Hi,
I left my PC scanning last night on ultra-ultra-paranoid mode using the latest definitions as of last night. This morning, Avast said it had found some issues in a few of my Oracle VirtualBox HDD images (the images in question are both Windows 7 32-bit images). Both were detected as “High severity”:
- “Threat: Win32:VB-RLH [Trj]”
- “Threat: Win32:Adloader-AC [Trj]”
This post concerns the first threat, Win32:VB-RLH, as there is quite a lot of information surrounding the second.
Before I go on (this is a long post), I should say that I’ve found several other references to people with similar issues, where Avast has found trojans in .vdi files and memory dumps, and usually they are told or assume that they are false positives. I wanted to ask here as a) I’ve still got the files if they might be handy for analysis, and b) it may well be the case that they are infected, which might become apparent to someone from reading the rest of this post.
First, a bit about my setup. My PC is an Apple iMac, but I never use Mac OS X - I always boot into Windows using Boot Camp. For those that may not be familiar with how Boot Camp partitions the HDD ready for Windows, my one HDD (Disk 0) is split into 4 partitions as follows:
1) 200MB - Healthy (GPT Protective Partition)
2) 15GB HFS formatted - Healthy (Primary Partition) - This is the Mac partition. Windows sees it as a read-only drive [- E: -]
3) 129MB Unallocated
4) 450GB NTFS formatted - Healthy (System, Boot, Page File, Active, Crash Dump, Primary Partition) [- C: -]
I’m running Windows 7 64-bit, Avast 6 (v6.0.1000, updated from v5 a while ago), and automatically update the definitions every few hours (currently using 110323-1 from 23/03/2011 17:14:18). I’ve just re-scanned the files using the latest definitions to see if they’d been reported as a false positive already, but it still detects the same threats.
Now to my dilemma. I’ve only really found 2 credible sources of information about this threat:
- Microsoft’s Malware Protection Centre, which calls it “Worm:Win32/Hamweq.AO”: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FHamweq.AO
- McAfee’s Virus Information database, which calls it “Generic.dx!tsv!1F7F14D3AD6E”: http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=275785#none
The problem I’ve got is that between Avast, Microsoft, and McAfee, I’ve got so much conflicting information:
- The virus name:
  - Avast detected it as “Win32:VB-RLH”
  - Microsoft and McAfee say that this is the name that Kaspersky detects it as
  - McAfee’s page says that Avast should detect it as “Win32:Vitro” - and if this is really what it is, I could have a very long ride ahead of me
- The virus characteristics:
  Both MS and McAfee (see previous links) give conflicting information about the characteristics to watch out for, none of which my PC nor the VM have (either registry settings or files). This might indicate no infection, or it could be that the characteristics have changed or are being hidden.
- The virus severity:
  - Avast says “High”
  - Microsoft says “Severe”
  - McAfee says “Low”
- The date of addition to the various AV definitions:
  - Microsoft: 23 Nov 2009
  - McAfee: 10 Sep 2010
  - Avast: 25 Feb 2011 (update 110225-0) [see http://www.avast.com/vuh-get-data.php?id=2011w08&g=data]
- Suspiciously, Avast also finds the same threat in a Windows Error Reporting (WER) memory dump from when Opera crashed 3 days ago.
- Other software finds nothing: I booted using Microsoft’s DaRT toolset CD v6.5, updated to the latest antivirus and antispyware definitions (23/03/2011 02:46), and scanned the same files. Nothing was found.
All of this leaves me still very much in the dark as to what I’m actually infected by (if anything), and the best course of action to take:
- How can I tell whether I am actually infected or not?
- If I am infected, which infection do I actually have - Win32:VB-RLH? Win32:Vitro? Something else?
- Is it a "Severe" risk, or simply "Low" as McAfee says?
- Does Avast actually scan VirtualBox HDDs as if they were a real HDD (and is thus implying the Windows 7 32-bit installation in that VM is infected), or does it simply scan the file as any other binary file?
- Why was there a 15-month gap between when MS published details about this threat and Avast adding it to their definitions? (maybe if Avast were members of the AVPD Consortium it would have been sooner?)
If it helps, here are the answers to the relevant questions from polonus’s ‘what to do’ post:
- How was it detected?
  By Avast in ‘Scan Now’ mode. Settings were: scan all HDDs, memory, full rootkit scan, check for PUPs, check whole file, check inside all archives, high sensitivity, high heuristics sensitivity, use code emulation.
- What was the source of the file?
  The VirtualBox .vdi file HDD was created from scratch by me, and then had Windows 7 32-bit installed on it. I’ve installed a few pieces of software on it, but nothing that isn’t already on my PC.
- What is the exact file name with extension?
  C:\Users\Dan\VirtualBox VMs\Windows 7 32-bit\Windows 7 32-bit.vdi
  C:\Users\Dan\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_Opera.exe_5f8dfb7b7d89ddfd15b094fe76f21a1a197285_cab_0eeb4157\WER372C.tmp.hdmp
- What was the exact wording of the message that the AV program came up with? This is important for later.
  No wording - just the scan results:
  C:\Users\Dan\VirtualBox VMs\Windows 7 32-bit\Windows 7 32-bit.vdi [L] Win32:VB-RLH [Trj] (0)
  C:\Users\Dan\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_Opera.exe_5f8dfb7b7d89ddfd15b094fe76f21a1a197285_cab_0eeb4157\WER372C.tmp.hdmp [L] Win32:VB-RLH [Trj] (0)
- Now go back and do nothing yet. Scan the particular file once again with your AV product.
  I’ve scanned many times - still Avast finds the same things.
- Check with an online scanner or upload to Jotti for a second opinion. Jotti resides at http://virusscan.jotti.org/
  The files are 9.8GB and 275MB respectively… I don’t think they would appreciate me uploading files that big… for the same reason I probably shouldn’t email them to virus@avast.com
- Make an informed decision on the basis of what you have found.
  As I mentioned at the start of this post (are you still reading? ;-), I found several other references to people with similar issues… I guess I just wanted a second opinion. You can never have too many opinions when it comes to the security of your data!
Any advice (even if it’s a “of course they’re false positives, stop being a muppet and go enjoy the sun”) greatly received.
Thanks!
Dan