Windows Notepad Infected? I'm confused...
JimXugle


Joined: 15 Dec 2006
Posts: 2
I have three computers: a desktop (mine, Windows SP2), another desktop (mine, Debian Linux), and a laptop (my school's, Windows SP2).

I have ClamWin installed on the Windows desktop and the Windows laptop (yes, I did get permission), and regular ClamAV (built from source) on the Debian machine. I have the latest virus definitions on all the machines.

I was scanning the laptop, and it finds the following files infected with a virus named "Trojan.SdBot-4031":
C:\I386\NOTEPAD.EX_
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe

When I scan the same files on the desktop, I get the same result. What's interesting is that when I scan my CD of Windows SP2 OEM edition, D:\I386\NOTEPAD.EX_ is infected with Trojan.SdBot-4031 also. When I copy all of the above mentioned files to my Debian machine, and scan them, they're all clean.

Is this a false positive? An error in the virus definitions? A genuine virus?

The files I've mentioned above can be found in http://www.xugle.com/Permalink/Notepad.zip.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
please scan your file on http://www.virustotal.com and post the results
pheldal


Joined: 15 Dec 2006
Posts: 4
alch wrote:
please scan your file on http://www.virustotal.com and post the results


Could it be a false positive? I see the same as OP, but no other AV-tools complain. A scan at virustotal.com shows nothing:

Code:
Complete scanning result of "infected.NOTEPAD.EXE", processed in VirusTotal at 12/15/2006 11:15:14 (CET).

[ file data ]
* name: infected.NOTEPAD.EXE
* size: 69120
* md5.: 519fdf04c56b40f86b5adb033167e1dc
* sha1: b097dd330c89dc18e465fd1a0c88c23fdc9e14c8

[ scan result ]
AntiVir   7.3.0.15/20061215   found nothing
Authentium   4.93.8/20061214   found nothing
Avast   4.7.892.0/20061214   found nothing
AVG   386/20061214   found nothing
BitDefender   7.2/20061215   found nothing
CAT-QuickHeal   8.00/20061214   found nothing
ClamAV   devel-20060426/20061215   found [Trojan.SdBot-4031]
DrWeb   4.33/20061215   found nothing
eSafe   7.0.14.0/20061214   found nothing
eTrust-InoculateIT   23.73.86/20061215   found nothing
eTrust-Vet   30.3.3252/20061215   found nothing
Ewido   4.0/20061214   found nothing
F-Prot   3.16f/20061214   found nothing
F-Prot4   4.2.1.29/20061214   found nothing
Fortinet   2.82.0.0/20061215   found nothing
Ikarus   T3.1.0.26/20061215   found nothing
Kaspersky   4.0.2.24/20061215   found nothing
McAfee   4919/20061214   found nothing
Microsoft   1.1804/20061215   found nothing
NOD32v2   1922/20061214   found nothing
Norman   5.80.02/20061214   found nothing
Panda   9.0.0.4/20061215   found nothing
Prevx1   V2/20061215   found nothing
Sophos   4.12.0/20061214   found nothing
Sunbelt   2.2.907.0/20061130   found nothing
TheHacker   6.0.3.132/20061214   found nothing
UNA   1.83/20061214   found nothing
VBA32   3.11.1/20061214   found nothing
VirusBuster   4.3.19:9/20061214   found nothing


Trojan.SdBot-4031 was recently added to the daily update-db from clamav. Could it be bogus? If not, MS has a serious problem as the alleged infected file is identical to the one distributed on the XP/SP2 CD.


//per
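The two checks made in the post above (only one engine flags the file, and the file is identical to the copy on the installation CD), written as an added example that is not part of the original thread. It parses the report format quoted above; the function names, the result labels and the "exactly one engine" rule are assumptions of this example.

```python
import hashlib
import re

# Excerpt of the report quoted in the thread, trimmed to four engines.
SAMPLE_REPORT = """\
[ file data ]
* name: infected.NOTEPAD.EXE
* size: 69120
* md5.: 519fdf04c56b40f86b5adb033167e1dc
* sha1: b097dd330c89dc18e465fd1a0c88c23fdc9e14c8

[ scan result ]
 AntiVir   7.3.0.15/20061215   found nothing
ClamAV   devel-20060426/20061215   found [Trojan.SdBot-4031]
Kaspersky   4.0.2.24/20061215   found nothing
Microsoft   1.1804/20061215   found nothing
"""

FIELD = re.compile(r"^\*\s*(\w+)\.?:\s*(\S+)\s*$")
ENGINE = re.compile(r"^\s*(\S+)\s+(\S+)/(\d{8})\s+found\s+(?:nothing|\[(.+)\])\s*$")

def parse_report(text):
    """Return (file fields, {engine: signature or None}) from a pasted report."""
    fields, verdicts = {}, {}
    for line in text.splitlines():
        if m := FIELD.match(line):
            fields[m.group(1)] = m.group(2)
        elif m := ENGINE.match(line):
            verdicts[m.group(1)] = m.group(4)  # None for "found nothing"
    return fields, verdicts

def digests(data):
    """The identifying fields the report prints, computed for local bytes."""
    return {"size": str(len(data)),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def triage(text, suspect, reference):
    """Classify a detection; `reference` is a copy from trusted media."""
    fields, verdicts = parse_report(text)
    hits = sorted(e for e, sig in verdicts.items() if sig)
    # The report must describe the file we hold, or its verdicts say nothing.
    if any(fields.get(k, "").lower() != v for k, v in digests(suspect).items()):
        return "report-mismatch", hits
    # Byte-identical to the trusted copy and flagged by one engine only:
    # a false-positive candidate to report to that engine's maintainers.
    if suspect == reference and len(hits) == 1:
        return "probable-false-positive", hits
    return "needs-analysis", hits
```

The reference copy has to come from media read on a machine other than the one being scanned, otherwise a match only shows that both copies are the same.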
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
It is a false positive and I submitted a report to ClamAV team. Thanks for notifying.
Thomas123


Joined: 04 Aug 2006
Posts: 5
I see the same problem with the "notepad.exe", it isn't infected!
How long does it normally take till the problems with the definition files are fixed?

Thanks
notepad.exe "virus"
zeefreak


Joined: 15 Dec 2006
Posts: 2
yeh i'm getting the same thing here. just installed 0.88.7 on a laptop last night to replace the about to expire norton. i allowed clamav to quarantine the files and restored from an xp sp2 cd. scanned again, and it quarantined again. unless it's missing something somewhere else on the system, i'd say this is a false positive.
haha
zeefreak


Joined: 15 Dec 2006
Posts: 2
sorry about the post repeating everything. i thought that the joined date was the post date, since latest appeared to be on top. thought it was bottom up timestamps, and thought that it was an old thread that maybe needed to be resurrected. looks like a lot of ppl joined yesterday. ;-)
JimXugle


Joined: 15 Dec 2006
Posts: 2
Awesome... So now I don't have to explain to my school officials how I got a virus on the brand new laptop 8-)
Iaspis


Joined: 05 Dec 2006
Posts: 4
Using the latest update, I can see it has been removed. Thanks ClamAV/Clamwin team!