2009-02-18 00:00:18 Found virus 'Win32:Adloader-AC [Trj]' in file '/mnt/c_drive/pagefile.sys'.
avast4workstation-1.3.0-1.i586.rpm
VDB 90216-1, 02-16-2009
Fedora 8, kernel-2.6.26.8-57.fc8.i686 (+ WinXP MCE SP2)
Thanks,
V
Why do you think this is a false positive? Was any action taken (send to chest/delete/ignore)?
If it has been sent to the chest, you may be able to email it to Avast.
I'm not sure if pagefile items can actually be sent to the chest; it would be interesting to know.
More info about this nature of detection here: http://forum.avast.com/index.php?topic=38998.0
May be a false positive. As DavidR mentioned, the pagefile is something of a fluid beast.
There is a registry setting that can be applied to delete it at every Windows shutdown, should you be concerned. (Got this setting from MS. The KB article indicated that in rare circumstances, malware could hide itself in the pagefile. It makes shutdown take a minute or so longer.)
No, certainly no action was taken: this is a 682 MB Win XP swapfile (pagefile.sys). Nor do I think that I can e-mail it to anyone. Will check out that other thread - thanks for the link (I searched, but did not see that thread).
V
Oo, so it would have tried to quarantine the entire file? That would have been interesting. Probably impossible, given the default size of the chest.
The search term I used was just the name of the detection, originally on Google, then on the Avast forum.
Most certainly a false positive of the Linux version. But it could be that your Windows loads something (malware or unencrypted signatures) into memory… I'll add an exclusion to Linux and scan within Windows again.
Infection in swapfile - might be a side effect of an infected Windows partition (signature found in some swapped-out page), or a false positive; depends on the nature of the detection.
Namely, Adloader-AC [trj] detection is signature based, and thus, probably, the signature was really present in the pagefile, and there's a possibility that the system which wrote the pagefile might be infected.
The signature is unique enough to cause FP-collisions accidentally.
regards,
pc
Have a look for “by Zufyxe” string in the file, that’s the location of Adloader-AC [trj] infection.
pc
Yeah, I thought that it might be a case of the virus signature being present in the WinXP swapfile:
~]$ grep 'by Zufyxe' /mnt/c_drive/pagefile.sys
Binary file /mnt/c_drive/pagefile.sys matches
[Vince@localhost Wed Feb 18 09:55:24 ~]$ grep --binary-files=text 'by Zufyxe' /mnt/c_drive/pagefile.sys |less
[...]
SMA M.8 Core. by Zufyxe
[...]
Thanks Guys,
V
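The check Vince ran with grep above, as an added example that is not code from the thread or from Avast: it reads a large binary file (a 682 MB pagefile would not be loaded into memory) in overlapping chunks, reports the byte offset of every occurrence of the 'by Zufyxe' string and the printable bytes around it, so the context of a hit (here "SMA M.8 Core. by Zufyxe") can be judged before deciding whether the Windows side needs a scan. The signature and context strings are the ones quoted in the thread; the sample file is constructed here so the example runs offline.

```python
import os
import tempfile

SIGNATURE = b"by Zufyxe"                  # string named in the thread as the detection's location
SAMPLE_TEXT = b"SMA M.8 Core. by Zufyxe"  # context seen in the grep output above


def _printable(b: bytes) -> str:
    """Render bytes with non-printable characters shown as '.'."""
    return "".join(chr(c) if 0x20 <= c < 0x7F else "." for c in b)


def find_signature(path, needle, chunk_size=1 << 20, context=16):
    """Return (offset, context) for every occurrence of needle in a binary file.
    Chunks overlap by len(needle) - 1 bytes so a hit straddling a chunk edge is
    still found and no offset is reported twice (right-hand context may be cut)."""
    hits, overlap, tail, base = [], len(needle) - 1, b"", 0
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            buf = tail + chunk
            i = buf.find(needle)
            while i != -1:
                lo, hi = max(0, i - context), i + len(needle) + context
                hits.append((base + i, _printable(buf[lo:hi])))
                i = buf.find(needle, i + 1)
            tail = buf[-overlap:] if overlap else b""   # carried into the next chunk
            base += len(buf) - len(tail)                # absolute offset of tail[0]
    return hits


def build_sample(path, offsets):
    """Constructed test file: an incrementing byte pattern (which cannot contain the signature) with SAMPLE_TEXT planted at each offset."""
    size = max(offsets, default=0) + len(SAMPLE_TEXT) + 64
    data = bytearray((bytes(range(256)) * (size // 256 + 1))[:size])
    for off in offsets:
        data[off:off + len(SAMPLE_TEXT)] = SAMPLE_TEXT
    with open(path, "wb") as fh:
        fh.write(data)


def demo(chunk_size=4096, planted=None):
    """Plant the signature in a throwaway file and search it; by default the second copy straddles a chunk edge."""
    if planted is None:
        planted = [100, chunk_size - 18]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pagefile.sys")
        build_sample(path, planted)
        return find_signature(path, SIGNATURE, chunk_size=chunk_size)
```

Point `find_signature` at the mounted pagefile (e.g. `/mnt/c_drive/pagefile.sys`) with `SIGNATURE` to reproduce the grep result with offsets; a hit only shows the string was in swapped-out memory, not which process put it there.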