Trojan.Agent-148352 & 148339 False Positives?

tec-knowledge
Joined: 26 Mar 2010
Posts: 0
Posted: Fri Mar 26, 2010 12:07 pm

W2K3 SBS
C:\ClientApps\wxpsp2\i386\AGENTSVR.EX_: Trojan.Agent-148352 FOUND
C:\ClientApps\wxpsp2\i386\WORDPAD.EX_: Trojan.Agent-148339 FOUND
UPDATE INFO
ClamAV update process started at Thu Mar 25 22:26:46 2010
main.cld is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
Downloading daily-10625.cdiff [100%]
Downloading daily-10626.cdiff [100%]
daily.cld updated (version: 10626, sigs: 44768, f-level: 44, builder: guitar)
Database updated (749495 signatures) from database.clamav.net (IP: 130.59.10.36)
Doubtful these are infected. Anyone else get this around March 25th?

cjatech
Joined: 26 Mar 2010
Posts: 0
Posted: Fri Mar 26, 2010 12:52 pm

tec-knowledge,
Yes, I've received a similar response on an XP Pro SP3 machine as shown below. Unfortunately, the user of said machine has a history of downloading junk and corrupting his system, so I have to consider this a legitimate threat. A scan run the day before reported: C:\WINDOWS\system32\dllcache\wmiprvse.exe: Trojan.Downloader-91205 FOUND. This user's system is generally functional, and it is a bad time to completely take it offline. Using Bart PE, I replaced the infected file, but clearly I haven't removed the source of the problem.
Scan Started Thu Mar 25 19:30:00 2010
(non-pertinent lines omitted)
C:\WINDOWS\$NtServicePackUninstall$\agentsvr.exe: Trojan.Agent-148352 FOUND
C:\WINDOWS\$NtServicePackUninstall$\agentsvr.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\agentsvr.exe.infected'
C:\WINDOWS\$NtServicePackUninstall$\wordpad.exe: Trojan.Agent-148339 FOUND
C:\WINDOWS\$NtServicePackUninstall$\wordpad.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\wordpad.exe.infected'
C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\wmiprvse.exe: Trojan.Downloader-91205 FOUND
-CJA

tec-knowledge
Joined: 26 Mar 2010
Posts: 0
Posted: Fri Mar 26, 2010 1:10 pm

I scanned these files with the latest Malwarebytes and MSSE and they both reported no infections. I'll re-scan with AVG and post back. I submitted these as "False Positives" to ClamWin just to be sure. This computer is a fairly fresh install of SBS 2K3 and no computers have attached to these files. The ones that showed up as infected were the XPSP2 client install compressed files on the server. Also, this computer is not used to access the web.
I'll scan with AVG and report back.

cjatech
Joined: 26 Mar 2010
Posts: 0
Posted: Fri Mar 26, 2010 1:18 pm

Your efforts are appreciated.
Regards,
CJA

tec-knowledge
Joined: 26 Mar 2010
Posts: 0
Posted: Fri Mar 26, 2010 1:46 pm

Malwarebytes = Nothing
MSSE = Nothing
AVG = Nothing
Re-updated ClamWin and found them again.
That's 3 against 1. I'm going fishing.
You might want to scan the user's infected system with another AV software, since you have the wmiprvse.exe detection and I did not.
P.S. I know what you mean about troublesome users. I have a couple of those myself. Made my life a lot easier when I started blocking Facebook at the router. Have not had a single virus call since. Users are unhappy, but I'm firm on this one.

tec-knowledge
Joined: 26 Mar 2010
Posts: 0
Posted: Fri Mar 26, 2010 2:01 pm

Re-submitted to ClamWin. Received error the first time.

cjatech
Joined: 26 Mar 2010
Posts: 0
Posted: Fri Mar 26, 2010 2:02 pm

Good work!
I don't have much blocked at the router level, but I have pointed our server's DNS to OpenDNS and set up restrictions to provide a "modest" work environment. It is funny... users hear that their system is behind a firewall and then presume that they must be immune to virus infestation and malware.
For the price, ClamWin is a nice tool. Surprisingly, it has caught several virus attachments which otherwise would have been delivered to my Outlook mailbox.
Thanks again for your efforts.
Regards,
CJA

tec-knowledge
Joined: 26 Mar 2010
Posts: 0
Posted: Fri Mar 26, 2010 2:09 pm

Yes, I use an alternate DNS service too, but if I block it on the router as well, it keeps them from a workaround. Facebook and Myspace are the only things I am blocking at the router.
Have a great weekend!

AloeHombre
Joined: 28 Mar 2010
Posts: 0
Posted: Sun Mar 28, 2010 9:42 pm

What's the verdict on these as False Positives (false or true)? Got the same results on my personal computer, same two EXEs and trojan numbers in question.

tec-knowledge
Joined: 26 Mar 2010
Posts: 0
Posted: Sun Mar 28, 2010 10:22 pm

I submitted a false positive review request, but haven't heard anything yet. I've updated ClamWin several times, but it still identifies these as infected. In my case, I don't see how these could be infected. Mine is a server freshly formatted (1 month) with SBS 2003 and only 4 computers have ever attached to this. They are all my computers and the directory in which the alleged infection exists is an XPSP2 client install folder. I don't think it has ever been accessed. If these are infected, it would be my first virus in years. Another reason why I am skeptical about it. If I hear back, I'll post here.
Good Luck!

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Mar 29, 2010 12:18 am

Have these false positives been corrected on your machines? I did not see any current false positive reports at the moment on the submission interface. Both signatures are based on the primary executable in the file(s). This doesn't usually give many false positives--unless a common installer/unarchiver/decryptor is used by the malware which kicks in before the malware is activated. Malware sometimes will use the same routines as "good" software to install/unarchive/decrypt.
Please resubmit to Clam if you still have false positive detections.
Regards,

tec-knowledge
Joined: 26 Mar 2010
Posts: 0
Posted: Mon Mar 29, 2010 1:29 am

OK, I just submitted the files in question. Hope this helps.

bagem788
Joined: 29 Mar 2010
Posts: 0
Location: California
Posted: Mon Mar 29, 2010 5:38 am

I've had these same files detected:
C:\WINDOWS\$NtServicePackUninstall$\agentsvr.exe: Trojan.Agent-148352 FOUND
C:\WINDOWS\$NtServicePackUninstall$\wordpad.exe: Trojan.Agent-148339 FOUND
I doubt they're infected, scanned with Malwarebytes, AVAST Free, and SuperAntispyware and they all came back clean.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Mar 29, 2010 1:11 pm

Please submit all false positive files (and undetected virus files) to Clam AV at https://www.clamav.net/lang/en/sendvirus/ on the web. Clam AV furnishes the scanning engine and maintains the virus signature database used by ClamWin. It is especially important to put the exact false positive name in the submission form, so the sigmaker responsible for the false positive will be informed of it.
Regards,
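The scan lines quoted throughout this thread follow a fixed layout ("path: Signature FOUND", then optionally "path: moved to 'quarantine copy'"), and GuitarBob's post above stresses that a submission has to carry the exact signature name. The following is an added example for this thread, not code from ClamWin or ClamAV: a small Python triage script that parses those lines, groups the affected files by signature, and hashes whichever copy of each file is still on disk (the quarantine copy, if ClamWin moved it) so a false-positive report can name the exact signature and the exact file. The sample log is constructed from lines quoted in the thread; its Windows paths will not exist on the machine running the script, so the hash for them comes back as None.

```python
"""Triage helper for ClamWin / clamscan detection logs.

Added example for this thread; not part of ClamWin or ClamAV. It parses the
"<path>: <Signature> FOUND" and "<path>: moved to '<quarantine copy>'" lines
that ClamWin writes, groups hits by signature name, and hashes whichever copy
of each file is still on disk so a false-positive report can name the exact
signature and the exact file.
"""
import hashlib
import os
import re
from collections import defaultdict

# Detection line: the path, then ": ", a signature name with no spaces, then "FOUND".
DETECTION_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# Quarantine line: ClamWin reports where it moved the detected file.
QUARANTINE_RE = re.compile(r"^(?P<path>.+?): moved to '(?P<dest>.+)'$")

# Constructed sample: lines copied from the scan output quoted in the thread.
SAMPLE_LOG = "\n".join([
    r"Scan Started Thu Mar 25 19:30:00 2010",
    r"C:\WINDOWS\$NtServicePackUninstall$\agentsvr.exe: Trojan.Agent-148352 FOUND",
    r"C:\WINDOWS\$NtServicePackUninstall$\agentsvr.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\agentsvr.exe.infected'",
    r"C:\WINDOWS\$NtServicePackUninstall$\wordpad.exe: Trojan.Agent-148339 FOUND",
    r"C:\WINDOWS\$NtServicePackUninstall$\wordpad.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\wordpad.exe.infected'",
    r"C:\ClientApps\wxpsp2\i386\AGENTSVR.EX_: Trojan.Agent-148352 FOUND",
])


def parse_scan_log(text):
    """Return detections in log order as dicts with keys path, signature, quarantined_to."""
    by_path = {}
    order = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = DETECTION_RE.match(line)
        if m:
            path = m.group("path")
            if path not in by_path:
                order.append(path)
            by_path[path] = {"path": path, "signature": m.group("sig"), "quarantined_to": None}
            continue
        m = QUARANTINE_RE.match(line)
        if m and m.group("path") in by_path:
            by_path[m.group("path")]["quarantined_to"] = m.group("dest")
    return [by_path[p] for p in order]


def group_by_signature(findings):
    """Map each signature name to the list of paths it fired on, in log order."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["signature"]].append(f["path"])
    return dict(groups)


def sha256_of_bytes(data):
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """SHA-256 of a file on this machine, or None if the path is not a readable file here."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def submission_rows(findings):
    """One row per detection: exact signature, original path, the copy to attach, its hash.

    If ClamWin already quarantined the file, the original path is gone and the
    quarantine copy is the one to hash and attach to the report.
    """
    rows = []
    for f in findings:
        copy_on_disk = f["quarantined_to"] or f["path"]
        rows.append({
            "signature": f["signature"],
            "file": f["path"],
            "attach": copy_on_disk,
            "sha256": sha256_of_file(copy_on_disk),
        })
    return rows


if __name__ == "__main__":
    found = parse_scan_log(SAMPLE_LOG)
    for sig, paths in group_by_signature(found).items():
        print(f"{sig}: {len(paths)} file(s)")
        for p in paths:
            print(f"    {p}")
    for row in submission_rows(found):
        print(row["signature"], row["attach"], row["sha256"] or "(file not present on this host)")
```

Run it against a saved ClamWin log instead of SAMPLE_LOG to get, per signature, the list of files to attach; the hash is for your own records when comparing what other scanners report on the same file, since the submission form itself wants the file and the signature name.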

tec-knowledge
Joined: 26 Mar 2010
Posts: 0
Posted: Mon Mar 29, 2010 1:15 pm

Thanks Guitarbob, That is where I submitted it, but I did a couple of things wrong the first time. I attached the log file instead of the files themselves. Also, I neglected to change the platform from Linux/Unix to Windows. Sorry about that...first time.
Did you get the corrected ones I submitted last night?

All times are GMT
Page 1 of 3