Avast WEBforum

Other => Viruses and worms => Topic started by: Leafer on July 24, 2009, 03:08:16 PM

Title: Win32:Bifrose-EGW [Trj]
Post by: Leafer on July 24, 2009, 03:08:16 PM
Avast Home 4.8 indicated a "Warning" for the following:

Sign of "Win32:Bifrose-EGW [Trj]" has been found in "C:\WINDOWS\Installer\78604.msp"

At the time it appeared, I was running a SUPERAntiSpyware system scan, which is something I do regularly as well as running a MalwareBytes' Anti-Malware scan. I run the scans consecutively (not concurrently). I also use SpywareBlaster as part of my desktop's security.

I tried to find specific information on the above detection on the AVAST forums but to no avail. Furthermore, it would not allow me to quarantine the file as it stated it was in use so my only option was to delete it.

Running XP SP3 (with IE8). Everything else is up to date (MS security patches, SAS, MBAM, most recent version of Java, etc).

Could you please advise if the above detection is a valid or a false positive? If required I can post a HJT or other log files if necessary. In the interim, I will run another full AVAST scan pending your reply.

Thanks in advance.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Jtaylor83 on July 24, 2009, 03:29:38 PM
Upload the file to VirusTotal (http://www.virustotal.com/) and post results.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: DavidR on July 24, 2009, 04:03:39 PM
Unless you have made a typo, the file name, or rather the file type, looks strange: .MSP (though it could be a Windows Installer patch file), when MS installer files are usually .MSI.

The nondescript numeric file name is also strange as they tend to be a little more descriptive of what program (or possibly in this case Patch) they represent.

So it certainly warrants further investigation at VT as mentioned by Jtaylor83.

You may need to take some additional actions to upload it to VT without avast blocking it:
Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here, the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Leafer on July 24, 2009, 04:47:51 PM
Thanks for the prompt replies. Unfortunately I couldn't send it to the Virus Chest at the time it was identified, the only option was to delete it.

As for a possible typo, I doubt it as I cut and pasted the info directly when the Warning splash box appeared. It was definitely a .msp file extension. I tossed the info copied directly into a notepad file.

I have since completed a full system scan with Avast and nothing out of the ordinary was detected.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: DavidR on July 24, 2009, 04:51:38 PM
Deletion isn't really a good first option (you have none left); 'first do no harm': don't delete, send the virus to the chest and investigate. I would sooner ignore than delete, and investigate.

It is strange that it couldn't be sent to the chest but could be deleted; what errors were given for not being able to send to the chest?

You can't do a system wide scan with VirusTotal it is a multi engine scanner and you upload single files for scanning by multiple engines, this is for confirmation purposes.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Leafer on July 24, 2009, 04:59:12 PM
I just realized I couldn't do a system wide scan with VirusTotal (as you just indicated).

The message I was getting at the time is that the file could not be moved to the Chest as it was actively running (or in use) and I didn't try the Ignore option, I simply deleted it.

(PS - Sorry, I used the terminology "quarantine" as opposed to "Chest" in my initial post which may have added to the confusion).

I always follow the same steps when running my security scans. I close all browser windows, use ATF Cleaner to dump cache, then run the scans. The only thing weird about the process is that SAS was running and about 50% complete when the Avast Warning appeared.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: RickWood on July 24, 2009, 05:05:18 PM
I have had this same problem today. I couldn't move the file or delete it. I think it's because my administrator account is disabled and I only have power user privileges. Does this sound right?
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: hlecter on July 24, 2009, 06:14:26 PM
Just to add to the Bifrose-EGW [Trj] discussion:

Sign of   "Win32:Bifrose-EGW [Trj]" has been found in "C:\WINDOWS\Installer\50de86.msp"

I am pretty sure this is a false one, got it with today's defs only, and in a file that has stayed there for years.

Tried uploading it to VT, but the speed of my upload is very low so I had to cancel that.

There often is a .msp file behind a .msi file and I have a lot of .msp files.

I let it alone.

It would be fine if somebody could upload such a file to Virustotal.

Whatever you do, don't delete it.

Regards
HL

Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Pernikkel on July 24, 2009, 06:18:50 PM
Today, during a scan with Avast, I also got a warning for this Trojan. I was able to move it to the chest and was surprised to find out this file was on my pc since 2006, and only now came up as a Trojan. Could this be a false positive?
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: polonus on July 24, 2009, 06:31:04 PM
Hi Pernikkel,

Could be a false positive, whenever this is not found in the registry:
Win32.Bifrose.ri creates the following registry key to register itself as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecSvc

polonus

Title: Re: Win32:Bifrose-EGW [Trj]
Post by: hlecter on July 24, 2009, 06:37:32 PM
Hi Polonus;

Nothing of that kind in my registry, a FP I think, but can't prove it, of course.  :)

HL
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Pernikkel on July 24, 2009, 06:50:29 PM
Good evening Polonus

No such key in my registry either.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: speckledbird on July 24, 2009, 07:14:07 PM
I sent from the virus chest to alwil team

Win\installer\8c22ad.msp\win32:Bifrose-EGW (trj)

hope this helps to get answers of what we are dealing with.

thank you for your work. I very much appreciate the answers I find here.

Becky
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: polonus on July 24, 2009, 07:20:54 PM
Hi Pernikkel,

As far as I'm concerned, treat it as a false positive. To be on the safe side you can still upload it to virustotal.com and to avast. They usually remove FPs quickly and it may already be gone with the next avast update,

greetings and a nice weekend,

@specklebird,

I bet it is a FP. Let's see. They will repair this soon I guess,

polonus
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: DavidR on July 24, 2009, 07:24:33 PM
<snip>
The message I was getting at the time is that the file could not be moved to the Chest as it was actively running (or in use) and I didn't try the Ignore option, I simply deleted it.
<snip>
I always follow the same steps when running my security scans. I close all browser windows, use ATF Cleaner to dump cache, then run the scans. The only thing weird about the process is that SAS was running and about 50% complete when the Avast Warning appeared.

When this happens you should use the unique feature of avast, the boot-time scan, where the file won't be in use, as Windows hasn't fully started.
If you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php (http://www.digitalred.com/avast-boot-time.php).

I too believe this could possibly be a false positive detection, but since it has been deleted there really is no way to investigate further. Since we have other detections on the same file type we may be able to get to the bottom of it.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: DavidR on July 24, 2009, 07:26:43 PM
I sent from the virus chest to alwil team

Win\installer\8c22ad.msp\win32:Bifrose-EGW (trj)

hope this helps to get answers of what we are dealing with.
<snip>

You could submit the file to virustotal as I outlined in Reply #2 above, that should give us a quick answer one way or the other.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: hlecter on July 24, 2009, 07:28:46 PM
I dug into my file and it was a hotfix from MS concerning Office XP.

As far as I could find out, my file was the installer for a patch for:

MS SharePointTeamServices for Office XP which is on my machine.
KB 911701, full-file Norwegian version.

Thanks

HL
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: GramFell on July 24, 2009, 07:46:23 PM
My Aunt just called to tell me she had a Trojan and that it was in the Chest.  Ran over here to check it out, and it's the identical Trojan that everyone else is talking about in this thread.  The "offending" file is currently residing in the Chest.

On checking the information about the file, I show it's been on this laptop since my Aunt purchased it.  I was very concerned while I was driving over here, since this has never happened before.  Now, along with some others, will be watching to see if this file turns out to be a false positive.  Been using Avast! for years, and still highly recommend it, even with a false positive!   ;)   :D

Thanks for such a great group of people!  I'll be watching the forum on a regular basis now.

JoP
St. Louis, MO
USA
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Pernikkel on July 24, 2009, 07:56:27 PM
Hello Polonus

Ok. I'll wait and see for a bit before I do anything.

Wishing you a pleasant weekend too.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: hlecter on July 24, 2009, 07:59:13 PM
This is an English language forum, use PM for personal messages.

Regards
HL
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Seffrid on July 24, 2009, 08:51:18 PM
I've also had an alert for this, an hour or so ago, in a windows\installer\22efdf1.msp file. I've ignored it for now.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: DavidR on July 24, 2009, 09:49:14 PM
Submit to avast as a possible false positive as the more samples sent the better for analysis.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: brandon0413 on July 24, 2009, 09:57:02 PM
This came up on 9 computers out of about 25 at work today. Most before I got in this morning and a few just popped up this afternoon.

Win32:Bifrose-EGW [Trj]

filenames each 6.63MB in size on different computers in the C:\Windows\Installer\ folder:
1d07530.msp
69bb6.msp
253a0b.msp
64129.msp
47d7d4f.msp
3cc9f55.msp
4f78f3.msp
5851a.msp
959a6.msp

virustotal treated them all as the same file and gave this link:
http://www.virustotal.com/analisis/79db13a96db5ec145867d87b178abc926eb951c0605f621de69aad48e8916860-1248460069


Anybody know if these files are safe or not??
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: cromag on July 24, 2009, 10:05:08 PM
I just thought I'd add that I found it too.  It looks like it's been on the computer since 2006.  I put it in quarantine and I'll await the outcome.
I'm just glad that I didn't follow my usual procedure of scanning at 4 AM!  I hate when this happens at bedtime!  ;)
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: DavidR on July 24, 2009, 10:15:29 PM
This came up on 9 computers out of about 25 at work today. Most before I got in this morning and a few just popped up this afternoon.

Win32:Bifrose-EGW [Trj]

filenames each 6.63MB in size on different computers in the C:\Windows\Installer\ folder:
1d07530.msp 69bb6.msp  253a0b.msp 64129.msp 47d7d4f.msp 3cc9f55.msp 4f78f3.msp
5851a.msp 959a6.msp

virustotal treated them all as the same file and gave this link:
http://www.virustotal.com/analisis/79db13a96db5ec145867d87b178abc926eb951c0605f621de69aad48e8916860-1248460069

Anybody know if these files are safe or not??

Given what is said in this topic already it looks like the alert is somehow triggered by the .msp file type, as opposed to the actual content. So it could be something in the file header info.

Given your VT results it confirms it is highly likely it is a false positive as GData uses avast as one of its two scanning engines, so effectively this is a detection only by avast.

I would suggest sending a couple of samples to avast as per the info in my last post.
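An added example, not from the forum or from avast, that scripts the two checks raised in this thread: polonus's registry test for the Bifrose service key, and DavidR's point that the alert seems tied to the .msp file type rather than its content. It inventories the .msp files in a directory, records size and SHA-256 (so the hash can be looked up on VirusTotal without uploading), and confirms each file starts with the OLE compound-file signature that Windows Installer packages use. The directory, file names and contents below are constructed; the registry path is the one polonus quoted.

```python
import hashlib
import os
import tempfile

# OLE Compound File Binary signature; Windows Installer .msi/.msp packages use this container.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Service key quoted in the thread for Win32.Bifrose.ri (HKEY_LOCAL_MACHINE hive).
BIFROSE_SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\SecSvc"


def sha256_of(path, chunk=1 << 20):
    """Stream the file so multi-megabyte patches are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_msp_dir(installer_dir):
    """Inventory every .msp in installer_dir: name, size, SHA-256 and whether the
    first eight bytes are the OLE signature a genuine Installer patch carries."""
    results = []
    for name in sorted(os.listdir(installer_dir)):
        if not name.lower().endswith(".msp"):
            continue
        path = os.path.join(installer_dir, name)
        with open(path, "rb") as f:
            header = f.read(8)
        results.append({
            "name": name,
            "size": os.path.getsize(path),
            "sha256": sha256_of(path),
            "ole_header": header == OLE_MAGIC,
        })
    return results


def bifrose_service_key_present():
    """True if the SecSvc service key exists, False if not; None when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BIFROSE_SERVICE_KEY):
            return True
    except OSError:
        return False


def demo():
    # Constructed sample directory: two stand-in patch files, not real Office patches.
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "50de86.msp"), "wb") as f:
        f.write(OLE_MAGIC + b"\x00" * 1024)     # well-formed OLE container
    with open(os.path.join(d, "bogus.msp"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)            # PE header where an OLE one is expected
    report = triage_msp_dir(d)
    for r in report:
        print(r["name"], r["size"], r["sha256"][:16], "OLE" if r["ole_header"] else "NOT OLE")
    return report


if __name__ == "__main__":
    demo()
    print("SecSvc service key present:", bifrose_service_key_present())
```

Point `triage_msp_dir` at C:\Windows\Installer on an affected machine; a file whose header is not OLE, or whose hash is already known bad on VirusTotal, deserves more scrutiny than the mass of identically sized patches reported here.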
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: hlecter on July 24, 2009, 10:36:43 PM
Just to add:

I have a huge number of .msp files that do not give the FP.

I saw that the Virustotal example seemed to have a Powerpoint component.

The file I had was a Hotfix for Office.

So far a combination of Office and .msp.

I hope this gets solved sooner rather than later, considering it obviously hits quite a lot of Avast users.

HL

I saw all of Brandons files were 6.63 MB and can add that was the size of my file, too.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: kl on July 24, 2009, 10:52:43 PM
I got the same trojan horse message while I was trying to download an attachment from a colleague.  The document was in a format that required word to install something first, and it was while this process was happening that I got the message.  but Word never installed anything, because I didn't have whatever it needed on my hard drive.  I stopped the process and so was able to put the file in the virus chest.  I did send an email to ALWIL from the virus chest.  The affected file was ea10e.msp.  I don't know what this file does.  It was in WINDOWS\Installer.

Any info appreciated!
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Leafer on July 24, 2009, 11:20:16 PM
Thanks for the feedback all. I'll also go with the assumption that it is a false positive but will follow this thread in case something develops otherwise.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Seffrid on July 24, 2009, 11:31:15 PM
Just to clarify my own circumstances, in the light of kl's post, I was editing a Word document when Avast picked up on the alert. I have had Word installed for all of the couple of years I've had this hard drive. I wasn't installing, or being prompted to install, anything new but was simply reading through and editing a report sent to me (and which I've since scanned with no alerts).
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: tanman on July 24, 2009, 11:34:45 PM
I had the exact same detection - Win32:Bifrose-EGW [Trj]
4e4a5.msp
Size: 6956032
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Snagglegrain on July 25, 2009, 12:46:39 AM
A similar detection for me as well, posted here (http://forum.avast.com/index.php?topic=47074.0) in error... a Windows Installer file named c415ae.msp infected with Win32:Bifrose-EGW[Trj]
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: hlecter on July 25, 2009, 01:00:00 AM
A similar detection for me as well, posted here (http://forum.avast.com/index.php?topic=47074.0) in error... a Windows Installer file named c415ae.msp infected with Win32:Bifrose-EGW[Trj]


Looks like the answer is in the thread you originally posted in, too:

http://forum.avast.com/index.php?topic=47074.0

The crossposting is fulfilled.  :)

HL
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: nickpc on July 25, 2009, 03:39:23 AM
Apologies in advance, I'm new to this forum and found my way here after Googling "Win32:Bifrose-EGW [Trj]"
When I spotted this same detection I also noticed a popup about Mozy doing a version update on my system.

Probably completely coincidental but I thought I'd mention it.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: glane5910 on July 25, 2009, 03:55:27 AM
I just came up with the same warning today. I ran malwarebytes which showed no infection. I went ahead and ignored the warning and reported it as a possible false positive.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: rji on July 25, 2009, 12:12:48 PM
Hi,

I'm new here with my very first posting on any of Avast forums and couldn't help notice that apparently I have joined those with the Win32:Bifrose-EGW[Trj] infection as well.

I did my weekly standard virus scan awhile ago and it was detected in the 313a5f.msp file. size of file shows it as 6.96 MB

It's in the virus chest now. What do I do now? Just leave it there? Send it to Avast? Delete It?

Will it affect my computer in any way?

As I said, I'm new here and any inf/help/suggestions is certainly appreciated!  :)
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: hlecter on July 25, 2009, 12:34:52 PM
It's highly possible a False Positive that will be corrected in the next VPS-update.

Whatever you do, don't delete the file.

You can scan it in the Chest after new VPS-update to be sure.

As long as it stays in Chest it can't do any harm.

HL
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Fallen-Parts on July 25, 2009, 04:15:07 PM
Today I too got the same thing: c:Windows\Installer\735BF5.msp
I just turned on my computer and then the internet as I was waiting for it to connect was playing spider solitaire. So I wasn't actually downloading anything or doing anything out of the ordinary. Although this file did appear to have had last change 3/28/2006. I still moved it into chest first so I could be sure this was really a false positive alert.

From what it appears, with so many people getting the same file, different versions per se, it looks like this is another false positive alert. Although I couldn't email it to avast from the chest, or at least I don't think it went through. That was actually my first time doing that.

I can say that I did a windows update on the 21st a few days ago but again it appears to have been on my computer since 2006. Like others have said.

I've only had two false alerts since I have been using avast over 4 years now so that is pretty good in my book. All of which I was able to send into chest except for my email issue I just had to wait for an update vd and then I was able to get into it.

I will sit and wait before doing anything. Love having that chest because I don't have to worry about what to do.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: DavidR on July 25, 2009, 04:23:22 PM
See http://forum.avast.com/index.php?topic=47074.msg396483#msg396483 (http://forum.avast.com/index.php?topic=47074.msg396483#msg396483), should be fixed on VPS 090725-0.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Snagglegrain on July 25, 2009, 06:26:30 PM
Although I couldn't email it to avast from the chest or at list I don't think it went through. That was actually my first time doing that.
I encountered something quite similar, as I noted here (http://forum.avast.com/index.php?topic=47074.msg396483)...
Quote
I also noticed that when I tried to email the file to avast from the Chest (by clicking the email icon on the toolbar), nothing happened... that is, the Submit file dialog did not appear.    It does appear for other files in the Chest.  Any ideas?
Do you get the Submit file dialog when you highlight this particular file (735BF5.msp) and then click the email icon?  I did not, but as stated above, I get the dialog when highlighting every other file in the chest and clicking the email icon.

Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Fallen-Parts on July 25, 2009, 08:17:14 PM
Do you get the Submit file dialog when you highlight this particular file (735BF5.msp) and then click the email icon?  I did not, but as stated above, I get the dialog when highlighting every other file in the chest and clicking the email icon.

Like you I did not get the submit file dialog on that particular file. And like you, the others in there I did. Not sure why that is but it is. lol. I'm just waiting for Avast to update again with the definitions so it will be fixed, as many others have said.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Fallen-Parts on July 25, 2009, 08:18:06 PM
See http://forum.avast.com/index.php?topic=47074.msg396483#msg396483 (http://forum.avast.com/index.php?topic=47074.msg396483#msg396483), should be fixed on VPS 090725-0.

Thanks David this is what I figured.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: DavidR on July 25, 2009, 10:01:45 PM
That VPS update has been released now, so ensure you have it and scan those files again.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Snagglegrain on July 25, 2009, 10:37:43 PM
Sure enough, the update fixed my c415ae.msp false positive.  :)
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: Fallen-Parts on July 25, 2009, 10:44:39 PM
That VPS Update has been released now so if you ensure you have it and scan those files again.

I just updated and went into the chest section and scanned. No virus. So I did restore it and it states successful, but when I checked the chest again it's still there. Shouldn't it have deleted it out of the chest?
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: DavidR on July 25, 2009, 11:46:30 PM
A copy remains in the chest, confirm that the file has been copied back to the original location and if so delete the copy in the chest.
Title: Re: Win32:Bifrose-EGW [Trj]
Post by: kl on August 11, 2009, 06:53:44 AM
No postings on this in a few days - so is everyone agreed it's a false positive?
Any idea why .msp files are getting aggravated all of a sudden?
Has everyone restored the file from the chest with no problem?