Trojan

Joe G

I use AVG free edition and it is up to date. This morning all of a sudden
during a virus scan it located a Trojan on my system. Well, the file in
question is "sbwcrv.exe". This is the program from the US Treasury used to
monitor individual US Savings Bonds. I have had this program on this
computer for many a year and never had it trigger a virus before. Has
anyone else had any problem like this? I can give all of my specs for the
computer if needed but I don't think it is necessary at this time.

Joe
 
From: "Joe G" <[email protected]>

| I use AVG free edition and it is up to date. This morning all of a sudden
| during a virus scan it located a Trojan on my system. Well, the file in
| question is "sbwcrv.exe". This is the program from the US Treasury used to
| monitor individual US Savings Bonds. I have had this program on this
| computer for many a year and never had it trigger a virus before. Has
| anyone else had any problem like this? I can give all of my specs for the
| computer if needed but I don't think it is necessary at this time.
|
| Joe
|



Please submit a copy of "sbwcrv.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.

Based upon the above results, you can send a copy in an email to Grisoft stating you believe
this is a False Positive (e-mail address removed) and send the report as well.
 
David H. Lipman said:
From: "Joe G" <[email protected]>

| I use AVG free edition and it is up to date. This morning all of a sudden
| during a virus scan it located a Trojan on my system. Well, the file in
| question is "sbwcrv.exe". This is the program from the US Treasury used to
| monitor individual US Savings Bonds. I have had this program on this
| computer for many a year and never had it trigger a virus before. Has
| anyone else had any problem like this? I can give all of my specs for the
| computer if needed but I don't think it is necessary at this time.
|
| Joe
|



Please submit a copy of "sbwcrv.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.

Based upon the above results, you can send a copy in an email to Grisoft stating you believe
this is a False Positive (e-mail address removed) and send the report as well.

OK, here are the results, but they are using the AVG dated 11-29-05 and the
problem started this morning (12-01-05)

This is a report processed by VirusTotal on 12/02/2005 at 01:21:56 (CET)
after scanning the file "SBWizard.exe" file.
Antivirus      Version         Update      Result
AntiVir        6.32.0.6        12.01.2005  no virus found
Avast          4.6.695.0       12.01.2005  no virus found
AVG            718             11.29.2005  no virus found
Avira          6.32.0.6        12.01.2005  no virus found
BitDefender    7.2             12.02.2005  no virus found
CAT-QuickHeal  8.00            12.01.2005  no virus found
ClamAV         devel-20051108  12.01.2005  no virus found
DrWeb          4.33            12.01.2005  no virus found
eTrust-Iris    7.1.194.0       12.01.2005  no virus found
eTrust-Vet     11.9.1.0        12.01.2005  no virus found
Fortinet       2.48.0.0        12.01.2005  no virus found
F-Prot         3.16c           12.01.2005  no virus found
Ikarus         0.2.59.0        12.01.2005  no virus found
Kaspersky      4.0.2.24        12.02.2005  no virus found
McAfee         4641            12.01.2005  no virus found
NOD32v2        1.1310          12.01.2005  no virus found
Norman         5.70.10         12.01.2005  no virus found
Panda          8.02.00         12.01.2005  no virus found
Sophos         4.00.0          12.01.2005  no virus found
Symantec       8.0             12.01.2005  no virus found
TheHacker      5.9.1.047       12.01.2005  no virus found
VBA32          3.10.5          12.01.2005  no virus found



VirusTotal is a free service offered by Hispasec Sistemas. There are no
guarantees about the availability and continuity of this service. Although
the detection rate afforded by the use of multiple antivirus engines is far
superior to that offered by just one product, these results DO NOT guarantee
the harmlessness of a file. Currently, there is not any solution that offers
a 100% effectiveness rate for detecting viruses and malware.
 
OK, I just redownloaded the file from the US Government and tested it before
unzipping it and guess what we found? LOL

This is a report processed by VirusTotal on 12/02/2005 at 01:32:19 (CET)
after scanning the file "sbwcrv.exe" file.
Antivirus      Version         Update      Result
AntiVir        6.32.0.6        12.01.2005  no virus found
Avast          4.6.695.0       12.01.2005  no virus found
AVG            718             11.29.2005  BackDoor.Generic.WIM
Avira          6.32.0.6        12.01.2005  no virus found
BitDefender    7.2             12.02.2005  no virus found
CAT-QuickHeal  8.00            12.01.2005  no virus found
ClamAV         devel-20051108  12.01.2005  no virus found
DrWeb          4.33            12.01.2005  no virus found
eTrust-Iris    7.1.194.0       12.01.2005  no virus found
eTrust-Vet     11.9.1.0        12.01.2005  no virus found
Fortinet       2.48.0.0        12.01.2005  no virus found
F-Prot         3.16c           12.01.2005  no virus found
Ikarus         0.2.59.0        12.01.2005  IRC-Worm.Momma.E
Kaspersky      4.0.2.24        12.02.2005  no virus found
McAfee         4641            12.01.2005  no virus found
NOD32v2        1.1310          12.01.2005  no virus found
Norman         5.70.10         12.01.2005  no virus found
Panda          8.02.00         12.01.2005  no virus found
Sophos         4.00.0          12.01.2005  no virus found
Symantec       8.0             12.01.2005  no virus found
TheHacker      5.9.1.047       12.01.2005  no virus found
VBA32          3.10.5          12.01.2005  Backdoor.IRC.Flood.dropper



 
From: "Joe G" <[email protected]>

| OK, I just redownloaded the file from the US Government and tested it before
| unzipping it and guess what we found? LOL
|
| This is a report processed by VirusTotal on 12/02/2005 at 01:32:19 (CET)
| after scanning the file "sbwcrv.exe" file.
| Antivirus Version Update Result
| AVG 718 11.29.2005 BackDoor.Generic.WIM
| Ikarus 0.2.59.0 12.01.2005 IRC-Worm.Momma.E
| VBA32 3.10.5 12.01.2005 Backdoor.IRC.Flood.dropper

Fascinating. I get the same results as I too use the US Treasury Savings Bond Wizard.

I am still inclined to think this is a False Positive.
I suggest we both send a message to...

AVG -- (e-mail address removed)
Ikarus -- (e-mail address removed)
VBA32 -- (e-mail address removed)
 
I have already sent it to AVG and they have asked for the file archived and
password protected which I have sent to them a few minutes ago.

Joe
 
Joe G said:
I have already sent it to AVG and they have asked for the file archived and
password protected which I have sent to them a few minutes ago.

Joe

Just got this back from AVG

"
Dear Joe,

Thank you for your email.

The file that you sent us is not detected by AVG as BackDoor.Generic.WIM
anymore.

Unfortunately there is an old version of AVG on the "Virustotal" webpage. Please
update AVG on your computer and it will probably not detect this file as a
virus.

The latest version of AVG is: 7.1.362 (program version) and 267.13.0/199
(virus database).

Thanks for sending the file.

Best regards,

Jitka Vondrakova

AVG Technical Support

"
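
Added example (not part of the original thread): a short Python triage of the plain-text VirusTotal report posted above, separating detections made by engines whose signature date lags the rest, which is the situation the AVG reply describes. The function names and the one-day lag threshold are assumptions; the sample rows are a subset copied from the second report in the thread.

```python
import re
from datetime import datetime

# Subset of rows copied from the second report posted in the thread.
SAMPLE_REPORT = """\
Antivirus Version Update Result
AntiVir 6.32.0.6 12.01.2005 no virus found
AVG 718 11.29.2005 BackDoor.Generic.WIM
ClamAV devel-20051108 12.01.2005 no virus found
Ikarus 0.2.59.0 12.01.2005 IRC-Worm.Momma.E
Kaspersky 4.0.2.24 12.02.2005 no virus found
VBA32 3.10.5 12.01.2005 Backdoor.IRC.Flood.dropper
"""

# engine, engine version, signature date (MM.DD.YYYY), verdict
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")

def parse_report(text):
    """Return one dict per engine row; the header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.lstrip("| "))  # tolerate '| ' quote markers
        if not m:
            continue
        engine, version, update, result = m.groups()
        rows.append({"engine": engine, "version": version,
                     "updated": datetime.strptime(update, "%m.%d.%Y").date(),
                     "result": result})
    return rows

def triage(rows, max_lag_days=1):
    """Group detections by whether the engine's signatures lag the newest set.

    max_lag_days is an assumed threshold, not a VirusTotal setting.
    """
    if not rows:
        raise ValueError("no engine rows found in report")
    newest = max(r["updated"] for r in rows)
    stale = {r["engine"] for r in rows
             if (newest - r["updated"]).days > max_lag_days}
    hits = {r["engine"]: r["result"] for r in rows
            if r["result"].lower() != "no virus found"}
    return {"ratio": f"{len(hits)}/{len(rows)}",
            "hits": hits,
            "stale_engines": sorted(stale),
            # Re-check these against current signatures before anything else.
            "hits_from_stale": sorted(set(hits) & stale)}

if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_REPORT)))
```

A hit from a stale engine is only a prompt to re-scan with current definitions; hits from up-to-date engines (Ikarus and VBA32 here) still need their own vendor follow-up.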
 
Followed this conversation with interest. I had the exact same incident
happen to me, except it occurred on the 29th of Nov. I let AVG do its thing
to the savings bond program and have seen no adverse effects. I had just
come back from Minnesota for one week. I knew my son had been on my
computer while I was gone so I thought he had wandered into somewhere he
should not have gone. Guess I owe him an apology.

Thanks for the posts.

Mr Nobody
 