Win32:VB-IE [Wrm] detection always

Avast detects and warns about this Win32:VB-IE [Wrm] virus in EVERY program file (.EXE or even PDF) taken from K-lite.
Is it a real virus? I have Windows XP, IE 6.0.
I place it in quarantine and delete it, but I lose the file. Is there any other thing I may do?
Thanks for any help.

Well, free codecs have been a known source of infection, whilst I don’t know K-lite or whether you downloaded it from their site or a third-party site offering free codecs.

Edit - Update: This SiteAdvisor check doesn’t make good reading if you got your codecs from here, k-litecodecpack.com: http://www.siteadvisor.com/sites/k-litecodecpack.com. You can repeat this check with whatever site you downloaded from, but I would say it is suspect until confirmed otherwise.

Deletion isn’t really a good first or early option (you have none left); ‘first do no harm’: don’t delete, send the virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner, or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Also see (Mini Sticky) False Positives, how to report and what to do to exclude them until the problem is corrected.

Thanks DavidR
In fact, what I downloaded aren’t codecs but simple finance software or text PDF files. I’ll do as you said.

OK, what is K-lite? I have never heard of it, and most of the Google hits refer to codec sets.

The PDFs shouldn’t (in theory) be a problem; as far as I’m aware, the only exploits relate to the full Adobe program and not the reader. Though that wouldn’t stop anyone trying it on.

Let us know the outcome of the multi-engine scans.

Welcome to the forums.

K-lite is P2P software like E-mule, Limewire, Shareaza or Kazaa…

STATUS: FINISHED
Complete scanning result of “Finance_-_The_Financial_Analyst_s”, received in VirusTotal at 01.12.2007, 17:29:39 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 Worm/VB.DW
Authentium 4.93.8 01.12.2007 W32/VB.NQ
Avast 4.7.892.0 12.30.2006 Win32:VB-IE
AVG 386 01.12.2007 Worm/VB.SO
BitDefender 7.2 01.12.2007 Win32.Worm.VB.DW
CAT-QuickHeal 9.00 01.12.2007 Worm.VB.dw
ClamAV devel-20060426 01.12.2007 Trojan.VB-105
DrWeb 4.33 01.12.2007 Trojan.MulDrop.3290
eSafe 7.0.14.0 01.10.2007 Win32.VB.dw
eTrust-InoculateIT 23.73.112 01.12.2007 Win32/Alcan.5tn!Worm
eTrust-Vet 30.3.3324 01.12.2007 Win32/Alcan.I!ZIP
Ewido 4.0 01.12.2007 Worm.VB.dw
Fortinet 2.82.0.0 01.12.2007 W32/VB.DW!p2p
F-Prot 3.16f 01.12.2007 W32/VB.NQ
F-Prot4 4.2.1.29 01.12.2007 W32/VB.NQ
Ikarus T3.1.0.27 01.09.2007 P2P-Worm.Win32.VB.dw
Kaspersky 4.0.2.24 01.12.2007 P2P-Worm.Win32.VB.dw
McAfee 4937 01.11.2007 W32/Generic.m
Microsoft 1.1904 01.12.2007 Worm:Win32/Alcan.D
NOD32v2 1974 01.12.2007 Win32/TrojanDropper.VB.NAI
Norman 5.80.02 01.12.2007 W32/Solo.A
Panda 9.0.0.4 01.12.2007 Trj/Gaodrop.A
Prevx1 V2 01.12.2007 Malicious
Sophos 4.13.0 01.11.2007 W32/VB-YY
Sunbelt 2.2.907.0 01.12.2007 W32.Alcra.F
TheHacker 6.0.3.147 01.11.2007 W32/VB.dw
1.83 01.11.2007 Worm.P2P.VB

I took it out of quarantine and used AV total. Well, looks like a unanimous opinion… (laughs) This surely must be a virus. But after this, I used Avast scan on the file and it didn’t detect the virus. I do not understand!

I don’t understand either, but one thing for sure I wouldn’t use it, especially when there are plenty of other p2p apps out there.

You could also rescan the file in the chest, a copy should be retained in there.

Seems to be ;D

How are you scanning the file? What is the file extension? Is your avast updated?

Tech,
Some are zipped PDFs and some are simply zipped. Avast did not detect them when scanning their folder.
It only detects them when scanning the file directly. My Avast is updated.

How are you starting the scanning? Right clicking the folder? Using the Simple User Interface (the skin)?

What is directly? Again, right clicking the folder or Using the Simple User Interface (the skin)?

Archive (zip, etc.) files are by their nature inert; you need to extract the files and then you have to run them for them to be a threat. Long before that happens avast’s Standard Shield should have scanned them, and before an executable is run, that is scanned.

The different scanners (providers) have different settings and defaults, web shield does scan archives so can detect them coming down from the internet, if you use ashQuick.exe to scan downloads that is the most comprehensive scan and has many different unpackers available. This is the one that is also used in probably what you are calling a direct scan, the right click context scan.

I can copy a zip sample from my exclusions folder and standard shield doesn’t bat an eyelid, an ashQuick.exe scan goes berserk, if I extract the contents to a folder standard shield goes berserk. So on the Normal sensitivity standard shield ignores inert files as in that state they can’t do any harm, extract them and it will alert.

Franco, David shows the reasons of my questions 8)

By directly I meant scanning the file not all its folder. What bothered me and I question is if it is a false positive because it’s weird to have so many downloaded files with the same virus.

If you have more from the same site (see below) then they are also likely to be infected and the only way to confirm that is by examination as you did previously.

Personally with the previous check you made confirming the detection, I wouldn’t touch that site with a large stick.

Can you provide examples of these other files, file name and location, etc.?

Look Franco, you’re not understanding that directly scanning the file could be achieved in two ways (at least):

  1. Using the Explorer Extension (ashquick.exe) that will scan inside archive files.
  2. Using the Interface (skin) that could, or could not, scan archives depending on how you set it.

So, avast could detect it if you scan archives but won’t if you don’t set it so…

To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…
You can use wildcards like * and ?. But be careful, you should ‘exclude’ that many files that let your system in danger.
After that, please, periodically check it - scan it into Chest, right clicking the file - there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as being infected then you can also remove it from the Exclusion list.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
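
The replies above about archives being inert until extracted, and about ashquick.exe scanning inside archives while a scan with archive unpacking turned off does not, can be reproduced with a small sketch. This is an added example, not part of the original thread and not avast's code: `MARKER`, the function names and the sample archive are constructed for illustration, and a plain byte search stands in for a real detection signature.

```python
import io
import zipfile

# Constructed stand-in for a detection signature: harmless text, not malware.
MARKER = b"CONSTRUCTED-DEMO-SIGNATURE-0001"
MAX_MEMBER = 10 * 1024 * 1024  # refuse to inflate huge members (zip-bomb guard)


def build_sample():
    """Constructed download: a zip holding a text file and a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.exe", b"MZ" + bytes(64) + MARKER + b"filler " * 200)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"constructed sample file, harmless text\n")
        zf.writestr("docs.zip", inner.getvalue())
    return outer.getvalue()


def scan_bytes(data, name, unpack=True, depth=0, max_depth=3):
    """Return the paths where MARKER is found.

    unpack=False models a scan that treats the archive as one opaque file;
    unpack=True models a scan that opens archives, nested ones included.
    """
    hits = []
    if MARKER in data:
        hits.append(name)
    if unpack and depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Skip directories, oversized members and encrypted members,
                # which cannot be read without a password.
                if info.is_dir() or info.file_size > MAX_MEMBER:
                    continue
                if info.flag_bits & 0x1:
                    continue
                member = zf.read(info)
                path = f"{name}!{info.filename}"
                hits += scan_bytes(member, path, True, depth + 1, max_depth)
    return hits


if __name__ == "__main__":
    sample = build_sample()
    print("without unpacking:", scan_bytes(sample, "download.zip", unpack=False))
    print("with unpacking:   ", scan_bytes(sample, "download.zip", unpack=True))
```

The compressed bytes of the archive do not contain the marker verbatim, so the opaque scan reports nothing, while the unpacking scan reports the nested member, which matches the difference between the folder scan and the right-click scan described in the thread.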