Author Topic: BART says pagefile.sys is infected with netsky ?  (Read 13262 times)


Offline johnt2004

  • Newbie
  • *
  • Posts: 10
BART says pagefile.sys is infected with netsky ?
« on: August 27, 2004, 11:45:32 PM »
Latest BART (trial) using today's defs.
The computer was infected with netsky and several trojans (which Symantec 9 did not catch!). It still reports that pagefile.sys contains "netsky-p [dll]".
I have turned paging off, deleted pagefile.sys with Salamander, turned paging back on, then rescanned, and it reports the virus is back.
The computer has not been on the network at all since I started working on it and reports this as the only infected file now.

Is this a false positive ?

Thanks.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:BART says pagefile.sys is infected with netsky ?
« Reply #1 on: August 27, 2004, 11:51:19 PM »
It's not (technically) a false positive because the sample is really there (although it's quite benign). Deleting the file didn't help because it doesn't overwrite the data -- it just deletes the directory entry. To delete the file thoroughly, you can use the Data Shredder from BART 2 (upgrade your install to BART 2 Beta as described in another thread on the forum - the "Introducing BART2..." thread) and shred pagefile.sys. That will do the trick.

Cheers,
Vlk
« Last Edit: August 27, 2004, 11:52:35 PM by Vlk »
If at first you don't succeed, then skydiving's not for you.

Offline johnt2004

  • Newbie
  • *
  • Posts: 10
Re:BART says pagefile.sys is infected with netsky ?
« Reply #2 on: August 27, 2004, 11:59:38 PM »
Interesting,
So when a system re-creates a file with the same name after deletion it uses the same area on disk and directory entry ?  I even changed the size of the pagefile when re-creating.

Can I upgrade my trial version of bart to Bart 2 ?

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:BART says pagefile.sys is infected with netsky ?
« Reply #3 on: August 28, 2004, 12:03:20 AM »
Quote
So when a system re-creates a file with the same name after deletion it uses the same area on disk and directory entry ?  I even changed the size of the pagefile when re-creating.

Usually not (normally it takes the nearest free clusters), but in the case of the page file, yes. The page file is a very special file that is unmovable on the disk because it is accessed at a low level, sector by sector (bypassing the file system). If you lowered the size of the file, it only means that the "sample" was present in the first part of the file.

Quote
Can I upgrade my trial version of bart to Bart 2 ?

Absolutely. In fact, you're encouraged to do so.


Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.
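The two points Vlk makes above (Reply #1: unlinking only drops the directory entry; Reply #3: the re-created page file lands on the same clusters, so the sample survives in the first part of the file) can be shown with a toy disk model. This is an added example, not avast or BART code; the cluster size, the disk size and the 16-byte "signature" are constructed stand-ins.

```python
# Toy disk: raw sectors plus a directory and a free-cluster list. Constructed
# example to show why unlinking a file leaves its bytes on disk while shredding
# (overwrite, then unlink) removes them. Not avast/BART code.
CLUSTER = 16
N_CLUSTERS = 64
SIGNATURE = b"EICAR-LIKE-TOKEN"  # constructed 16-byte stand-in for a detection string


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(CLUSTER * N_CLUSTERS)  # the raw sectors
        self.free = list(range(N_CLUSTERS))         # free clusters, ascending
        self.dirent = {}                            # name -> list of clusters

    def create(self, name, size):
        # Reserve the lowest free clusters without initialising them, the way a
        # page file is allocated; a re-created file gets back the clusters the
        # previous one just released, so old contents are still inside it.
        need = -(-size // CLUSTER)
        self.dirent[name], self.free = self.free[:need], self.free[need:]

    def write(self, name, offset, data):
        for i, b in enumerate(data):
            c, off = divmod(offset + i, CLUSTER)
            self.raw[self.dirent[name][c] * CLUSTER + off] = b

    def read(self, name):
        return b"".join(self.raw[c * CLUSTER:(c + 1) * CLUSTER] for c in self.dirent[name])

    def unlink(self, name):
        # Plain delete: drop the directory entry, leave every byte in place.
        self.free = sorted(self.free + self.dirent.pop(name))

    def shred(self, name):
        # Data-shredder behaviour: overwrite each cluster before releasing it.
        for c in self.dirent[name]:
            self.raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
        self.unlink(name)

    def raw_scan(self, pattern):
        # Offline-scanner view (BART booted outside the OS): search the raw disk.
        return self.raw.find(pattern) != -1


def demo():
    d = ToyDisk()
    d.create("pagefile.sys", 512)               # 32 clusters, uninitialised
    d.write("pagefile.sys", 48, SIGNATURE)      # malware memory paged out to disk
    d.unlink("pagefile.sys")                    # paging off, file "deleted"
    after_delete = d.raw_scan(SIGNATURE)        # True: bytes untouched
    d.create("pagefile.sys", 128)               # paging on, smaller file, same clusters
    in_new_file = SIGNATURE in d.read("pagefile.sys")  # True: first part of the file
    d.shred("pagefile.sys")
    after_shred = d.raw_scan(SIGNATURE)         # False
    return after_delete, in_new_file, after_shred
```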

Offline johnt2004

  • Newbie
  • *
  • Posts: 10
Re:BART says pagefile.sys is infected with netsky ?
« Reply #4 on: August 28, 2004, 12:12:05 AM »
:D Good, will do!

The fact that BART found the Trojans after multiple scans in safe mode with Symantec's latest version will likely lead to a purchase.
Being able to create a boot CD with the latest updates and run it that way is another big plus.

Thanks for the quick replies !

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:BART says pagefile.sys is infected with netsky ?
« Reply #5 on: August 28, 2004, 12:20:17 AM »
No AV program is able to scan pagefile.sys from the running OS because it's locked down by the OS and no program can access it (even for read access). On the other hand, "viruses" in pagefile.sys are really not a big deal as the contents of the file are not really reused after reboot (so it's useless). But anyway, it's physically still on the disk, so it makes sense to try to delete it.

I'd say the biggest plus of BART is cleaning. Stealth and/or driver-based viruses are becoming pretty common now and a regular AV running under the same OS as the virus has virtually no chance to detect/remove it (if the virus is written well).

Having the ability to do a clean boot (with no virus in memory, guaranteed) is great -- something that was available only back in the days of DOS when booting from a system diskette.


Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

Offline whocares

  • Super Poster
  • ***
  • Posts: 1698
  • I'm not a llama! :-)
Re:BART says pagefile.sys is infected with netsky ?
« Reply #6 on: August 28, 2004, 12:46:06 AM »
Hi Vlk,

Avast BART sure is great, esp. the NTFS write/clean access & RegEditor..  :)

Just a question for alternatives & FMI ...
-> in the long run and pretty complicated, too, but:
can the same be achieved by
- read-only scanning with ANY Boot-Disk/CD with NTFS-Read-Support (Linux, or even NTFSDOS),
- a decent AV-Scanner which of course needs to detect the malware,
- and AFTERWARDS DELETING malicious files via e.g. Win2000/XP-Setup-CD ?
(or replacing them with avast cleaner ;D ;D )

(Provided the crass deletion of the file doesn't damage the system too much, e.g. if inserted into ShellOpen or the like.. ?)

Thx for your input..

 :)

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:BART says pagefile.sys is infected with netsky ?
« Reply #7 on: August 30, 2004, 08:16:27 PM »
Sorry for the delay. :)

Quote
Just a question for alternatives & FMI ...
-> in the long run and pretty complicated, too, but:
can the same be achieved by
- read-only scanning with ANY Boot-Disk/CD with NTFS-Read-Support (Linux, or even NTFSDOS),
- a decent AV-Scanner which of course needs to detect the malware,
- and AFTERWARDS DELETING malicious files via e.g. Win2000/XP-Setup-CD ?
(or replacing them with avast cleaner   )

Basically, yes, but with much more effort. BART is not a revolution, but it can certainly make an admin's life simpler. In a professional IT environment, such a simplification can be of great value. This is why BART is primarily aimed at such customers instead of hobbyists/home users.


BART also features some important stuff such as registry cleaning after the infected files are removed/cleaned (just as you wrote) that can be extremely difficult to achieve otherwise.
If at first you don't succeed, then skydiving's not for you.

Offline whocares

  • Super Poster
  • ***
  • Posts: 1698
  • I'm not a llama! :-)
Re:BART says pagefile.sys is infected with netsky ?
« Reply #8 on: August 30, 2004, 09:16:09 PM »
thx a lot, Vlk
 :)  :)