Tool.Win32.Reboot, anyone know this virus?

Discussion in 'malware problems & news' started by Jeremy2, Dec 2, 2004.

Thread Status:
Not open for further replies.
  1. Jeremy2

    Jeremy2 Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    72
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you please send the file to Eset: samples@nod32.com and place a link to this thread. If you do not hear from Eset within 3 days (allows for weekends), please advise us...

    You could also check out the flagged file here: http://virusscan.jotti.dhs.org/

    Let us know how you go…

    Cheers :D
     
  3. Jeremy2

    Jeremy2 Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    72
    I ran the online file check, and only KAV reports that it's infected.
    Also, I sent the sample to ESET.


    Service load:
    0% 100%
    File: CCC.exe
    Status:
    INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain in the ass -, results will not be stored in the database.)
    Packers detected:
    None

    AntiVir
    No viruses found (0.14 seconds taken)

    Avast
    No viruses found (1.51 seconds taken)

    BitDefender
    No viruses found (0.34 seconds taken)

    ClamAV
    No viruses found (0.42 seconds taken)

    Dr.Web
    No viruses found (0.50 seconds taken)

    F-Prot Antivirus
    No viruses found (0.20 seconds taken)

    Kaspersky Anti-Virus
    not-a-virus:Tool.Win32.Reboot (1.29 seconds taken)

    mks_vir
    No viruses found (0.83 seconds taken)

    NOD32
    No viruses found (1.07 seconds taken)

    Norman Virus Control
    No viruses found (0.43 seconds taken)
     
  4. Jeremy2

    Jeremy2 Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    72
    Re: Tool.Win32.Reboot, anyone know this virus? Updated

    OK here is the update:

    I didn't get any reply from ESET, I've sent 2 emails.
    However, I got a fast reply from Ewido, and this is what they say:

    Thanks for the file, we will soon add this file, which is not really a
    trojan and not harmful, to our database because a hacker can also use this
    tool. It starts a forced reboot of Windows without warning boxes.

    With best regards,

    Your ewido networks Support-Team
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Re: Tool.Win32.Reboot, anyone know this virus? Updated

    Thanks for reporting back J2

    Cheers :D
     
  6. wyrmrider

    wyrmrider Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    59
    Location:
    california
    I was running KAV via eScan
    found three instances
    one in the Iomega zip CD copy
    and two in Win98 cab files in c:/win98 (mirror of CD)

    regular KAV scan did not flag

    must be heuristics??

    wyrmrider
     
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    usually you need the extended bases ( updates_ext or _x ) to get detection of this with kav
     
  8. Jeremy2

    Jeremy2 Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    72
    No, it's not heuristic. I got the alert when I used the super secure database (update_x) instead of the normal one (update).
     
  9. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
  10. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Yes, I receive the same message, since one of the programs I use, called Savings Bond Wizard, has this file in its zipped download. I think that KAV should "warn" about this file instead of flagging it, since it stops all processing. Currently, I exclude this file from KAV's scan. Of course, if a real trojan is using this file, then my scan will not catch it. Sometimes I wonder about the logic that software developers use when they make decisions. Do they really think these things through? All they need to do is report on it if it occurs, since it is a valid program. Sort of the way TDS-3 warns about double suffixes.

    Rich
     
  11. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    The presence of the file on your system does not mean you were hacked, as it is used in a number of legitimate programs; that is the reason I said what I said in post 3 of the other thread. Detections like this are the reason that Kaspersky only recommends using the super secure database for system engineers and network admins, as they are much more likely to have the resources and knowledge to monitor the applications using such a vulnerability correctly. As you have admitted, you solved the problem by excluding the file, which then leaves your system vulnerable to being hacked and thus justifies Kaspersky's position. However, the likelihood of a hacker finding that file, leaving it in the directory where it is excluded, and using it to reboot your system to start a malicious process is still extremely small, and that would also mean that whatever file/process was to be executed would then have to elude detection by your AV and firewall. So your system is still quite safe, as all the file would do is allow someone to reboot your system, not infect it; however they intend to infect your system would still have to work as any other virus/trojan/worm would.
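    The point made in the last two posts (a blanket path exclusion hides whatever is later written to that path) can be mitigated by pinning the excluded file's hash and re-checking it. The following is an added example, not code from this thread or from any AV vendor; the `Exclusion` and `check_exclusions` names, the sample file name `ccc.exe` and its contents are all constructed for illustration.

```python
"""Hash-pinned exclusion check (added example, not from the thread).

Rather than excluding a path outright, record the SHA-256 of the legitimate
tool at the moment the exclusion is approved and verify it on every scan. A
mismatch means the file at the excluded path was replaced or altered, so the
exclusion should be withdrawn and the file scanned normally.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Exclusion:
    path: str
    sha256: str   # hash recorded when the exclusion was approved
    reason: str   # who asked for it and why (audit trail)


@dataclass(frozen=True)
class Finding:
    path: str
    status: str   # "ok", "modified" or "missing"
    detail: str


def sha256_of(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def pin_exclusion(path: str, reason: str) -> Exclusion:
    """Approve an exclusion by pinning the file's current hash."""
    return Exclusion(path=path, sha256=sha256_of(path), reason=reason)


def check_exclusions(exclusions: list) -> list:
    """Re-verify every pinned exclusion; anything not 'ok' must be rescanned."""
    findings = []
    for excl in exclusions:
        if not os.path.isfile(excl.path):
            findings.append(Finding(excl.path, "missing",
                                    "excluded file no longer present"))
            continue
        current = sha256_of(excl.path)
        if current == excl.sha256:
            findings.append(Finding(excl.path, "ok", "hash matches pin"))
        else:
            findings.append(Finding(excl.path, "modified",
                                    f"pinned {excl.sha256[:12]}... "
                                    f"now {current[:12]}..."))
    return findings


def demo() -> dict:
    """Constructed scenario: pin a sample file, then alter it, then remove it.

    Returns the status observed at each step so the behaviour can be checked.
    """
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "ccc.exe")  # constructed sample, not the real file
        with open(tool, "wb") as f:
            f.write(b"MZ constructed sample reboot tool")
        excl = pin_exclusion(tool, "bundled with a legitimate installer")

        results = {}
        results["unchanged"] = check_exclusions([excl])[0].status
        with open(tool, "ab") as f:        # simulate the file being replaced
            f.write(b" tampered")
        results["modified"] = check_exclusions([excl])[0].status
        os.remove(tool)
        results["missing"] = check_exclusions([excl])[0].status
        return results


if __name__ == "__main__":
    for step, status in demo().items():
        print(f"{step}: {status}")
```

    Run it directly to see the three outcomes; in practice the pinned hashes would live in a small signed or access-controlled file and the check would run before each scheduled scan, downgrading any "modified" or "missing" entry to a full scan of that path.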
     