"Win32/Parite.B virus" just appeared

Discussion in 'ESET NOD32 Antivirus' started by rothko, Aug 21, 2008.

Thread Status:
Not open for further replies.
  1. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Hi

    Sometime in the last couple of updates NOD32 has started detecting some files I have had on my PC for a long time as Win32/Parite.B virus.

    The last time this file was added in a signature update was with 3306, and I ran a system scan on this day with 3306 signatures and nothing was detected. More recently I ran a scan with SuperAntiSpyware, which didn't find anything of interest but also didn't trigger an alert from NOD32 when it accessed these files.

    Waiting on my PC this morning were 3 Win32/Parite.B warnings for 3 different files, detected by the Real-time scanner. They are in My Documents, which I am in and out of all the time so the Real-time scanner should have seen them before now.

    The dates I downloaded these files go back as far as Jan 2007. I've uploaded them to VT and almost all of the AVs detect the same threat.

    If detection was added in 3306, I don't see why the on-demand scanner didn't pick anything up, and why now all of a sudden the Real-time scanner has found them. Has something changed in the Real-time scanner that means it can now detect the packing?

    thanks, lee
     
  2. ASpace

    ASpace Guest


    I have seen similar things, so it must be the fact that there is a difference between all the modules. E.g. the web module detects some things the others won't and vice versa. The same applies for the on-demand scanning and for the real-time protection.
     
  3. saberfox

    saberfox Former Poster

    Joined:
    Jul 23, 2008
    Posts:
    84
    Just because a signature was added, doesn't mean that it never gets updated. AV vendors update their existing signatures all the time. If many products detect the file, chances are you've been unknowingly infected all this while.
     
  4. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Thanks for your reply, HiTech_boy

    The file in question was mp3gain, which I downloaded (I think) from SourceForge.net a year or so ago, which is a reputable site. I have downloaded a new copy, same version, today and it isn't detected by NOD32 or any other AV at VT.

    Does this mean this .exe has been 'injected' with malware, probably quite recently as it wasn't picked up in previous scans? The File info shown at VT is different in the 2 files, more sections, bigger file size, but I don't know enough to interpret the info.

    I think I'll send a sysinspector log to support to see if they can find anything worrying.

    thanks
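
Added example (not part of any post in this thread): the post above notes that the detected copy shows more sections and a larger file size than a fresh download of the same version. This sketch reads the PE section table of both files and reports the differences; the two images are constructed header-only stand-ins and the `.xtra` section name is hypothetical.

```python
import hashlib
import struct

EXEC, WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE

def pe_sections(data):
    """Return [(name, raw_size, flags)] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (count,) = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first section header
    sections = []
    for i in range(count):
        hdr = table + 40 * i                                   # 40 bytes per header
        name, _vsize, _va, raw_size = struct.unpack_from("<8sIII", data, hdr)
        (flags,) = struct.unpack_from("<I", data, hdr + 36)    # Characteristics
        sections.append((name.rstrip(b"\0").decode("latin-1"), raw_size, flags))
    return sections

def compare(reference, suspect):
    """Diff a local copy against a fresh download of the same version."""
    ref_names = {name for name, _, _ in pe_sections(reference)}
    sus = pe_sections(suspect)
    return {
        "same_sha256": hashlib.sha256(reference).digest() == hashlib.sha256(suspect).digest(),
        "size_delta": len(suspect) - len(reference),
        "added_sections": [n for n, _, _ in sus if n not in ref_names],
        # Sections that are both writable and executable are uncommon in compiler output.
        "writable_and_executable": [n for n, _, f in sus if f & EXEC and f & WRITE],
    }

def build_pe(sections, payload=b""):
    """Constructed header-only PE image for the demo (not a runnable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), size, 0, size, 0, 0, 0, 0, 0, flags)
        for name, size, flags in sections)
    return dos + b"PE\0\0" + coff + table + payload

# Constructed sample data: a "fresh download" and a copy with one extra section.
BASE = [(".text", 0x1000, 0x60000020), (".data", 0x200, 0xC0000040)]
CLEAN = build_pe(BASE)
SUSPECT = build_pe(BASE + [(".xtra", 0x2A00, 0xE0000020)], payload=b"\0" * 0x2A00)

if __name__ == "__main__":
    for key, value in compare(CLEAN, SUSPECT).items():
        print(f"{key}: {value}")
```

On real files, read each with `open(path, "rb").read()` and pass the fresh download as `reference`.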
     
  5. ASpace

    ASpace Guest

    You are welcome.

    Parite.B is a virus, infecting executable files. So, it could be that it has recently been infected by the threat.

    Here is some more information about it:
    http://www.eset.com/threat-center/pedia/virusy/win/win32/pariteb.htm
    You could google it for even more.

    In the meantime you can start a full on-demand scan, just in case.
     
  6. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Is it known how one gets infected by this virus?
    Wouldn't it infect ALL executables instead of just a few?
     
  7. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Just some more info...

    Checking the threat log it shows this:

    21/08/2008 08:22:47 Real-time file system protection file C:\Documents and Settings\who\My Documents\mp3gain-win-1_2_5.exe Win32/Parite.B virus NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\Program Files\uTorrent\uTorrent.exe.

    So it looks, to me, that the files were modified via uTorrent (which I use for legal activities - nothing untoward! :D )

    uTorrent was running overnight and NOD32 stopped these actions and was waiting for my Action (delete) when I checked this morning.
     
  8. ASpace

    ASpace Guest

    Much clearer now. :thumb:

    P.S. Now we have an idea about your legal activities :D :D
     
  9. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    I only use it for downloading podcast collections, the same podcasts that are available on BBC, etc., but they get replaced with the latest one each week, so this is a handy way of getting the backlog...

    Anyway, just so I know - just having uTorrent open can leave you susceptible to malware, even if the thing you are downloading does not contain malware?
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hi Lee,
    Is it still detected by the other scanners? I assume it could be that it was detected with update 3306 which cleaned out the virus from the file and thus it has not been detected since then.
     
  11. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Hi Marcos,
    If I let NOD32 clean the file and upload to VT then it is not detected by any scanner.

    I've actually deleted the files, I didn't need them, they were just installers left over from programs I tried out last year.

    I'm not so worried now I know how they got infected - when I ran the NOD32 scan when I had 3306 signatures the files weren't infected, they only became infected - or tried to become infected, NOD32 stopped them - overnight when I left uTorrent running.

    It's made me more wary of downloading via P2P, this incident, so lessons learned there.

    thanks, lee
     