How did AntiVir find this?

Discussion in 'other anti-virus software' started by delerious, Oct 22, 2006.

Thread Status:
Not open for further replies.
  1. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    I did a scan with AntiVir on my laptop tonight, and it popped up an alert for C:\WINDOWS\system32:hvaa.dll. Before I told it to quarantine it, I did a search in C:\WINDOWS for hvaa.dll, and couldn't find anything. Another strange thing is the colon between "system32" and "hvaa.dll". Directory names and filenames in Windows cannot have colons in them, so I'm wondering what exactly did AntiVir find?

    AntiVir also says that it is the Trojan horse TR/Dldr.Small.ats. I can't find any information on that... any idea on what it may have done to my system?
     
  2. disinter1

    disinter1 Guest

    It might be a false positive, but for now just quarantine as you said already.
     
  3. pilotart

    pilotart Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    377
    You can quickly submit it to AVIRA from your Quarantine by highlighting and clicking the send icon,
    next to the wastebasket icon (must have entered Email info on Configuration 'expert' page).

    For a detailed response of findings, use:
    http://www.avira.com/en/support/submit_suspicious_files.html
    enter Email, comment and browse to file location.
     
  4. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    "How did AntiVir find this?"

    'Cause it's the best. :rolleyes:
     
  6. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Every serious antivirus program scans ADS (NTFS data streams) these days; it's getting quite common that malware hides in there. As demonstrated here, the normal user cannot easily find these files.
    That said, this is most likely no false positive: a DLL attached to the SYSTEM32 directory... Very suspicious!

    I usually use FAR or 4NT to play around with NTFS streams.
     
  7. DaveD

    DaveD Guest

    Not much info on "hvaa.dll" in Google. But searching Google for "fvaa.dll" brings up a similar Trojan Downloader. This must be quite new.
     
  8. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Wow, I'm glad I started this thread. I had never heard of "alternate data streams" before.
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  10. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    I don't want to hijack your thread, delerious, but can someone explain whether the NTFS data stream scanning is relevant on 98 machines? I'm thinking of the FAT32 file system on my 98 and NTFS on XP. Is this the same NTFS that we are talking about or something completely different?
    tia
    ellison
     
  11. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    ellison64: Win98 does not support NTFS, so it does not have the Alternate Data Stream problem.
     
  12. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Thanks... I wasn't sure whether it was the same thing.
    ellison
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Why don't you upload the file to VirusTotal/Jotti and post the results here?
    It will be interesting to see.
     
  14. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    A couple questions about these NTFS streams:

    - if I download a file, can it have streams attached to it?

    - if I unzip a file from an archive, can it have streams attached to it?
     
  15. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Downloads cannot contain NTFS streams (it is specific to the NTFS file system); archives can contain streams (at least RAR supports them).
     
  16. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    All files downloaded from the internet will have a 'Zone Identifier' ADS tagged on, because the system puts them there; but the ADS is added upon download.

    The old versions of ADS Spy used to find these Zone Identifiers, but the recent version seems to be configured to ignore them.

    It is the ZI ADSs that cause Windows to pop up a warning box when you attempt to open such a file for the first time.
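
Added example, not part of the original thread: a Python sketch of how the scanner's `path:stream` notation from the first post splits into a host object and a stream name, with a triage rule reflecting the posts by Stefan Kurtzhals and TopperID (an executable-named stream is suspicious, a `Zone.Identifier` stream on a file is expected). The function names, the extension list and the verdict labels are assumptions made for illustration.

```python
import ntpath

# Assumptions for this sketch: stream names Windows itself creates, and
# extensions treated as executable content. Extend both for real triage.
EXPECTED_STREAMS = {"zone.identifier"}
EXECUTABLE_EXTS = {".dll", ".exe", ".sys", ".scr", ".com"}


def split_stream_path(reported):
    """Split 'host:stream[:$DATA]' into (host_path, stream_name or None)."""
    # splitdrive keeps the drive colon ('C:') out of the stream split.
    drive, rest = ntpath.splitdrive(reported)
    head, sep, tail = rest.partition(":")
    if not sep:
        return reported, None
    stream = tail.split(":", 1)[0]  # drop a trailing stream type such as $DATA
    return drive + head, stream or None


def zone_id(stream_text):
    """Return the ZoneId from a Zone.Identifier stream body, or None."""
    for line in stream_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "zoneid" and value.strip().isdigit():
            return int(value.strip())
    return None


def triage(reported, host_is_dir=False):
    """Classify one reported path: no-stream, expected, suspicious or review."""
    host, stream = split_stream_path(reported)
    if stream is None:
        return "no-stream"
    if stream.lower() in EXPECTED_STREAMS and not host_is_dir:
        return "expected"
    if ntpath.splitext(stream)[1].lower() in EXECUTABLE_EXTS:
        return "suspicious"
    return "review"


if __name__ == "__main__":
    # Constructed samples; the first is the path quoted in the thread.
    samples = [
        (r"C:\WINDOWS\system32:hvaa.dll", True),
        (r"C:\Users\me\Downloads\setup.exe:Zone.Identifier:$DATA", False),
        (r"C:\WINDOWS\notepad.exe", False),
    ]
    for path, is_dir in samples:
        print(split_stream_path(path), triage(path, is_dir))
    print(zone_id("[ZoneTransfer]\r\nZoneId=3\r\n"))  # constructed stream body
```

A host file with a one-letter name (for example `a:stream`) is read as a drive prefix by `ntpath.splitdrive`, so pass full paths.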
     