Author Topic: Found trojan in my virtual W2000 hard drive under Parallels  (Read 12032 times)

0 Members and 1 Guest are viewing this topic.

keithhmh

  • Guest
Found trojan in my virtual W2000 hard drive under Parallels
« on: December 05, 2008, 12:57:36 AM »
My latest scan has shown up the following (which my Windows Antivirus doesn't find).
How do I handle it  - I am worried that I might do something that will deny me access to my virtual hard drive.

also, what is err 42110 against cline.dat

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re: Found trojan in my virtual W2000 hard drive under Parallels
« Reply #1 on: December 05, 2008, 02:26:14 AM »
you are going to have to deal with it from within windows. parallels stores its hard disk image as one file, if you delete the file you delete your parallels image. Use the windows version of avast to remove the virus.


Error Numbers are here:
http://forum.avast.com/index.php?topic=36190.msg303750#msg303750
« Last Edit: December 05, 2008, 02:28:00 AM by .: Mac :. »
"People who are really serious about software should make their own hardware." - Alan Kay

keithhmh

  • Guest
Re: Found trojan in my virtual W2000 hard drive under Parallels
« Reply #2 on: December 05, 2008, 09:03:56 AM »
Sorry to ask again but I can't see what err. no. 42110 is - am I misreading the list

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Found trojan in my virtual W2000 hard drive under Parallels
« Reply #3 on: December 05, 2008, 02:33:42 PM »
Sorry to ask again but I can't see what err. no. 42110 is - am I misreading the list

Hallo, 42000 is the base of engine-specific errnos. thus, 42110 is decompression bomb (archive, that looks like hand-crafted stuff with intentionally prepared insane compression ratio).

The fact that the virus was found in the disk image, but now directly when the image was running might be due to:

- the virus is active and performs good stealth technique (probably not the case)
- you used "scan full files" on macos x, but not on windows (increase the setting toward more thorough scan onWindows)
- the VPS virus database on Windows and Mac is different (not from the same issue date), and in one of them, the detection is not present. update both to the latest versions and re-scan.

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

keithhmh

  • Guest
Re: Found trojan in my virtual W2000 hard drive under Parallels
« Reply #4 on: December 08, 2008, 11:40:58 AM »
Is there any way to turn off the display of er 13's?

Could you post a new version of the error numbers please - that list doesn't show 42110. Can you fix the list as an "Err no" thread at the top of the forum please?
I downloaded Avast Home for Windows last night and ran it on my virtual Windows 2000 system under Parallel's and it found no viruses. I immediately reran Avast for MAC and it says the virus Win32:SdBot-gen28 virus is still present on my win2000.hdd

What is that virus and is there any other way to track it down on my parallel's W2000 system?

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re: Found trojan in my virtual W2000 hard drive under Parallels
« Reply #5 on: December 10, 2008, 05:26:37 PM »
Is there any way to turn off the display of er 13's?

Could you post a new version of the error numbers please - that list doesn't show 42110. Can you fix the list as an "Err no" thread at the top of the forum please?
I downloaded Avast Home for Windows last night and ran it on my virtual Windows 2000 system under Parallel's and it found no viruses. I immediately reran Avast for MAC and it says the virus Win32:SdBot-gen28 virus is still present on my win2000.hdd

What is that virus and is there any other way to track it down on my parallel's W2000 system?

The number of Error 13 messages will be reduced in the next version.

the list I provided is up to date and it does show error 42110 see my quote below:
Quote
ERR_ENGINE110 "The file is a decompression bomb"

error 42xxx are internal errors so they are under section 2 in the link I provided above

« Last Edit: December 10, 2008, 05:29:02 PM by .: Mac :. »
"People who are really serious about software should make their own hardware." - Alan Kay

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Found trojan in my virtual W2000 hard drive under Parallels
« Reply #6 on: December 17, 2008, 09:56:04 AM »
Is there any way to turn off the display of er 13's?

Could you post a new version of the error numbers please - that list doesn't show 42110. Can you fix the list as an "Err no" thread at the top of the forum please?
I downloaded Avast Home for Windows last night and ran it on my virtual Windows 2000 system under Parallel's and it found no viruses. I immediately reran Avast for MAC and it says the virus Win32:SdBot-gen28 virus is still present on my win2000.hdd

What is that virus and is there any other way to track it down on my parallel's W2000 system?

42000 is the "BASE" of engine-specific errnos. thus, have a look for BASE+110 (the second part).
this bug is somehow strange, are you ready to do some low-level shamanism, to help us unleash it? :)

1) on Mac, open Terminal Utility, and write:
echo -e -n "2\001\067\001\071\001/\001\062\001/\001\063\001\062\001\061\001]\001J\001Q\001D\001%\001\001\001@@" >probe_file
then, scan the file with avast Mac Edition, then, put the file inside Parallels, and scan it there using avast for Windows. On both machines, something should be detected, and if not, let us know.

