Trojan? Or a false alarm?

[thx1138xxix]

Hi all,

I'm new here, so I hope I'm posting this in the appropriate forum.

This is a little long, so please bear with me..

I've been a Norton Anti-virus user for about two years, ever since I
bought my new computer. Also, I'm very cautious when it comes to
viruses. I never use my computer's e-mail program, instead I opt for
web-based e-mail clients like Yahoo, Hotmail and G-mail. Even so, I
never open e-mails if they look suspicious or have attachments.

I also never run programs that I get from sources I don't trust. I
practice safe web-browsing and have always had a firewall and
anti-virus program running. And I run virus and security checks ALL the
time.

That being said, my Norton subscription ended two days ago. So, after
hearing many good things about Avast!.. I thought I'd try it. I
uninstalled Norton and installed Avast!. It ran it's first scan.. and
all was clean. I ran another scan a little later.. again, everything
was clean.

Now.. today I decided to try a "thorough" scan rather than the
"standard" scan that I did the first two times. Well, this time I got a
virus warning.. and of all places on my D: drive!

It said the file that was infected was "wksv7std.sbs" located at

D:\i386\Apps\App12654\workssuite\msworks\pfiles\msworks

It said that it was a Malware type Trojan called Win32:SdBot-3324
[Trj]. Avast!'s recommended advice was to move this file to the virus
chest.. which is what I did.

Now, my D: drive is just a "recovery partition" used by my computer. I
never write anything to it because I'm simply not able to. When I click
on that drive it tells me that this area of my drive contains files
used for system recovery. And that I should not delete or alter files
in there. And that any change could prevent any recovery later on.

Now, I'm no expert when it comes to viruses.. but I just have this
feeling that Avast! was just being overly sensitive. I've used other
virus programs in the past, and at times they would detect viruses in
completely innocent files.

How is it possible for a 47.1 MB trojan to get on my D: drive? A drive
that is basically locked and used only for recovery? Plus.. I'm a
dial-up user and I never leave my computer running unattended. I would
definitely know if a 47.1 MB file was somehow uploaded to my computer.

Plus.. isn't wksv7std.sbs a file that deals with clipart? It all just
doesn't make sense.

Anyhow.. that's my situtation. Now my questions..

If the file is truly a trojan (which I doubt it is), how would I know
for sure? Also, if it is a trojan.. has Avast! cured the problem by
locking it away in the virus chest?

But.. if it is ~not~ a trojan, can I put the file back where it belongs
by clicking "restore" in the virus chest menu without it messing up my
recovery partition?

I'm sorry, I know this is a little long-winded. But any advice would be
TRULY appreciated!

--steve

 

[Sanjaya]

[snip]

It said the file that was infected was "wksv7std.sbs" located at

D:\i386\Apps\App12654\workssuite\msworks\pfiles\msworks

It said that it was a Malware type Trojan called Win32:SdBot-3324
[Trj]. Avast!'s recommended advice was to move this file to the virus
chest.. which is what I did.

Avast used to tell me Panda Software's Activescan was a trojan.
It also indicated auto-updater files for various things like MS Works,
Yahoo Messenger and others were trojans.

I finally got rid of Avast because of that.

 

[David Fairbrother]

Is it possible to move the file back to its original location?
might be an idea - and switch back to Norton.

[snip]

It said the file that was infected was "wksv7std.sbs" located at

D:\i386\Apps\App12654\workssuite\msworks\pfiles\msworks

It said that it was a Malware type Trojan called Win32:SdBot-3324
[Trj]. Avast!'s recommended advice was to move this file to the virus
chest.. which is what I did.

Avast used to tell me Panda Software's Activescan was a trojan.
It also indicated auto-updater files for various things like MS Works,
Yahoo Messenger and others were trojans.

I finally got rid of Avast because of that.

 

[David H. Lipman]

