Author Topic: false positive for the Firkin-gen worm?  (Read 6980 times)

0 Members and 1 Guest are viewing this topic.

kkaran168

  • Guest
false positive for the Firkin-gen worm?
« on: April 03, 2010, 03:21:56 PM »
Is this a false positive for the Firkin-gen worm?  The batch file contains no non-printable characters.  It creates a temporary batch file.  I used it on my work computer with out problems. NAV did not flag it then.   I also attached it to my Yahoo e-mail and NAV did not pick it up there.  Is this batch file safe?  Text of the batch file is below and is attached.

Many thanks in advance.

-- Ken

@echo off
rem
rem Put string "Current time is hh:mm:ss.ssp" in a file called "cu##ent.bat"
rem
    echo.|time|find "Current" >cu##ent.bat

rem
rem Put the string "set time=%3" in a file called "current.bat"
rem
    echo set time=%%3> current.bat

rem
rem Execute the first batch file in which the first word is the name of the second batch
rem file and whose third word is the time.  This calls the batch file CURRENT.BAT which takes
rem it's third argument -- the time -- and sets it to an environment variable called "time".
rem
    call cu##ent.bat
rem
rem At this point the time is in the environment but has colons and periods in it. Both are
rem bad news. They will be replaced by harmless dashes. CU##ENT.BAT and CURRENT.BAT are no
rem longer needed and will be overwritten below
rem
rem build a batch file that replaces the existing CURRENT.BAT.
rem misuse of the choice command puts the following string in the file "current.bat":
rem Note that commas can separate arguments to a file just as spaces can.
rem      cu##ent.bat [=,h,h,:,m,m,:,s,s,.,s,s,p,=]?=
rem

    echo = | choice /c=%time%= cu##ent.bat > current.bat
rem echo = | choice /c=%time%= cu##ent.bat | set time

rem
rem build a batch that replaces the existing cu##ent.bat
rem

rem Set echo off
    echo @echo off                   > cu##ent.bat
rem Clear environment variable, not needed
    echo set time=                  >> cu##ent.bat
rem Start top of loop
    echo :LOOP                      >> cu##ent.bat
rem make second arg first and so on
    echo shift                      >> cu##ent.bat
rem if you are at the end of the string created by the choice command, exit the loop
    echo if "%%1"=="]?" goto DONE   >> cu##ent.bat
rem if the argument is a colon or a period then concatenate the existing time variable with
rem a dash
    echo if "%%1"==":" goto REPLACE >> cu##ent.bat
    echo if "%%1"=="." goto REPLACE >> cu##ent.bat
rem otherwise concatenate the existing time variable with the next argument
    echo goto KEEP                  >> cu##ent.bat
rem labelled sections
    echo :REPLACE                   >> cu##ent.bat
    echo set time=%%time%%-         >> cu##ent.bat
    echo goto LOOP                  >> cu##ent.bat
    echo :KEEP                      >> cu##ent.bat
    echo set time=%%time%%%%1       >> cu##ent.bat
    echo goto LOOP                  >> cu##ent.bat
rem end of loop
    echo :DONE                      >> cu##ent.bat

rem
rem Call the CURRENT.BAT file which calls the CU##ENT.BAT file
rem
   call current.bat

rem
rem Remove the CURRENT.BAT and the CU##ENT.BAT files.
rem
    rem del cu??ent.bat > nul

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: false positive for the Firkin-gen worm?
« Reply #1 on: April 03, 2010, 03:29:16 PM »
It appears like your suspicion was correct. reference


>> Sending Samples to Virus Lab <<

There are two ways of sending samples to the virus lab.


1   Send the sample to virus@avast.com zipped and password protected with the password in email body. It would be better if the e-mail has:

  • False Positive or Undetected Malware as the title or heading
  • If you have a topic in the forums regarding the files you want to submit. It would be helpful to add a link to it in the e-mail body.

2  Open avast! > Maintenance > Virus Chest. From there, right click anywhere inside the Virus Chest and click Add... Choose the file(s) you want to be submitted then click Open when done. The file(s) you selected will appear on the chest, highlight it then right click and select Submit to Virus Lab
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

bong2x

  • Guest
Re: false positive for the Firkin-gen worm?
« Reply #2 on: April 03, 2010, 03:47:37 PM »
what is useful in that batch file?

why we can say that it is FP?



 

kkaran168

  • Guest
Re: false positive for the Firkin-gen worm?
« Reply #3 on: April 03, 2010, 04:23:43 PM »
what is useful in that batch file?

This utility batch file was called within other batch files.  It generates a temporary name.  The driver batch file creates a file with that name, uses it, and deletes it at end of job.  It is from http://www.ericphelps.com/batch/samples/namedate.txt .  He does have a workaround which doesn't trigger the Firkin warning, so I can delete if necessary.

Online polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33748
  • malware fighter
Re: false positive for the Firkin-gen worm?
« Reply #4 on: April 03, 2010, 04:27:43 PM »
@justaguy168,

This responds to the description here:
http://www.f-secure.com/v-descs/firkin.shtml

@bong2x
Right, because this worm's components are mostly BAT files

If not a False Positive the removal instructions are:
To remove Firkin, you must first stop any Firkin processes that are running in your computer's memory. To stop all Firkin processes, press CTRL+ALT+DELETE to open the Windows Task Manager. Click on the "Processes" tab, search for Firkin, then right-click it and select "End Process" key.

To delete Firkin registry keys, open the Windows Registry Editor by clicking on the Windows "Start" button and selecting "Run." Type "regedit" into the box and click "OK." Once the Registry Editor is open, search for the registry key "HKEY_LOCAL_MACHINE\Software\Firkin." Right-click this registry key and select "Delete."

Finally, to completely get rid of Firkin, you must manually remove other Firkin files. These Firkin files can be in the form of EXE, DLL, LSP, TOOLBAR, BROWSER HIJACK, and/or BROWSER PLUGIN. For example, Firkin might create a file like
%PROGRAM_FILES%\Firkin\Firkin.exe. Locate and remove these files,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

kkaran168

  • Guest
Re: false positive for the Firkin-gen worm?
« Reply #5 on: April 03, 2010, 04:38:11 PM »
It appears like your suspicion was correct. reference

I have sent an e-mail to virus@avast.com as you suggested.  Many thanks for the quick reply.

-- Ken

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2284
Re: false positive for the Firkin-gen worm?
« Reply #6 on: April 06, 2010, 08:51:38 AM »
Hello,
thank you for sending sample, FP was fixed.

Milos