Univ.bat /a

[Duh_OZ]

McAfee starting flagging a file (c:\temp\fixwmi.cmd) as being infected,
but didn't give a malware name. Sent it to virustotal and just two
scanners (McAfee (of course) and Sybari) ID'ed it as being infected
with Univ.bat /a.

File (dated 01/17/05) looks OK to me, here's a cut & paste job:
======================
@echo on
cd /d c:\temp
if not exist %windir%\system32\wbem goto TryInstall
cd /d %windir%\system32\wbem
net stop winmgmt
winmgmt /kill
if exist Rep_bak rd Rep_bak /s /q
rename Repository Rep_bak
for %%i in (*.dll) do RegSvr32 -s %%i
for %%i in (*.exe) do call :FixSrv %%i
for %%i in (*.mof,*.mfl) do Mofcomp %%i
net start winmgmt
goto End

:FixSrv
if /I (%1) == (wbemcntl.exe) goto SkipSrv
if /I (%1) == (wbemtest.exe) goto SkipSrv
if /I (%1) == (mofcomp.exe) goto SkipSrv
%1 /RegServer

:SkipSrv
goto End

:TryInstall
if not exist wmicore.exe goto End
wmicore /s
net start winmgmt
:End
==============

Am I missing something?

 

[David H. Lipman]

From: "Duh_OZ" <[email protected]>

| McAfee starting flagging a file (c:\temp\fixwmi.cmd) as being infected,
| but didn't give a malware name. Sent it to virustotal and just two
| scanners (McAfee (of course) and Sybari) ID'ed it as being infected
| with Univ.bat /a.
|
| File (dated 01/17/05) looks OK to me, here's a cut & paste job:
| ======================
| @echo on
| cd /d c:\temp
| if not exist %windir%\system32\wbem goto TryInstall
| cd /d %windir%\system32\wbem
| net stop winmgmt
| winmgmt /kill
| if exist Rep_bak rd Rep_bak /s /q
| rename Repository Rep_bak
| for %%i in (*.dll) do RegSvr32 -s %%i
| for %%i in (*.exe) do call :FixSrv %%i
| for %%i in (*.mof,*.mfl) do Mofcomp %%i
| net start winmgmt
| goto End
|
| :FixSrv
| if /I (%1) == (wbemcntl.exe) goto SkipSrv
| if /I (%1) == (wbemtest.exe) goto SkipSrv
| if /I (%1) == (mofcomp.exe) goto SkipSrv
| %1 /RegServer
|
| :SkipSrv
| goto End
|
| :TryInstall
| if not exist wmicore.exe goto End
| wmicore /s
| net start winmgmt
| :End
| ==============
|
| Am I missing something?

The name is "Univ.bat/a". My McAfee v7.1, ENGINE v4400 and DAT v4517 also flags it as such.
http://vil.nai.com/vil/content/v_102211.htm

I don't know why it is flagging it as a virus and there is no real writeup on "Univ.bat/a".

A submission to Virus Total also indicated it to be "Univ.bat/a" by Sybari.
None of the other AV vendors did flag to be malware. I also tried Sophos and Trend
Sysclean.
http://www.virustotal.com

I submitted it to McAfee/AVERT Webimmune which also flags it as "Univ.bat/a".
https://www.webimmune.net/default.asp

I think that it is a False Positive declaration.

 

[Duh_OZ]

<snip>

I think that it is a False Positive declaration.

</snip>

==========
I'm guessing the same thing. I also have to check some other false
postives McAfee may be reporting just after logging in. I started
getting some virus warnings somewhere in the (Lavasoft)Ad-Aware folder.
Just a small box and it only shows about the first 20 bytes of the
folder name and doesn't give a virus name. Flags 2 of them. I'll try
booting in safe mode and see what happens. BTW systemwide scan (all
files) doesn't report any malware in the Ad-Aware folder, just after
logging on it does. Stranger and stranger.

 

[David H. Lipman]

From: "Duh_OZ" <[email protected]>


| I'm guessing the same thing. I also have to check some other false
| postives McAfee may be reporting just after logging in. I started
| getting some virus warnings somewhere in the (Lavasoft)Ad-Aware folder.
| Just a small box and it only shows about the first 20 bytes of the
| folder name and doesn't give a virus name. Flags 2 of them. I'll try
| booting in safe mode and see what happens. BTW systemwide scan (all
| files) doesn't report any malware in the Ad-Aware folder, just after
| logging on it does. Stranger and stranger.

Results from McAfee/AVERT --

A.V.E.R.T. Sample Analysis
Virus Research Analyst - Hong Kong: V. Nguyen
Identified: FALSE DETECTION
On File: batch file
Detection Name: Univ.bat/a
Found on Dat: 4519
Fixed on Dat: next available Dats

AVERT(tm) Labs, Hong Kong

Thank you for submitting your suspicious file.

Synopsis -

Our Senior Virus Research Engineers have examined the file in question and
no virus was found.

Solution -

Attached is an extra.dat with corrected detection. This correction will be
included in the next DAT update.

EXTRA.DAT
This should be used with any of the McAfee AV Scanners.
The file should be copied into the directory where the other DAT files
reside.

Using the find/search utility on your computer search
for the following file:

SCAN.DAT

Then copy the Extra.dat we have sent you to the same
folder where one of the above is located.
Once you have copied the file, reboot the system for the driver to be loaded

EXTRA.DAT
----------------
76 178 157 180 13 179 216 221 100 69 163 209 108 71 162 210
45 117 204 51 15 35 141 114 27 204 140 37 154 202 95 116
205 251 8 113 199 226 71 54 252 228 81 95 198 229 92 199
204 34 114 178 202 247 67 54 218 242 8 68 205 230 119 116
201 253 8 190 143 54 141 179 13 50 141 167 10
9614 256 13015 340 Univ.bat/a FA

 

[Duh_OZ]

Then copy the Extra.dat we have sent you to the same
folder where one of the above is located.
Once you have copied the file, reboot the system for the driver to be loaded

EXTRA.DAT
----------------
76 178 157 180 13 179 216 221 100 69 163 209 108 71 162 210
45 117 204 51 15 35 141 114 27 204 140 37 154 202 95 116
205 251 8 113 199 226 71 54 252 228 81 95 198 229 92 199
204 34 114 178 202 247 67 54 218 242 8 68 205 230 119 116
201 253 8 190 143 54 141 179 13 50 141 167 10
9614 256 13015 340 Univ.bat/a FA

======================
Thanks! Worked like a charm. I'll rename it on the next update and
see if the .dat(4520?) does indeed stop the false positive.

Will be posting a vshield/ad-aware.exe anomoly Friday (have to try a
few things first). In short, another false warning.

 

[David H. Lipman]

From: "Duh_OZ" <[email protected]>


| Thanks! Worked like a charm. I'll rename it on the next update and
| see if the .dat(4520?) does indeed stop the false positive.
|
| Will be posting a vshield/ad-aware.exe anomoly Friday (have to try a
| few things first). In short, another false warning.

YW !

There is no need to rename the file after it is incorporated into the regular DAT files.
After several DAT updates the EXTRA.DAT counter will decrement to zero and the contents will
be ignored.