Malware or not ???

Hi there, just wondering if anyone could kindly help out:
Avast found the following in C:\WINNT\system\32\i
Win32:Downloader-BKN [trj]

It was initially found when I first installed Avast in May of this year, after coming from AVG and Avira. Moved it to the chest for a while, restored it later, neither had any effect as far as I could tell. Could not identify any damage to data. I have therefore not yet attempted to remove this “malware”, but would need to know what to do with it in the long run. (Never had any viruses in the past).
Virustotal-result below.
Uncertain how to proceed. Is this malware or a FP ?? Any further advice would be greatly appreciated.
Many thanks, Syndey

Antivirus Version Last Update Result
AhnLab-V3 2008.7.25.1 2008.07.25 -
AntiVir 7.8.1.12 2008.07.25 -
Authentium 5.1.0.4 2008.07.24 -
Avast 4.8.1195.0 2008.07.25 BV:Ftp-L
AVG 8.0.0.130 2008.07.25 -
BitDefender 7.2 2008.07.25 Generic.Botget.4F977CAC
CAT-QuickHeal 9.50 2008.07.24 -
ClamAV 0.93.1 2008.07.25 Trojan.Downloader.Small-1042
DrWeb 4.44.0.09170 2008.07.25 -
eSafe 7.0.17.0 2008.07.24 -
eTrust-Vet 31.6.5981 2008.07.25 BAT/FTPDownloader
Ewido 4.0 2008.07.25 -
F-Prot 4.4.4.56 2008.07.24 -
F-Secure 7.60.13501.0 2008.07.25 Trojan-Downloader.BAT.Ftp.ab
Fortinet 3.14.0.0 2008.07.25 BAT/Dloader.AB!worm
GData 2.0.7306.1023 2008.07.25 BV:Ftp-L
Ikarus T3.1.1.34.0 2008.07.25 Trojan-Downloader.BAT.Ftp.AB
Kaspersky 7.0.0.125 2008.07.25 -
McAfee 5346 2008.07.24 W32/Sdbot.worm!ftp
Microsoft 1.3704 2008.07.24 TrojanDownloader:BAT/Ftper.gen
NOD32v2 3298 2008.07.25 -
Norman 5.80.02 2008.07.24 Text/BotFTP.gen
Panda 9.0.0.4 2008.07.25 W32/Sdbot.ftp.worm
PCTools 4.4.2.0 2008.07.24 BAT.Botget.B
Prevx1 V2 2008.07.25 -
Rising 20.54.42.00 2008.07.25 -
Sophos 4.31.0 2008.07.25 Mal/BotFTP-A
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.25 Downloader
TheHacker 6.2.96.389 2008.07.25 W32/SdBot.worm
TrendMicro 8.700.0.1004 2008.07.25 BAT_FTPER.C
VBA32 3.12.8.1 2008.07.24 -
ViRobot 2008.7.25.1310 2008.07.25 BAT.Ftp.E
VirusBuster 4.5.11.0 2008.07.24 BAT.Botget.B
Webwasher-Gateway 6.6.2 2008.07.25 -

Additional information
File size: 70 bytes
MD5…: 47473f9195c3530f4b249b10e35c9214
SHA1…: e2646619ad8444a2db392086363b5aaa8c441b60
SHA256: daa63fc5c7a7af1f08779a50a4dba5f9da62c340e283284fe8500e40b74d549a
SHA512: b656f4ac5e7f3872216235e6d4c10e9e0b3f418751a4e3e686356ba54aba4bc5fcd64bb48a1e9963d1dcffb37b7fc31767d039ae7b17929f4e7a5e314815bead
PEiD…: -
PEInfo: -

I think the VT results are pretty clear the avast detection was good and it is malware, which should have remained in the chest for a few weeks prior to being check scanned ‘inside’ the chest and if still detected, deleted. One thing for sure it is no FP.

Is this path correct, C:\WINNT\system\32\i ?

The path C:\WINNT\system\32\i seems strange to start with; C:\WINNT\system32\ is more likely, and if the path is correct it would imply that it is designed to confuse so a user doesn’t remove it.

What is your OS ?

Hi David, thanks for getting back to me.
Win 2000.
This path is correct (had mistakenly added a backslash before - sorry !!!):
C:\WINNT\system32\i
The file properties show it has been in place pretty much ever since I had the computer.
I had the file in the chest for nearly 2 months, but it still is identified as being infected.
I sent it to the Avast support two times, never received a reply.
Also sent the file to the Avira support (including the VT results), but they insist it is clean.
So really don’t know who and what to believe and what to do ???
Thanks again,
Sydney.

I won’t judge that this file is clean… really, too many ‘important’ antivirus are detecting it as being infected. Do you need that file, I mean, why did you restore it?

Walks like a duck, talks like a duck, smells like a duck. Oh yeah, that’s because it’s a duck.

On first execution, Trojan-Downloader.BAT.Ftp.ab creates a file in the following location: C:\WINDOWS\SYSTEM32\I.

http://www.microworldtechnologies.com/virus_info/virusalertd.asp?vid=920

Hi Tech, no I personally do not “need” that file at all. But I thought Windows did - otherwise: why should it have been there ever since Windows had been installed ??
So you think it’s o.k. to just delete the whole file ?? (i.e. move it to the chest again & delete it from there) rather than trying to fix it ?
Also, how come various antiviral programs detect different “bugs” (a worm/a trojan/etc) ?
Thanks,
Syd.

Mal/BotFTP-A is a malicious FTP script typically created by IRC backdoor worms of the Sdbot family.

http://www.sophos.com/security/analyses/viruses-and-spyware/malbotftpa.html

It downloads more malware, so some AV’s call it a Trojan downloader.

C:\WINDOWS\SYSTEM32\I

On clean installations there is no such file in the system32 directory. This is malware.

http://forum.kaspersky.com/lofiversion/index.php/t11781.html

That is better, though it is also unusual for single-character folder names (or is that the file name with no file type, which is also suspect). Is there anything else in that folder?

File properties aren’t entirely reliable, as it depends on whether this value is the creation or the last modified date. Signatures are constantly added and updated, so it isn’t unusual to see a file that wasn’t previously detected now detected. This is why it is important to send to the chest (rather than delete) and confirm the detection at VT, and in this case it confirms a good detection.

You will not normally receive a reply unless they need more information; they will analyse the submitted sample and if it was an FP would correct the VPS so it would no longer be detected. Obviously if it is still considered infected then there would be no change to the VPS.

They would obviously still say it is clean as they still don’t detect it, but in the face of the VT results, I’m afraid I couldn’t accept that assurance.

I still don’t know the file name that was detected. You gave a folder location and a malware name but no file name, so there is no way to know what the file is associated with using Google, etc. and give any advice/assurance.
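An added Python triage helper (my example, not code from this thread or from Avast) that applies the checks David describes: it hashes a quarantined file so it can be compared with the VirusTotal values quoted earlier in the thread, records both timestamps, flags a one-character extension-less name, and counts detections in a pasted VT table. The file path, the constructed sample and the function names are assumptions.

```python
import hashlib
import os
from datetime import datetime, timezone

# Hashes VirusTotal reported for the 70-byte sample quoted in this thread.
VT_MD5 = "47473f9195c3530f4b249b10e35c9214"
VT_SHA256 = "daa63fc5c7a7af1f08779a50a4dba5f9da62c340e283284fe8500e40b74d549a"


def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def triage_file(path, known_md5=VT_MD5, known_sha256=VT_SHA256):
    """Gather the facts a responder wants before deciding on a quarantined file."""
    st = os.stat(path)
    name = os.path.basename(path)
    stem, ext = os.path.splitext(name)
    md5, sha256 = file_hashes(path)
    # st_ctime is the creation time only on Windows; elsewhere it is the inode
    # change time, so "how long has it been here" must be read with care.
    return {
        "name": name,
        "size": st.st_size,
        "created": datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
        "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "md5": md5,
        "sha256": sha256,
        # A one-character name with no extension inside system32 is unusual.
        "odd_name": len(stem) == 1 and ext == "",
        # A hash match proves it is the same file VirusTotal already analysed.
        "matches_vt_sample": md5 == known_md5 and sha256 == known_sha256,
    }


def vt_detection_ratio(report_text):
    """Count detections in a pasted VirusTotal table; '-' in the result column means clean."""
    detected = total = 0
    for line in report_text.strip().splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        total += 1
        detected += int(parts[-1] != "-")
    return detected, total
```

Run `triage_file` against a copy of the file while it is still in the chest; a hash match against the VT values settles whether the scanner and VirusTotal looked at the same bytes.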

Wow, Frank, David, thanks a lot for the infos, it all makes more sense now. You guys are great !
@ Dave: that’s all I’ve got: “Original location: C:\WINNT\system32”. “Name: i”.
I think Frank’s duck is a duck :slight_smile: (Please see links in his 2 posts).
So: where to from here ? Move to chest & delete from there or deal with it some other way ??
Thanks so much again !
Syd.

Essentially since you have had it in the chest previously for some time and repeat scans still show infected, you should be able to safely delete it without sending to the chest.

Have you got any anti-spyware tools installed, if so what ?
If not those that Spiritsongs posted would be a good addition to your overall security.

Hi, I wish posts would not just disappear from this thread…
I have been using Ad-Aware and Spybot on a regular basis, but nothing was ever found, apart from a few tracking cookies.
I have read Spiritsong’s reply (which has now disappeared) and have in the meantime downloaded & run both: SuperAntiSpyware & Malwarebytes.
SAS just detected more tracking cookies (which I have deleted). Malwareb. did not find anything.
I cannot remember exactly what else Spiritsongs said, other than getting expert help…
So, David, you think it would be o.k. to just go into Windows Explorer and send the “i-file” to the rubbish-bin (rather than to the chest again)?

The “i-file” is malware, as I think has been demonstrated beyond reasonable doubt. Perhaps some “expert help” might be what you need after all… :-\

Frank, yeah, I entirely agree and you have proven beyond doubt that it is malware. In his post (now not showing any more), “Spiritsong” suggested to run the both applications (SAS & Malwarebytes), implying that they might get rid of the problem altogether - so that’s just what I did. Except neither fixed the problem…
“Spiritsong” also suggested using another forum for “expert help” (? which), whereas DavidR seems to be saying to simply delete the i-File…

Spiritsongs turns up occasionally, recommends SUPERAntiSpyware, recommends that the poster seeks “expert advice” on another forum, and then goes away again for a week or two.

Personally I feel this might be a remnant of a previous infection and the idea of running the other programs (which are specialist anti-spyware/trojan programs) is a belt and braces approach to confirm there is nothing else lurking.

They look for entries in the registry as well for malicious entries (where avast doesn’t do that in its scans), for something to run there will normally be an associated registry entry.

I see no point in sending the i file to the chest when that has been done before so since we are all agreed that after investigation, this is malware then delete it.

Same sentiment on Spiritsongs seek ‘expert advice’ as FWF you should be fine where you are.

:slight_smile: Hi :

Some malware is very “complex” and the “regular” antivirus and antispyware programs MAY ONLY “detect” a “portion” of the malware. Best to get Volunteer Expert help in a “HijackThis” forum which will run several analytical tools/programs, and since you now mention you have Spybot, I recommend the One at http://forums.spybot.info particularly THEIR “Malware Removal” sub-forum.

The “Disappearing Post” mentioned the “Malware Removal - HijackThis Logs” sub-forum at www.malwarebytes.org/forums/. For informational purposes, I had mentioned http://en.wikipedia.org/wiki/Trojan_horse_(computing).

Why do you only come here to put us down by recommending that people go to another forum? It’s doubly insulting when replies to the post have clearly identified the problem, and it undermines the poster’s confidence in the answers given. I don’t know about other forum members, but this behaviour really pisses me off.

And why do you recommend SUPERAntiSpyware every time you see the word ‘Trojan’ or ‘worm’ in a post? Have you got some special interest in that product?

Hi, just briefly wanting to thank you SO MUCH for the time, patience & energy you sacrificed by helping me sort this out !!
I’ve deleted the file & everything is sweet. At the same time I feel very lucky to have had your support !
And I am grateful for your explanations +++
Frank, you were spot-on, and your early links have been a real eye-opener.
David, I love the way you communicate and bring your point across.
Hopefully, this won’t happen again (yes, David, heaven knows how long this “thing” or its remnants have been sitting there…), but if it does I’ll know where to turn “without having to panic” (@Frank!)… :slight_smile:
Cheers. Syd.

You’re welcome, happy to help.

:slight_smile: Hi Frank ( and Others !? ) :

I “put you down” because you are frequently recommending simplistic “Solutions” to a possibly “complex” Situation. Some experienced, trained, certified, Volunteer “Malware-Fighters” recommend a reformat & reinstallation of a computer that has a Backdoor trojan because that is the “safe” way to “treat” that. Seems wise to exercise caution by going the “Extra Step” by having someone with more knowledge than you use “tools” such as ComboFix and others to determine IF there is something still hidden on the computer. OF course, most Novices prefer the simplistic Approach either through ignorance or unwillingness to take the “Extra Step” to ensure the Integrity of their computers. I agree with the “Approach” of CERTIFIED “Malware-Fighter” “Mr Charlie” in WHAT he recommends at http://forums.maddoktor2.com/index.php?showtopic=9590.