From: <[email protected]>

| Hi all,
|
| I'm new here, so I hope I'm posting this in the appropriate forum.
|
| This is a little long, so please bear with me..
|
| I've been a Norton Anti-virus user for about two years, ever since I
| bought my new computer. Also, I'm very cautious when it comes to
| viruses. I never use my computer's e-mail program, instead I opt for
| web-based e-mail clients like Yahoo, Hotmail and G-mail. Even so, I
| never open e-mails if they look suspicious or have attachments.
|
| I also never run programs that I get from sources I don't trust. I
| practice safe web-browsing and have always had a firewall and
| anti-virus program running. And I run virus and security checks ALL the
| time.
|
| That being said, my Norton subscription ended two days ago. So, after
| hearing many good things about Avast!.. I thought I'd try it. I
| uninstalled Norton and installed Avast!. It ran it's first scan.. and
| all was clean. I ran another scan a little later.. again, everything
| was clean.
|
| Now.. today I decided to try a "thorough" scan rather than the
| "standard" scan that I did the first two times. Well, this time I got a
| virus warning.. and of all places on my D: drive!
|
| It said the file that was infected was "wksv7std.sbs" located at
|
| D:\i386\Apps\App12654\workssuite\msworks\pfiles\msworks
|
| It said that it was a Malware type Trojan called Win32:SdBot-3324
| [Trj]. Avast!'s recommended advice was to move this file to the virus
| chest.. which is what I did.
|
| Now, my D: drive is just a "recovery partition" used by my computer. I
| never write anything to it because I'm simply not able to. When I click
| on that drive it tells me that this area of my drive contains files
| used for system recovery. And that I should not delete or alter files
| in there. And that any change could prevent any recovery later on.
|
| Now, I'm no expert when it comes to viruses.. but I just have this
| feeling that Avast! was just being overly sensitive. I've used other
| virus programs in the past, and at times they would detect viruses in
| completely innocent files.
|
| How is it possible for a 47.1 MB trojan to get on my D: drive? A drive
| that is basically locked and used only for recovery? Plus.. I'm a
| dial-up user and I never leave my computer running unattended. I would
| definitely know if a 47.1 MB file was somehow uploaded to my computer.
|
| Plus.. isn't wksv7std.sbs a file that deals with clipart? It all just
| doesn't make sense.
|
| Anyhow.. that's my situtation. Now my questions..
|
| If the file is truly a trojan (which I doubt it is), how would I know
| for sure? Also, if it is a trojan.. has Avast! cured the problem by
| locking it away in the virus chest?
|
| But.. if it is ~not~ a trojan, can I put the file back where it belongs
| by clicking "restore" in the virus chest menu without it messing up my
| recovery partition?
|
| I'm sorry, I know this is a little long-winded. But any advice would be
| TRULY appreciated!
|
| --steve

Chances are it is a False Positive declaration. Additionally, the i386 folder is a
Microsoft distribution/installation folder for the NT Based OS. I doubt you'll need to
replace it.

If you do have a copy, submit it to Avast as a possible False Positive.

mailto:[email protected]?subject=Possible%20False%20Positive

 

[thx1138xxix]

Hi all,

I'd like to thank everyone for the replies!

As I said, I used to have Norton.. and it never recognized the file as
a trojan. The reason I switched to Avast was because Norton was a bit
of a resource hog and I didn't care to spend $30 a year for updates.

This file was on my D: drive, a partition that's locked to me. I can't
write to it at all..it's only used for recovery. As far as I know, the
files on that partition were put there when I bought the computer new
from Gateway. So how could it be a trojan or virus? It's just a weird
place for a trojan to be.

Also.. the warning ~only~ comes up when I do a "thorough" scan.. Avast
ignores it when I do a "standard" scan.

It simply has to be a false positive.

Chances are it is a False Positive declaration. Additionally, the i386 folder is a
Microsoft distribution/installation folder for the NT Based OS. I doubt you'll need to
replace it.

If you do have a copy, submit it to Avast as a possible False Positive.

mailto:[email protected]?subject=Possible%20False%20Positive

I would like to submit to Avast as a possible false positive, but the
file is 47.1MB and I'm on a dial-up connection. It would take me
forever to upload. I even tried compacting the file.. and it's still
huge.

 

[David H. Lipman]

From: <[email protected]>

|
| I would like to submit to Avast as a possible false positive, but the
| file is 47.1MB and I'm on a dial-up connection. It would take me
| forever to upload. I even tried compacting the file.. and it's still
| huge.

Forget about it ! { LOL }

 

[edgewalker]

Hi all,
Hi.

[snip]


It said the file that was infected was "wksv7std.sbs" located at

D:\i386\Apps\App12654\workssuite\msworks\pfiles\msworks

It said that it was a Malware type Trojan called Win32:SdBot-3324
[Trj]. Avast!'s recommended advice was to move this file to the virus
chest.. which is what I did.

Not the choice I would have made, but the program should be able to
restore it back to the original location.

[snip]

Now, I'm no expert when it comes to viruses.. but I just have this
feeling that Avast! was just being overly sensitive. I've used other
virus programs in the past, and at times they would detect viruses in
completely innocent files.

High probability that this is the case here.

How is it possible for a 47.1 MB trojan to get on my D: drive?

A trojan function could be added to a previously legitimate 47MB
file. Some malware can do more than the current user's permission
set allows.

A drive
that is basically locked and used only for recovery? Plus.. I'm a
dial-up user and I never leave my computer running unattended. I would
definitely know if a 47.1 MB file was somehow uploaded to my computer.

If malware attaches itself to a code area in much the same manner as a virus
does (infection) yet does not replicate, it is a properly called a trojan. Such
a program can itself be very small, yet when added to a large host program
the "trojan" is large (program + malicious added function).

[snip]

If the file is truly a trojan (which I doubt it is), how would I know
for sure?

You could be 'more' sure by submitting it to several other scans by
several other vendors.

Also, if it is a trojan.. has Avast! cured the problem by
locking it away in the virus chest?

I assume Avast! would make it non-executable somehow.

But.. if it is ~not~ a trojan, can I put the file back where it belongs
by clicking "restore" in the virus chest menu without it messing up my
recovery partition?

