Trojan-Spy.Win32.Agent.beaf

Discussion in 'Virus Information' started by OREALLY, Mar 17, 2010.

  1. OREALLY

    OREALLY Guest

    Kaspersky finds 10 infected files in the HP Recovery Wizard. How can I
    disinfect them?

    Thanks,

    Oreally
     
    OREALLY, Mar 17, 2010
    #1

  2. Submit the suspect files to virustotal.com or jotti.org or virscan.org
    to see if that helps you to determine whether or not this is a false
    positive declaration (which I suspect might be the case).
     
    FromTheRafters, Mar 17, 2010
    #2

  3. From: "FromTheRafters" <erratic @nomail.afraid.org>


    | Submit the suspect files to virustotal.com or jotti.org or virscan.org
    | to see if that helps you to determine whether or not this is a false
    | positive declaration (which I suspect might be the case).



    Yes, it may be a "Kaspersky" False Positive.
     
    David H. Lipman, Mar 17, 2010
    #3
  4. OREALLY

    Oreally Guest

    VirusTotal finds 19% (8/42)........what do you guys think?

    Oreally
     
    Oreally, Mar 17, 2010
    #4
    My educated guess is that they are false positive declarations, and
    Kaspersky's next update will probably make them not continue to be
    alerted to when scanned.

    IOW ignore them and they will go away.

    I can't actually confirm that this is the case, but there are
    conversations going on (used Google).
     
    FromTheRafters, Mar 17, 2010
    #5
  6. OREALLY

    Oreally Guest

    Thanks for your coherent reply!

    Just Curious.....if you set the security parameters for a folder or a file
    to "Deny" will that lock the folder or file and prevent any possible viruses
    from migrating?

    Thanks,

    Oreally
     
    Oreally, Mar 17, 2010
    #6
  7. Usually (though unfortunately not always), when the malware type is
    "trojan", you are *not* dealing with a virus.

    A trojan is a program that you think you want to execute because you are
    unaware that instead of or in addition to what you think it does, it
    also does something you would *not* want done (for instance, kill the
    box). If you had known about it in advance, you would not have executed
    it. The thing that it does (bad) is the "payload" (where the malware
    author's intent (kill the box) is realized).

    A virus is a self-replicating (and some say, infecting) program, and it
    can (copy) carry a payload with it. If you combine these two concepts -
    have the self-replicator also copy the trojan's payload - the beast
    becomes a "virus" with a payload (the former trojan's payload). Payload
    activation can be timed (like a time bomb). The absence of a payload
    does not disqualify a self-replicating infector from being a virus.

    As for viruses (or malware in general) being able to overcome a "deny",
    no - but malware executing with sufficient privilege can read/write
    anywhere. Viruses don't *need* to exploit software vulnerabilities, but
    if they can escalate privilege by doing so, they will because it gives
    them greater scope.
     
    FromTheRafters, Mar 17, 2010
    #7
  8. From: "Oreally" <>

    | Virus total finds 19% (8/42)........what do you guys think?

    | Oreally

    Since you did NOT post the VT report, nothing.

    I have seen cases of False Positives being widespread amongst vendors.

    I'll tell 'ya what...

    Upload the file to UploadMalware.Com and I'll analyze this file and let you know what's up
    with it.
    http://www.uploadmalware.com/

    Reply back when you have uploaded it.
     
    David H. Lipman, Mar 17, 2010
    #8
  9. OREALLY

    Oreally Guest

    Thanks.....

    I've loaded 6 of the files.....(there were 10 total)

    Let me know,

    Oreally
     
    Oreally, Mar 17, 2010
    #9
  10. From: "Oreally" <>

    | Thanks.....

    | I've loaded 6 of the files.....(there were 10 total)

    | Let me know,

    | Oreally


    Got'em
     
    David H. Lipman, Mar 17, 2010
    #10
  11. From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

    | From: "Oreally" <>

    || Thanks.....

    || I've loaded 6 of the files.....(there were 10 total)

    || Let me know,

    || Oreally


    | Got'em

    Three of the files are the same having the MD5 checksum of
    f98415e3c2d1b96a5f132769f067627c
     
    David H. Lipman, Mar 17, 2010
    #11
  12. OREALLY

    Oreally Guest

    Right......8 total are: Trojan-Spy.Win32.Agent.beaf
     
    Oreally, Mar 17, 2010
    #12
  13. From: "Oreally" <>

    | Right......8 total are: Trojan-Spy.Win32.Agent.beaf



    No, that's the detection. I'm saying that while the EXE names are different the files are
    the same, thus they WOULD get the same detection.

    A string in the Visual Basic file is...

    F:\work\hp\systemwiz\SWR_Wizard\RunLinkReset\RunLinkReset.vbp'

    Which jives with "HP Recovery Wizard".
     
    David H. Lipman, Mar 17, 2010
    #13
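The two checks made in posts #11 and #13 above (grouping the uploaded files by MD5 so that byte-identical files under different EXE names are recognised as one sample, and pulling the embedded Visual Basic project path out of the binary to see what it was built from) can be reproduced offline. The script below is an added example and is not code from this thread or from any tool its participants used; the three sample "files" are constructed byte strings, and the function names (`group_by_md5`, `printable_strings`, `vb_project_paths`, `triage`) are the example's own.

```python
import hashlib
import re
from collections import defaultdict

# Minimum run of printable ASCII that counts as a "string"; this is the same
# default the Unix `strings` tool uses.
MIN_STRING_LEN = 4

# A Windows drive path ending in a Visual Basic 6 project file (.vbp), the
# kind of build-path string post #13 found inside the executable.
VBP_PATH = re.compile(rb"[A-Za-z]:\\[^\x00'\"]*?\.vbp", re.IGNORECASE)


def file_hashes(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests for one file body."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def group_by_md5(files: dict) -> dict:
    """Map each MD5 digest to the file names that share that exact content.
    Two files with the same bytes will always get the same AV detection,
    whatever they are called on disk."""
    groups = defaultdict(list)
    for name, data in files.items():
        groups[hashlib.md5(data).hexdigest()].append(name)
    return dict(groups)


def printable_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> list:
    """Extract runs of printable ASCII of at least min_len bytes."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(data)]


def vb_project_paths(data: bytes) -> list:
    """Return any embedded .vbp project paths (VB6 build artefacts)."""
    return [m.group().decode("ascii") for m in VBP_PATH.finditer(data)]


def triage(files: dict) -> dict:
    """Summarise a batch of uploaded files: duplicate groups, hashes,
    and any VB project path that hints at the file's origin."""
    return {
        "groups": group_by_md5(files),
        "hashes": {name: file_hashes(data) for name, data in files.items()},
        "vbp_paths": {name: vb_project_paths(data) for name, data in files.items()},
    }


# Constructed sample files (not real HP binaries): a fake DOS/PE stub followed
# by a few embedded strings. Two of the three are byte-for-byte identical.
FAKE_PE_STUB = b"MZ\x90\x00" + b"\x00" * 12
VB_SAMPLE = (
    FAKE_PE_STUB
    + b"\x00\x01"
    + b"F:\\work\\hp\\systemwiz\\SWR_Wizard\\RunLinkReset\\RunLinkReset.vbp\x00"
    + b"\x02MSVBVM60.DLL\x00"
)
SAMPLE_FILES = {
    "RunLinkReset.exe": VB_SAMPLE,
    "RunLinkReset2.exe": VB_SAMPLE,          # same bytes, different name
    "Other.exe": FAKE_PE_STUB + b"\xff\xfeHello\x00",
}

if __name__ == "__main__":
    report = triage(SAMPLE_FILES)
    for digest, names in report["groups"].items():
        print(f"{digest}  {', '.join(names)}")
    for name, paths in report["vbp_paths"].items():
        if paths:
            print(f"{name}: built from {paths[0]}")
```

Running this on a real batch means replacing `SAMPLE_FILES` with the bytes read from disk; the grouping step tells you how many distinct samples you actually have (three uploads collapsing to one MD5, as in post #11), and the project-path check is one of the origin clues a reviewer weighs before calling a detection a false positive.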
  14. OREALLY

    Oreally Guest

    Ok....so what do I do? Are they false positives?
     
    Oreally, Mar 17, 2010
    #14
  15. From: "Oreally" <>

    | Ok....so what do I do? Are they false positives?



    So far I see NO malicious activity or signs of it.
     
    David H. Lipman, Mar 17, 2010
    #15
  16. OREALLY

    Oreally Guest

    That's encouraging.....

    I came across a 2005 forum where the user found exactly the same malware
    showing up in the same HP folder from a Kaspersky scan! One wonders how they
    can recycle old false positives (if that's what they are) in a database 5
    years later!

    Thanks for your help!

    Oreally
     
    Oreally, Mar 17, 2010
    #16
  17. From: "Oreally" <>

    | That's encouraging.....

    | I came across a 2005 forum where the user found exactly the same malware
    | showing up in the same HP folder from a Kaspersky scan! One wonders how they
    | can recycle old false positives (if that's what they are) in a database 5
    | years later!

    | Thanks for your help!

    | Oreally


    Files have been sent directly to Kaspersky. I am awaiting an answer (other than their
    automated response).
     
    David H. Lipman, Mar 17, 2010
    #17
  18. From: "Oreally" <>

    | That's encouraging.....

    | I came across a 2005 forum where the user found exactly the same malware
    | showing up in the same HP folder from a Kaspersky scan! One wonders how they
    | can recycle old false positives (if that's what they are) in a database 5
    | years later!

    | Thanks for your help!

    | Oreally



    I'm not sure about the DLL. It may be WebHancer, non-viral malware.
     
    David H. Lipman, Mar 17, 2010
    #18
  19. OREALLY

    Oreally Guest

    I sent the 3 suspicious malware to Symantec........they found them all
    clean.

    Hear anything from Kaspersky?

    Oreally
     
    Oreally, Mar 19, 2010
    #19
  20. From: "Oreally" <>

    | I sent the 3 suspicious malware to Symantec........they found them all
    | clean.

    | Hear anything from Kaspersky?

    { sigh }

    Nothing.
     
    David H. Lipman, Mar 19, 2010
    #20