ClamWin Free Antivirus Support and Discussion Forums
Trojan.Rootkit-1835 - False Positive?
Peter B.


Joined: 30 Aug 2008
Posts: 0
Hello:

Yesterday, using ClamWin on an XP SP3 machine, I updated the detection database and scanned the C drive.

ClamWin found multiple instances of 'Trojan.Rootkit-1835' in various locations, associated with various files:

C:\I386\ATAPI.SY_: Trojan.Rootkit-1835 FOUND
C:\I386\SP3.CAB: Trojan.Rootkit-1835 FOUND
C:\Program Files\Dell\DBRM\osmedia\I386\ATAPI.SY_: Trojan.Rootkit-1835 FOUND
C:\Program Files\Dell\DBRM\osmedia\I386\SP3.CAB: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\Driver Cache\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\drivers\atapi.sys: Trojan.Rootkit-1835 FOUND

I did a web search and found that Trojan.Rootkit-1835 had only been added to the detection rules 12/13/09, and could find no other documentation about it.

I'm _hoping_ these are false positives, and wondering if anyone else has reported them as such?

(The computer is remote from me and I may not be able to access it again for several days in order to upload files.)

Thanks very much for your time.

Peter B.

-----
scarlett_156


Joined: 06 Jun 2008
Posts: 0
Location: eastern rural Colorado (USA)
Same thing happened to me on last night's scan:

C:\Documents and Settings\All Users\Application Data\AOL Downloads\updateni_setup90\comps\fw\nisale.exe: Trojan.Onlinegames-2023 FOUND
C:\WINDOWS\Driver Cache\I386\DRIVER.CAB: Trojan.Rootkit-1837 FOUND
C:\WINDOWS\Driver Cache\I386\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\ServicePackFiles\i386\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\ServicePackFiles\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\SYSTEM32\DLLCACHE\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys: Trojan.Rootkit-1835 FOUND



I simply deleted all these files and it didn't cause a problem, but I am wondering if they are false positives.

Thanks! xoxo
jenifera2


Joined: 14 Dec 2009
Posts: 0
Another result here that has me a little worried, though I think it's highly unlikely I have a virus.
Peter B.


Joined: 30 Aug 2008
Posts: 0
Today's ClamAV database update shows:

Submission-ID: 12241592
Sender: Virus Total
Sender: iseclab
Submission notes: Already detected as Trojan.Rootkit-1835
Added: No
Virus name alias: Rootkit.Win32.TDSS.u (Kaspersky AVP), BackDoor.Tdss.565 (Drweb), Rootkit.TDSS.AH (Bitdefender)

... and there is information available about some of the aliases on the web... but nothing to confirm the ClamWin scan result as a true or false positive.

Any suggestions for verification and/or how to deal with the rootkit if found to be malicious?

Thanks Again.

Peter B.

-----
scarlett_156


Joined: 06 Jun 2008
Posts: 0
Location: eastern rural Colorado (USA)
Rootkits are traditionally trickier to remove than other kinds of viruses, but when I deleted these files it seemed they were really gone. I'm going to scan again and see what happens. (And of course it will be interesting to see what the Clamwin mods have to say!)
pasha_1776


Joined: 14 Dec 2009
Posts: 0
ME TOO!

Similar phenomenon.
(Many AV products do not confirm these findings: Avast, Malwarebytes, SuperAntiSpyware, Spybot, a2, Ad-Aware, ESET Online Scanner. VirusTotal confirms the results ONLY from ClamWin (ClamAV) and a virus scanner that is no longer available for home use.)

This machine seldom if ever ventures onto the internet except to update malware signatures or upgrade software. (This is the second pass on a slow machine, aborted after the C:\ drive was complete.)




Scan Started Mon Dec 14 04:03:45 2009
-------------------------------------------------------------------------------

C:\hiberfil.sys: Permission denied
C:\WINDOWS\system32\config\default: Permission denied
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\config\SECURITY: Permission denied
C:\WINDOWS\system32\config\software: Permission denied
C:\WINDOWS\system32\config\system: Permission denied

Scanning aborted...

C:\Documents and Settings\All Users\Application Data\CFBD8779-FAAB-4357-84F2-1EC8619FADA6\Ad-AwareInstallation.res: Adware.Toolbar.Gameztar-1 FOUND
C:\Program Files\Lavasoft\Ad-Aware\Download Guard for Internet Explorer.exe: Adware.Toolbar.Gameztar-1 FOUND
C:\WINDOWS\Driver Cache\i386\driver.cab: Trojan.Rootkit-1837 FOUND
C:\WINDOWS\Driver Cache\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\ServicePackFiles\i386\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\ServicePackFiles\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\drivers\atapi.sys: Trojan.Rootkit-1835 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 670315
Engine version: 0.95.3
Scanned directories: 3254
Scanned files: 30001
Infected files: 7
Data scanned: 11812.87 MB



I have a second more general use machine -- very similar results.





Virus scanner update log (I believe the messages started after the latest updates)

ClamAV update process started at Tue Dec 08 10:58:19 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
Downloading daily-10115.cdiff [100%]
Downloading daily-10116.cdiff [100%]
Downloading daily-10117.cdiff [100%]
Downloading daily-10118.cdiff [100%]
Downloading daily-10119.cdiff [100%]
Downloading daily-10120.cdiff [100%]
Downloading daily-10121.cdiff [100%]
Downloading daily-10122.cdiff [100%]
Downloading daily-10123.cdiff [100%]
daily.cld updated (version: 10123, sigs: 120445, f-level: 44, builder: ccordes)
Database updated (665480 signatures) from database.clamav.net (IP: 193.1.193.64)
--------------------------------------
ClamAV update process started at Wed Dec 09 13:23:50 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
Downloading daily-10124.cdiff [100%]
Downloading daily-10125.cdiff [100%]
Downloading daily-10126.cdiff [100%]
Downloading daily-10127.cdiff [100%]
Downloading daily-10128.cdiff [100%]
Downloading daily-10129.cdiff [100%]
Downloading daily-10130.cdiff [100%]
Downloading daily-10131.cdiff [100%]
Downloading daily-10132.cdiff [100%]
Downloading daily-10133.cdiff [100%]
Downloading daily-10134.cdiff [100%]
Downloading daily-10135.cdiff [100%]
Downloading daily-10136.cdiff [100%]
Downloading daily-10137.cdiff [100%]
Downloading daily-10138.cdiff [100%]
Downloading daily-10139.cdiff [100%]
Downloading daily-10140.cdiff [100%]
Downloading daily-10141.cdiff [100%]
daily.cld updated (version: 10141, sigs: 122683, f-level: 44, builder: arnaud)
Database updated (667718 signatures) from database.clamav.net (IP: 155.98.64.87)
--------------------------------------
ClamAV update process started at Mon Dec 14 03:50:25 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
Downloading daily-10142.cdiff [100%]
Downloading daily-10143.cdiff [100%]
Downloading daily-10144.cdiff [100%]
Downloading daily-10145.cdiff [100%]
Downloading daily-10146.cdiff [100%]
Downloading daily-10147.cdiff [100%]
Downloading daily-10148.cdiff [100%]
Downloading daily-10149.cdiff [100%]
Downloading daily-10150.cdiff [100%]
Downloading daily-10151.cdiff [100%]
Downloading daily-10152.cdiff [100%]
Downloading daily-10153.cdiff [100%]
Downloading daily-10154.cdiff [100%]
Downloading daily-10155.cdiff [100%]
Downloading daily-10156.cdiff [100%]
Downloading daily-10157.cdiff [100%]
Downloading daily-10158.cdiff [100%]
Downloading daily-10159.cdiff [100%]
Downloading daily-10160.cdiff [100%]
daily.cld updated (version: 10160, sigs: 125984, f-level: 44, builder: guitar)
Database updated (671019 signatures) from database.clamav.net (IP: 150.214.142.197)
Gary910


Joined: 14 Dec 2009
Posts: 0
Location: Southern California
Windows XP SP2

I rec'd:

C:\WINDOWS\Driver Cache\i386\driver.cab: Trojan.Rootkit-1837 FOUND

I deleted the file, it appeared to be deleted. I copied the file from the CD, rescanned the folder and received the same message. As others are getting this same detection, I am not concerned.

I would feel more comfortable knowing it was a false positive though.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
If you have several detections of the same virus, there is a good chance that it is a false positive. Malware frequently uses some of the same code as "good files," so false positives sometimes happen. You should verify an infection before you have ClamWin remove/quarantine it (this means you should set ClamWin's infected files option to Report Only). You can verify it by uploading one of the files involved to Jotti or VirusTotal where they will scan the file with multiple antivirus programs. If several other AVs, besides Clam, say a file is infected, it probably is--I like to see at least 5 AVs verify it.

If only a couple of AVs see an infection, it is probably false. You can upload false positive files to Clam at https://www.clamav.net/sendvirus/ on the web. When you get to the upload page, check the False Positive Block, tell the name of the virus, and tell them not many other AVs on Jotti/VirusTotal say it is infected. This is the only way to fix a false positive in ClamWin, and you will be helping it to be a better antivirus.

You sometimes see lots of false positives in Windows/Office files when Microsoft sends out security updates. False positives also occur more frequently with the Generic (Gen) detections--such as Virut.Gen or Swizzor.Gen.

Regards,
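The triage rule in GuitarBob's post (the same signature on many distinct files, or on the pristine copies Windows keeps of its own files, should be verified before anything is removed) written out as a small script. This is an added example, not ClamWin's code and not from the thread. The report lines are a constructed sample modeled on the paths quoted above; the protected-directory list and the three-file threshold are assumptions, not ClamWin settings.

```python
"""Triage clamscan/ClamWin report lines before acting on them.

Added example, not ClamWin's code. Heuristic taken from the thread:
one signature hitting several distinct files, or hitting the pristine
copies Windows keeps (Driver Cache, ServicePackFiles, dllcache, i386
install media), should be verified on a multi-engine scanner before
anything is quarantined or deleted.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample modeled on the report lines quoted in the thread.
SAMPLE_REPORT = """\
C:\\I386\\ATAPI.SY_: Trojan.Rootkit-1835 FOUND
C:\\I386\\SP3.CAB: Trojan.Rootkit-1835 FOUND
C:\\WINDOWS\\Driver Cache\\i386\\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\\WINDOWS\\ServicePackFiles\\i386\\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\\WINDOWS\\system32\\drivers\\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\\WINDOWS\\Driver Cache\\i386\\driver.cab: Trojan.Rootkit-1837 FOUND
C:\\Documents and Settings\\All Users\\Application Data\\AOL Downloads\\updateni_setup90\\comps\\fw\\nisale.exe: Trojan.Onlinegames-2023 FOUND
C:\\WINDOWS\\system32\\config\\SAM: Permission denied
C:\\hiberfil.sys: Permission denied
"""

# "<path>: <signature> FOUND"; "Permission denied" / "Removed" lines do not match.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Assumed list of directories holding OS file copies on Windows XP. Each
# entry must appear as a contiguous run of path components (case-insensitive).
PROTECTED_DIRS = (
    ("WINDOWS", "DRIVER CACHE"),
    ("WINDOWS", "SERVICEPACKFILES"),
    ("WINDOWS", "SYSTEM32", "DLLCACHE"),
    ("WINDOWS", "SYSTEM32", "DRIVERS"),
    ("I386",),
)


def is_protected(path):
    """True if the file sits under one of PROTECTED_DIRS."""
    dirs = tuple(p.upper() for p in PureWindowsPath(path).parts[1:-1])
    for marker in PROTECTED_DIRS:
        n = len(marker)
        if any(dirs[i:i + n] == marker for i in range(len(dirs) - n + 1)):
            return True
    return False


def parse_found(report_text):
    """Return [(path, signature)] for every '... FOUND' line."""
    hits = []
    for line in report_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def triage(report_text, min_distinct_files=3):
    """Group hits per signature and say which need verification before removal.

    Returns {signature: {"hits": n, "protected_hits": n, "action": str}}.
    """
    per_sig = defaultdict(lambda: {"files": set(), "protected": set()})
    for path, sig in parse_found(report_text):
        per_sig[sig]["files"].add(path)
        if is_protected(path):
            per_sig[sig]["protected"].add(path)

    verdicts = {}
    for sig, info in per_sig.items():
        looks_like_fp = (len(info["files"]) >= min_distinct_files
                         or bool(info["protected"]))
        verdicts[sig] = {
            "hits": len(info["files"]),
            "protected_hits": len(info["protected"]),
            # Either way the file goes to VirusTotal/Jotti first; the stronger
            # verdict means "do not let the scanner auto-remove this".
            "action": "verify-before-removal" if looks_like_fp else "verify",
        }
    return verdicts


if __name__ == "__main__":
    for sig, v in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{sig:28} hits={v['hits']} protected={v['protected_hits']} -> {v['action']}")
```

Run it against a saved ClamWin report to see which signatures are hitting OS servicing copies; those are the ones that, as the later posts in this thread show, leave the machine unbootable if auto-removal is on.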
Unbootable mistake
bluetick60


Joined: 14 Dec 2009
Posts: 0
I had checked the auto remove, came in to work Monday, computer would not boot. Live and learn =)

C:\WINDOWS\Driver Cache\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\Driver Cache\i386\sp3.cab: Removed
C:\WINDOWS\ServicePackFiles\i386\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\ServicePackFiles\i386\atapi.sys: Removed
C:\WINDOWS\ServicePackFiles\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\ServicePackFiles\i386\sp3.cab: Removed
C:\WINDOWS\SYSTEM32\config\default: Permission denied
C:\WINDOWS\SYSTEM32\config\SAM: Permission denied
C:\WINDOWS\SYSTEM32\config\SECURITY: Permission denied
C:\WINDOWS\SYSTEM32\config\software: Permission denied
C:\WINDOWS\SYSTEM32\config\system: Permission denied
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys: Removed
Peter B.


Joined: 30 Aug 2008
Posts: 0
Below is what VirusTotal had to say about 'atapi.sys' (contained in 'For_Rootkit_Scan.zip')...

What think you?

Peter B.

--

Complete scanning result of "For_Rootkit_Scan.zip", processed in VirusTotal at 12/14/2009 20:44:04 (CET).

[ file data ]
* name..: For_Rootkit_Scan.zip
* size..: 54613
* md5...: 6bddb3dc2e7b2c94b949fe4595da23b8
* sha1..: 9c40ac9f6968e04d9bc1e0a7518aa4fa6cb020f9
* peid..: -

[ scan result ]
a-squared 4.5.0.43/20091214 found nothing
AhnLab-V3 5.0.0.2/20091214 found nothing
AntiVir 7.9.1.108/20091214 found nothing
Antiy-AVL 2.0.3.7/20091214 found nothing
Authentium 5.2.0.5/20091202 found nothing
Avast 4.8.1351.0/20091214 found nothing
AVG 8.5.0.427/20091214 found nothing
BitDefender 7.2/20091214 found nothing
CAT-QuickHeal 10.00/20091214 found nothing
ClamAV 0.94.1/20091214 found [Trojan.Rootkit-1835]
Comodo 3242/20091214 found nothing
DrWeb 5.0.0.12182/20091214 found nothing
eSafe 7.0.17.0/20091214 found [Win32.Rootkit]
eTrust-Vet 35.1.7174/20091214 found nothing
F-Prot 4.5.1.85/20091214 found nothing
F-Secure 9.0.15370.0/20091214 found nothing
Fortinet 4.0.14.0/20091214 found nothing
GData 19/20091214 found nothing
Ikarus T3.1.1.74.0/20091214 found nothing
Jiangmin 13.0.900/20091214 found nothing
K7AntiVirus 7.10.920/20091214 found nothing
Kaspersky 7.0.0.125/20091214 found nothing
McAfee 5832/20091214 found nothing
McAfee+Artemis 5832/20091214 found nothing
McAfee-GW-Edition 6.8.5/20091214 found nothing
Microsoft 1.5302/20091214 found nothing
NOD32 4687/20091214 found nothing
Norman 6.04.03/20091214 found nothing
nProtect 2009.1.8.0/20091214 found nothing
Panda 10.0.2.2/20091214 found nothing
PCTools 7.0.3.5/20091214 found nothing
Prevx 3.0/20091214 found nothing
Rising 22.26.00.04/20091214 found nothing
Sophos 4.48.0/20091214 found nothing
Sunbelt 3.2.1858.2/20091214 found nothing
Symantec 1.4.4.12/20091214 found nothing
TheHacker 6.5.0.2.092/20091212 found nothing
TrendMicro 9.100.0.1001/20091214 found nothing
VBA32 3.12.12.0/20091213 found nothing
ViRobot 2009.12.14.2087/20091214 found nothing
VirusBuster 5.0.21.0/20091214 found nothing

[ notes ]
packers (Kaspersky): PE_Patch
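The multi-engine report above makes GuitarBob's "several other AVs must agree" rule mechanical. The script below is an added example, not from the thread, VirusTotal or ClamWin: it parses the text layout of the quoted report ("Engine version/date found nothing" or "found [Name]"), discounts the engine that raised the alarm, and counts the others. The threshold of five corroborating engines is the number suggested earlier in the thread; the embedded lines are a constructed excerpt of the report above.

```python
"""Apply the "several engines must agree" rule to a multi-engine scan report.

Added example, not from the thread, VirusTotal or ClamWin. Parses the
line layout VirusTotal used in the quoted report and counts how many
engines other than the reporting one corroborate the detection.
"""
import re

# Constructed excerpt of the report quoted above, used as sample input.
SAMPLE_VT = """\
Avast 4.8.1351.0/20091214 found nothing
BitDefender 7.2/20091214 found nothing
ClamAV 0.94.1/20091214 found [Trojan.Rootkit-1835]
DrWeb 5.0.0.12182/20091214 found nothing
eSafe 7.0.17.0/20091214 found [Win32.Rootkit]
Kaspersky 7.0.0.125/20091214 found nothing
McAfee+Artemis 5832/20091214 found nothing
Microsoft 1.5302/20091214 found nothing
NOD32 4687/20091214 found nothing
Symantec 1.4.4.12/20091214 found nothing
"""

# "<engine> <version>/<yyyymmdd> found nothing" or "... found [<name>]"
RESULT_RE = re.compile(
    r"^(?P<engine>\S+) (?P<version>[^/\s]+)/(?P<date>\d{8}) found "
    r"(?:\[(?P<name>[^\]]+)\]|nothing)$"
)


def parse_results(report_text):
    """Return {engine: detection name or None}; unparseable lines are skipped."""
    results = {}
    for line in report_text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results[m.group("engine")] = m.group("name")
    return results


def consensus(results, reporting_engine, min_corroborating=5):
    """Decide whether enough independent engines back the reporting engine.

    The engine that produced the original alert is not counted as
    corroboration of itself; the threshold of 5 is an assumed policy value.
    """
    detections = {e: n for e, n in results.items() if n is not None}
    corroborating = sorted(e for e in detections if e != reporting_engine)
    likely_real = len(corroborating) >= min_corroborating
    return {
        "engines": len(results),
        "detections": len(detections),
        "corroborating": corroborating,
        "verdict": "likely-true-positive" if likely_real else "likely-false-positive",
    }


if __name__ == "__main__":
    print(consensus(parse_results(SAMPLE_VT), reporting_engine="ClamAV"))
```

The verdict string is only a triage hint for deciding whether to file a false-positive report or to keep investigating; a low corroboration count on a genuinely new sample is the known blind spot of any consensus rule.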
Peter B.


Joined: 30 Aug 2008
Posts: 0
And this is what Jotti said:



--

Peter B.

-----
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Bluetick, the same thing happened to me a few years ago with a false positive in Winlogon. I lost access to my Windows OS for a few days. Since then, I have ClamWin set to Report Only, I verify all infections and then remove them.

Peter, it certainly looks like a false positive, but the only way to "fix" it is to upload the file involved to ClamAV at https://www.clamav.net/sendvirus/ on the web. Be sure to tell them it is a false positive by checking the false positive block.

False positives happen to all antivirus programs--it's nothing to get upset about. Malware is just a program, after all, and it can use the same code as "good" software. The thing to do is to tell the AV company about it so they can fix it. ClamWin uses Clam AV's signature database. If the false positive file is too large to upload to Clam, we can help with that, but there's not much else we can do about it.

Regards,
scarlett_156


Joined: 06 Jun 2008
Posts: 0
Location: eastern rural Colorado (USA)
Yeah I deleted these files and trashed them and now my computer won't boot. Sad (I figured that I would get a warning if they were critical system files, because that has been the case before.)
False-Positive Detection Confirmed...
huntingr


Joined: 15 Dec 2009
Posts: 0
FYI - I scanned a new (fresh out of the package) Microsoft Windows XP Professional (Version 2002) CD-ROM using Clamwin with the latest virus definitions. It detected the Trojan.Rootkit-1837 virus on the OEM Windows XP CD.

Virus name: Trojan.Rootkit-1837
File name: E:\i386\ATAPI.SY_
File name: E:\i386\SP3.CAB
File creation Date: March 31, 2003

The file creation date is very interesting. This exercise definitely adds credibility to the false-positive theory!
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
It does appear to be a false positive and we are dealing with it. Thanks for notifying