Author Topic: Malware or not ???  (Read 10011 times)


Sydney

  • Guest
Malware or not ???
« on: July 25, 2008, 04:55:39 PM »
Hi there, just wondering if anyone could kindly help out:
Avast found the following in C:\WINNT\system\32\i
Win32:Downloader-BKN [trj]   

It was initially found when I first installed Avast in May of this year, after coming from AVG and Avira. Moved it to the chest for a while, restored it later, neither had any effect as far as I could tell. Could not identify any damage to data. I have therefore not yet attempted to remove this "malware", but would need to know what to do with it in the long run. (Never had any viruses in the past).
Virustotal-result below.
Uncertain how to proceed. Is this malware or a FP ?? Any further advice would be greatly appreciated.
Many thanks, Sydney


Antivirus     Version     Last Update     Result
AhnLab-V3     2008.7.25.1     2008.07.25     -
AntiVir     7.8.1.12     2008.07.25     -
Authentium     5.1.0.4     2008.07.24     -
Avast     4.8.1195.0     2008.07.25     BV:Ftp-L
AVG     8.0.0.130     2008.07.25     -
BitDefender     7.2     2008.07.25     Generic.Botget.4F977CAC
CAT-QuickHeal     9.50     2008.07.24     -
ClamAV     0.93.1     2008.07.25     Trojan.Downloader.Small-1042
DrWeb     4.44.0.09170     2008.07.25     -
eSafe     7.0.17.0     2008.07.24     -
eTrust-Vet     31.6.5981     2008.07.25     BAT/FTPDownloader
Ewido     4.0     2008.07.25     -
F-Prot     4.4.4.56     2008.07.24     -
F-Secure     7.60.13501.0     2008.07.25     Trojan-Downloader.BAT.Ftp.ab
Fortinet     3.14.0.0     2008.07.25     BAT/Dloader.AB!worm
GData     2.0.7306.1023     2008.07.25     BV:Ftp-L
Ikarus     T3.1.1.34.0     2008.07.25     Trojan-Downloader.BAT.Ftp.AB
Kaspersky     7.0.0.125     2008.07.25     -
McAfee     5346     2008.07.24     W32/Sdbot.worm!ftp
Microsoft     1.3704     2008.07.24     TrojanDownloader:BAT/Ftper.gen
NOD32v2     3298     2008.07.25     -
Norman     5.80.02     2008.07.24     Text/BotFTP.gen
Panda     9.0.0.4     2008.07.25     W32/Sdbot.ftp.worm
PCTools     4.4.2.0     2008.07.24     BAT.Botget.B
Prevx1     V2     2008.07.25     -
Rising     20.54.42.00     2008.07.25     -
Sophos     4.31.0     2008.07.25     Mal/BotFTP-A
Sunbelt     3.1.1536.1     2008.07.18     -
Symantec     10     2008.07.25     Downloader
TheHacker     6.2.96.389     2008.07.25     W32/SdBot.worm
TrendMicro     8.700.0.1004     2008.07.25     BAT_FTPER.C
VBA32     3.12.8.1     2008.07.24     -
ViRobot     2008.7.25.1310     2008.07.25     BAT.Ftp.E
VirusBuster     4.5.11.0     2008.07.24     BAT.Botget.B
Webwasher-Gateway     6.6.2     2008.07.25     -

Additional information
File size: 70 bytes
MD5...: 47473f9195c3530f4b249b10e35c9214
SHA1..: e2646619ad8444a2db392086363b5aaa8c441b60
SHA256: daa63fc5c7a7af1f08779a50a4dba5f9da62c340e283284fe8500e40b74d549a
SHA512: b656f4ac5e7f3872216235e6d4c10e9e0b3f418751a4e3e686356ba54aba4bc5fcd64bb48a1e9963d1dcffb37b7fc31767d039ae7b17929f4e7a5e314815bead
PEiD..: -
PEInfo: -

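A small triage helper, added here as an example (not part of the thread or any vendor's tooling), that parses an excerpt of the VirusTotal table above, counts the engines flagging the file, and groups the differing vendor names by the traits the replies later reconcile them to (FTP script, Sdbot-type bot, downloader); the trait keywords are my own assumption.

```python
import re
from collections import Counter
# Excerpt of the VirusTotal table posted above (engine, version, update, result); "-" = not flagged.
VT_RESULTS = """\
Avast     4.8.1195.0     2008.07.25     BV:Ftp-L
AVG     8.0.0.130     2008.07.25     -
BitDefender     7.2     2008.07.25     Generic.Botget.4F977CAC
ClamAV     0.93.1     2008.07.25     Trojan.Downloader.Small-1042
F-Secure     7.60.13501.0     2008.07.25     Trojan-Downloader.BAT.Ftp.ab
McAfee     5346     2008.07.24     W32/Sdbot.worm!ftp
Microsoft     1.3704     2008.07.24     TrojanDownloader:BAT/Ftper.gen
NOD32v2     3298     2008.07.25     -
Sophos     4.31.0     2008.07.25     Mal/BotFTP-A
TrendMicro     8.700.0.1004     2008.07.25     BAT_FTPER.C
"""
# Assumed traits used to reconcile the vendor names: an FTP script, dropped by an
# Sdbot-type bot, whose job is to download more malware (needles matched case-insensitively).
FAMILY_TRAITS = [("ftp-script", ("ftp",)), ("bot", ("bot",)),
                 ("downloader", ("download", "dloader"))]

def parse_vt_table(text):
    """Split the whitespace-aligned table into (engine, result) rows; result None = not flagged."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 4:  # skips a header line and blank lines
            engine, _version, _updated, result = parts
            rows.append((engine, None if result == "-" else result))
    return rows

def detection_ratio(rows):
    return sum(1 for _, r in rows if r), len(rows)  # (engines flagging it, engines queried)

def trait_votes(rows):
    """Count how many detecting engines assign each trait, ignoring vendor-specific naming."""
    votes = Counter()
    for _, label in rows:
        if label:
            low = label.lower()
            votes.update(t for t, needles in FAMILY_TRAITS if any(n in low for n in needles))
    return votes

def summarize(text, min_engines=3):
    """Triage verdict: several engines agreeing on the same traits argues against a false positive."""
    rows = parse_vt_table(text)
    hits, total = detection_ratio(rows)
    votes = trait_votes(rows)
    agreed = sorted(t for t, n in votes.items() if n >= min_engines)
    verdict = "consistent detection" if hits >= min_engines and agreed else "inconclusive"
    return {"hits": hits, "total": total, "traits": dict(votes), "verdict": verdict}
```

Running `summarize(VT_RESULTS)` on the excerpt reports 8 of 10 engines flagging the file, with the FTP-script trait shared by most of them, which is the "walks like a duck" reasoning of the thread made explicit.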

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89201
  • No support PMs thanks
Re: Malware or not ???
« Reply #1 on: July 25, 2008, 05:32:00 PM »
I think the VT results are pretty clear: the avast detection was good and it is malware, which should have remained in the chest for a few weeks prior to being check scanned 'inside' the chest and, if still detected, deleted. One thing for sure, it is no FP.

Is this path correct, C:\WINNT\system\32\i ?

The C:\WINNT\system\32\i seems strange to start with; C:\WINNT\system32\ is more likely, and if correct it would imply that it is designed to confuse so a user doesn't remove it.

What is your OS ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Sydney

  • Guest
Re: Malware or not ???
« Reply #2 on: July 25, 2008, 06:00:11 PM »
Hi David, thanks for getting back to me.
Win 2000.
This path is correct (had mistakenly added a backslash before - sorry !!!):
C:\WINNT\system32\i 
The file properties show it has been in place pretty much ever since I had the computer.
I had the file in the chest for nearly 2 months, but it still is identified as being infected.
I sent it to the Avast support two times, never received a reply.
Also sent the file to the Avira support (including the VT results), but they insist it is clean.
So really don't know who and what to believe and what to do ???
Thanks again,
Sydney.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Malware or not ???
« Reply #3 on: July 25, 2008, 06:59:30 PM »
I won't judge that this file is clean... really, too many 'important' antivirus products are detecting it as being infected. Do you need that file? I mean, why did you restore it?
The best things in life are free.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Malware or not ???
« Reply #4 on: July 25, 2008, 07:12:00 PM »
Walks like a duck, talks like a duck, smells like a duck. Oh yeah, that's because it's a duck.

Quote
On first execution, Trojan-Downloader.BAT.Ftp.ab creates a file in the following location:
C:\WINDOWS\SYSTEM32\I.

http://www.microworldtechnologies.com/virus_info/virusalertd.asp?vid=920
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Sydney

  • Guest
Re: Malware or not ???
« Reply #5 on: July 25, 2008, 07:18:03 PM »
Hi Tech, no I personally do not "need" that file at all. But I thought Windows did - otherwise: why should it have been there ever since Windows had been installed ??
So you think it's o.k. to just delete the whole file ?? (i.e. move it to the chest again & delete it from there) rather than trying to fix it ?
Also, how come various antivirus programs detect different "bugs" (a worm/a trojan/etc.)?
Thanks,
Syd.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Malware or not ???
« Reply #6 on: July 25, 2008, 07:29:00 PM »
Quote
Mal/BotFTP-A is a malicious FTP script typically created by IRC backdoor worms of the Sdbot family.

http://www.sophos.com/security/analyses/viruses-and-spyware/malbotftpa.html

It downloads more malware, so some AV's call it a Trojan downloader.

C:\WINDOWS\SYSTEM32\I

Quote
On clean installations there is no such file in the system32 directory. This is malware.

http://forum.kaspersky.com/lofiversion/index.php/t11781.html

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89201
  • No support PMs thanks
Re: Malware or not ???
« Reply #7 on: July 25, 2008, 07:30:44 PM »
Win 2000.
This path is correct (had mistakenly added a backslash before - sorry !!!):
C:\WINNT\system32\i 

That is better, though it is also unusual to have single-character folder names (or is that the file name with no file type, which is also suspect). Is there anything else in that folder?

The file properties show it has been in place pretty much ever since I had the computer.
I had the file in the chest for nearly 2 months, but it still is identified as being infected.
I sent it to the Avast support two times, never received a reply.

File properties aren't entirely reliable, as it depends on whether this value is the creation or the last modified date. Signatures are constantly added and updated, so it isn't unusual to see a file that wasn't previously detected now detected. This is why it is important to send to the chest (rather than delete) and confirm the detection at VT, and in this case it confirms a good detection.

You will not normally receive a reply unless they need more information; they will analyse the submitted sample and if it was an FP would correct the VPS so it would no longer be detected. Obviously if it is still considered infected then there would be no change to the VPS.

Also sent the file to the Avira support (including the VT results), but they insist it is clean.
So really don't know who and what to believe and what to do ???

They would obviously still say it is clean as they still don't detect it, but in the face of the VT results, I'm afraid I couldn't accept that assurance.

I still don't know the file name that was detected; you gave a folder location and a malware name but no file name, so there is no way to know what the file is associated with using google, etc. and give any advice/assurance.

Sydney

  • Guest
Re: Malware or not ???
« Reply #8 on: July 25, 2008, 07:46:16 PM »
Wow, Frank, David, thanks a lot for the infos, it all makes more sense now. You guys are great !
@ Dave: that's all I've got: "Original location: C:\WINNT\system32". "Name: i".
I think Frank's duck is a duck  :) (Please see links in his 2 posts).
So: where to from here ? Move to chest & delete from there or deal with it some other way ??
Thanks so much again !
Syd.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89201
  • No support PMs thanks
Re: Malware or not ???
« Reply #9 on: July 25, 2008, 08:56:38 PM »
<snip>
@ Dave: that's all I've got: "Original location: C:\WINNT\system32". "Name: i".
<snip>
So: where to from here ? Move to chest & delete from there or deal with it some other way

Essentially since you have had it in the chest previously for some time and repeat scans still show infected, you should be able to safely delete it without sending to the chest.

Have you got any anti-spyware tools installed? If so, what?
If not, those that Spiritsongs posted would be a good addition to your overall security.

Sydney

  • Guest
Re: Malware or not ???
« Reply #10 on: July 25, 2008, 10:28:50 PM »
Hi, I wish posts would not just disappear from this thread....
I have been using Ad-Aware and Spybot on a regular basis, but nothing was ever found, apart from a few tracking cookies.
I have read Spiritsong's reply (which has now disappeared) and have in the meantime downloaded & run both: SuperAntiSpyware & Malwarebytes.
SAS just detected more tracking cookies (which I have deleted). Malwareb. did not find anything.
I cannot remember exactly what else Spiritsongs said, other than getting expert help....
So, David, you think it would be o.k. to just go into Windows Explorer and send the "i-file" to the rubbish-bin (rather than to the chest again)?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Malware or not ???
« Reply #11 on: July 25, 2008, 10:38:26 PM »
The "i-file" is malware, as I think has been demonstrated beyond reasonable doubt. Perhaps some "expert help" might be what you need after all...  :-\

Sydney

  • Guest
Re: Malware or not ???
« Reply #12 on: July 25, 2008, 11:04:28 PM »
Frank, yeah, I entirely agree and you have proven beyond doubt that it is malware. In his post (now not showing any more), "Spiritsong" suggested running both applications (SAS & Malwarebytes), implying that they might get rid of the problem altogether - so that's just what I did. Except neither fixed the problem...
"Spiritsong" also suggested using another forum for "expert help" (? which), whereas DavidR seems to be saying to simply delete the i-File..

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Malware or not ???
« Reply #13 on: July 25, 2008, 11:13:34 PM »
Spiritsongs turns up occasionally, recommends SUPERAntiSpyware, recommends that the poster seeks "expert advice" on another forum, and then goes away again for a week or two.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89201
  • No support PMs thanks
Re: Malware or not ???
« Reply #14 on: July 25, 2008, 11:25:03 PM »
Personally I feel this might be a remnant of a previous infection and the idea of running the other programs (which are specialist anti-spyware/trojan programs) is a belt and braces approach to confirm there is nothing else lurking.

They also look in the registry for malicious entries (which avast doesn't do in its scans); for something to run there will normally be an associated registry entry.

I see no point in sending the i file to the chest when that has been done before, so since we are all agreed after investigation that this is malware, delete it.

Same sentiment on Spiritsongs' 'seek expert advice' as FWF: you should be fine where you are.