OT Another Ad-Aware false positive?

John Doe

Using Ad-Aware 7.1.0.11, now it's identifying

"C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe"

as having

"Win32.Worm.Viking"

There is no indication from my firewall that it has ever tried to phone
home. No indications of malicious activity on my system.
 
John Doe

Isn't that how worms work....in secret.

Can you elaborate?

Apparently the alleged worm is doing nothing.
Have you tried downloading the new AA V8 Anniversary Free version?

No. Does it have a different set of definitions?

If you don't know, don't worry about it. Eventually someone who does
know something about it might comment. That's what happened last time.
 
GortWeasel

Using Ad-Aware 7.1.0.11, now it's identifying

"C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe"

as having

"Win32.Worm.Viking"

There is no indication from my firewall that it has ever tried to phone
home. No indications of malicious activity on my system.

Hang on, not so long ago you said you didn't use a firewall. Have you
been telling porkies?

This worm appears to be well documented, and you can remove it manually.

If you have a registry key with this signature
([HKLM\SOFTWARE\Soft\DownloadWWW]) then you are infected.

There is lots of information on it here.
http://www.viruslist.com/en/viruses/encyclopedia?virusid=73406#doc1
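The post above gives two host indicators for Win32.Worm.Viking (a registry key and a running LOGO1.EXE process). Below is an added triage script, not code from the thread, from Ad-Aware or from the linked write-up, that checks both indicators and then hashes the flagged file so the sample can be looked up on VirusTotal by hash before anyone uploads it. Assumptions: the registry path and the LOGO1.EXE process name are exactly the ones quoted in the post; the default file path is the one Ad-Aware flagged; the VirusTotal URL uses the current `/gui/file/<sha256>` scheme rather than the older links seen later in this thread. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread or from Ad-Aware): check the two Viking
# indicators named in the post, then hash the flagged file for a VirusTotal
# lookup by hash. Assumed: registry path and LOGO1.EXE name as quoted in the
# post; default file path as flagged by Ad-Aware. Run from an elevated prompt.
param(
    [string]$SuspectFile = 'C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry key the write-up associates with an infection.
$vikingKey = 'HKLM:\SOFTWARE\Soft\DownloadWWW'
if (Test-Path -LiteralPath $vikingKey) {
    $findings.Add("Registry key present: $vikingKey")
} else {
    $findings.Add("Registry key absent:  $vikingKey")
}

# 2. The worm process named in the write-up (Get-Process takes the name without .exe).
$logo = @(Get-Process -Name 'LOGO1' -ErrorAction SilentlyContinue)
if ($logo.Count -gt 0) {
    $findings.Add("Process running: LOGO1.EXE (PID $($logo.Id -join ', '))")
} else {
    $findings.Add("Process absent:  LOGO1.EXE")
}

# 3. Facts about the flagged file itself: size, timestamps, hashes, Authenticode status.
if (Test-Path -LiteralPath $SuspectFile) {
    $item = Get-Item -LiteralPath $SuspectFile
    $md5  = (Get-FileHash -LiteralPath $SuspectFile -Algorithm MD5).Hash
    $sha  = (Get-FileHash -LiteralPath $SuspectFile -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -FilePath $SuspectFile).Status
    $findings.Add("File: $SuspectFile")
    $findings.Add("  Size: $($item.Length) bytes, modified $($item.LastWriteTime)")
    $findings.Add("  MD5:    $md5")
    $findings.Add("  SHA256: $sha")
    # NotSigned on its own is not evidence either way; only a Valid or HashMismatch
    # result says something definite about the file's integrity.
    $findings.Add("  Authenticode: $sig")
    # An existing VirusTotal report for this exact file can be found by hash
    # without uploading it (assumed current URL scheme).
    $findings.Add("  VirusTotal lookup: https://www.virustotal.com/gui/file/$sha")
} else {
    $findings.Add("Flagged file not found: $SuspectFile")
}

$findings
```

A file-infecting worm that has actually patched AcroRd32.exe would change its hash and its Authenticode status; a scanner signature matching on an otherwise unchanged, still-running binary with neither host indicator present is what a false positive looks like, and the hash lets other engines weigh in on the same bytes.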
 
John Doe

GortWeasel said:
John Doe wrote:

Hang on, not so long ago you said you didn't use a firewall.

That's a lie, Jack. That is the opposite of what I have said. I
always use a firewall. A firewall is one of several ways my system
is monitored.
Have you been telling porkies?

Are you trying to coin a word, Jack?
This worm appears to be well documented, and you can remove it
manually.

Not if it is another Ad-Aware false positive.
If you have a registry key with this signature
([HKLM\SOFTWARE\Soft\DownloadWWW]) then you are infected.

Nope, no such registry entry in my system. When the process
ACRORD32.EXE is running, there is no such worm process LOGO1.EXE
running as listed on that page either. According to that page, it
allegedly replaces the infected file, but that has not happened,
otherwise the PDF viewer wouldn't run.
 
Franc Zabkar

That's a lie, Jack. That is the opposite of what I have said. I
always use a firewall. A firewall is one of several ways my system
is monitored.


Are you trying to coin a word, Jack?

Porky = Pork Pie = Lie in Cockney rhyming slang:
http://en.wikipedia.org/wiki/Pork_pie
This worm appears to be well documented, and you can remove it
manually.

Not if it is another Ad-Aware false positive.
If you have a registry key with this signature
([HKLM\SOFTWARE\Soft\DownloadWWW]) then you are infected.

Nope, no such registry entry in my system. When the process
ACRORD32.EXE is running, there is no such worm process LOGO1.EXE
running as listed on that page either. According to that page, it
allegedly replaces the infected file, but that has not happened,
otherwise the PDF viewer wouldn't run.

Upload your suspect file to an online virus scanner, eg:
http://www.virustotal.com/

- Franc Zabkar
 
John Doe

Franc Zabkar said:
Porky = Pork Pie = Lie in Cockney rhyming slang:
http://en.wikipedia.org/wiki/Pork_pie

That bounces off of too many rails, and Wiki stuff is no more
authoritative than USENET anyway.
This worm appears to be well documented, and you can remove it
manually.

Not if it is another Ad-Aware false positive.
If you have a registry key with this signature
([HKLM\SOFTWARE\Soft\DownloadWWW]) then you are infected.

Nope, no such registry entry in my system. When the process
ACRORD32.EXE is running, there is no such worm process LOGO1.EXE
running as listed on that page either. According to that page, it
allegedly replaces the infected file, but that has not happened,
otherwise the PDF viewer wouldn't run.

Upload your suspect file to an online virus scanner, eg:
http://www.virustotal.com/

http://www.virustotal.com/analisis/97881d873832a4154338dd7e2f5054be
 
John Doe

And, after updating definitions, apparently another false positive
appeared.

Win32.Worm.LovGate
qsp2ie07103010.dll

Uploaded and verified it is okay.

I suppose further instances should not be considered news. Maybe it's
just a sign of the times.
 
Franc Zabkar

And, after updating definitions, apparently another false positive
appeared.

Win32.Worm.LovGate
qsp2ie07103010.dll

Uploaded and verified it is okay.

I suppose further instances should not be considered news. Maybe it's
just a sign of the times.

Here is an interesting file which contains Chernobyl (CIH) code,
possibly a harmless remnant. A Compaq user claims it shipped with his
Compaq installation CD.
http://www.users.on.net/~fzabkar/00000004.zip

Here is the analysis:
http://www.virustotal.com/analisis/8ffd4e27645b508d2372ce1bb59c7949

There are 4 positives out of 39.

IIRC, the name of the file is that which was given to it by Uniextract
(?) after extracting it from a Wise installation archive. The original
filename is probably an EXE.

You can see the CIH text in the body of the file, at the end.

According to Wikipedia ...

"Due to its infection mechanism, most antivirus software can
deactivate the virus but cannot completely clean infected files."

http://en.wikipedia.org/wiki/CIH_virus#Removal

It appears that Compaq's file may have been infected and then cleaned,
instead of being restored from a good backup. This begs the question,
if a file shows signs of having been infected and cleaned, should that
be regarded as a positive result or not?

- Franc Zabkar
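Franc's question, whether a file that carries leftover virus text but no working infection should count as a positive, is easier to answer when you know where in the file the text sits. The script below is an added example, not Franc's or the thread's code: it finds every occurrence of an ASCII marker in a suspect file, parses just enough of the PE header to map each hit to a section, the overlay after the last section, or the space between sections, and prints the SHA256 so the same bytes can be cross-checked against the VirusTotal report. Assumptions: the path and marker are supplied by the caller; the default marker 'CIH' is only an illustration of the text Franc mentions, not a published detection signature; the file may not be a PE at all (Franc notes the sample was renamed by an extractor), in which case only raw offsets are reported.

```powershell
# Added example (not Franc's or the thread's code): locate an ASCII marker in a
# suspect file and say where it sits relative to the PE layout, so a remnant
# left by a cleaned infection can be examined by hand. Assumed: caller supplies
# the path; the default marker 'CIH' is an illustration, not a real signature.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [ValidateNotNullOrEmpty()][string]$Marker = 'CIH'
)

$bytes = [System.IO.File]::ReadAllBytes($Path)
# ASCII decoding keeps one char per byte, so string indexes equal file offsets.
$text  = [System.Text.Encoding]::ASCII.GetString($bytes)

# Parse just enough of the PE header to know where each section's raw data is.
$sections      = @()
$endOfSections = 0
$isPE = $bytes.Length -gt 0x40 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A   # 'MZ'
if ($isPE) {
    $peOff = [BitConverter]::ToInt32($bytes, 0x3C)                                # e_lfanew
    $isPE  = ($peOff -gt 0) -and ($peOff + 24 -le $bytes.Length) -and
             $bytes[$peOff] -eq 0x50 -and $bytes[$peOff + 1] -eq 0x45 -and        # 'PE\0\0'
             $bytes[$peOff + 2] -eq 0 -and $bytes[$peOff + 3] -eq 0
}
if ($isPE) {
    $numSections = [BitConverter]::ToUInt16($bytes, $peOff + 6)    # COFF NumberOfSections
    $optSize     = [BitConverter]::ToUInt16($bytes, $peOff + 20)   # COFF SizeOfOptionalHeader
    $table       = $peOff + 24 + $optSize                          # first IMAGE_SECTION_HEADER
    for ($i = 0; $i -lt $numSections; $i++) {
        $h    = $table + 40 * $i
        $name = [System.Text.Encoding]::ASCII.GetString($bytes, $h, 8).TrimEnd([char]0)
        $raw  = [BitConverter]::ToUInt32($bytes, $h + 16)          # SizeOfRawData
        $ptr  = [BitConverter]::ToUInt32($bytes, $h + 20)          # PointerToRawData
        $sections += [pscustomobject]@{ Name = $name; Start = $ptr; End = $ptr + $raw }
        if ($ptr + $raw -gt $endOfSections) { $endOfSections = $ptr + $raw }
    }
}

# Walk every occurrence of the marker and classify its position.
$hits = @()
$pos  = $text.IndexOf($Marker, [StringComparison]::Ordinal)
while ($pos -ge 0) {
    $where = 'not a PE file; raw offset only'
    if ($isPE) {
        $sec = $sections | Where-Object { $pos -ge $_.Start -and $pos -lt $_.End } | Select-Object -First 1
        if ($sec)                        { $where = "inside section $($sec.Name)" }
        elseif ($pos -ge $endOfSections) { $where = 'in the overlay, after the last section' }
        else                             { $where = 'between sections (headers or padding)' }
    }
    $hits += [pscustomobject]@{ Offset = ('0x{0:X}' -f $pos); Location = $where }
    $pos = $text.IndexOf($Marker, $pos + 1, [StringComparison]::Ordinal)
}

if ($hits.Count -eq 0) { "Marker '$Marker' not found in $Path" } else { $hits | Format-Table -AutoSize }
"File size {0} bytes; end of last section at 0x{1:X}; SHA256 {2}" -f `
    $bytes.Length, $endOfSections, (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
```

A text match by itself is not a positive: it tells you the bytes are there, not that anything executes them. What settles the question is whether the code path is still reachable (entry point, section characteristics, the bytes around the hit), which is the analysis the four engines that flagged Franc's sample did or did not do; the offsets and hash from this script are what you would hand to someone doing that check.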
 