service pack1.exe a virus?
windstrings
October 31st, 2005, 11:37 PM
I got a CD from a friend who says he just copied his whole directory over to give me a file..... inside the directory was "service pack1.exe" He said he originally downloaded it from Microsoft's page?
I can copy and do as I will to any of the other files on the disk he gave me..
However this one file which is 137,161kb in size is found to have a virus?
I cannot quarantine it to send for analysis.
I get an error that says "error quarantining"
Now I can't even copy the file to my hard drive "after a reboot even" and after turning NOD off because it says the file cannot be copied because it is either read only or is in use?
Well the other files are read only too.. "they are on a CD" but I can copy them just fine?
Has NOD locked up this file so I cannot copy it now... even though I turn NOD off?
I have done a full scan of my system after playing with this and I am clean.. settings turned up full blast.
The worm name is not found anywhere else on the net except in NOD related sites?
Is this worm legit?.. and if so why can't I find it?... has the name been changed by NOD to protect the guilty?
Or is NOD the only VS on the planet that sees this?
The virus name is...
Time Module Object Name Threat Action User Information
10/31/2005 20:23:00 PM AMON file F:\service pack1.exe Win32/MScr.V worm Error quarantining the object - WINDSTRINGS\Alan Event occurred at an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
Any great revelations would be appreciated... I'm just curious what's up..
I've never had such a thing happen with NOD?
rumpstah
November 1st, 2005, 12:00 AM
Hi windstrings:
How about taking a look here (http://www.viruslist.com/en/viruses/encyclopedia?virusid=24201).
Most likely the file is too large to send for analysis. ;)
windstrings
November 1st, 2005, 12:03 AM
I figured out how to copy... NOD was locking it up.. In AMON settings there is a setting to "prohibit access".. once I excluded it, I was able to copy and quarantine it.
Only problem now.. I guess I can't send in a file 127 mb?
So just how do we get it tested?
windstrings
November 1st, 2005, 12:09 AM
I didn't get too far on that page... I clicked on the link for "Win32/MScr.V worm" and on the page it brought me to... I went everywhere and did a search for "Win32/MScr.V worm" with no results.
windstrings
November 1st, 2005, 12:21 AM
I must admit.. pretty impressive..... I zipped the affected file.... removed the extension of .zip and then rezipped it again.... upon scanning NOD still found the worm!
I'm just not convinced it's a worm.
Happy Bytes
November 1st, 2005, 01:56 AM
It's a file-sharing worm. Overwrites the start of executables and puts the worm code at the start - then later drops the original executable and runs it.
There are lots of different versions, but if I remember right they were all developed in Delphi and packed by UPX. Some of them are also repacked by Yoda Crypt. Just take a look into the file header. Make a screenshot of the first bytes from this file here (with a hex editor).
dog
November 1st, 2005, 02:00 AM
{QUOTE-> Just take a look into the file header. Make a screenshot of the first bytes from this file here (with a hex editor). <-QUOTE}
If you need a free hex editor there are a few available here (http://lists.thedatalist.com/pages/Hex_Editors.htm)
windstrings
November 1st, 2005, 03:40 PM
Thanks.. I'll check that out.. If I find something weird it will be obvious the person who gave it to me has been exposed to corruption.
What's funny is he has no AV protection, professing he has never needed it and his system works fine?
I would actually like to find something wrong with this file and be able to show him, proving his need for AV... we'll see.
alglove
November 1st, 2005, 06:58 PM
I have the original WinXP SP1 executable on my computer, xpsp1_en_x86.exe, and it checks OK with NOD32. Windows Explorer says it is 137,149 kB (140,440,152 bytes).
The WinXP SP1a download currently available from Microsoft (xpsp1a_en_x86.exe) is 128,097 kB, according to their download page.
http://www.microsoft.com/downloads/details.aspx?FamilyID=83e4e879-fa3a-48bf-ade5-023443e29d78&DisplayLang=en
windstrings
November 2nd, 2005, 01:46 AM
{QUOTE-> It's a file-sharing worm. Overwrites the start of executables and puts the worm code at the start - then later drops the original executable and runs it.
There are lots of different versions, but if I remember right they were all developed in Delphi and packed by UPX. Some of them are also repacked by Yoda Crypt. Just take a look into the file header. Make a screenshot of the first bytes from this file here (with a hex editor). <-QUOTE}
Well I've never used a hex editor.. if I change the extension "exe" to doc and try to open it in word.. then DMON catches it... I'm not sure I should be playing with this with my AV disabled?.. yet if I don't disable it.... I can't do anything with it because AMON prevents access?
Any suggestions...
Maybe you can suggest a hex editor that's simple.. I downloaded and installed "AEdiX v3.05" but it's too complex ... I don't understand how to use it and it doesn't even want to open "exe" files?
Sorry but hex editing is an area I've never yet delved into.
alglove
November 2nd, 2005, 01:25 PM
Try UltraEdit (http://www.ultraedit.com).
windstrings
November 2nd, 2005, 09:18 PM
Ok.. I managed to get it opened with my original text editor as well as the trial version you suggested....
I just don't see anything intelligent that I can discern as being a problem...
I will copy the first bit... but as you know .. 137 meg is a lot of text and I just don't see anything in all of it I can make sense of.
All that will copy and paste are the first 3 letters...
MZP
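The header inspection Happy Bytes asked for, and the "MZP" bytes windstrings found, can be scripted instead of read off screenshots. The following is an added example written for this thread, not code from any poster or from NOD32: it parses the DOS and PE headers of a file, flags a Delphi-style "MZP" stub and UPX-named sections (the two markers Happy Bytes described), and compares the size to the 140,440,152 bytes alglove reported for the genuine xpsp1_en_x86.exe. Presence of these markers is only a triage signal, not proof of infection, and the sample bytes it builds are constructed, not a real program.

```python
import struct
import sys

# Size of the genuine xpsp1_en_x86.exe as reported in the thread (alglove's post).
ORIGINAL_SP1_SIZE = 140_440_152


def triage_pe(data, expected_size=ORIGINAL_SP1_SIZE):
    """Return header facts useful for comparing a suspect file with a known-good one."""
    findings = {"dos_stub": bytes(data[:4]), "delphi_stub": False,
                "sections": [], "packer_sections": [],
                "size_matches": len(data) == expected_size}
    if data[:2] != b"MZ":
        findings["error"] = "not a DOS/PE image"
        return findings
    # Delphi's linker writes "MZP" at offset 0; most other toolchains write "MZ\x90".
    findings["delphi_stub"] = data[:3] == b"MZP"
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        findings["error"] = "PE signature not found"
        return findings
    (nsec,) = struct.unpack_from("<H", data, pe_off + 6)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                         # first 40-byte section entry
    for i in range(nsec):
        raw = data[table + 40 * i: table + 40 * i + 8]
        name = raw.rstrip(b"\0").decode("ascii", "replace")
        findings["sections"].append(name)
        if name.upper().startswith("UPX"):                 # UPX names its sections UPX0/UPX1
            findings["packer_sections"].append(name)
    return findings


def build_sample(stub=b"MZP", sections=(b"UPX0", b"UPX1")):
    """Constructed minimal PE-shaped bytes: enough header to exercise triage_pe, not runnable code."""
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[0:len(stub)] = stub
    struct.pack_into("<I", dos, 0x3C, pe_off)
    # COFF header: machine, nsections, timestamp, symtab ptr, nsyms, optional-header size 0, flags
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    secs = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return bytes(dos) + b"PE\0\0" + coff + secs


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(triage_pe(blob))
```

Run it against the copied file with its path as the first argument; with no argument it triages the constructed sample.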
Happy Bytes
November 3rd, 2005, 03:05 AM
Make a screenshot and post it - that helps more.
windstrings
November 4th, 2005, 01:45 PM
Service pack1.exe screenshot#1
Ok.. I've made screenshots of the first 5 pages... there appear to be hundreds more to get to the end!.....
I hope this helps....
thanks for your suggestions...
windstrings
November 4th, 2005, 01:45 PM
Service pack1.exe screenshot#2
windstrings
November 4th, 2005, 01:46 PM
Service pack1.exe screenshot#3
windstrings
November 4th, 2005, 01:46 PM
Service pack1.exe screenshot#4
windstrings
November 4th, 2005, 01:47 PM
And last but not the least most exciting!!!
Service pack1.exe screenshot#5!
Copyright ©2002 - 2009, Wilders Security Forums