Author Topic: Win32:CRYPTO infection  (Read 6762 times)


Offline Kamil

  • Newbie
  • *
  • Posts: 17
Win32:CRYPTO infection
« on: August 21, 2003, 02:50:05 AM »
Hi all,

I just conducted a boot-time drive AV scan with avast! and found the following:

C:\pagefile.sys is infected by Win32:Crypto

I tried "repair" but that only generated "Error 42060" and had to delete the pest.

So, I'd like to know:

1) How did this pest get past avast's scanner defenses?
2) Why does avast list pagefile.sys among its default "excludes" in the software's "Standard Shield"?  ???
3) By deleting the pagefile.sys file, have I lost something critical to my system's performance?  ???
4)  What does Win32:Crypto really do?

Thanks for listening--I'll be interested in your answers.

Kamil

PS  I'm running Windows XP Pro and avast! 4.0 Home Edition plus Outpost Firewall Pro 2.0 and Tauscan.

Offline kubecj

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1123
    • ALWIL Software
Re:Win32:CRYPTO infection
« Reply #1 on: August 21, 2003, 03:08:16 AM »
1) How did this pest get past avast's scanner defenses?

There's a non-zero (although very small) possibility that it's avast's own scan string which got swapped there. Or it may also be a string from another antivirus.

Quote
2) Why does avast list pagefile.sys among its default "excludes" in the software's "Standard Shield"?  ???

Because viruses can't reside there, the file is usually large, and it is susceptible to such false alarms.

Quote
3) By deleting the pagefile.sys file, have I lost something critical to my system's performance?  ???

Yeah, you've lost performance  ;) But most probably Windows re-created the file again.

See here for swap-file explanation: http://searchwin2000.techtarget.com/sDefinition/0,,sid1_gci213077,00.html


For the others: Don't do this at home!  ;D
« Last Edit: August 21, 2003, 03:10:12 AM by kubecj »
Jindrich Kubec

Offline Kamil

  • Newbie
  • *
  • Posts: 17
Re:Win32:CRYPTO infection
« Reply #2 on: August 21, 2003, 05:29:33 AM »
Well, that's somewhat reassuring--yet, after deleting the infected pagefile.sys last time around, it's back with the same Win32:Crypto infection  ??? ?

Is this file now permanently corrupted?  Scans in Windows (XP Pro) don't even flag the file, despite being removed from the exclude list....  Is this an avast bug, a false-positive, or a pest avast just can't deal with?

Answers will be most welcome.

K

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Win32:CRYPTO infection
« Reply #3 on: August 21, 2003, 09:04:06 AM »
Like kubecj said, the file is the Windows swap file and will be recreated after each restart. It is possible that Windows swaps out the memory that the avast scanner or Guard is/was using, and so the signatures could be swapped out too. And then avast gets fooled by its own signature. To avoid this, do not start or load avast while using Windows! But I do not think that you want that! :)
Just do no boot scan, or delete the swap file on shutdown. There is an option in Windows to do so, but it slows down the shutdown (more than a minute).
MfG Ralf
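
The mechanism kubecj and raman describe above, as an added illustration that is not part of the thread and not avast code: a toy scanner keeps its signature table in plain bytes, a page of that table is "swapped out" into a constructed page-file image, and a boot-time scan of that image then matches the scanner's own pattern. The pattern bytes, file names and the `NaiveScanner`/`HashedScanner` classes are all made up for the example (the bytes are not a real Win32:Crypto signature). The block also shows the two countermeasures a practitioner would want: the exclusion of swap and hibernation files that the thread mentions, and, going beyond the thread, storing signatures only as digests so the raw pattern never sits in the scanner's own memory. That second part is a general design option the editor added; it says nothing about how avast actually stores its signatures.

```python
"""Toy model of the self-match described in this thread: a scanner whose
signature table is paged out finds its own pattern in the page file.
Constructed for this page; not avast code, and the pattern is made up."""
import hashlib
from typing import Dict, Optional

# Hypothetical pattern standing in for a real scan string (NOT Win32:Crypto's).
SIG_LABEL = "Win32:Crypto"
SIG_BYTES = b"\x60\xe8\x00\x00\x00\x00\x5d\x81\xed\x06\x10\x40\x00"

# Memory-image files that hold no runnable code of their own: the XP page
# file and ME hibernation file from the thread, plus XP's hiberfil.sys.
VOLATILE_MEMORY_FILES = frozenset({"pagefile.sys", "hiberfil.sys", "vmmhiber.w9x"})


class NaiveScanner:
    """Keeps signatures verbatim, so a memory image of this scanner contains
    the exact bytes it is hunting for."""

    def __init__(self, signatures: Dict[str, bytes]) -> None:
        self.signatures = dict(signatures)

    def memory_image(self) -> bytes:
        """What a swapped-out page of this scanner's heap would hold."""
        return b"\x00" * 64 + b"".join(self.signatures.values()) + b"\x00" * 64

    def scan(self, data: bytes) -> Optional[str]:
        for label, pattern in self.signatures.items():
            if pattern in data:
                return label
        return None


class HashedScanner:
    """Keeps only a digest per signature and compares digests of equal-length
    windows, so the raw pattern is never present in its own memory."""

    def __init__(self, signatures: Dict[str, bytes]) -> None:
        self.digests = {label: (len(p), hashlib.sha256(p).digest())
                        for label, p in signatures.items()}

    def memory_image(self) -> bytes:
        return b"\x00" * 64 + b"".join(d for _, d in self.digests.values()) + b"\x00" * 64

    def scan(self, data: bytes) -> Optional[str]:
        for label, (length, digest) in self.digests.items():
            for off in range(len(data) - length + 1):
                if hashlib.sha256(data[off:off + length]).digest() == digest:
                    return label
        return None


def scan_volume(files: Dict[str, bytes], scanner) -> Dict[str, Optional[str]]:
    """Scan path -> contents, skipping swap/hibernation files the way the
    Standard Shield exclusion in the thread does ("excluded" marks a skip)."""
    verdicts: Dict[str, Optional[str]] = {}
    for path, data in files.items():
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        verdicts[path] = "excluded" if name in VOLATILE_MEMORY_FILES else scanner.scan(data)
    return verdicts


def demo() -> Dict[str, Dict[str, object]]:
    sigs = {SIG_LABEL: SIG_BYTES}
    # Constructed files: an infected sample really carries the pattern; the
    # page file holds whatever was paged out of the scanner's heap.
    infected = b"MZ" + b"\x90" * 200 + SIG_BYTES + b"\x90" * 50
    clean = b"MZ" + b"\x90" * 300
    results: Dict[str, Dict[str, object]] = {}
    for name, scanner in (("naive", NaiveScanner(sigs)), ("hashed", HashedScanner(sigs))):
        files = {r"C:\tools\sample.exe": infected, r"C:\clean.exe": clean,
                 r"C:\pagefile.sys": scanner.memory_image()}
        results[name] = {
            "volume": scan_volume(files, scanner),                        # exclusion in force
            "pagefile_if_scanned": scanner.scan(scanner.memory_image()),  # boot-time scan, no exclusion
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Running it, the naive scanner flags the page-file image with its own label while still finding the genuinely infected sample; the digest-based scanner finds the same sample but cannot match its own memory, because a 32-byte SHA-256 value is not the 13-byte pattern it derives from. The window-by-window hashing is deliberately simple and far too slow for a real engine; the point is the storage choice, not the search algorithm.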

Offline thmclin

  • Newbie
  • *
  • Posts: 1
Re:Win32:CRYPTO infection
« Reply #4 on: August 21, 2003, 03:00:36 PM »
Avast also told me that WIN32:CRYPTO infected my c:\windows\vmmhiber.w9x file, with 2 warnings that cite the same path and file.  Google located descriptions of the virus that indicate it attaches to the kernel32 file with certain signatures and can be very destructive, but none mention whether it affects Windows ME.   My kernel32 file is free of the signatures, but a search for the vmmhiber.w9x file yields no results.
1.  Why can't I find the file that Avast cites as infected?
2.  I did not instruct Avast to do anything with this virus, since the virus information (Symantec url <http://securityresponse.symantec.com/avcenter/venc/data/w32.crypto.html> ) states that deleting it takes out the files that the virus has encrypted, and that one must reinstall uninfected backup files, which I don't think I have.
3.  I have recently been getting error messages that the kernel32 has caused an error and will shut down (and the same type of message for some other dll's also), but when I shut down and reboot, the error messages do not reappear until I have shut down and rebooted 2 or 3 times.  Then they show up again and I have to shut down and reboot again.
4.  Symantec states the following:

"The virus targets the following anti-virus files:
AVP.CRC
IVP.NTZ
ANTI-VIR.DAT
CHKLIST.MS
SMARTCHK.MS
SMARTCHK.CPS
AGUARD.DAT
AVGQT.DAT
LGUARD.VPS

W32.Crypto does not infect popular anti-virus software or some other common applications that have self-check routines. It will refrain from infecting programs with names beginning with:

TB
F-
AW
AV
NAV
PAV
RAV
NVC
FPR
DSS
IBM
INOC
ANTI
SCN
VSAF
VSWP
PANDA
DRWEB
FSAV
SPIDER
ADINF
SONIQUE
SQSTART"

I assume this includes Avast.

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Win32:CRYPTO infection
« Reply #5 on: August 21, 2003, 03:08:11 PM »
Hm, I never used WinME, but for me the vmmhiber.w9x file could be the "swap" file for the hibernation mode (standby mode?) of ME. And that has the same effect the Windows swap file has, because Windows writes the contents of memory into that file before going into standby mode.
I think/hope Avast will fix that "bug" soon.

I found this link about the vmm* file: http://www.gateway.com.au/support/support_news9.htm
« Last Edit: August 21, 2003, 03:09:55 PM by raman »
MfG Ralf

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:Win32:CRYPTO infection
« Reply #6 on: August 21, 2003, 03:50:13 PM »
3.  I have recently been getting error messages that the kernel32 has caused an error and will shut down (and the same type of message for some other dll's also), but when I shut down and reboot, the error messages do not reappear until I have shut down and rebooted 2 or 3 times.  Then they show up again and I have to shut down and reboot again.
This virus needs to infect kernel32.dll to be active; it also infects DLLs, which you could have problems with. Check the end of kernel32.dll for suspicious data, or use any antivirus program to be sure (but I think, in this case, avast uses only a signature from the polymorphic envelope, which is not present in kernel32.dll and in all its infected files).
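
The check pk suggests above, looking at the end of kernel32.dll for appended data, as an added example that is not part of the thread and not avast code: it parses the PE section table, measures the "overlay" (bytes past the end of the last section, which is where a file-appending infector leaves its body), and subtracts any embedded Authenticode certificate table, which legitimately lives in the same place. `build_sample_pe` constructs a minimal PE32 image purely so the block runs offline; it is not a real binary, and the example knows nothing about the actual Win32.Crypto file layout.

```python
"""Added example: measure the data appended past the last PE section (the
overlay), which is where a file-appending infector leaves its body, and
subtract any embedded Authenticode signature that legitimately sits there.
Written for this thread; not avast code, and it knows nothing about the
real Win32.Crypto layout. Offsets follow the published PE/COFF format."""
import struct
import sys
from typing import Dict

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # certificate table; its "RVA" is a raw file offset


def pe_overlay(data: bytes) -> Dict[str, int]:
    """Return section end, file size, overlay size and the part of the overlay
    not covered by the certificate table ("unexplained_overlay")."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directories
    sec_off, sec_len = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    first_hdr = opt + opt_size
    end = 0
    for i in range(num_sections):
        # Section header: SizeOfRawData at +16, PointerToRawData at +20.
        raw_size, raw_ptr = struct.unpack_from("<II", data, first_hdr + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = max(0, len(data) - end)
    # Overlap between the overlay [end, len) and the certificate table [sec_off, sec_off+sec_len).
    signed = max(0, min(len(data), sec_off + sec_len) - max(end, sec_off)) if sec_len else 0
    return {"section_end": end, "file_size": len(data), "overlay_size": overlay,
            "signature_in_overlay": signed, "unexplained_overlay": overlay - signed}


def describe(data: bytes) -> str:
    r = pe_overlay(data)
    if r["overlay_size"] == 0:
        return "no data past the last section"
    if r["unexplained_overlay"] == 0:
        return f"{r['overlay_size']} overlay bytes, all covered by the certificate table"
    return f"suspicious: {r['unexplained_overlay']} unexplained bytes appended at offset {r['section_end']:#x}"


def build_sample_pe(overlay: bytes = b"", overlay_is_signature: bool = False) -> bytes:
    """Constructed minimal PE32 with one .text section, for offline testing only."""
    pe_off, opt_size, raw_ptr, raw_size = 0x80, 0xE0, 0x200, 0x200
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    if overlay_is_signature:                                  # point the certificate table at the overlay
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, raw_ptr + raw_size, len(overlay))
    sect = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(raw_ptr, b"\0")
    return header + b"\xC3" * raw_size + overlay


if __name__ == "__main__":
    # e.g.  python pe_overlay.py C:\Windows\system32\kernel32.dll
    with open(sys.argv[1], "rb") as fh:
        print(describe(fh.read()))
```

A non-zero `unexplained_overlay` on a system DLL is a reason to look closer, not proof of infection on its own: some legitimate files carry installer or resource data there, and a prepending or cavity infector would leave the overlay untouched. Many Windows system files are signed through catalog files rather than an embedded certificate table, so for them "no data past the last section" is the expected result.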

Offline Kamil

  • Newbie
  • *
  • Posts: 17
Re:Win32:CRYPTO infection
« Reply #7 on: August 21, 2003, 07:07:15 PM »
Some good news...

After having WinXP Pro "dispose" of the swap file's contents, the Win32:Crypto "infection" disappeared.  avast! scans at boot-up showed up clean, as did the Windows avast! scan.

To be safe, I uninstalled avast! and ran a copy of Panda Platinum 7 AntiVirus: the system was free of all pests except for a copy of Happy.exe buried in an "ancient" e-mail.

Now that I'm convinced that my system's virus-free, I'd still like a note from the avast! guys to explain where and how the Win32:Crypto bug crept in?  ???

Still an avast! believer,

K  8)

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:Win32:CRYPTO infection
« Reply #8 on: August 21, 2003, 07:17:57 PM »
Now that I'm convinced that my system's virus-free, I'd still like a note from the avast! guys to explain where and how the Win32:Crypto bug crept in?  ???

Good. Anyway, I would say we use a bad signature for the Win32.Crypto virus; as I said, I guess the signature (which may be weak) is taken from the end of the polymorphic loop (and is different in every new variant).