wmiprvse.exe - "Trojan.Downloader-91205"

My guess is false positive
regi

Clamwin found the same on one of my computers today, along with six other files identified as Trojans that I have since determined to be false positives. Ran wmiprvse.exe through Jotti and VirusTotal as well without warnings from other scanners.
dipso

Thanks for replying, regi.
May I ask: when you ran the file wmiprvse.exe through Jotti, did you get an alarm from CP Secure (besides ClamWin)? And I did not know about VirusTotal, so thank you for mentioning it.
GuitarBob

You can also look at the date when the file was put on your computer. If it was several months ago (or longer), it probably is a false positive. Of course some viruses are smart enough to change the date, but then you can right click on the Properties of the file in Windows Explorer to see when it was last modified. If it is recent, and you did not modify it, it is probably a virus.
Regards,
dipso

Thanks for that piece of advice.
I checked, and it was created in Oct 2009, but modified in Feb 2009. I think that's because I set up Windows in Oct, but the file itself was modified by Microsoft in Feb?
GuitarBob

A modification date that is older than the actual creation date could be a sign that the file is infected.
Jotti/VirusTotal only provide the results of a static scan of a file. Here are some more places you can check a file out. These places will actually run the file and give you a report, so this is the last word, and it's better than running the file on your own machine to see what it does. Try Threat Expert at https://www.threatexpert.com/submit.aspx on the web or Anubis at https://anubis.iseclab.org/ on the web. Threat Expert will often give you a threat rating if a file is "evil." The two places mentioned above can only deal with Windows executable files. You can check out Javascript, PDF files, Flash files, or URL locations at Wepawet, located at https://wepawet.iseclab.org/ on the web.
Regards,
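An added example, not code posted by anyone in this thread and not ClamWin's own tooling: a PowerShell script that automates the checks GuitarBob describes in the two posts above. It reports the creation and last-modified timestamps the posters compared, computes the MD5 and SHA-256 hashes that VirusTotal and ThreatExpert key their reports on, and verifies the Authenticode signature, which for a Microsoft system binary says more about whether the file is the original than the timestamps do. Assumptions: PowerShell 4 or newer (for `Get-FileHash`), the two file locations saintgeorge reports later in the thread (a 32-bit XP layout), and the `MD5:size:name` line shape used by ClamAV's hash-signature (.hdb) and whitelist (.fp) databases.

```powershell
# Added example, not code from this thread or from ClamWin.
# Assumptions: PowerShell 4+ (Get-FileHash); the two paths follow the 32-bit XP layout
# saintgeorge reports; the detection name is the one from the thread title.
$DetectionName = 'Trojan.Downloader-91205'
$Candidates = @(
    (Join-Path $env:SystemRoot 'system32\wbem\wmiprvse.exe'),
    (Join-Path $env:SystemRoot 'ServicePackFiles\i386\wmiprvse.exe')
)

function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    $item   = Get-Item -LiteralPath $Path
    $md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path                  = $Path
        Present               = $true
        SizeBytes             = $item.Length
        Created               = $item.CreationTime
        LastModified          = $item.LastWriteTime
        # The timestamp heuristic discussed in the thread: last write earlier than creation.
        # A file copy keeps the source's last-write time and stamps a fresh creation time,
        # so this pattern is a prompt for the hash and signature checks, not a verdict.
        ModifiedBeforeCreated = ($item.LastWriteTime -lt $item.CreationTime)
        MD5                   = $md5
        SHA256                = $sha256
        # Valid = the certificate chain verified; Signer shows whose certificate signed it.
        SignatureStatus       = $sig.Status
        Signer                = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        # Hash-signature line shape used by ClamAV .hdb (detection) and .fp (whitelist) files.
        ClamHashEntry         = '{0}:{1}:{2}' -f $md5, $item.Length, $DetectionName
        # Hash-keyed report URL of the kind posted later in this thread.
        ThreatExpertUrl       = "https://www.threatexpert.com/report.aspx?md5=$md5"
    }
}

$reports = $Candidates | ForEach-Object { Get-SuspectFileReport -Path $_ }
$reports | Format-List

# Copies from the same Windows build should be byte-identical; a hash mismatch between
# system32\wbem and ServicePackFiles means one of the two deserves a closer look.
$present = @($reports | Where-Object { $_.Present })
if ($present.Count -eq 2 -and $present[0].SHA256 -ne $present[1].SHA256) {
    Write-Warning 'The two copies differ; look up each hash separately before trusting either.'
}
```

Run it from an elevated prompt; the ServicePackFiles copy exists only on installs that have had a service pack applied. Many Windows system binaries are signed through security catalogs rather than an embedded signature, and only newer PowerShell versions consult catalogs, so a SignatureStatus other than Valid on an old system is not conclusive by itself; Sysinternals sigcheck or the sandbox reports recommended above are the next step.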
dipso

Thanks for those links. Bookmarked them all for future use.
dgermann

Hi--
Anubis is reporting this as malware, if I am reading the report correctly: https://anubis.iseclab.org/?action=result&task_id=12688be8828f53154397747e2aca813e2&format=html
Is that how you read it too?
GuitarBob

No, I don't think there is anything "evil" indicated there. The wmiprvse.exe file has something to do with the Windows Security Center, among other administrative stuff. It is usually okay if a program reads registry keys, does some mapping of computer resources, and even creates a registry key or two of its own.
If it is an evil file, you will probably see multiple registry entries, some open ports/attempts to contact someone, and sometimes a lowering/bypassing of Windows security. More than likely the Anubis report would be "busy" with lots of items. I prefer to use Threat Expert (TE) over Anubis because TE reports (emailed) are usually better (not always). TE usually gives you a threat rating if the file is evil--you will see yellow/red blocks. TE also tells you what other AVs also say a file is evil.
Regards,
saintgeorge

Hi,
ClamWin 0.95.3 also detected this file as infected on my computer today:
First I deleted the infected files. Then I searched with the XP Search Engine. It found two files with this name, one in C:\WINDOWS\system32\wbem; the other in C:\WINDOWS\ServicePackFiles\i386; and a Prefetch File WMIPRVSE.EXE. I sent both files to virustotal; result: zero (of 42). I also sent them to ThreatExpert. Here are the URLs:
https://www.threatexpert.com/report.aspx?md5=f3a045bc55e307705665c263d91e8c88
https://www.threatexpert.com/report.aspx?md5=971132068954f67ff53d4b82fcad844c
I did another scan and ClamWin detected no infection anymore. Google reported to the number of the Downloader only old entries from 2005 or 2007. So I suppose this was a f/p.
Regards saintgeorge
dipso

Thanks for all the extra info.
I'm off to read other sections of ClamWin's forum. There's a lot of useful stuff here!
GuitarBob

SaintGeorge: yes, it looks like you had a couple of false positives. You should not delete any files in Windows until you have verified ClamWin's detection as a positive infection via either Jotti, VirusTotal, or Threat Expert. You could lose access to Windows on your computer if you delete an important file that had a false positive detection. Notice on the Threat Expert report, there was nothing bad there--no threat rating, no ports opened to communicate with a location on the web, no attempt to bypass/lower Windows security--it was a short report.
In the future, always upload false positive files to Clam AV at https://www.clamav.net/lang/en/sendvirus/ on the web so they can "fix" them. On the upload form, be sure to check "false positive", fill in the name of the falsely detected virus, and tell why it is a false positive in the Comments section. You will be helping to improve ClamWin when you do.
Regards,
dipso

Out of curiosity, when people submit "false positives", how closely do the Clam team look at the submission?
Are the files automatically excluded from the definitions, or is there more examination?
GuitarBob

False positives are processed just like virus submissions. All submissions are checked with several in-house AVs. A sigmaker selects the file/program and then runs it on an isolated PC/virtual machine to see if it exhibits any malicious items/actions. If it is malicious, the sigmaker then prepares a signature, based on file size, type, and characteristics.
Regards,
dipso

Good to know.
I was worried that all false positives go right to an automated software that adds them. You must get gazillions of entries to go through each day.
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.