"Win32/Parite.B virus" just appeared

Hi

sometime in the last couple of updates NOD32 has started detecting some files i have had on my PC for a long time as Win32/Parite.B virus.

the last time this file was added in a signature update was with 3306, and i ran a system scan on this day with 3306 signatures and nothing was detected. More recently I ran a scan with SuperAntiSpyware, which didn't find anything of interest but also didn't trigger an alert from NOD32 when it accessed these files.

Waiting on my PC this morning were 3 Win/Parite.B warnings for 3 different files, detected by the Real-time scanner. They are in My Documents, which I am in and out of all the time so the Real-time scanner should have seen them before now.

the dates i downloaded these files goes back as far as jan 2007. i've uploaded them to VT and almost all of the AVs detect the same threat.

if detection was added in 3306, i don't see why the on-demand scanner didn't pick anything up, and why now all of a sudden the Real-time scanner has found them. Has something changed in the Real-time scanner that means it can now detect the packing?

thanks, lee

 

I have seen similar things , so it must be the fact that there is a difference between all the modules . For. e.g. - web module detects some things the other won't and vice versa . The same applies for the on-demand scanning and for the real-time protection

 

Just because a signature was added, doesn't mean that it never gets updated. AV vendors update their existing signatures all the time. If many products detect the file, chances are you've been unknowingly infected all this while.

 

thanks for your reply, HiTech_boy

the file in question was mp3gain, which i downloaded (i think) from SourceForge.net a year or so ago, which is a reputable site. I have downloaded a new copy, same version, today and it isn't detected by NOD32 or any other AV at VT.

Does this mean this .exe has been 'injected' with malware, probably quite recently as it wasn't picked up in previous scans? The File info shown at VT is different in the 2 files, more sections, bigger file size, but i don't know enough to interpret the info.

i think i'll send a sysinspector log to support to see if they can find anything worrying.

thanks

 

You are welcome .

Parite.B is a virus , infecting executable files. So , it could be that it has recently been infected by the threat.

Here is some more information about it:
http://www.eset.com/threat-center/pedia/virusy/win/win32/pariteb.htm
You could google it for even more

In the mean time you can start full on-demand scan , just in case.

 

Is it known how one gets infected by this virus?
Wouldn't it infect ALL executables instead of just a few?

 

just some more info...

checking the threat log it shows this:

21/08/2008 08:22:47 Real-time file system protection file C:\Documents and Settings\who\My Documents\mp3gain-win-1_2_5.exe Win32/Parite.B virus NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\Program Files\uTorrent\uTorrent.exe.

So it looks, to me, that the files were modified via Utorrent (which i use for legal activites - nothing untoward! )

Utorrent was running overnight and NOD32 stopped these actions and was waiting for my Action (delete) when i checked this morning.

 

Much clearer now .

P.S. Now we have an idea about your legal activities

 

i only use it for downloading podcast collections, the same podcasts that are available on bbc, etc, but they get replaced with the latest one each week, so this is a handy way of getting the backlog...

anyway, just so i know - just having Utorrent open can leave you susceptible to malware, even if the thing you are downloading does not contain malware?

 

Hi Lee,
is it still detected by the other scanners? I assume it could be that it was detected with update 3306 which cleaned out the virus from the file and thus it has not been detected since then.

 

Hi Marcos,
If i let NOD32 clean the file and upload to VT then it is not detected by any scanner.

I've actually deleted the files, i didn't need them, they were just installers left over from programs i tried out last year.

I'm not so worried now i know how they got infected - when i ran the NOD32 scan when i had 3306 signatures the files weren't infected, they only became infected - or tried to become infected, NOD32 stopped them - overnight when i left Utorrent running.

It's made me more wary of downloading vis P2P this incident, so lessons learned there.

thanks, lee