2) well, you file was detected in both cases. now, on MacOS, use some hexa-editor (this, for example: http://ridiculousfish.com/hexfiend/ ), and search the parallels file for the occurence of this hexa-sequence:
32 01 37 01 39 01 2f 01 32 01 2f 01 33 01 32 01 31 01 5d 01 4a 01 51 01 44 01 25 01 01 01 40 40
when not found in the whole parallels file, let us know. if found, have a look around the occurence to get a clue which file might it belong to. then, try to scan this file under Parallels.

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

keithhmh

  • Guest
Re: Found trojan in my virtual W2000 hard drive under Parallels
« Reply #7 on: December 21, 2008, 11:14:28 PM »
Hi Zilog, I tried to enter your data string into Terminal and got the following response: 

Last login: Sun Dec 21 07:38:59 on console
(macname):~ (myname)$ echo -e -n
(macname):~  (myname)$ "2\001\067\001\071\001/\001\062\001/\001\063\001\062\001\061\001]\001J\001Q\001D\001%\001\001\001@@">probe_file
-bash: 2\001\067\001\071\001/\001\062\001/\001\063\001\062\001\061\001]\001J\001Q\001D\001%\001\001\001@@: No such file or directory
(macname):~  (myname)$ echo -e -n
(macname):~  (myname)$ 2\001\067\001\071\001/\001\062\001/\001\063\001\062\001\061\001]\001J\001Q\001D\001%\001\001\001@@>probe_file
-bash: 2001067001071001/001062001/001063001062001061001]001J001Q001D001%001001001@@: No such file or directory
 (macname):~  (myname)$

As you can see, I tried it with and without the quote marks. What am I doing wrong?

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Found trojan in my virtual W2000 hard drive under Parallels
« Reply #8 on: January 02, 2009, 03:09:56 PM »
Hi Zilog, I tried to enter your data string into Terminal and got the following response: 

Last login: Sun Dec 21 07:38:59 on console
(macname):~ (myname)$ echo -e -n
(macname):~  (myname)$ "2\001\067\001\071\001/\001\062\001/\001\063\001\062\001\061\001]\001J\001Q\001D\001%\001\001\001@@">probe_file
-bash: 2\001\067\001\071\001/\001\062\001/\001\063\001\062\001\061\001]\001J\001Q\001D\001%\001\001\001@@: No such file or directory
(macname):~  (myname)$ echo -e -n
(macname):~  (myname)$ 2\001\067\001\071\001/\001\062\001/\001\063\001\062\001\061\001]\001J\001Q\001D\001%\001\001\001@@>probe_file
-bash: 2001067001071001/001062001/001063001062001061001]001J001Q001D001%001001001@@: No such file or directory
 (macname):~  (myname)$

As you can see, I tried it with and without the quote marks. What am I doing wrong?

hallo,
you 're pushing enter too much :>. just type the line as was given (it's one looong line, just occupying more lines), and at the end (after >probe_file) it's the right time to press enter :).

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

keithhmh

  • Guest
Re: Found trojan in my virtual W2000 hard drive under Parallels
« Reply #9 on: January 08, 2009, 01:11:51 PM »
Sorry it took so long to re-try the string you wanted me to type in, my wife went into hospital and it somewhat focused my mind.

The Mac scan found

"win32:SdBot-gen28[trj]

and as soon as I copied the file to the Parallels desktop Avast screamed virus found and  displayed a yellow/red warning line. It also displayed a subwindow asking what I wanted to do with the file and I took the recommended route of moving it to the quarantine virus chest.

Do you want me to do anything else. I will try and find the hex string you asked about but please be patient for the moment

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Found trojan in my virtual W2000 hard drive under Parallels
« Reply #10 on: January 09, 2009, 01:23:28 AM »
Sorry it took so long to re-try the string you wanted me to type in, my wife went into hospital and it somewhat focused my mind.

The Mac scan found

"win32:SdBot-gen28[trj]

and as soon as I copied the file to the Parallels desktop Avast screamed virus found and  displayed a yellow/red warning line. It also displayed a subwindow asking what I wanted to do with the file and I took the recommended route of moving it to the quarantine virus chest.

Do you want me to do anything else. I will try and find the hex string you asked about but please be patient for the moment

Hallo,
well, now we know enough to explain it:

- both versions of avast are capable of catching this malware (expected)
- the malware apparently exists in the parallels image (some sector contains it), but isn't accessible as file from windows

thus, it might be simply some infection, which existed in Parallelised Windows in the past, but the file was deleted (but, the sectors with the infected data remained polluted, and thus, might be detected when scanning the whole image sector by sector, as Mac sees it).

what could help here is so called "disk wiper", which "wipes" (zeroes) unused sectors, to get rid of all the former data that might remain there. there are pleeenty of wipers for free, for windows (for example http://www.softdd.com/no-file-recovery/)

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)