Topic: Hybris worm in "System volume information..."

jimn

  • Guest
Hybris worm in "System volume information..."
« on: August 24, 2004, 05:27:54 PM »
New user of trial Pro version running XP Pro SP1 with critical patches applied.

I have received 8 (so far) warnings about the Win32:Hybris worm being in files that are all C:\System Volume Information\_restore{....

This really doesn't make a lot of sense to me.
So far I've taken comfort that they seem to be in RESTORE-related data, giving me hope that as long as I don't need to restore I shouldn't have any problem.

The question is: Does this make any sense and what am I supposed to do for these cases?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re:Hybris worm in "System volume information..."
« Reply #1 on: August 24, 2004, 05:38:20 PM »
Just disable the System Restore feature (Control Panel > System > System Restore), click Apply and, after that, enable it again.

This will delete the restore points (and with one of them, the infection) and enable it again. You don't even have to reboot between the disable/enable operation  8)
The best things in life are free.

jimn

  • Guest
Re:Hybris worm in "System volume information..."
« Reply #2 on: August 24, 2004, 05:47:02 PM »
Thanks, and I will do that.

But does it make sense that these would even be "infected", especially given that no other file has been reported (one would assume that something ELSE would have had to mess with these), nor have I knowingly ever had any infections on my system?
The full scan done first time only reported these and no others.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re:Hybris worm in "System volume information..."
« Reply #3 on: August 24, 2004, 05:50:30 PM »
I'm not an expert on virus infection... Maybe you should ask whocares, raman or anybody from the Alwil team. You may be lucky to have just one file infected... Maybe the virus, knowing that, infects only files in that folder  :P

Another possibility: automatic actions took place while you were running the antivirus (Silent Mode?)
The best things in life are free.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Hybris worm in "System volume information..."
« Reply #4 on: August 24, 2004, 06:26:33 PM »
It is just the way some files are encoded in that folder that is causing this. And you do need to reboot after disabling System Restore before all changes take effect.

jimn

  • Guest
Re:Hybris worm in "System volume information..."
« Reply #5 on: August 24, 2004, 06:41:37 PM »
Hi Eddy,

If I understand you correctly you are saying that most likely these files are **NOT** "infected", but the information they are storing and how they store it causes them to look like they are infected. Is that correct?

I just had another such warning 5 minutes ago, even though my VRDB went through all files overnight last night. AND I haven't had any cause for a new restore point to have been written (though possibly Avast! has, since it auto-downloaded a new file today).
NOTE: I have not yet deleted the restore points because I want to observe more first.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Hybris worm in "System volume information..."
« Reply #6 on: August 24, 2004, 07:25:15 PM »
The system restore alarms are generally not false positives. They mean that historically, your computer hit the worm (doesn't really mean the computer was ever infected, it can e.g. mean that you have received an email with an attachment infected by this worm).

The reason the System Restore files are hard to access is that by default, Windows sets quite strict access rights on the folder. Namely, even the Administrator cannot read the data in the folder. This may sound strange but that's a fact. The reason the avast on-access scanner can access the folder is that it uses low-level APIs and system process context for file access.

What you can also do is right-click the System Volume Information folder in Explorer and edit its ACL (Access Control List), i.e. the thing on the Security tab. Simply grant access to the folder to your account. You will then be able to see the contents of the folder (and so will the avast on-demand scanner).


Hope this clears it a bit,
Vlk
If at first you don't succeed, then skydiving's not for you.
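The ACL inspection and grant that Vlk describes via the Security tab, as an added example that is not part of this thread and not avast's own code: it assumes a modern Windows (Vista or later) elevated PowerShell session rather than the XP/cacls setup the thread is about, and it uses icacls for the grant because Set-Acl often fails on this folder when the caller is not its owner.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell session
# on Windows Vista or later; the XP-era equivalent of icacls is cacls.
$svi = 'C:\System Volume Information'

# Show who is currently allowed into the folder. On a default install this
# lists only NT AUTHORITY\SYSTEM, which is why Explorer and an on-demand scan
# running as Administrator get "Access is denied" while an on-access driver
# working in system process context does not.
(Get-Acl -Path $svi).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# Grant your own account read access to the folder and everything below it
# (OI = object inherit, CI = container inherit, R = read). This is the
# Security-tab step from the post, done from the command line.
$me = "$env:USERDOMAIN\$env:USERNAME"
icacls $svi /grant "${me}:(OI)(CI)R"

# Confirm the new entry is present and the contents are now listable, so an
# on-demand scan run under this account can reach the _restore{...} files.
(Get-Acl -Path $svi).Access | Where-Object { $_.IdentityReference -eq $me }
Get-ChildItem -Path $svi -Force | Select-Object Name, Length, LastWriteTime

# When the scan is done, remove the entry again so the folder returns to its
# SYSTEM-only default rather than staying readable to your account.
icacls $svi /remove:g $me
```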

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Hybris worm in "System volume information..."
« Reply #7 on: August 24, 2004, 07:32:59 PM »
Quote
Namely, even the Administrator cannot read the data in the folder.
A little correction/addition. You can access the folder if you want. HERE is how to do it.
« Last Edit: August 24, 2004, 07:33:27 PM by Eddy »

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Hybris worm in "System volume information..."
« Reply #8 on: August 24, 2004, 09:35:16 PM »
Correction/addition? This is exactly the procedure that I posted, right? :)
If at first you don't succeed, then skydiving's not for you.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Hybris worm in "System volume information..."
« Reply #9 on: August 24, 2004, 09:37:59 PM »
Quote
even the Administrator cannot read the data in the folder
Was just correcting that part. It is possible to read/view the data. But we are on the same line here Vlk ;)

I blame it on the fact that neither of our native languages is English. ;D
« Last Edit: August 24, 2004, 09:39:52 PM by Eddy »

jimn

  • Guest
Re:Hybris worm in "System volume information..."
« Reply #10 on: August 24, 2004, 11:16:38 PM »
Thank you BOTH, Eddy and Vlk!

I have lots of trouble with English myself and it's my native language!

I think virtually everyone here does a fantastic job with the English language, all things considered.

cheers

PS to Technical: The author of MONTAGE will soon, I anticipate, supply some information HERE about the program.

jimn

  • Guest
Re:Hybris worm in "System volume information..."
« Reply #11 on: August 25, 2004, 12:12:00 AM »
I just went to the System Restore dialog to delete the entries.
But, to my great surprise, I found that there were NO "restore points" recorded for today.
This has me perplexed in the extreme, because the reason I went there was that I had just received ANOTHER ALARM about a virus, and again it was a restore file!?

I'd like to understand what is going on here... there was no restore point created today yet 20 minutes ago I got another warning. What would have made Avast! even look at that file?? ESPECIALLY since I let the system run overnight to create a VRDB (which I assume looks at EVERYTHING and which did in fact wake me 3 times with alarms).

I'm delighted to protect my system but this situation really has me asking what is going on???

Is there somewhere that documents WHEN the system does its determinations? Is there somewhere that might explain why I am seeing this?
I know there are explanations above, but these relate to the virus and not to what is GOING ON.
I simply do not believe that what are being reported are viruses/worms, given the actions that have occurred on my system vis-a-vis Avast!

Any help appreciated

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re:Hybris worm in "System volume information..."
« Reply #12 on: August 25, 2004, 12:23:18 AM »
PS to Technical: The author of MONTAGE will soon, I anticipate, supply some information HERE about the program.

Thanks... I'm anxious for that  ;)
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re:Hybris worm in "System volume information..."
« Reply #13 on: August 25, 2004, 12:25:44 AM »
Jimn, I suggest browsing and searching the Microsoft webpages...
Anyway, neither Windows nor System Restore is deterministic software  8)
Welcome to Windowsland  ;D

If you want a real System Restore, try Symantec GoBack DeLuxe  ;)
The best things in life are free.

jimn

  • Guest
Re:Hybris worm in "System volume information..."
« Reply #14 on: August 25, 2004, 01:28:35 AM »
Hi Technical,

Searching MS will not tell me what Avast! is doing with these files and when it is doing it.

I just got another alarm. This time, when I looked at the log, I expanded it so that I could see the full file name. Turns out the more recent warnings were all for PREVIOUSLY WARNED ABOUT files where I had told Avast! to rename the file (seemed the safest alternative at the time).

The last warning in fact, after I told it to rename, has a name ending in .vir.vir! I assume you know that Avast!, when "Rename" is specified as the action on an alarm, adds the suffix ".vir" to the end.

Given that Avast! has a log, it might be VERY HELPFUL if it checked the log first before issuing SOME alarms. Specifically, in the case of a file name ending in ".vir" it seems logical that it could forgo warning again. And certainly renaming ".vir" to ".vir.vir" seems a bit odd.

Windowsland is almost Wonderland except that a whole lot of people are getting very wealthy because of Windows < s >

As regards System Restore, it's not that I want/need a better one, but that Avast! is looking at its files when it seems there is no real need to be doing so. I'd like to understand the timing of these warnings as well as their cause.

I'm NOT "blaming" Avast! for anything, just wanting to understand it AND avoid unnecessary alarms.