Possible Trojan - Please Help

Discussion in 'malware problems & news' started by TheKid7, Oct 10, 2009.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I installed Returnil Virtual System 2010 Free on my Windows 7 RC PC a few days ago. I got an alert from Returnil's resident virus scanner (F-Prot) of a confirmed Trojan (C:\Windows\System32\Drivers\uti1odex.sys)(TrojanW32Bagle.IJ). I tried to upload the file to Virustotal, but I kept getting a message that I did not have Administrative Rights to upload the file.

    I did a scan with the AVIRA Rescue CD (latest virus signatures) and it reported nothing.

    I Restarted the PC and went back into Windows to make sure that Returnil had cleared everything. Then I Restarted to a Puppy Linux Live CD. I then uploaded the file to Virustotal using Puppy's Seamonkey web browser. Virustotal showed 21/41 being either a Trojan or a suspicious file.

    Now I am really irritated. The file has either vanished or mutated. I did a complete file search of the C:\ partition and there is nothing with the uti1odex.sys file name. I checked both the F-Prot and AVIRA (Resident AV) Logs and there is nothing. A web search turned up no file by that name.

    I have Prevx 3.0 on the PC (Free Mode). Not a peep.

    What do you make of this? Any recommended further steps.

    Thanks in Advance.
     
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,950
    Location:
    U.S.A.
    TheKid7, there is no description available for Trojan-Downloader.Win32.Bagle.ij but perhaps by looking at other versions (links below the name), you might be able to find something.

    If that fails, follow this Wilders thread: If you are currently infected to get help in one of the sites listed there.
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi, just wonfering how you managed to save and upload the file to Virustotal after you had rebooted. Did you save it in Z or offline ?

    It could be a FP, but with a 21/41 show maybe it's for real.

    Have you thought about using some ARK's to scan with ?

    Anything with an unknown .sys extension is potentially very dodgy.
     
  4. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    If a person wants to upload a file (for analysis) to an Antivirus vendor such as Symantec, is there a list somewhere of Antivirus vendor file upload links? I took a zipped sample of that suspect file. I had to boot into Puppy Linux to make the zip archive because I was being denied access to the file in Windows.

    I had the zipped file scanned again at Virustotal with an 18/41. I am assuming that the drop of three from 21/41 was because of it being in a zip format this time.
     
  5. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
  6. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
  7. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    It turns out that it was apparently a false positive. It is a "driver" file for AVZ Antiviral Toolkit which had been renamed from AVZ.sys. I assume that AVZ Antiviral Toolkit renames and installs the file when you do a scan. That is apparently why the "suspect" file re-appeared after being quarantined. I did a scan with AVZ after I did the first quarantine.
     
  8. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    I have reported one such f/p associated with AVZ to PrevX, their software threw up warning in similar situation.

    Another one which does something similar, if only for .exe, is Dr. Web's CureIT! It seems to copy some randomly named .exe to Temp folder for execution.
     
Loading...
Thread Status:
Not open for further replies.