Author Topic: Otwycal-X worm detected  (Read 7137 times)


crococ

  • Guest
Otwycal-X worm detected
« on: June 13, 2008, 02:59:08 PM »
Hello all,

While doing a complete SuperAntispyware scan, Avast sent me the following worm alert (info copied from the chest):

DLIMPORT.EXE      C:\WINDOWS\$NTSERVICEPACKUNINSTALL$   ...date...    Win32:Otwycal-[Wrm]

(At the moment this alert came, SAS was checking some of these $NTSERVICEPACK files).

Now, what to do to see if this worm has propagated itself and, if yes, how to stop it?

(I haven't done anything else other than submit this post yet).

TIA.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Otwycal-X worm detected
« Reply #1 on: June 13, 2008, 03:56:08 PM »
first you should check the file at www.virustotal.com to be sure if it is really malicious... the location of the file is pretty strange, let's see the virustotal analysis..

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89680
  • No support PMs thanks
Re: Otwycal-X worm detected
« Reply #2 on: June 13, 2008, 06:00:23 PM »
@ Maxx
Since this dlimport.exe is inside an $ntservicepackuninstall$ I would imagine it would exceed the 10MB upload maximum of VT and I don't believe it is possible to extract the dlimport.exe file from the ntservicepackuninstall archive ???
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

crococ

  • Guest
Re: Otwycal-X worm detected
« Reply #3 on: June 13, 2008, 06:01:10 PM »
first you should check the file at www.virustotal.com to be sure if it is really malicious... the location of the file is pretty strange, let's see the virustotal analysis..
well, I have submitted the file to VT, here are the results:

Avast   4.8.1195.0   2008.06.13   Win32:Otwycal-X
GData   2.0.7306.1023   2008.06.13   Win32:Otwycal-X

All other lines have a - (dash) in the 4th column.

Does this allow us to conclude this detection might be an FP?

A week ago, I removed, using the usual MS delete/modify program procedure (independently of what SAS had discovered), some adware pieces of code that came along with the Pando toolbar (see my previous post entitled "Pando false positive ?"). Do you think this might be related to the strange location of the suspicious file?

Even if this file might be an FP, can it spread itself anywhere?


crococ

  • Guest
Re: Otwycal-X worm detected
« Reply #4 on: June 13, 2008, 06:06:12 PM »
@ Maxx
Since this dlimport.exe is inside an $ntservicepackuninstall$ I would imagine it would exceed the 10MB upload maximum of VT and I don't believe it is possible to extract the dlimport.exe file from the ntservicepackuninstall archive ???
Here is some additional info as given by VT:

Information additionnelle
File size: 294912 bytes
MD5...: 6bd762c0ca605c88f96e3d84800a45bd
SHA1..: b26e89a134e8d8b2c4c84515c9ad2367cb7e2531
SHA256: 673bfcd1fd52c62933add4691b263f2aa573e160f997b8907e21676867bd40be
SHA512: dfb89f97c9dfb1203bee750a526bdf1c704f13e654265bede031a8116cb188b566c4962acd875dbaa3c032f8e0efdfcd92cb5d0ce1b18acbde680c8416afe134
PEiD..: Armadillo v1.71
PEInfo: PE Structure information

Hope it might help

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Otwycal-X worm detected
« Reply #5 on: June 13, 2008, 06:08:08 PM »
Avast   4.8.1195.0   2008.06.13   Win32:Otwycal-X
GData   2.0.7306.1023   2008.06.13   Win32:Otwycal-X
There are, indeed, some viruses that avast is the first (or among the first) to detect.
GData uses avast scanner as well. It's difficult to judge right now. Maybe yes, maybe not.

A week ago, I removed, using the usual MS delete/modify program procedure (independently of what SAS had discovered), some adware pieces of code that came along with the Pando toolbar (see my previous post entitled "Pando false positive ?"). Do you think this might be related to the strange location of the suspicious file?
Pando has had false positives in the last weeks.

Even if this file might be an FP, can it spread itself anywhere?
Why should you spread the file?
The best things in life are free.
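As an added example (not from the thread, from avast or from VirusTotal), a small triage helper that parses result lines in the layout crococ posted and applies Lisandro's point that GData runs the avast scanner, so two hits from that pair count as one independent detection. The non-detecting engine rows and the shared-engine map are constructed for the example; only the GData/avast relation comes from the thread.

```python
import re

# Constructed sample laid out like the 2008 VirusTotal report quoted in the thread:
# engine, engine version, signature date, result ("-" = not detected).
# The two detecting rows are the ones posted above; the "-" rows are placeholders.
VT_REPORT = """\
Avast   4.8.1195.0   2008.06.13   Win32:Otwycal-X
GData   2.0.7306.1023   2008.06.13   Win32:Otwycal-X
EngineC   1.0   2008.06.13   -
EngineD   1.0   2008.06.13   -
EngineE   1.0   2008.06.13   -
"""

# Engines that embed another vendor's scanner. Only the GData -> avast relation
# is taken from the thread; the mapping itself is an assumption of this example.
SHARED_ENGINE = {"GData": "Avast"}


def parse_report(text):
    """Return (engine, version, date, result) tuples; result is None for '-'."""
    rows = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}|\t", line.strip())
        if len(fields) != 4:
            continue  # skip headers or malformed lines
        engine, version, date, result = fields
        rows.append((engine, version, date, None if result == "-" else result))
    return rows


def independent_detections(rows):
    """Group detecting engines by the scanner they actually run."""
    groups = {}
    for engine, _, _, result in rows:
        if result is None:
            continue
        root = SHARED_ENGINE.get(engine, engine)
        groups.setdefault(root, set()).add(engine)
    return groups


def triage(text):
    rows = parse_report(text)
    groups = independent_detections(rows)
    # One scanner family flagging while every other engine is clean is the
    # pattern the thread treats as a probable false positive.
    if len(rows) >= 3 and len(groups) <= 1:
        verdict = "likely-fp: submit sample to vendor, exclude until re-scan"
    else:
        verdict = "treat-as-malicious: independent engines agree"
    return {"engines": len(rows), "families": groups, "verdict": verdict}
```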

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89680
  • No support PMs thanks
Re: Otwycal-X worm detected
« Reply #6 on: June 13, 2008, 06:08:46 PM »
I would say it is an FP but it may be worth sending the sample to avast for analysis and exclude the file C:\WINDOWS\$NTSERVICEPACKUNINSTALL* see below (the asterisk saves typing the full file name, I suggest excluding the archive file as I don't know if you can exclude a file within the archive or not).

I don't think this is related to your earlier issue.

See http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

crococ

  • Guest
Re: Otwycal-X worm detected
« Reply #7 on: June 13, 2008, 06:27:32 PM »
I would say it is an FP but it may be worth sending the sample to avast for analysis and exclude the file

OK, I have emailed the file along with a comment so I hope you can make the link.
Thanks for the help !

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89680
  • No support PMs thanks
Re: Otwycal-X worm detected
« Reply #8 on: June 13, 2008, 06:33:28 PM »
I would say it is an FP but it may be worth sending the sample to avast for analysis and exclude the file

OK, I have emailed the file along with a comment so I hope you can make the link.
Thanks for the help !

You're welcome.

I hope they can make the link too as I'm just an avast user like yourself.

crococ

  • Guest
Re: Otwycal-X worm detected
« Reply #9 on: June 13, 2008, 06:36:38 PM »

Why should you spread the file?

Well, I do not know how worms work: are they not supposed to spread and/or replicate (reincarnate) themselves forever? When a worm is detected, how should you best behave? Sorry, I do not know much about these beasts ...

PiotrW

  • Guest
Re: Otwycal-X worm detected
« Reply #10 on: June 13, 2008, 07:34:37 PM »
I got the same worm. Avast claims it infected my Windows Media Player (wmplayer.exe, to be exact).

Another false positive?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89680
  • No support PMs thanks
Re: Otwycal-X worm detected
« Reply #11 on: June 13, 2008, 08:31:17 PM »
There really is only one way to tell and that is by analysis as outlined in the above posts.

However, if my memory isn't playing tricks, wmplayer.exe may have featured in a previous detection (try the forum search). So a) ensure that you have the latest version of the avast VPS, b) ensure you have the latest version of WMP and c) if the file is still detected, upload to VT to confirm.

crococ

  • Guest
Re: Otwycal-X worm detected
« Reply #12 on: June 13, 2008, 09:52:11 PM »
There are, indeed, some viruses that avast is the first (or among the first) to detect.
GData uses avast scanner as well. It's difficult to judge right now. Maybe yes, maybe not.

Due to the recent Avast virus database (version 080613-1), it looks like the file is no longer considered a worm, so I have restored the file to its original location and removed the name of this file from the Avast exclusion list.

So I can assume this detection is definitively an FP, right?

Many thanks to the whole Avast support team !

Chunker

  • Guest
Re: Otwycal-X worm detected
« Reply #13 on: June 13, 2008, 10:39:53 PM »
Now this is of no help to me.  I did what I was supposed to do but avast didn't give me the option of returning two files from the chest back to the d (system restore) drive.  Thus they are lost.  The main false positive restored just fine to the c drive.  Do what you're supposed to do and get screwed!!!!!!

euroblaster

  • Guest
Re: Otwycal-X worm detected
« Reply #14 on: June 13, 2008, 11:43:39 PM »
Now this is of no help to me.  I did what I was supposed to do but avast didn't give me the option of returning two files from the chest back to the d (system restore) drive.  Thus they are lost.  The main false positive restored just fine to the c drive.  Do what you're supposed to do and get screwed!!!!!!
Can someone help me please. I am new here having never had trouble with it in four years! I haven't had time to read about how this forum works because I need help quickly.
This post relates to 1-18. I keep getting the same warnings (3 in all) but I cannot get Avast to quarantine them. It keeps telling me that they are being used by another programme. Every time I try to do something to resolve the problem I get the same message when I am asked by Windows update to install it, which installs up to the first 5 and then everything freezes. I keep getting stuck with Windows update and the Avast virus alert open but frozen! Can someone please help before I go nuts. I have very little tech skills but normally can handle stuff. I have even panicked and pulled the plug just to clear the desktop but I keep getting this problem. Help!!