Author Topic: Win32:Bifrose-EGW [Trj]  (Read 24639 times)

DavidR
Re: Win32:Bifrose-EGW [Trj]
« Reply #15 on: July 24, 2009, 07:26:43 PM »
I sent from the virus chest to alwil team

Win\installer\8c22ad.msp\win32:Bifrose-EGW (trj)

hope this helps to get answers of what we are dealing with.
<snip>

You could submit the file to virustotal as I outlined in Reply #2 above, that should give us a quick answer one way or the other.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

hlecter

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #16 on: July 24, 2009, 07:28:46 PM »
I dug into my file and it was a hotfix from MS concerning Office XP.

As far as I could find out, my file was the installer for a patch for:

MS SharePointTeamServices for Office XP which is on my machine.
KB 911701, fullfile  Norwegian version.

Thanks

HL

GramFell

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #17 on: July 24, 2009, 07:46:23 PM »
My Aunt just called to tell me she had a Trojan and that it was in the Chest.  Ran over here to check it out, and it's the identical Trojan that everyone else is talking about in this thread.  The "offending" file is currently residing in the Chest.

On checking the information about the file, I show it's been on this laptop since my Aunt purchased it.  I was very concerned while I was driving over here, since this has never happened before.  Now, along with some others, will be watching to see if this file turns out to be a false positive.  Been using Avast! for years, and still highly recommend it, even with a false positive!   ;)   :D

Thanks for such a great group of people!  I'll be watching the forum on a regular basis now.

JoP
St. Louis, MO
USA

Pernikkel

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #18 on: July 24, 2009, 07:56:27 PM »
Hello Polonus

OK. I'll wait and see a bit longer before I take any action.

Wishing you a pleasant weekend too.

hlecter

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #19 on: July 24, 2009, 07:59:13 PM »
This is an English language forum, use PM for personal messages.

Regards
HL

Seffrid

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #20 on: July 24, 2009, 08:51:18 PM »
I've also had an alert for this, an hour or so ago, in a windows\installer\22efdf1.msp file. I've ignored it for now.

DavidR
Re: Win32:Bifrose-EGW [Trj]
« Reply #21 on: July 24, 2009, 09:49:14 PM »
Submit to avast as a possible false positive as the more samples sent the better for analysis.

Send the sample to virus@avast.com, zipped and password protected, with the password in the email body; a link to this topic might help, and "false positive" in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

brandon0413
Re: Win32:Bifrose-EGW [Trj]
« Reply #22 on: July 24, 2009, 09:57:02 PM »
This came up on 9 computers out of about 25 at work today. Most before I got in this morning and a few just popped up this afternoon.

Win32:Bifrose-EGW [Trj]

filenames each 6.63MB in size on different computers in the C:\Windows\Installer\ folder:
1d07530.msp
69bb6.msp
253a0b.msp
64129.msp
47d7d4f.msp
3cc9f55.msp
4f78f3.msp
5851a.msp
959a6.msp

virustotal treated them all as the same file and gave this link:
http://www.virustotal.com/analisis/79db13a96db5ec145867d87b178abc926eb951c0605f621de69aad48e8916860-1248460069


Anybody know if these files are safe or not??

cromag

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #23 on: July 24, 2009, 10:05:08 PM »
I just thought I'd add that I found it too.  It looks like it's been on the computer since 2006.  I put it in quarantine and I'll await the outcome.

I'm just glad that I didn't follow my usual procedure of scanning at 4 AM!  I hate when this happens at bedtime!  ;)

DavidR
Re: Win32:Bifrose-EGW [Trj]
« Reply #24 on: July 24, 2009, 10:15:29 PM »
This came up on 9 computers out of about 25 at work today. Most before I got in this morning and a few just popped up this afternoon.

Win32:Bifrose-EGW [Trj]

filenames each 6.63MB in size on different computers in the C:\Windows\Installer\ folder:
1d07530.msp 69bb6.msp  253a0b.msp 64129.msp 47d7d4f.msp 3cc9f55.msp 4f78f3.msp
5851a.msp 959a6.msp

virustotal treated them all as the same file and gave this link:
http://www.virustotal.com/analisis/79db13a96db5ec145867d87b178abc926eb951c0605f621de69aad48e8916860-1248460069

Anybody know if these files are safe or not??

Given what is said in this topic already it looks like the alert is somehow triggered by the .msp file type, as opposed to the actual content. So it could be something in the file header info.

Given your VT results it confirms it is highly likely it is a false positive as GData uses avast as one of its two scanning engines, so effectively this is a detection only by avast.

I would suggest sending a couple of samples to avast as per the info in my last post.
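The two observations above (VirusTotal treating nine differently named files as one, and the suspicion that the file header is involved) can be checked locally before submitting samples. The following is an added example, not part of any post in this thread: it groups flagged files by SHA-256 and checks for the OLE compound file signature that .msi/.msp packages begin with. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Signature of the OLE compound file container used by .msi/.msp packages.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def fingerprint(path, chunk_size=1 << 20):
    """Return (sha256 hex, size, has_ole_header), reading the file in chunks."""
    digest = hashlib.sha256()
    size = 0
    head = b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            if not head:
                head = chunk[:8]
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size, head == OLE_MAGIC


def group_flagged(paths):
    """Group flagged files by content hash so one lookup covers every copy."""
    groups = defaultdict(lambda: {"size": 0, "ole": False, "files": []})
    for p in map(Path, paths):
        sha, size, ole = fingerprint(p)
        entry = groups[sha]
        entry["size"], entry["ole"] = size, ole
        entry["files"].append(p.name)
    for entry in groups.values():
        entry["files"].sort()
    return dict(groups)


def demo():
    """Constructed sample: identical bytes under three names, plus one odd file."""
    patch = OLE_MAGIC + b"constructed stand-in for the patch body" * 64
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("1d07530.msp", "69bb6.msp", "253a0b.msp"):
            (root / name).write_bytes(patch)
        # Constructed outlier: .msp extension but no OLE container header.
        (root / "other.msp").write_bytes(b"MZ" + b"\x00" * 100)
        return group_flagged(sorted(root.glob("*.msp")))


if __name__ == "__main__":
    for sha, info in demo().items():
        print(sha, info["size"], "OLE" if info["ole"] else "NOT-OLE", info["files"])
```

A single hash group across machines means one sample and one lookup cover every copy; a file in the group that lacks the container signature deserves a closer look before it is written off as part of the same false positive.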

hlecter

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #25 on: July 24, 2009, 10:36:43 PM »
Just to add:

I have a huge amount of .msp files that do not give the FP.

I saw that the Virustotal example seemed to have a Powerpoint component.

The file I had was a Hotfix for Office.

So far a combination of Office and .msp.

I hope this gets solved sooner rather than later, considering it obviously hits pretty many Avast users.

HL

I saw all of Brandon's files were 6.63 MB and can add that was the size of my file, too.
« Last Edit: July 24, 2009, 10:42:06 PM by hlecter »

kl

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #26 on: July 24, 2009, 10:52:43 PM »

I got the same trojan horse message while I was trying to download an attachment from a colleague.  The document was in a format that required Word to install something first, and it was while this process was happening that I got the message.  But Word never installed anything, because I didn't have whatever it needed on my hard drive.  I stopped the process and so was able to put the file in the virus chest.  I did send an email to ALWIL from the virus chest.  The affected file was ea10e.msp.  I don't know what this file does.  It was in WINDOWS\Installer.

Any info appreciated!

Leafer

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #27 on: July 24, 2009, 11:20:16 PM »
Thanks for the feedback all. I'll also go with the assumption that it is a false positive but will follow this thread in case something develops otherwise.

Seffrid

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #28 on: July 24, 2009, 11:31:15 PM »
Just to clarify my own circumstances, in the light of kl's post, I was editing a Word document when Avast picked up on the alert. I have had Word installed for all of the couple of years I've had this hard drive. I wasn't installing, or being prompted to install, anything new but was simply reading through and editing a report sent to me (and which I've since scanned with no alerts).

tanman

  • Guest
Re: Win32:Bifrose-EGW [Trj]
« Reply #29 on: July 24, 2009, 11:34:45 PM »
I had the exact same detection - Win32:Bifrose-EGW [Trj]
4e4a5.msp
Size: 6956032