Win32:Agent-SWR (Possible Mistake?)

I have a number of system repair tools for fixing infected PCs. One is a partial PE that is typically run from a bootable CD. I have the disk content backed up to several places on my PC. In my most recent scan, Avast detected almost all the system files from within those locations to be Win32:Agent-SWR as shown below:

Sign of “Win32:Agent-SWR [Drp]” has been found in “C:\Documents and Settings\Brad\Desktop\Brad Tool Set 072808\MRI 4-7\I386\SYSTEM32\AUTOCHK.EXE” file.

Sign of “Win32:Agent-SWR [Drp]” has been found in “C:\Documents and Settings\Brad\Desktop\Brad Tool Set 072808\MRI 4-7\I386\SYSTEM32\AUTOFMT.EXE” file.

Sign of “Win32:Agent-SWR [Drp]” has been found in “C:\Documents and Settings\Brad\Desktop\Brad Tool Set 072808\MRI 4-7\I386\SYSTEM32\CSRSS.EXE” file.

Sign of “Win32:Agent-SWR [Drp]” has been found in “C:\Documents and Settings\Brad\Desktop\Brad Tool Set 072808\MRI 4-7\I386\SYSTEM32\NTKRNLMP.EXE” file.

Sign of “Win32:Agent-SWR [Drp]” has been found in “C:\Documents and Settings\Brad\Desktop\Brad Tool Set 072808\MRI 4-7\I386\SYSTEM32\NTOSKRNL.EXE” file.

Sign of “Win32:Agent-SWR [Drp]” has been found in “C:\Documents and Settings\Brad\Desktop\Brad Tool Set 072808\MRI 4-7\I386\SYSTEM32\SMSS.EXE” file.

Now, it found the same exact ‘viruses’ in all the other locations this tool was backed up in (I won’t bloat the post by putting them all in from the log); however, it did not find “Win32:Agent-SWR [Drp]” anywhere else on the PC, as you would suspect if this were a true Win32.Agent.

It also found some virus and AV removal tools and identified them as viruses:

Sign of “Win32:SQLSlammer” has been found in “C:\Documents and Settings\Brad\Desktop\old flash 1\Brad Tool Set 020407\MRI 4-7\Virus\Individual Removal Tools\Symantec Removal Tools\FixSQLex.exe[UPX]” file

for a copy of the Symantec removal tool, and:

Sign of “Win32:Trojan-gen {Other}” has been found in “E:\Tech Tools\new tools\VundoFix.exe” file

for my VundoFix tool from Atribune.

It is my suspicion that these are all misidentified ‘legit’ files, but I wanted to check here first before I restored them all.

Any thoughts?

Thanks in advance.

The problem with some tools is the AV can’t determine the purpose, good or evil.

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive/undetected malware in the subject.

As for vundofix there was an FP on this but it was on an old version and supposed to be fixed.
I have version 7.0.0.6 and there is no detection on that version.

You could also create a folder for your tools and exclude that folder from scans.

Wow, thanks for the great info and the fast reply.

It looks like those files really are infected. More disturbing is the actual CD also has those viruses on it and it is a PE repair CD used by a large national computer repair/service company which I used to work for. I have about a dozen different versions of that disk and ALL of them have it. I think I will check the newest one out see if it is present…

On a different note, could that virus (as it is listed as a dropper) infect the PC’s of the people getting serviced?

The results of the lookup are posted below:

Antivirus Version Last Update Result
AhnLab-V3 2008.8.15.0 2008.08.15 Win32/Alman.C
AntiVir 7.8.1.19 2008.08.16 W32/Alman.BB
Authentium 5.1.0.4 2008.08.17 W32/Alman.C
Avast 4.8.1195.0 2008.08.17 Win32:Agent-SWR
AVG 8.0.0.161 2008.08.17 Win32/Alman
BitDefender 7.2 2008.08.17 -
CAT-QuickHeal 9.50 2008.08.16 W32.Almanahe.B
ClamAV 0.93.1 2008.08.16 W32.Alman-2
DrWeb 4.44.0.09170 2008.08.17 Win32.Alman
eSafe 7.0.17.0 2008.08.17 -
eTrust-Vet 31.6.6035 2008.08.15 Win32/Almanahe.F!x386
Ewido 4.0 2008.08.17 -
F-Prot 4.4.4.56 2008.08.17 W32/Alman.C
F-Secure 7.60.13501.0 2008.08.17 Virus.Win32.Alman.b
Fortinet 3.14.0.0 2008.08.17 W32/Alman.B
GData 2.0.7306.1023 2008.08.17 Virus.Win32.Alman.b
Ikarus T3.1.1.34.0 2008.08.17 Virus.Win32.Alman.b
K7AntiVirus 7.10.417 2008.08.15 -
Kaspersky 7.0.0.125 2008.08.17 Virus.Win32.Alman.b
McAfee 5362 2008.08.15 W32/Almanahe.c
Microsoft 1.3807 2008.08.17 Virus:Win32/Almanahe.B
NOD32v2 3362 2008.08.17 Win32/Alman.NAB
Norman 5.80.02 2008.08.15 W32/Alman.B
Panda 9.0.0.4 2008.08.17 Trj/Asprox.E
PCTools 4.4.2.0 2008.08.17 Win32.Alman.B
Prevx1 V2 2008.08.17 -
Rising 20.57.62.00 2008.08.17 Worm.Magistr.g
Sophos 4.32.0 2008.08.17 W32/Alman-C
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.17 W32.Almanahe.B!inf
TheHacker 6.3.0.3.052 2008.08.17 W32/Almanahe.C
TrendMicro 8.700.0.1004 2008.08.16 PE_CORELINK.C-1
VBA32 3.12.8.3 2008.08.17 Trojan-Downloader.Win32.Agent.erl
ViRobot 2008.8.16.1338 2008.08.16 Win32.Alman.B
VirusBuster 4.5.11.0 2008.08.17 Win32.Alman.B
Webwasher-Gateway 6.6.2 2008.08.17 Win32.Alman.BB

Additional information
File size: 625152 bytes
MD5: 5c8d8d9350baa0b1c5debc081ed4a172
SHA1: eb5494238a3fcf089d6751946b0356927a69c37a
SHA256: 7519d077b2be1bdff47a94d62a58f9303203379a6263e691abf5e473bda3b144
SHA512: 9861885619f31063c6cb3f11e67d240aef9b700c8492a7dccc221bec887d5cf6a418b299f38f5393146de678fc621306fee738770473d7ab7087eb1f1312f6a2
PEiD: -
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x10011dc
timedatestamp: 0x41107bf3 (Wed Aug 04 06:02:27 2004)
machinetype: 0x14c (I386)

( 4 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x5b746  0x5b800  6.14   4603d3b832f5f387f02a7ea612c74f9e
.data   0x5d000  0x53c0   0x5200   3.54   d40bcb0070a5c8b51f6708d6e188b5a8
.rsrc   0x63000  0x2cce8  0x2ce00  3.44   b3c866b6cbb21d3c4cc6151f3075b40a
.reloc  0x90000  0xac40   0xae00   7.67   f8ab957f047aff196f6321341c78ad42

( 1 imports )

ntdll.dll: wcslen, _wcsicmp, wcsstr, NtClose, NtQueryValueKey, NtOpenKey, RtlInitUnicodeString, NtQuerySymbolicLinkObject, NtOpenSymbolicLinkObject, RtlPrefixUnicodeString, RtlEqualUnicodeString, NtQueryDirectoryObject, NtOpenDirectoryObject, NtTerminateProcess, RtlUnhandledExceptionFilter, RtlUnwind, NtQueryVirtualMemory, DbgBreakPoint, RtlAllocateHeap, RtlUnicodeStringToAnsiString, RtlNormalizeProcessParams, NtDelayExecution, isprint, swprintf, _allmul, _alldiv, NtReadFile, NtDeviceIoControlFile, _chkstk, NtFsControlFile, NtOpenFile, NtQueryInformationFile, NtWriteFile, memmove, NtQueryVolumeInformationFile, RtlOemToUnicodeN, RtlMultiByteToUnicodeN, RtlUnicodeToOemN, RtlUnicodeToMultiByteN, sprintf, _wcsupr, _wcslwr, wcscmp, wcsspn, atol, RtlFreeUnicodeString, RtlDosPathNameToNtPathName_U, NtShutdownSystem, NtAdjustPrivilegesToken, NtOpenProcessToken, NtQuerySystemTime, NtQuerySystemInformation, NtSetInformationFile, NtCreateFile, RtlValidRelativeSecurityDescriptor, RtlExpandEnvironmentStrings_U, NtSetThreadExecutionState, _aulldiv, RtlFreeHeap, RtlSizeHeap, qsort, NtDisplayString, NtWaitForMultipleObjects, NtCreateEvent, RtlFormatMessage, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlFindMessage, wcscpy, wcsncmp, RtlQueryRegistryValues, RtlWriteRegistryValue, RtlSubAuthoritySid, RtlInitializeSid, RtlLengthRequiredSid, RtlAddAce, RtlCopySid, RtlLengthSid, RtlQueryInformationAcl, RtlCreateAcl, RtlAddAccessAllowedAce, RtlLengthSecurityDescriptor, RtlValidSecurityDescriptor, RtlNewSecurityObject, RtlSetDaclSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlCreateSecurityDescriptor, RtlTimeToTimeFields, RtlSystemTimeToLocalTime, _allrem, RtlDecompressBuffer, RtlUpcaseUnicodeString, RtlRaiseStatus, NtTerminateThread, NtSetEvent, NtWaitForSingleObject, NtQueryInformationThread, RtlCreateUserThread, RtlComputeCrc32, DbgPrint, RtlDeleteElementGenericTable, RtlFindSetBits, RtlClearBits, RtlInitializeBitMap, RtlLookupElementGenericTable, RtlNumberOfSetBits, RtlEnumerateGenericTableWithoutSplaying, RtlSetBits, RtlInsertElementGenericTable, RtlInitializeGenericTable, NtQueryPerformanceCounter
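A small triage script over the report above, added here as an example; it is not part of the original post and not VirusTotal's or avast's tooling. It re-reads the scanner rows and the section table exactly as quoted, counts the detections, strips the vendor prefixes so the two spellings of the same family (Alman / Almanahe) stand out from the one-off names, and flags the section whose entropy sits near the 8-bit ceiling. The image base used to locate the entry point is an assumption, since the report gives a virtual address but no base.

```python
"""Triage of the multi-engine report quoted above.  Added example for this
thread, not VirusTotal's or avast's code; input rows are copied from the report."""
import re
from collections import Counter

# Scanner table: "<engine> <version> <update> <result>"; "-" means no detection.
VT_RESULTS = """\
AhnLab-V3 2008.8.15.0 2008.08.15 Win32/Alman.C
AntiVir 7.8.1.19 2008.08.16 W32/Alman.BB
Authentium 5.1.0.4 2008.08.17 W32/Alman.C
Avast 4.8.1195.0 2008.08.17 Win32:Agent-SWR
AVG 8.0.0.161 2008.08.17 Win32/Alman
BitDefender 7.2 2008.08.17 -
CAT-QuickHeal 9.50 2008.08.16 W32.Almanahe.B
ClamAV 0.93.1 2008.08.16 W32.Alman-2
DrWeb 4.44.0.09170 2008.08.17 Win32.Alman
eSafe 7.0.17.0 2008.08.17 -
eTrust-Vet 31.6.6035 2008.08.15 Win32/Almanahe.F!x386
Ewido 4.0 2008.08.17 -
F-Prot 4.4.4.56 2008.08.17 W32/Alman.C
F-Secure 7.60.13501.0 2008.08.17 Virus.Win32.Alman.b
Fortinet 3.14.0.0 2008.08.17 W32/Alman.B
GData 2.0.7306.1023 2008.08.17 Virus.Win32.Alman.b
Ikarus T3.1.1.34.0 2008.08.17 Virus.Win32.Alman.b
K7AntiVirus 7.10.417 2008.08.15 -
Kaspersky 7.0.0.125 2008.08.17 Virus.Win32.Alman.b
McAfee 5362 2008.08.15 W32/Almanahe.c
Microsoft 1.3807 2008.08.17 Virus:Win32/Almanahe.B
NOD32v2 3362 2008.08.17 Win32/Alman.NAB
Norman 5.80.02 2008.08.15 W32/Alman.B
Panda 9.0.0.4 2008.08.17 Trj/Asprox.E
PCTools 4.4.2.0 2008.08.17 Win32.Alman.B
Prevx1 V2 2008.08.17 -
Rising 20.57.62.00 2008.08.17 Worm.Magistr.g
Sophos 4.32.0 2008.08.17 W32/Alman-C
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.17 W32.Almanahe.B!inf
TheHacker 6.3.0.3.052 2008.08.17 W32/Almanahe.C
TrendMicro 8.700.0.1004 2008.08.16 PE_CORELINK.C-1
VBA32 3.12.8.3 2008.08.17 Trojan-Downloader.Win32.Agent.erl
ViRobot 2008.8.16.1338 2008.08.16 Win32.Alman.B
VirusBuster 4.5.11.0 2008.08.17 Win32.Alman.B
Webwasher-Gateway 6.6.2 2008.08.17 Win32.Alman.BB
"""

# PE section table: name, virtual address, virtual size, raw size, entropy, md5.
PE_SECTIONS = """\
.text 0x1000 0x5b746 0x5b800 6.14 4603d3b832f5f387f02a7ea612c74f9e
.data 0x5d000 0x53c0 0x5200 3.54 d40bcb0070a5c8b51f6708d6e188b5a8
.rsrc 0x63000 0x2cce8 0x2ce00 3.44 b3c866b6cbb21d3c4cc6151f3075b40a
.reloc 0x90000 0xac40 0xae00 7.67 f8ab957f047aff196f6321341c78ad42
"""

# Platform/type words vendors prepend to the family name; they carry no family info.
NOISE = {"win32", "w32", "virus", "trj", "trojan", "downloader", "worm", "pe", "inf"}


def family(label):
    """'Virus:Win32/Almanahe.B' -> 'almanahe'; 'Trojan-Downloader.Win32.Agent.erl' -> 'agent'."""
    for tok in re.split(r"[/:.\-_!]", label.lower()):
        if tok and tok not in NOISE:
            return tok
    return label.lower()


def parse_results(text):
    """Map engine name -> result string."""
    return {e: r for e, _v, _d, r in (line.split(None, 3) for line in text.splitlines())}


def summarize(results):
    """(detections, engines, Counter of normalised family names)."""
    hits = [r for r in results.values() if r != "-"]
    return len(hits), len(results), Counter(family(r) for r in hits)


def parse_sections(text):
    rows = []
    for line in text.splitlines():
        name, va, vsize, raw, ent, md5 = line.split()
        rows.append({"name": name, "va": int(va, 16), "vsize": int(vsize, 16),
                     "raw": int(raw, 16), "entropy": float(ent), "md5": md5})
    return rows


def suspicious_sections(rows, threshold=7.0):
    """Sections near the 8-bit entropy ceiling hold packed or encrypted bytes.  Code
    sits around 6; a relocation table is structured, low-entropy data, so a .reloc
    at 7.67 is the row a reviewer looks at first."""
    return [r["name"] for r in rows if r["entropy"] >= threshold]


def entry_section(rows, entry_va, image_base):
    """Section containing the entry point.  The report gives a VA but no image base,
    so the base passed in is an assumption.  An entry point moved into the last
    section is a classic infector sign; here it stays in .text, which proves nothing."""
    rva = entry_va - image_base
    for r in rows:
        if r["va"] <= rva < r["va"] + r["vsize"]:
            return r["name"]
    return "<none>"


if __name__ == "__main__":
    hits, total, fams = summarize(parse_results(VT_RESULTS))
    print(f"{hits}/{total} engines flag the file; families: {fams.most_common()}")
    secs = parse_sections(PE_SECTIONS)
    print("high-entropy sections:", suspicious_sections(secs))
    print("entry point in:", entry_section(secs, 0x10011dc, 0x01000000))  # assumed base
```

Run as-is it reports 30 of 36 engines detecting, 25 of them under the Alman/Almanahe name, with .reloc as the only high-entropy section; the family split is the same "no standardisation in naming" point made later in the thread, reduced to a count you can compare across uploads.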

No problem, glad I could help.

It really is hard to say what might be on your PE CD; if they are the same names as those given, I can’t see why files like NTOSKRNL.EXE and SMSS.EXE would need to be on the CD.

It is a bit of a surprise to have so many detections for what you say are tools without 1 detection saying it is a tool (as frequently happens in the case of tools), but many tools are detected as malicious.

A dropper is often called a downloader, as I believe it is pretty much the same, so it could be possible, assuming the detections are correct, and don’t forget there were other malware names in the VT results (there is no standardisation in malware naming). Though it is possible, it would depend on what the malware was, as it is entirely possible to have a virus on your system that is inert without a run command (registry, etc.). However, if that file replaced a system file that would be run on startup then it is not inert but active on boot.

Now if you uploaded multiple files in an archive file then I don’t know how VT would handle that as there is only a means of reporting 1 malware name for the scan for each of the scanners. So technically one file could be malware and the others OK and only the info on one would be reported. Unfortunately you would have to upload one at a time to get a detailed result for each individual file.

A Google search on one of the other malware names for the Win32.Alman family (http://www.google.co.uk/search?q=Win32.Alman) returns many hits, some indicating this is a file infector. Now it would depend on the source machine that the PE CD was made from, as it could be possible the source files were infected.

It may be worth sending the samples to avast for further analysis.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and possible false positive in the subject.
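Since VirusTotal reports on one file per upload and the same tool set sits in several backup locations, it helps to hash everything first, group the byte-identical copies, and upload each distinct file only once, checking against the hashes already in the report. The script below is an added example and not part of the original post; the directory tree it builds is constructed dummy data (the "PE" contents are filler bytes behind an MZ header), and the one known-bad entry is the SHA-256 from the report above.

```python
"""Hash every file under the backup locations, group byte-identical copies and
check them against hashes from the report.  Added example for this thread, not
part of the original post; the demo tree is constructed dummy data."""
import hashlib
import os
import tempfile
from collections import defaultdict

# SHA-256 taken from the VirusTotal report quoted above.
KNOWN_BAD = {
    "7519d077b2be1bdff47a94d62a58f9303203379a6263e691abf5e473bda3b144":
        "Win32:Agent-SWR / Alman family (per report)",
}
INTERESTING = {".exe", ".dll", ".sys", ".scr", ".cpl"}  # PE-type extensions worth hashing


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def index_tree(*roots, only_interesting=True):
    """{sha256: [paths]} for every file under the given roots."""
    groups = defaultdict(list)
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if only_interesting and os.path.splitext(name)[1].lower() not in INTERESTING:
                    continue
                path = os.path.join(dirpath, name)
                groups[sha256_file(path)].append(path)
    return dict(groups)


def triage(groups, known_bad=KNOWN_BAD):
    """Split an index into (matches, to_submit).
    matches:   {sha256: (label, [all paths])} for hashes already in the report
    to_submit: {sha256: one representative path} for everything else, so each
               distinct file is uploaded exactly once."""
    matches, to_submit = {}, {}
    for digest, paths in groups.items():
        if digest in known_bad:
            matches[digest] = (known_bad[digest], sorted(paths))
        else:
            to_submit[digest] = sorted(paths)[0]
    return matches, to_submit


def build_demo_tree(base):
    """Constructed data: one 'tool set' copied to two locations plus a different
    file.  Contents are filler bytes behind an MZ header, not real binaries."""
    copy_a = b"MZ" + b"\x90" * 64
    other = b"MZ" + b"\xcc" * 64
    for loc in ("Desktop/Tool Set/I386/SYSTEM32", "backup/Tool Set/I386/SYSTEM32"):
        d = os.path.join(base, loc)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "AUTOCHK.EXE"), "wb") as f:
            f.write(copy_a)
        with open(os.path.join(d, "readme.txt"), "wb") as f:  # skipped by extension filter
            f.write(b"not a PE file")
    with open(os.path.join(base, "backup", "VundoFix.exe"), "wb") as f:
        f.write(other)


def run_demo():
    """Build the demo tree in a temp dir, index it and triage it; returns the three
    structures for inspection (paths point into the now-deleted temp dir)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        groups = index_tree(tmp)
        matches, to_submit = triage(groups)
    return groups, matches, to_submit


if __name__ == "__main__":
    groups, matches, to_submit = run_demo()
    for digest, paths in groups.items():
        print(f"{digest[:16]}...  {len(paths)} identical copies: {paths}")
    print("already in the report:", matches)
    print("upload one at a time:", list(to_submit.values()))
```

Point it at the real folders with `index_tree(r"C:\Documents and Settings\Brad\Desktop", r"E:\Tech Tools")` and the `to_submit` list is the set of distinct files still needing a VirusTotal upload, while a non-empty `matches` tells you a copy is byte-identical to the sample already analysed, so no second upload is needed.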

Welcome to the forums.

Needless to say this requires immediate attention.

Get the sample off to avast ASAP.

Just googling the malware name sends up some red flags, for example:

Dr.Web CureIt!
System recovery information

  1. Disconnect infected computer from local network and/or from Internet and turn off System Recovery service.
  2. Download free cure utility Dr.Web CureIt! from uninfected computer. Then copy it to external medium.
  3. Restart infected computer in Safe Mode (F8 at Windows startup) and scan infected computer with Dr.Web CureIt!. Apply “Cure” to all detected objects.

I’d try scans with Malwarebytes Rogue Remover and MBAM.
Posted 2007 at the Malwarebytes forum:
http://www.malwarebytes.org/forums/index.php?showtopic=5786&hl=Virus.Win32.Alman.b

Post back.

Well, I ran MBAM and it’s clean, even on a thorough scan, and I ran AVZ4 script checking which was good as well. It would be catastrophic if these were the real system files, but they are just onload system files that run on booting from that CD (i.e. the preinstalled environment portion). Avast has no trouble locking them down and removing them. The PC looks good via ComboFix, Deckard’s, AVZ, avast boot scan, SDFix, GMER, basically the whole 9 yards.

That is what brings me back to the FP question. It would be almost criminal for an organization as large as the one that uses the “MRI” boot disk to have a virus embedded in well over one year’s worth of releases and version updates. This is an organization that has agents working on roughly 4 people’s PCs per day.

I will send in some samples and you guys can have a closer look,

Thanks again for the help :slight_smile:

You’re welcome.

It most certainly is strange if the PE CDs come from a reputable source, but it is hard to go against such a set of results as the VirusTotal ones. When this number of scanners make a detection it usually comes to the attention of the company pretty quickly.

It certainly requires further investigation.

Samples have been submitted :slight_smile:

Thanks for helping improve detection.

Since I am new here, this may be a really stupid question, but will the results of the samples I shared be posted here?

Just curious, not a necessity :wink:

You don’t normally get a reply unless they need more information and it would be unlikely (though not unheard of) for results to be published in the topic (especially if you didn’t give a link).

The thing to do now is to periodically scan the files in the chest, and when they are no longer detected the detection would be considered an FP and you could post that fact. We who have been responding are only avast users like yourself.