wmiprvse.exe - "Trojan.Downloader-91205"
dipso


Joined: 24 Mar 2010
Posts: 9
Dear Sirs/Madams,

May I have some advice on this little item that ClamWin picked up:

wmiprvse.exe - listed by clam as "Trojan.Downloader-91205"
and listed by CP Secure as "BackDoor.W32.Agent.afqs"

Jotti scan result http://virusscan.jotti.org/en-gb/scanresult/6f5e27952d0cdc5baadb26941bd119c3f04798e8/d7da9d87c36c11dc6ba0a88d4f5d93a1ce085814 does not show any alarm bells from the other scanners, but I don't know whether to freak out or not.

Is this a false positive or a confirmed danger? I read a while back (mid 2009) that it was declared a false positive by some sites, but I don't know if the file has changed since then, or if it has become a target of an actual trojan etc.

The file was found here: C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\wmiprvse.exe

Any help would be great.
I hope this is in the right area.

Thank you,
Dipso
My guess is false positive
regi


Joined: 24 Mar 2010
Posts: 1
Clamwin found the same on one of my computers today, along with six other files identified as Trojans that I have since determined to be false positives. Ran wmiprvse.exe through Jotti and VirusTotal as well without warnings from other scanners.
dipso


Joined: 24 Mar 2010
Posts: 9
Thanks for replying regi! :)

May I ask if: When you ran the file wmiprvse.exe through jotti, did you get an alarm from CP Secure (besides clamwin)?

And I did not know about VirusTotal, so thank you for mentioning it.
GuitarBob


Joined: 09 Jul 2006
Posts: 4390
Location: USA
You can also look at the date when the file was put on your computer. If it was several months ago (or longer), it probably is a false positive. Of course some viruses are smart enough to change the date, but then you can right click on the Properties of the file in Windows Explorer to see when it was last modified. If it is recent, and you did not modify it, it is probably a virus.

Regards,
dipso


Joined: 24 Mar 2010
Posts: 9
Thanks for that piece of advice.

I checked, and it was created in Oct 2009, but modified in Feb 2009.
I think that's because I set up Windows in Oct, but the file itself was modified by Microsoft in Feb?
GuitarBob


Joined: 09 Jul 2006
Posts: 4390
Location: USA
A modification date that is older than the actual creation date could be a sign that the file is infected.

Jotti/VirusTotal only provide the results of a static scan of a file. Here are some more places you can check a file out. These places will actually run the file and give you a report, so this is the last word, and it's better than running the file on your own machine to see what it does. Try Threat Expert at http://www.threatexpert.com/submit.aspx on the web or Anubis at http://anubis.iseclab.org/ on the web. Threat Expert will often give you a threat rating if a file is "evil."

The two places mentioned above can only deal with Windows executable files. You can check out Javascript, PDF files, Flash files, or URL locations at Wepawet, located at http://wepawet.iseclab.org/ on the web.

Regards,
dipso


Joined: 24 Mar 2010
Posts: 9
Thanks for those links. Bookmarked them all for future use! :)
dgermann


Joined: 21 Mar 2010
Posts: 12
Hi--

Anubis is reporting this as malware, if I am reading the report correctly:
http://anubis.iseclab.org/?action=result&task_id=12688be8828f53154397747e2aca813e2&format=html

Is that how you read it too?
GuitarBob


Joined: 09 Jul 2006
Posts: 4390
Location: USA
No, I don't think there is anything "evil" indicated there. The wmiprvse.exe file has something to do with the Windows Security Center, among other administrative stuff. It is usually okay if a program reads registry keys, does some mapping of computer resources, and even creates a registry key or two of its own.

If it is an evil file, you will probably see multiple registry entries, some open ports/attempts to contact someone, and sometimes a lowering/bypassing of Windows security. More than likely the Anubis report would be "busy" with lots of items.

I prefer to use Threat Expert (TE) over Anubis because TE reports (emailed) are usually better (not always). TE usually gives you a threat rating if the file is evil--you will see yellow/red blocks. TE also tells you what other AVs also say a file is evil.

Regards,
saintgeorge


Joined: 11 Feb 2010
Posts: 2
Location: germany
Hi,

ClamWin 0.95.3 also detected this file as infected on my computer today:
Quote:
C:\WINDOWS\system32\dllcache\wmiprvse.exe: moved to 'C:\Dokumente und Einstellungen\All Users\.clamwin\quarantine\wmiprvse.exe.infected'

C:\WINDOWS\system32\wbem\wmiprvse.exe: moved to 'C:\Dokumente und Einstellungen\All Users\.clamwin\quarantine\wmiprvse.exe.infected.000'

C:\WINDOWS\system32\dllcache\wmiprvse.exe: Trojan.Downloader-91205 FOUND

C:\WINDOWS\system32\wbem\wmiprvse.exe: Trojan.Downloader-91205 FOUND

First I deleted the infected files. Then I searched with the XP Search Engine. It found two files with this name, one in C:\WINDOWS\system32\wbem; the other in C:\WINDOWS\ServicePackFiles\i386; and a Prefetch File WMIPRVSE.EXE.

I sent both files to VirusTotal; result: zero (of 42). I also sent them to ThreatExpert. Here are the URLs:

http://www.threatexpert.com/report.aspx?md5=f3a045bc55e307705665c263d91e8c88

http://www.threatexpert.com/report.aspx?md5=971132068954f67ff53d4b82fcad844c

I did another scan and ClamWin detected no infection anymore.
Google returned only old entries from 2005 or 2007 for the number of the Downloader. So I suppose this was a f/p.
Regards
saintgeorge
dipso


Joined: 24 Mar 2010
Posts: 9
Thanks for all the extra info.

I'm off to read other sections of ClamWin's forum. There's a lot of useful stuff here!
GuitarBob


Joined: 09 Jul 2006
Posts: 4390
Location: USA
SaintGeorge: yes, it looks like you had a couple of false positives. You should not delete any files in Windows until you have verified ClamWin's detection as a positive infection via either Jotti, VirusTotal, or Threat Expert. You could lose access to Windows on your computer if you delete an important file that had a false positive detection. Notice on the Threat Expert report, there was nothing bad there--no threat rating, no ports opened to communicate with a location on the web, no attempt to bypass/lower Windows security--it was a short report.

In the future, always upload false positive files to Clam AV at http://www.clamav.net/lang/en/sendvirus/ on the web so they can "fix" them. On the upload form, be sure to check "false positive", fill in the name of the falsely detected virus, and tell why it is a false positive in the Comments section. You will be helping to improve ClamWin when you do.

Regards,
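Pulling together the checks this thread applies before trusting or deleting a flagged file (how many of the Jotti/VirusTotal engines agree, whether the copy sits in one of the wmiprvse.exe locations quoted above, and the created-vs-modified date comparison), here is an added Python triage helper; it is not ClamWin's code, and the engine names beyond ClamWin and CP Secure, the 42-engine total and the timestamps are constructed sample data.

```python
import ntpath
from dataclasses import dataclass
from datetime import datetime

# Directories where a genuine wmiprvse.exe lives on Windows XP, taken from the
# paths quoted in this thread (the $hf_mig$ hotfix tree is matched by prefix).
EXPECTED_DIRS = (
    r"c:\windows\system32\wbem",
    r"c:\windows\system32\dllcache",
    r"c:\windows\servicepackfiles\i386",
    r"c:\windows\$hf_mig$",
)

@dataclass
class Verdict:
    detections: int                # engines that flagged the file
    engines: int                   # engines consulted
    in_expected_location: bool
    modified_before_created: bool  # worth a closer look, not proof either way

    @property
    def likely_false_positive(self) -> bool:
        # One or two hits out of dozens, on a file sitting where the OS keeps
        # it, is the pattern this thread ended up calling a false positive.
        return (self.detections <= 2 and self.detections * 10 < self.engines
                and self.in_expected_location)

def in_expected_location(path: str) -> bool:
    # ntpath handles Windows paths on any platform; normcase lowercases them.
    d = ntpath.dirname(ntpath.normcase(path))
    return any(d == e or d.startswith(e + "\\") for e in EXPECTED_DIRS)

def triage(path, created, modified, scanner_results):
    """scanner_results maps engine name -> detection name, or None when clean."""
    hits = sum(1 for name in scanner_results.values() if name)
    return Verdict(hits, len(scanner_results), in_expected_location(path),
                   modified < created)

# Constructed sample mirroring the thread: ClamWin and CP Secure flag the file,
# 40 other engines are clean (2 of 42), created Oct 2009, modified Feb 2009.
SAMPLE_RESULTS = {"ClamWin": "Trojan.Downloader-91205",
                  "CP Secure": "BackDoor.W32.Agent.afqs",
                  **{f"engine{i}": None for i in range(40)}}

def sample_verdict(path=r"C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\wmiprvse.exe"):
    return triage(path, datetime(2009, 10, 1), datetime(2009, 2, 1), SAMPLE_RESULTS)

if __name__ == "__main__":
    v = sample_verdict()
    print(v, "-> likely false positive:", v.likely_false_positive)
```

A verdict of "likely false positive" is a reason to send the file to ClamAV's false-positive form rather than to delete it; a file outside the expected directories, or with many engines agreeing, is the case for the sandbox reports mentioned earlier in the thread.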
dipso


Joined: 24 Mar 2010
Posts: 9
Out of curiosity, when people submit "false positives", how closely do the clam team look at the submission?

Are the files automatically excluded from the definitions, or is there more examination?
GuitarBob


Joined: 09 Jul 2006
Posts: 4390
Location: USA
False positives are processed just like virus submissions. All submissions are checked with several in-house AVs. A sigmaker selects the file/program and then runs it on an isolated PC/virtual machine to see if it exhibits any malicious items/actions. If it is malicious, the sigmaker then prepares a signature, based on file size, type, and characteristics.

Regards,
dipso


Joined: 24 Mar 2010
Posts: 9
Good to know :D

I was worried that all false positives go right to an automated software that adds them.

You must get gazillions of entries to go through each day :O