that is being removed affects an application we use on a daily basis. This has essentially forced us to run a repair on just about everyone's machine.
I’m glad I was lucky enough to stumble onto this thread, but feel bad for those who may not be.
Thanks,
Steve -
Steve,
If you think it's an FP, then put it in the Admin Known Good for now. We really could use that file, if you send it to falsepositives (at) sunbeltsoftware.com (or, you can right click on the file in quarantine and send it to Sunbelt -- we do get those submissions).
We'll figure this one out, I'm sorry for the hassle. -
Hi Alex,
Yes, that's exactly what we ended up doing. We'll be sending the file over shortly.
Thanks for your concern and timely response on this thread. Not many individuals at your level would have taken the time to do this.
Steve -
Stephen, no problem and it's my pleasure. In the future, you can always email me directly if you're not getting the rapid response you deserve as a customer -- my email is alex(at)sunbeltsoftware.com.
-
Jessie,
In answer to your question (as I stated in the original post in this thread) my concern was not that VIPRE found them and quarantined them after a deep scan, but that it didn't block them in the first place and prevent them from going onto my hard drive.
I've no complaints about VIPRE finding and dealing with stuff (except AntiVirus 2008/9 which it seems unable to clean).
Furthermore, I think that Alex has demonstrated that Sunbelt Software gets there in the end! As Stephan intimates above, a very senior response is much appreciated. -
Ok, now I'm confused! I have CounterSpy and I left my computer running a deep scan last night, then I woke up to find that CounterSpy detected Trojan.Win32.Packed.gen (v).
Went to the Sunbelt website and it is listed as a threat here: http://research.sunbelt-software.com/...(v)&threatid=402458 and here it is being mentioned as a probable false positive?
How can I find out what to do now? Clean, delete, quarantine? My definitions are up to date.
The previous CS version used to tell me the location of the file; with this one I don't know how to locate them.
-
misktonic, when you look at the scan results it should list the file that it thinks is part of that threat. Or if you look in the quarantine it should also list the file that was quarantined.
-
Misktonic,
If you double click on the threat name shown in the results window it will give you more information about this threat. If you believe a file to be a false positive you can submit it to us at falsepositives (at) sunbeltsoftware.com and we'll check the file for you. Alternatively, you could use a website such as http://www.virustotal.com/ which allows you to upload the file and have it scanned by several different anti-virus engines. This can help give you a better idea of whether the file is a real threat or just a false positive. -
Okay, I have some info to add to Robin's problem.
I'm using both your 30-day trial Firewall and Anti-viral/spyware software and have run into the same problem. Note that last Sunday (1 Mar Y2K+9), I re-formatted my hard-drive and re-installed everything. The Sunbelt Firewall and Anti-viral/spyware are the only applications onboard (no AVG, Norton, or SpyBot) so I should be flying with the latest and greatest updates.
Yesterday, I ran a deep scan and a trojan was discovered. However, when I tried to quarantine the critter, I immediately suffered a BSD (blue screen of death). On the second try, I went straight to the folder, found the wascal identified by the Vipre and as I placed the mouse pointer on the line, again the BSD came back to haunt me.
The following is what I was able to glean:
1) Trojan.Win32.Packed.gen (v)
2) Location - C:\Windows\Software Distribution\Download\
3) File identified by Vipre - ed6e0C9941102574f2d58e1312b17b5989f14288
4) The file is 295 Kbytes
5) BSD display:
a) No_MORE_IRP_STACK_LOCATIONS
b) STOP: 0x85A3a730, 0x00000000, 0x00000000, 0x00000000
c) Takes approximately 10 minutes to complete a physical core dump.
I would very much like to know what I need to do to quarantine and erase this bug in my system. So far, I like the ease of use for both firewall and anti-viral/spyware applications and was going to purchase both within the next 10 to 14 days. But not being able to eliminate a file designated as a high level threat is not a game maker. In the meantime, I'm installing SpyBot to see if it can nip this threat in the butte. By the way, SpyBot didn't catch the Trojan, however it did find 4 entries of Microsoft.Windows.RedirectedHosts. -
DAA !! -- this looks like a false positive. Rescan your system with definitions 5025 (available shortly) and see if it still shows up.