ClamWin Free Antivirus
Support and Discussion Forums
rsaenh.dll: Win32.Zhelatin.Variants.siggen-1 <-- f/p
lordpake


Joined: 01 Mar 2009
Posts: 0
Just a heads up.

ClamWin detected threat during memory scan, C:\WINDOWS\system32\rsaenh.dll: Win32.Zhelatin.Variants.siggen-1 FOUND

File in question appears to be a very old cryptographic library for Windows XP. I have reported the false positive to ClamAV team.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I saw some old signatures like that come through recently and wondered what was going on, but old viruses do crop up now and then. Hopefully, not many users will be affected by the false positive. There may be a few others also.

Regards,
Same results here on winxp sp2 - false or not?
foo444foo


Joined: 06 Feb 2010
Posts: 0
I have the same results today with two machines running clamwin 0.95.3 db 51/10361 and winxp sp2 (w/ current updates) on one machine and clamwin 0.95.3 db 51/10362 and winxp sp2 (w/ current updates) on the other.

I note that a google search for 'zhelatin.variants.siggen-1' only points to this forum and lordpake's blog page where he crossposted his post here. Same for 'variants.siggen-1', which makes me suspicious this is a false positive.

I note the machines are running winxp sp2, not sp3.
another point
foo444foo


Joined: 06 Feb 2010
Posts: 0
google search for 'rsaenh.dll zhelatin' also turns up nothing, which makes no sense if this is really related to an old virus.
lordpake


Joined: 01 Mar 2009
Posts: 0
I am also running XP sp2.

I also failed at finding any *proper* clues about this threat, other than the Clam detection.
clamav only av that returns positive
foo444foo


Joined: 06 Feb 2010
Posts: 0
virustotal.com, virscan.org and jotti.org all return negative results (except for clamav) for rsaenh.dll containing the zhelatin.variants.siggen-1 virus. See the following links:

https://www.virustotal.com/analisis/66fa5845ed397538f92b30cb06202470071b6f45698647e1f86e784942f6c4c4-1265486857

https://www.virscan.org/report/0f07fe552b9dd6f18bbb233f171f5adc.html

https://virusscan.jotti.org/en/scanresult/ee0be6c6bc32030e596991bf05bf366cca6c3214/49c947fb1cc0cdc23f11dac873b126846714b371
followup
foo444foo


Joined: 06 Feb 2010
Posts: 0
also, zhelatin (and variants) as mentioned at various places on the web is from 2007 and installs as a separate app - a p2p mailbot of some sort, modding the registry to start as a service. I see no indication of any similar install on either machine, and it does not fit the profile of a hacked dll, though you never know. See https://www.f-secure.com/v-descs/email-worm_w32_zhelatin_cq.shtml
thcjunkee


Joined: 07 Feb 2010
Posts: 0
I just hopped on here to confirm a similar result. Same detection w/ ClamWin also under WinXP SP2. Assumed false positive.

cheers...
zhelatin siggin-1
old guy


Joined: 08 Feb 2010
Posts: 0
Location: Albuquerque
Zhelatin siggin-1 appeared yesterday on our 2 computers. Appears to have come from a Jacquie Lawson electronic greeting card a good friend sent us, with attachment of course. Definitely not a false positive, because my wife's computer now opens Internet Explorer automatically (Firefox is the default) and tries to get her to buy a) virus software, b) viagra, c) porn films. Hasn't hit me yet, but I downloaded a day later. What to do?

Oh, both run XP pro, SP3.
Zhelatin siggin-1 on XP SP2
RCWatson


Joined: 08 Feb 2010
Posts: 0
Location: Tallahassee, FL
Same hit for several days.

Do not have latest patches on WinXP SP2.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Virus writing is a steady, full-time job for some people who are after your identity, bank account or control of your computer. You need to stay patched, run good security software, and use safe surfing (think before you click).

Both virus files and "good" files can share similar code that is used in a signature for the virus. So the detection can be correct for some users but a false positive for others. Send the false positive files to ClamAV at
https://www.clamav.net/sendvirus/ on the web. Be sure to select the false positive indication and tell the name of the false detection and why you think it is false in the comments section.

If you are infected, I suggest running a complete scan in Windows Safe mode. That can prevent some viruses from "hiding." ClamWin doesn't clean a computer--it only removes infected files that it can detect. There can be associated files it does not detect, and it doesn't do anything with "evil" registry keys. So you may need other help to completely clean it up if it has become active--even if detected by ClamWin.

After the ClamWin Safe Mode scan, I suggest running Microsoft's Malicious Removal Tool. It is in your Windows system directory as MRT.exe. That's C:\WINDOWS\system32\MRT.exe. If this thing is old, it should clean it up. If that doesn't work, Malwarebytes' free antimalware program is very good. Get it at https://www.malwarebytes.org/index.php on the web and install it. Finally, there are other sources of help listed on the ClamWin Antimalware page--including online scans (Eset Nod32 or Trend Micro House Call are good), and Linux Rescue CDs (F-Secure is good).

Regards,
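To illustrate GuitarBob's point that a signature can match code shared by a malicious file and a clean one, here is an added example (not code from ClamAV or from this thread) of a toy scanner: it uses a simplified ClamAV .ndb-style hex signature and an .fp-style MD5 whitelist entry, with both sample files and the signature constructed for the demonstration, and shows a benign file being flagged and the false-positive entry suppressing that detection.

```python
import hashlib

# Constructed samples: a "malware" body and a benign DLL-like body that
# happen to share the same chunk of code (here, a common function prologue).
SHARED_CHUNK = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57"
MALWARE = b"MZ" + b"\x00" * 6 + SHARED_CHUNK + b"spam-bot payload"
BENIGN_DLL = b"MZ" + b"\x00" * 6 + SHARED_CHUNK + b"RSA crypto provider"

# Simplified .ndb-style signature line: Name:TargetType:Offset:HexString
# ('*' offset means "anywhere in the file"). Constructed, not a real ClamAV signature.
NDB_SIG = "Win32.Example.siggen-1:0:*:558bec83ec10535657"


def parse_ndb(line):
    """Split a signature line into (name, offset, pattern bytes)."""
    name, _target_type, offset, hexsig = line.split(":")
    return name, offset, bytes.fromhex(hexsig)


def fp_entry(data, name):
    """Build a simplified .fp-style whitelist entry: MD5:Size:Name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def scan(data, sig_line, whitelist=()):
    """Return the signature name if data matches, or None if it does not
    match or if the file's MD5 and size are on the false-positive whitelist."""
    name, offset, pattern = parse_ndb(sig_line)
    if offset == "*":
        hit = pattern in data
    else:
        start = int(offset)
        hit = data[start:start + len(pattern)] == pattern
    if not hit:
        return None
    md5 = hashlib.md5(data).hexdigest()
    for entry in whitelist:
        wl_md5, wl_size, _wl_name = entry.split(":")
        if wl_md5 == md5 and int(wl_size) == len(data):
            return None  # known-good file: suppress the detection
    return name


if __name__ == "__main__":
    print("malware:", scan(MALWARE, NDB_SIG))
    print("benign, no whitelist:", scan(BENIGN_DLL, NDB_SIG))  # the false positive
    fp = [fp_entry(BENIGN_DLL, "Benign.rsaenh-like.FP")]
    print("benign, whitelisted:", scan(BENIGN_DLL, NDB_SIG, fp))
    print("malware, with whitelist:", scan(MALWARE, NDB_SIG, fp))
```

Real ClamAV whitelisting also carries the file size so that a colliding hash alone cannot clear a file; the whitelist here mirrors that check.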
Thomas123


Joined: 04 Aug 2006
Posts: 0
Hello together,

I have also many computers where ClamWin (with updated virus definition) detects a Win32.Zhelatin.Variants in the file "rsaenh.dll"...!
I have uploaded this file via https://www.clamav.net/sendvirus/ to the ClamAV team.

How long does it take till this "false positive detection" is fixed?

Thanks in advance for the answer...!

Regards
Thomas
rsaenh.dll: Win32.Zhelatin.Variants.siggen-1 - False alarm
rick314


Joined: 09 Feb 2010
Posts: 0
This is indeed a False Alarm. Ensure that you don't allow the rsaenh.dll to be deleted, otherwise your Windows activation will fail and you will not be able to log on. If you do need to recover the file, log in using Safe Mode and then move the file from the quarantine folder back to the *system32* folder.


Ric
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Keep ClamWin's Infected File option set to Report Only. You can exclude that filename in ClamWin's Preferences, Filters, Exclude Matching Filenames. I expect Clam will have this fixed soon. Each sigmaker basically handles his own false positives, and they don't necessarily work on signatures every day.

Regards,
simonmason


Joined: 11 Oct 2009
Posts: 0
Not that I want to complain about open source software, but the response to this false alarm seems a little slow? I think it has been almost a week since this first started coming up. Also, I believe it underscores the need to have an easy undo capability in the software. I have set my installation to notify only due to the danger of ClamWin quarantining a system file - but this doesn't really protect my system. Also, I wonder if it has been considered to maintain a list of important system files - and in the event that a virus is detected in these files, handle it differently?