Downloader.VB.AXO


Dennis

On Saturday an AVG Free scan turned up the Downloader.VB.AXO trojan
horse in C:\Program Files\music_now\inetchk.exe. As far as I know, this
folder and file have been on my PC since I got it last August (it came
pre-installed with other HP software).

Googling turns up a few posts indicating this might be a false positive
from AVG.

Any thoughts?
 

David H. Lipman

From: "Dennis" <[email protected]>

| On Saturday an AVG Free scan turned up the Downloader.VB.AXO trojan
| horse in C:\Program Files\music_now\inetchk.exe. As far as I know, this
| folder and file have been on my PC since I got it last August (it came
| pre-installed with other HP software).
|
| Googling turns up a few posts indicating this might be a false positive
| from AVG.
|
| Any thoughts?
|


Please submit a sample of "inetchk.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 

Dennis

| When you get the report, please post back the exact results.

grisoft suggested I post a sample to http://virusscan.jotti.org/. Here
are their results...
File: inetchk.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 09b51f86b604affee200ee78c5c31290
Packers detected: -
Bit9 reports: No threat detected (more info)

Scanner results
Scan taken on 11 Feb 2008 21:46:11 (GMT)
A-Squared Found nothing
AntiVir Found TR/Click.HD
ArcaVir Found nothing
Avast Found Win32:Neptunia-KH
AVG Antivirus Found Downloader.VB.AXO
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Click.2093
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Trojan.Click.2093
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found Trojan.CL.Agent.IJS
VBA32 Found Trojan.Click.2093

It looks like they can't agree as to what it is, if anything.

Thanks.
 

David H. Lipman

|
| It looks like they can't agree as to what it is, if anything.
|
| Thanks.
|

Jotti's is a good alternative to Virus Total.
I rate Virus Total higher with NO offense meant towards Jordi.

There is no real naming convention in naming malware. Very few anti virus companies name
the same infector the same way and often when they do, the version is often different
amongst the various vendors. A good example would be a ZLob Trojan. Several vendors may
call it a ZLob Trojan but will show the version differently.

That is why the US Gov't. commissioned MITRE to come up with the Common Malware Enumeration
(CME) list which cross references with high infection rates. Often vendors will append
CME-xxx to the name of the infector. Inspect the below URL and you'll see just how
differently the various vendors name the SAME infector.
http://cme.mitre.org/data/list.html

Anyway, based upon the high "hit" rate, I'd say this is NOT a False Positive.

Remove the Trojan by moving into the Virus Vault.
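To make the "hit rate" reasoning above concrete, here is an added example (my own code, not from anyone in this thread or from Jotti) that parses the scanner results Dennis posted and summarises how many engines flagged the file and how far their names agree. The function names `parse_report`, `family_of` and `triage`, the `GENERIC` prefix list and the thresholds are my assumptions, not anything the thread or any vendor defines.

```python
import re
from collections import Counter
# Scanner results copied verbatim from the Jotti report posted above (21 engines).
JOTTI_REPORT = """\
A-Squared Found nothing
AntiVir Found TR/Click.HD
ArcaVir Found nothing
Avast Found Win32:Neptunia-KH
AVG Antivirus Found Downloader.VB.AXO
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Click.2093
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Trojan.Click.2093
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found Trojan.CL.Agent.IJS
VBA32 Found Trojan.Click.2093"""

GENERIC = {"tr", "trojan", "win32", "w32", "downloader", "vb", "cl"}  # assumed: carry no family info

def parse_report(text):
    """Map engine name -> detection name, or None where the engine found nothing."""
    results = {}
    for line in text.splitlines():
        engine, sep, verdict = line.strip().partition(" Found ")
        if sep:
            results[engine] = None if verdict == "nothing" else verdict
    return results

def family_of(name):  # crude: first word of the vendor's name that is not a generic prefix
    toks = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", name) if t]
    return next((t for t in toks if t not in GENERIC), name.lower())

def triage(results, flag_ratio=0.25, min_agreeing=3):
    """Hit rate plus cross-vendor agreement on one family (thresholds are assumptions)."""
    hits = {e: n for e, n in results.items() if n}
    families = Counter(family_of(n) for n in hits.values())
    ratio = len(hits) / len(results) if results else 0.0
    verdict = "clean" if not hits else ("likely-malicious" if ratio >= flag_ratio
              or max(families.values()) >= min_agreeing else "inconclusive")
    return {"engines": len(results), "hits": len(hits), "families": dict(families), "verdict": verdict}
```

For the posted report this yields 7 hits out of 21 engines with four vendors converging on a "Click" family, which is the agreement David is pointing at; since the vendor later ruled the file a false positive, treat such a score as a reason to submit the sample to the vendor, not as a final answer.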
 

Dennis

| Anyway, based upon the high "hit" rate, I'd say this is NOT a False Positive.

I suspect the PC came with this. I wonder if grisoft just recently
updated their definitions to find this. I haven't downloaded anything in
the past 10 days that I can remember and the PC was clean the Saturday
before.
| Remove the Trojan by moving into the Virus Vault.

Done.

***

I haven't been able to find a description of this one so I don't know
what it is supposed to do. I'd like to know what to look for if anything
funny starts happening.

Thanks,
 

David H. Lipman

From: "Dennis" <[email protected]>

| On Mon, 11 Feb 2008 23:03:02 GMT, "David H. Lipman"
|
| I suspect the PC came with this. I wonder if grisoft just recently
| updated their definitions to find this. I haven't downloaded anything in
| the past 10 days that I can remember and the PC was clean the Saturday
| before.
||
| Done.
|
| ***
|
| I haven't been able to find a description of this one so I don't know
| what it is supposed to do. I'd like to know what to look for if anything
| funny starts happening.
|
| Thanks,
|

To find that information, use the information obtained from Jotti.

Based upon the infector name and the anti virus vendor, check the vendor's respective virus
libraries/encyclopedias.

BTW: The reason I stated to move this into the Virus Vault is because if this is
eventually deemed to be a False Positive then it can be restored.
 

Dennis

| Based upon the infector name and the anti virus vendor, check the vendor's respective virus
| libraries/encyclopedias.

I just tried that. AVG doesn't have a listing for this trojan (maybe
it's too new). The only other vendor I could find with an encyclopedia
was Avira, and they didn't have their infector name either. Maybe I'll
try looking more tomorrow.

Thanks,
 

Dennis

| Anyway, based upon the high "hit" rate, I'd say this is NOT a False Positive.

I sent inetchk.exe (zipped and password protected) to grisoft. They just
got back to me and said it was a false positive.

Thanks for your help...
 

David H. Lipman

From: "Dennis" <[email protected]>

| On Mon, 11 Feb 2008 23:03:02 GMT, "David H. Lipman"
|
| I sent inetchk.exe (zipped and password protected) to grisoft. They just
| got back to me and said it was a false positive.
|
| Thanks for your help...
|

Arghhhhhhhh !

Thanks for the update.
 