I would hope so. This is why I would not have made your choice to
allow Avast! (or any other AV scanner) to quarantine what was
clearly not an immediate threat that is to say since it was a manual
scan, you were not in the process of trying to execute said malware.

IIRC clipart uses WMF files which can be trojans as they are really
executable files with the executability feature (somewhat) deprecated.

 

[thx1138xxix]

Hello

Thank you for the informative reply, I really appreciate it!

Not the choice I would have made, but the program should be able to
restore it back to the original location.

My excuse is that I panicked. I've had this computer for almost two
years and Norton never found a virus or trojan. So when I saw that.. I
acted without really thinking.

And you are correct, the program did seem to put the file back where it
belonged. As I mentioned, the D: partition is locked and I can't
manually view what's in there.. but I ran another virus scan and Avast
found it (as a trojan again) back in it's original location.

A trojan function could be added to a previously legitimate 47MB
file. Some malware can do more than the current user's permission
set allows.

So it ~could~ get into a locked partition? While asking around, someone
told me that to the best of his knowledge there are no viruses that
infect locked recovery partitions. It's just strange.. from what I can
tell, my computer never accesses the D: partition. But as I said
earlier, I'm no expert by any means.. it just seems an odd place for a
trojan.

Also.. ~if~ by chance it's truly a trojan.. why is it in an .SBS file?
What is an .SBS file anyhow? I tried Googling for more information and
I can't seem to find any virus or trojan associated with an .SBS file.

You could be 'more' sure by submitting it to several other scans by
several other vendors.

Which is what I will try. I was going to try an online scan.. but none
I know of will scan a 47.1MB file.

--steve

 

[David H. Lipman]

From: <[email protected]>


|
| Which is what I will try. I was going to try an online scan.. but none
| I know of will scan a 47.1MB file.
|
| --steve

Here 'ya go. Four AV scanners; McAfee, Sophos, Kaspersky and Trend Micro.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

 

[thx1138xxix]

From: <[email protected]>

|
| Which is what I will try. I was going to try an online scan.. but none
| I know of will scan a 47.1MB file.
|
| --steve

Here 'ya go. Four AV scanners; McAfee, Sophos, Kaspersky and Trend Micro.

* * * Please report back your results * * *

Hi,

Well I just tried another virus checker, one of my old favorite virus
scanners.. Antidote Super Lite version at
http://www.vintage-solutions.com/English/Antivirus/Super/index.html

I used to use it on my old Windows 98 machine. The thing I liked most
about it was that there's no complicated installation. You just run
it.. pick the file, directory or drive.. and it scans it.

Anyhow.. "wksv7std.sbs" came up clean. The strange thing was that most
of the .exe files on the D: recovery partition were tagged as
'corrupted'. Not infected with a virus or a trojan because the summary
said the files were okay.. just corrupted. Avast doesn't seem to think
they're corrupted.

It's so confusing.

--steve

 

[edgewalker]

Hello

Thank you for the informative reply, I really appreciate it!





My excuse is that I panicked. I've had this computer for almost two
years and Norton never found a virus or trojan. So when I saw that.. I
acted without really thinking.

And you are correct, the program did seem to put the file back where it
belonged. As I mentioned, the D: partition is locked and I can't
manually view what's in there.. but I ran another virus scan and Avast
found it (as a trojan again) back in it's original location.





So it ~could~ get into a locked partition?

If the malware had the ability to escalate from the permission set of the user to
say the 'system' set, then I assume yes. I don't think a malware would attempt
to do so on the off chance that it ends up on a machine with such a setup though.

While asking around, someone
told me that to the best of his knowledge there are no viruses that
infect locked recovery partitions.

Because the chance is fairly low that a virus would need to do this, it is
unlikely that one would be coded to do so. There are other types of
malware besides viruses, such as a targeted attack against a specific
machine, where it might be advantageous to attempt to access such
a partition.

Still - it is very unlikely you are encountering this.

It's just strange.. from what I can
tell, my computer never accesses the D: partition. But as I said
earlier, I'm no expert by any means.. it just seems an odd place for a
trojan.
Indeed!

Also.. ~if~ by chance it's truly a trojan.. why is it in an .SBS file?
What is an .SBS file anyhow? I tried Googling for more information and
I can't seem to find any virus or trojan associated with an .SBS file.

I usually go here to find info on extension associations:

http://filext.com/detaillist.php?extdetail=sbs&Search=Search

Didn't find anything that looks like what you have though.

Which is what I will try. I was going to try an online scan.. but none
I know of will scan a 47.1MB file.

Personally, I would be content at this point in assuming it is a false positive.

 

[thx1138xxix]

I usually go here to find info on extension associations:
http://filext.com/detaillist.php?extdetail=sbs&Search=Search

I've been looking for a site just like this, thank you!

Personally, I would be content at this point in assuming it is a false positive.

At this point so am I. Whew.. that's a relief Thank you SO very
much for taking the time to help me with this problem!

Have a good day,

--steve

 

[edgewalker]

I've been looking for a site just like this, thank you!

You're welcome.

At this point so am I. Whew.. that's a relief Thank you SO very
much for taking the time to help me with this problem!

Have a good day,

You too.