[false positive] Autorun-G [Wrm]

so i got this report this morning:
avast! [CNCMACHINE1]: File “E:\autorun.inf” is infected by “BV:AutoRun-G [Wrm]” virus.
“Resident protection (Standard Shield)” task used Version of current VPS file is 090916-0, 09/16/2009

after inserting a factory stamped windows xp cd.

brilliant guys, if a file is called ‘autorun.inf’ let’s just tag it as a virus anyway.

perfect.

please go back to assigning virus labels based on FILE CONTENT and not just the FILE NAME.

Very funny ;D
The scanner certainly doesn’t detect viruses according to file names (such a functionality isn’t even present in the scanning core).

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder…it will help protect your drives from future infection.

yes, but how does a factory stamped windows xp cd, autorun.inf, become infected?

here’s its contents:

[AutoRun]
open=setup.exe
icon=setup.exe,0

and here’s its details:
size on disk: 2,048 bytes
size: 110 bytes
created Tuesday, February 28, 2006, 8:00:00 AM

thanks for the link to the flash cleaner, that looks like a really useful program, i’ll add that to my bag of tricks

If it doesn’t work, you can try Dr. Web CureIt.

Interesting, the part of the file you wrote has 43 B and the size is 110 B, what is the rest of the file?

Milos

When I look at files which Avast! detects as “BV:AutoRun-G [Wrm]”, they contain some references to .exe files stored in “RECYCLER”.

interesting… i wonder if this user has/had a SETUP.EXE in the recycle bin…

(the rest of the INF file is just empty space)

could this be how it was detected:
“if ‘autorun.inf’ points to *recycle*\*\setup.exe, call it a virus”

regardless if setup.exe is a virus (living in recycle bin), but simply in existence?

Can you please send the file we detect, in a password-protected archive (i.e. a zip with the password “infected”), to virus@avast.com, write “False positive” in the subject and insert a link to this forum topic in the body.

> could this be how it was detected: "if 'autorun.inf' points to *recycle*\*\setup.exe, call it a virus"
>
> regardless if setup.exe is a virus (living in recycle bin), but simply in existence?

Yes, it could be – running some files from recycle bin is strange, isn’t it?

Milos

> Yes, it could be -- running some files from recycle bin is strange, isn't it?
>
> Milos

of course it is, but doesn’t mean it’s a virus :)
(and this INF file is just calling setup.exe without a path anyway)

There must be something else, not only the 3 lines (and some “empty space”) you posted in reply #3. Did you send us that file?

Milos
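
An added example, not part of the thread and not avast!'s detection logic: a triage script for the two questions raised above, namely whether an autorun.inf launches anything from a recycle-bin folder and whether the bytes beyond the visible lines are only padding. The function name, the list of recycle-bin folder names and both sample files are assumptions constructed for illustration.

```python
import re

# Recycle-bin folder names on FAT, NTFS (XP) and Vista+ volumes (assumed list).
RECYCLE_DIR = re.compile(r"(?:^|[\\/])(?:recycler|recycled|\$recycle\.bin)(?:[\\/]|$)", re.I)
# [AutoRun] keys whose value is executed: open, shellexecute, shell\<verb>\command.
EXEC_KEY = re.compile(r"^(?:open|shellexecute|shell\\[^\\]+\\command)$", re.I)
PADDING = b" \t\r\n\x00"


def triage_autorun(data: bytes) -> dict:
    """Report what an autorun.inf executes and what else the file contains."""
    report = {"size": len(data), "commands": [], "recycle_bin": [],
              "unparsed": [], "padding_bytes": sum(b in PADDING for b in data)}
    section = ""
    for raw in data.decode("latin-1").splitlines():  # latin-1: 1 byte per char
        line = raw.strip(" \t\x00")
        if not line or line.startswith(";"):
            continue                                  # blank, padding or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            report["unparsed"].append(line)           # neither header nor key=value
            continue
        if section == "autorun" and EXEC_KEY.match(key.strip()):
            command = value.strip()
            report["commands"].append(command)
            if RECYCLE_DIR.search(command):
                report["recycle_bin"].append(command)
    return report


# Constructed samples. CLEAN repeats the three lines quoted in the thread, padded
# with spaces to 110 bytes (the real padding on the CD is not shown on the page).
VISIBLE = b"[AutoRun]\r\nopen=setup.exe\r\nicon=setup.exe,0"
CLEAN = VISIBLE + b" " * (110 - len(VISIBLE))
# SUSPECT uses a made-up recycle-bin path of the kind described in the thread.
SUSPECT = b"[autorun]\r\nopen=RECYCLER\\S-1-5-21-0000\\setup.exe\r\n"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, triage_autorun(blob))
```

Anything listed under `unparsed`, or a gap between `size` and the visible text that `padding_bytes` does not account for, is the "something else" worth sending to the vendor along with the file.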