Author Topic: Win32:Bifrose-EGW [Trj]  (Read 24577 times)


Leafer

  • Guest
Win32:Bifrose-EGW [Trj]
« on: July 24, 2009, 03:08:16 PM »
Avast Home 4.8 indicated a "Warning" for the following:

Sign of "Win32:Bifrose-EGW [Trj]" has been found in "C:\WINDOWS\Installer\78604.msp"

At the time it appeared, I was running a SUPERAntiSpyware system scan, which is something I do regularly as well as running a MalwareBytes' Anti-Malware scan. I run the scans consecutively (not concurrently). I also use SpywareBlaster as part of my desktop's security.

I tried to find specific information on the above detection on the AVAST forums but to no avail. Furthermore, it would not allow me to quarantine the file as it stated it was in use so my only option was to delete it.

Running XP SP3 (with IE8). Everything else is up to date (MS security patches, SAS, MBAM, most recent version of Java, etc).

Could you please advise if the above detection is a valid or a false positive? If required I can post a HJT or other log files if necessary. In the interim, I will run another full AVAST scan pending your reply.

Thanks in advance.

Jtaylor83

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #1 on: July 24, 2009, 03:29:38 PM »
Upload the file to VirusTotal and post results.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Win32:Bifrose-EGW [Trj]
« Reply #2 on: July 24, 2009, 04:03:39 PM »
Unless you have made a typo, the file name, or rather the file type, looks strange: .MSP (though it could be a Windows Installer patch file), when MS installer files are usually .MSI.

The nondescript numeric file name is also strange as they tend to be a little more descriptive of what program (or possibly in this case Patch) they represent.

So it certainly warrants further investigation at VT as mentioned by Jtaylor83.

You may need to take some additional actions to upload it to VT without avast blocking it:
Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Leafer

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #3 on: July 24, 2009, 04:47:51 PM »
Thanks for the prompt replies. Unfortunately I couldn't send it to the Virus Chest at the time it was identified; the only option was to delete it.

As for a possible typo, I doubt it as I cut and pasted the info directly when the Warning splash box appeared. It was definitely a .msp file extension. I tossed the info copied directly into a notepad file.

I have since completed a full system scan with Avast and nothing out of the ordinary was detected.
« Last Edit: July 24, 2009, 04:49:36 PM by Leafer »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Win32:Bifrose-EGW [Trj]
« Reply #4 on: July 24, 2009, 04:51:38 PM »
Deletion isn't really a good first option (you have none left); 'first do no harm': don't delete, send the virus to the chest and investigate. I would sooner ignore than delete, and investigate.

It is strange that it couldn't be sent to the chest but could be deleted; what errors were given for not being able to send it to the chest?

You can't do a system-wide scan with VirusTotal; it is a multi-engine scanner and you upload single files for scanning by multiple engines, for confirmation purposes.

Leafer

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #5 on: July 24, 2009, 04:59:12 PM »
I just realized I couldn't do a system wide scan with VirusTotal (as you just indicated).

The message I was getting at the time is that the file could not be moved to the Chest as it was actively running (or in use) and I didn't try the Ignore option, I simply deleted it.

(PS - Sorry, I used the terminology "quarantine" as opposed to "Chest" in my initial post which may have added to the confusion).

I always follow the same steps when running my security scans. I close all browser windows, use ATF Cleaner to dump cache, then run the scans. The only thing weird about the process is that SAS was running and about 50% complete when the Avast Warning appeared.

RickWood

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #6 on: July 24, 2009, 05:05:18 PM »
I have had this same problem today. I couldn't move the file or delete it. I think it's because my administrator account is disabled and I only have power user privileges. Does this sound right?

hlecter

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #7 on: July 24, 2009, 06:14:26 PM »
Just to add to the Bifrose-EGW [Trj] discussion:

Sign of "Win32:Bifrose-EGW [Trj]" has been found in "C:\WINDOWS\Installer\50de86.msp"

I am pretty sure this is a false one; got it with today's defs only, and in a file that has stayed there for years.

Tried uploading it to VT, but the speed of my upload is very low so I had to cancel that.

There often is a .msp file behind a .msi file and I have a lot of .msp files.

I let it alone.

It would be fine if somebody could upload such a file to Virustotal.

Whatever you do, don't delete it.

Regards
HL

« Last Edit: July 24, 2009, 06:32:35 PM by hlecter »

Pernikkel

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #8 on: July 24, 2009, 06:18:50 PM »
Today, during a scan with Avast, I also got a warning for this Trojan. I was able to move it to the chest and was surprised to find out this file was on my pc since 2006, and only now came up as a Trojan. Could this be a false positive?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Win32:Bifrose-EGW [Trj]
« Reply #9 on: July 24, 2009, 06:31:04 PM »
Hi Pernikkel,

Could be a false positive, whenever this is not found in the registry:
Win32.Bifrose.ri creates the following registry key to register itself as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecSvc

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
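The triage the thread converges on (hash the file for VirusTotal, check whether Windows Installer itself owns the cached .msp, and look for the SecSvc service key polonus mentions) can be scripted. The following is an added example, not code from the thread or from avast; the default path is the one from the first post, and the Installer UserData\...\Patches\...\LocalPackage registry layout it reads is assumed to be present on the machine being checked.

```powershell
# Constructed triage helper for a Windows Installer cache file flagged by AV.
# It does not decide malicious/benign; it collects the facts a human or the
# AV vendor needs: hash, timestamps, Installer ownership, SecSvc key presence.
param(
    # Path to the flagged file; default taken from the first post in the thread
    [string]$Path = 'C:\WINDOWS\Installer\78604.msp'
)

function Get-Sha256Hex([string]$FilePath) {
    # .NET hashing so this also works on old PowerShell without Get-FileHash
    $stream = [System.IO.File]::OpenRead($FilePath)
    try {
        $bytes = [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
    } finally { $stream.Close() }
}

function Find-InstallerPatchOwner([string]$FilePath) {
    # Windows Installer records each applied patch under
    # HKLM\...\Installer\UserData\<SID>\Patches\<squished GUID>\LocalPackage,
    # pointing at the cached .msp; a match means Installer put the file there.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'
    foreach ($sid in Get-ChildItem $base -ErrorAction SilentlyContinue) {
        $patches = Join-Path $sid.PSPath 'Patches'
        foreach ($p in Get-ChildItem $patches -ErrorAction SilentlyContinue) {
            $local = (Get-ItemProperty $p.PSPath -ErrorAction SilentlyContinue).LocalPackage
            if ($local -and ($local -ieq $FilePath)) { return $p.PSChildName }
        }
    }
    return $null
}

if (-not (Test-Path $Path)) { Write-Host "File not present: $Path"; return }
$item   = Get-Item $Path
$owner  = Find-InstallerPatchOwner $Path
$ownerText = if ($owner) { "yes (patch key $owner)" } else { 'no' }
# Service key the thread associates with Win32.Bifrose.ri; absence is evidence
# for a false positive, presence warrants a deeper look, not deletion.
$secSvc = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SecSvc'

Write-Host "File     : $Path"
Write-Host "Size     : $($item.Length) bytes"
Write-Host "Created  : $($item.CreationTime)   Modified: $($item.LastWriteTime)"
Write-Host "SHA256   : $(Get-Sha256Hex $Path)   (search this on VirusTotal before uploading)"
Write-Host "Registered Windows Installer patch: $ownerText"
Write-Host "SecSvc service key present        : $secSvc"
```

A file that Installer owns, with a creation date years back and no SecSvc key, fits the false-positive picture the later posts describe; the hash lets you check VirusTotal without first having to exclude a folder and upload the file.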

hlecter

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #10 on: July 24, 2009, 06:37:32 PM »
Hi Polonus;

Nothing of that kind in my registry, a FP I think, but can't prove it, of course.  :)

HL

Pernikkel

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #11 on: July 24, 2009, 06:50:29 PM »
Good evening Polonus

No such key in my registry either.

speckledbird

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #12 on: July 24, 2009, 07:14:07 PM »
I sent from the virus chest to alwil team

Win\installer\8c22ad.msp\win32:Bifrose-EGW (trj)

hope this helps to get answers of what we are dealing with.

thank you for your work. I very much appreciate the answers I find here.

Becky

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Win32:Bifrose-EGW [Trj]
« Reply #13 on: July 24, 2009, 07:20:54 PM »
Hi Pernikkel,

As far as I'm concerned, put it down as a false positive. To be sure you can still upload it to virustotal.com and to avast. They usually remove FPs quickly and it may already be gone with the next avast update,

greetings and have a nice weekend,

@speckledbird,

I bet it is a FP. Let's see. They will repair this soon I guess,

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Win32:Bifrose-EGW [Trj]
« Reply #14 on: July 24, 2009, 07:24:33 PM »
<snip>
The message I was getting at the time is that the file could not be moved to the Chest as it was actively running (or in use) and I didn't try the Ignore option, I simply deleted it.
<snip>
I always follow the same steps when running my security scans. I close all browser windows, use ATF Cleaner to dump cache, then run the scans. The only thing weird about the process is that SAS was running and about 50% complete when the Avast Warning appeared.

When this happens you should use avast's unique boot-time scan feature, where the file won't be in use, as Windows hasn't fully started.
If you have XP, Vista 32-bit or Win2k, you can enable a boot-time scan. Right click the avast icon, select Start avast! Antivirus; a memory scan will take place followed by the opening of the Simple User Interface, then Menu, 'Schedule boot-time scan...'. Or see http://www.digitalred.com/avast-boot-time.php.

I too believe this could possibly be a false positive detection, but since it has been deleted there really is no way to investigate further. Since we have other detections on the same file type we may be able to get to the bottom of it.