ClamWin Free Antivirus Support and Discussion Forums
Infected file
SteveA


Joined: 21 May 2009
Posts: 0
Please review this issue found while scanning and let me know if it should be deleted. I have the software set to identify only. Many thanks,
Steve

C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache8210500146314039952.tmp: Exploit.JS-7 FOUND


Thanks again -
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
This could be a real infection or a false positive detection. The only way to tell is to upload it to one of the online file scanning services like Jotti or VirusTotal. They will scan it with multiple scanners, including ClamAV, which furnishes the scanning engine and signature database for ClamWin. If several other AVs (besides Clam) find an infection, it probably is real. If they don't, it is probably a false positive.

You can upload false positive files to ClamAV, starting at https://www.clamav.net/sendvirus/ on the web. Before uploading, be sure to check the false positive block, and tell them the exact name of the virus that is falsely detected by Clam.

Jotti is at https://virusscan.jotti.org/en and VirusTotal is at https://www.virustotal.com/ on the web. I like VirusTotal because it has about 40 different scanners. I like to see three or four of these scanners verify an infection: McAfee, Microsoft, Symantec, Trend Micro, Kaspersky, Nod32. They are used by a lot of businesses and have to get it right! Consequently, they don't have as many false positives as the others. Avira Antivir, Sophos, and Bitdefender are also good scanners, but they have their share of false positives.

Regards,
SteveA


Joined: 21 May 2009
Posts: 0
Thanks Bob,
I uploaded the file to VirusTotal - they found similar viruses with 6-7 other antivirus software manufacturers. I went ahead and quarantined the file. Should I delete it immediately or wait to see if it is a false positive? Not sure if 6-7 similar sites are proof positive of a virus -

Any response is greatly appreciated,

Thanks,
Steve
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Six or seven positive detections are probably enough, although as I said before, make note of which AVs spot it. You don't get many initial detections if a virus is fairly new. If someone has submitted the virus before, both Jotti and VirusTotal will just show you the most recent scan without re-analyzing the file. Look at the scan date--if it is older than three days, re-scan it.

I usually believe an infection if several of these AVs see it: McAfee, Microsoft, Symantec, Trend Micro, Kaspersky, Nod32.

You can also submit a file to Threat Expert at https://www.threatexpert.com/ on the web. They will actually run the file and send you a report via email. If it is an html, javascript, flash, or PDF file, submit it to Wepawet at https://wepawet.iseclab.org/ on the web. They will run the file while you are waiting and give you a report on screen.

Be especially careful not to delete files in the Windows directory before you verify them. Once you know they are infected, you can delete them manually, or Remove/Quarantine via a ClamWin rescan. Once something is in Quarantine, you will have to delete it manually if you don't want it around, and there's no reason to keep it.

Regards,
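The triage rules in Bob's two replies above (count detections other than Clam's, weight the engines he trusts, and re-scan a report older than three days) are easy to get wrong by eye, so here they are as a small script. This is an added example, not part of the forum thread and not ClamWin's, VirusTotal's or Jotti's code: it never contacts a scanning service. The REPORT_* dictionaries are constructed stand-ins for what such a report contains (one detection name or None per engine, plus the date of the last analysis); the engine names, thresholds and "trusted" set are assumptions taken from the posts, not properties of those products.

```python
"""Triage a multi-engine scan result using the heuristics from the replies.

Added example for this thread; not ClamWin/VirusTotal/Jotti code.
All reports below are constructed; "<placeholder>" stands for whatever
detection name an engine would print.
"""
from datetime import date

# Engines the replies treat as low-false-positive. A working assumption
# lifted from the posts, not a measured property of the products.
TRUSTED = {"McAfee", "Microsoft", "Symantec", "TrendMicro", "Kaspersky", "NOD32"}

# Constructed report resembling the original poster's case: ClamAV plus
# seven other engines flag the file, three of them in the trusted set.
REPORT_MANY_HITS = {
    "scan_date": date(2009, 12, 28),
    "results": {
        "ClamAV": "Exploit.JS-7",          # the name ClamWin reported
        "Ikarus": "<placeholder>",
        "Kaspersky": "<placeholder>",
        "Microsoft": "<placeholder>",
        "Symantec": "<placeholder>",
        "Avira": "<placeholder>",
        "Sophos": "<placeholder>",
        "BitDefender": "<placeholder>",
        "McAfee": None,
        "TrendMicro": None,
        "NOD32": None,
    },
}

# Constructed: only ClamAV flags the file.
REPORT_ONLY_CLAM = {
    "scan_date": date(2009, 12, 28),
    "results": {"ClamAV": "Exploit.JS-7", "Kaspersky": None,
                "Microsoft": None, "Symantec": None},
}

# Constructed: two other engines, neither in the trusted set.
REPORT_FEW_HITS = {
    "scan_date": date(2009, 12, 28),
    "results": {"ClamAV": "Exploit.JS-7", "Ikarus": "<placeholder>",
                "Avira": "<placeholder>", "Kaspersky": None, "Microsoft": None},
}


def triage(report, today, min_other_hits=6, min_trusted_hits=3, max_age_days=3):
    """Return (verdict, detail) for one scan report.

    Rules, encoded from the replies as an assumption:
      stale                   - analysis older than max_age_days: re-submit first
      probable_false_positive - nobody but ClamAV flags it: report to ClamAV
      likely_malicious        - several trusted engines agree, or many engines
                                agree and at least one of them is trusted
      inconclusive            - anything else: run it in a sandbox before deciding
    """
    age = (today - report["scan_date"]).days
    hits = {eng: sig for eng, sig in report["results"].items() if sig}
    other = {eng: sig for eng, sig in hits.items() if eng != "ClamAV"}
    trusted = sorted(eng for eng in other if eng in TRUSTED)
    detail = {"age_days": age, "hits": len(hits),
              "other_hits": len(other), "trusted_hits": trusted}

    if age > max_age_days:
        return "stale", detail
    if not other:
        return "probable_false_positive", detail
    if len(trusted) >= min_trusted_hits or (len(other) >= min_other_hits and trusted):
        return "likely_malicious", detail
    return "inconclusive", detail


if __name__ == "__main__":
    today = date(2009, 12, 30)
    for name, rep in [("many hits", REPORT_MANY_HITS),
                      ("only Clam", REPORT_ONLY_CLAM),
                      ("few hits", REPORT_FEW_HITS)]:
        verdict, detail = triage(rep, today)
        print(f"{name:10s} -> {verdict:24s} {detail}")
```

The thresholds are the ones the replies suggest (six or seven other detections, "several" trusted engines read as three); adjust them to taste, but keep the staleness check first, since every other rule is meaningless on a report that predates the current signature databases.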
SteveA


Joined: 21 May 2009
Posts: 0
Many Thanks Bob -

Happy New Year -

SA
SteveA


Joined: 21 May 2009
Posts: 0
Bob -
Sorry to be a pest -
Can you tell me what this means from ThreatExpert ?

Filename(s) / File Size / File Hash / Alias

1. %Temp%\META-INF\MANIFEST.MF, 71 bytes
   MD5: 0x0651E8D0B9923941227EDDF16AC78D8B
   SHA-1: 0x4C50EE505411C923D4BFF8EC234C39106D201061
   Alias: (not available)

2. %Temp%\myf\y\AppletX.class, 3,091 bytes
   MD5: 0xA9426DCDEA488FB4CC8CDC21390622A2
   SHA-1: 0x03FECB8384984E47D91EEF5C1892400E260A71F1
   Alias: Exploit.Java.CVE-2008-5353 [Ikarus]

3. %Temp%\myf\y\LoaderX.class, 2,474 bytes
   MD5: 0xAE9FB18869318278685836FE778EA822
   SHA-1: 0xAF07B04DC30E4F08B4CC9557AE06D8E20E5B03A1
   Alias: (not available)

4. %Temp%\myf\y\PayloadX.class, 2,337 bytes
   MD5: 0x2D7224CF9F915C92E4CC02D26F036CF9
   SHA-1: 0xFFA8D4F8B9B53756DF090010852824D747AD3CFD
   Alias: (not available)

5. [file and pathname of the sample #1], 5,017 bytes
   MD5: 0x8D0FC1E46E887A2F5AD8E08497430B2A
   SHA-1: 0x7DF2204A8B8F0BC8F1DF690D00C3EE1DF5006CB1
   Alias: (not available)
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The information at the end of the scan contains various file "hashes." A hash is a sort of mathematical representation/summary of a file, and there are various methods of creating a hash. For all practical purposes, each file has a separately-identifiable file hash. If you know the hash for a file, you can do a search on the web for that hash and find out what information is available on the file. You can do a hash search on Jotti/VirusTotal if you know the hash for a file. The MD5 hash is probably the most commonly-used hash. Clam gets an MD5 hash for each file that is submitted to it so it can tell if it has already been identified. There are programs available that will compute a hash for you. A hash is a good way to tell if you have downloaded a "good" file because you will often be given the hash (usually MD5) so you can make sure you have the original, unchanged file. You can compute a hash on the file you have downloaded and compare it to the original hash to make sure it is the same. If a virus is in a file, it will have a different hash than the original file.

By the way, you might put future posts about specific viruses in the Virus Scanner forum. This is the forum for General Suggestions/Questions. A question about hashes certainly belongs here though.

Regards,
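To make the hash explanation above concrete: the file ClamWin flagged is a Java JAR (a ZIP archive), and the ThreatExpert table Steve pasted is just each archive member's size, MD5 and SHA-1. The script below reproduces that listing for an archive and shows the property Bob describes, that changing a single byte changes the digest. It is an added example, not code from the thread, ThreatExpert or ClamWin. It uses only Python's standard library and builds its own sample JAR with the same entry names as the report; the entry contents are placeholders, not the real class files, and the `b"abc"` placeholder is used because its MD5 and SHA-1 are published test vectors. One caveat the post does not mention: MD5 is fine for looking up a known sample, but collisions are practical, so prefer SHA-256 (or at least SHA-1 plus size) when checking that a download is unmodified.

```python
"""List and verify file hashes the way a ThreatExpert report does.

Added example for this thread; not ThreatExpert's or ClamWin's code.
The JAR built here is constructed: same entry names as the report,
placeholder contents.
"""
import hashlib
import hmac
import io
import zipfile

ALGORITHMS = ("md5", "sha1", "sha256")
APPLET_PLACEHOLDER = b"abc"  # digests of b"abc" are well-known test vectors


def _digests(chunks):
    """Feed an iterable of byte chunks through every algorithm at once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    return _digests([data])


def hash_file(path, chunk_size=1 << 16):
    """Hash a file on disk in chunks so large downloads need not fit in memory."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(chunk_size), b""))


def inventory_jar(jar_bytes):
    """ThreatExpert-style listing: one row (name, size, digests) per archive member."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            rows.append({"name": info.filename, "size": len(data), **hash_bytes(data)})
    return rows


def verify_digest(got_hex, expected_hex):
    """Compare a computed digest with a published one.

    Accepts the '0x' prefix and upper case ThreatExpert prints; compares in
    constant time out of habit (irrelevant for a local check, essential when
    the value being compared is secret).
    """
    want = expected_hex.strip().lower()
    if want.startswith("0x"):
        want = want[2:]
    return hmac.compare_digest(got_hex.lower(), want)


def build_sample_jar(tamper=False):
    """Constructed JAR with the report's layout. Fixed timestamps make the
    bytes deterministic, so two builds differ only if the contents differ."""
    applet = bytearray(APPLET_PLACEHOLDER)
    if tamper:
        applet[-1] ^= 0x01  # flip one bit of the last byte: b"abc" -> b"abb"
    members = [
        ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n"),
        ("myf/y/AppletX.class", bytes(applet)),
        ("myf/y/LoaderX.class", b"placeholder loader bytes"),
        ("myf/y/PayloadX.class", b"placeholder payload bytes"),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members:
            zi = zipfile.ZipInfo(name, date_time=(2009, 12, 28, 0, 0, 0))
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, data)
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print("whole archive:", hash_bytes(jar)["sha256"])
    for row in inventory_jar(jar):
        print(f"{row['name']:24s} {row['size']:6d} bytes  MD5: {row['md5']}  SHA-1: {row['sha1']}")
    print("tampered archive:", hash_bytes(build_sample_jar(tamper=True))["sha256"])
```

Run it on a real file with `hash_file("jar_cache....tmp")` and `inventory_jar(open(path, "rb").read())`; the archive-level digest is what you would search for on VirusTotal or Jotti, while the per-member digests let you tell which class inside the JAR a vendor's name refers to.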
SteveA


Joined: 21 May 2009
Posts: 0
Thanks Again -

Regards,
SA