Duh_OZ
Back in July 2005 I reported how a small script file was being reported
as "Univ.bat/a" by McAfee and Sybari. Fast forward to 2007. I
submitted to VirusTotal again, and although McAfee now says it is clean
(which it is), a few other vendors are calling it a Zapchast variant.
Little trouble-making file keeps popping up false positives :0)
==============
AntiVir 7.3.0.21 01.09.2007 BAT/Zapchast.3
BitDefender 7.2 01.11.2007 Trojan.Bat.Zapchast.CU
ClamAV devel-20060426 01.11.2007 Trojan.BAT.Zapchast
Ewido 4.0 01.10.2007 Trojan.Zapchast
Ikarus T3.1.0.27 01.09.2007 Trojan.BAT.Zapchast
Kaspersky 4.0.2.24 01.11.2007 Trojan.BAT.Zapchast
Norman 5.80.02 01.10.2007 BAT/Zapchast.L
==================
@echo on
cd /d c:\temp
if not exist %windir%\system32\wbem goto TryInstall
cd /d %windir%\system32\wbem
net stop winmgmt
winmgmt /kill
if exist Rep_bak rd Rep_bak /s /q
rename Repository Rep_bak
for %%i in (*.dll) do RegSvr32 -s %%i
for %%i in (*.exe) do call :FixSrv %%i
for %%i in (*.mof,*.mfl) do Mofcomp %%i
net start winmgmt
goto End
:FixSrv
if /I (%1) == (wbemcntl.exe) goto SkipSrv
if /I (%1) == (wbemtest.exe) goto SkipSrv
if /I (%1) == (mofcomp.exe) goto SkipSrv
%1 /RegServer
:SkipSrv
goto End
:TryInstall
if not exist wmicore.exe goto End
wmicore /s
net start winmgmt
:End
============