• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2047

Clamwin is reporting "Trojan.Aavirus": is it actually a virus, spyware, or something that Symantec uses?

We recently got hit by a virus. We are about to get rid of Symantec and go with Trend Micro for our antivirus solution. During this last outbreak we experienced our Internet connection getting saturated by traffic. We have since cleaned every PC using Clamwin. My question, after extensive Internet searching, is whether the virus "Trojan.Aavirus" is actually a virus, spyware, or something that Norton uses. I am finding mixed results on it online. One link I found that makes sense about it says "This parasite, as it is clear from its name, specializes in disabling the defense installed on the target computer. This technique is tremendously dangerous, because it makes system unable to resist other destructive parasites. What is more, AntiAntivirus also tries to download various Trojans and install them onto the infected machine." http://logiguard.com/spyware/a/antiantivirus.htm
This would make sense because of the virus outbreak that affected our Internet connection. It would also make sense because I am wondering how PCs running Symantec 7.5 allowed viruses (Trojans) to infect PCs.
The webpage in the above link mentions that the full name of "Trojan.Aavirus" is antiantivirus. When I searched for more info on this virus I found sites that gave me more info on this spyware program. I have not found one instance of a PC that is being reported by Clamwin as infected that was running the anti.exe process as described in the first link. I also found a couple of sites that say this is not really a virus: http://forums.clamwin.com/viewtopic.php?p=530&sid=cc49b92235dbf46f77c5c2c52303786c .
So my questions are these:
If this were really a false positive, it seems that, since Clamwin was having you remove a component of your corporate antivirus solution, someone would have quickly updated Clamwin to fix such a serious flaw.
If this is not a component of Symantec, the only thing that makes sense to me is that another version release other than 7.5 fixes this problem and Symantec considers this a spyware program and not a virus. Am I correct?
I guess my last question is, if this is not a virus or a threat to my network, why did I have so many Trojans infecting my PCs/servers (maybe 1 out of 5) and shareware installed on PCs/servers that I KNOW no one but me touches (our domain controller, for one)?

Before I began to clean infected PCs I ran a virus sweep with Symantec Corporate 7.5 and my Internet bandwidth was maxed out. Symantec did not catch the viruses that Clamwin found (big surprise), and as I cleaned PCs/servers I saw my bandwidth usage dropping. Is it just a coincidence that I got this "antiantivirus" reported back to me, with another site that says it is a destructive parasite that tries to download other Trojans and install them on infected PCs, when I really had another virus on my network?
Thanks in advance. I will give 500 pts to anyone who can give me a good explanation about the "Trojan.Aavirus" being reported as an infected file by Clamwin.
Asked by: Natldiag

3 Solutions

Irwin Santos, Computer Integration Specialist, commented:
Seems like you need some alternate cleaning methods. Being that you mentioned that you treated all your workstations, there could be inherent problems if you did NOT disconnect from your network, as the trojan may have traversed through to another machine.

As for that anti-ANTIvirus... I think Clamwin is NOT catching it, and you need some other third-party spyware, adware, or anti-viral solution. One thing that you didn't mention was running spyware screening software, which could in effect release that Trojan...

Here is my recipe
--------------------------
Download and Install.
http://www.majorgeeks.com/HijackThis_d3155.html

Copy and paste your log to:
http://www.hijackthis.de/index.php?langselect=english
Click ANALYZE

Look for NASTIES and post your results here
-------------------
Download Ewido, http://www.ewido.net/en/download/, install, open the program, check for updates, restart the computer, press F8 before the Windows logo appears, select safe mode, open Ewido, run a full system scan. Let Ewido delete all it finds; if anything is called serious by Ewido, disable Norton's GoBack and run Ewido again.
------------------------

Test this on a single workstation that is disconnected from the network...

Evidence of that trojan or instance?

The next step is to remove the hard drive from that workstation and attach it to a known good, NON-infected machine (basically, a brand new system with the latest antiviral solution & updates). Scan the hard drive and see if there are any instances.

One of these solutions should pick up the culprit and help you determine what is what.

The anti-anti-virus is like poison to kill the pain. ;-)
Natldiag (Author) commented:
Ok, so I am doing what you said now and will post the results when I am done. So is the "Trojan.Aavirus" that Clamwin keeps on finding in the SAV directory in VDB files a legitimate virus, or will you not know until I do what you asked? Thanks!
Natldiag (Author) commented:
Here is my log file contents (unedited) from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 9:16:37 AM, on 5/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = natldiag.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E54450D6-4EAD-4C60-A091-194BDEF5957D}: NameServer = 38.9.212.2,38.9.222.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = natldiag.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = natldiag.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

Irwin Santos, Computer Integration Specialist, commented:
Here's your analyzed log:
http://www.hijackthis.de/logfiles/ab580c49a07c46ad55a1941bfb05d82c.html

There are several "Nasties" that you should fix as prescribed by HijackThis... the next step is to run Ewido.
r-k commented:
Actually the HJT log seems fairly clean. The Unknown and Possibly Nasty items are just normal.
Natldiag (Author) commented:
Yeah, I think Clamwin got whatever it was. I noticed a network spike again the other day and found some more servers that were getting the "Trojan.aavirus" reported from the SAV folder in a .edb file. I removed that and any other virus that Clamwin reported. I am going to watch if my bandwidth spikes again and use Kiwi to find a PC that is broadcasting a lot of traffic. I will then run what was suggested to me in the appropriate steps. Does anyone know the answer to this question (below)?

Ok, so I am doing what you said now and will post the results when I am done. So is the "Trojan.Aavirus" that Clamwin keeps on finding in the SAV directory in VDB files a legitimate virus, or will you not know until I do what you asked? Thanks!
r-k commented:
I am fairly sure that any virus reported in the vdb files is a false positive.
Natldiag (Author) commented:
Why, when I remove the .vdb file Clamwin tells me is the "Trojan.aavirus", does Symantec still work? If Clamwin is pulling out Symantec files that it uses, it seems like someone would have fixed the problem.
Irwin Santos, Computer Integration Specialist, commented:
Here's some supporting info for you:

http://www.2-spyware.com/remove-antiantivirus.html
Natldiag (Author) commented:
Yeah, I saw that site before. There are also sites that I put in my first post that say it is a false positive, along with ones that say it is a virus.
Irwin Santos, Computer Integration Specialist, commented:
Find a workstation that has this virus, then apply the tool. If it removes it, then it is NOT a false positive, as it actually existed as a file and more than likely in the registry.
CyberGhost commented:
First of all, a difference between spyware and a virus should be (in my opinion, I'm not a virus expert) that spyware DOESN'T change your system settings (apart from the MSIE default page and similar funny stuff) but a virus DOES change your system state, i.e. disable firewall, antivirus, damage files and so on.
From your sources above that describe Trojan.aavirus, it would seem to me that Trojan.aavirus is really a virus.

To help you with your false positives: did you repeat your scan with any other antivirus apart from Clamwin? Something like NOD32 (www.eset.com) might help to answer your question about false positives. It has heuristic analysis that catches even potential infections that are not yet known.

regards,
CyberGhost
r-k commented:
You can try the suggestion by irwinpks, but as far as I can see the message is a false positive. The .VDB files are just the virus definitions that Symantec uses to look for viruses, so it is possible another AV program might find a false match within them. This used to be quite common a while back, and is one reason people don't suggest multiple AV programs on the same machine.

As far as I can see, all the links point to a file named anti.exe being the virus.

Also, your HJT log is clean.

If you suspect the virus might be truly "hidden", get and run RootkitRevealer from:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html

Don't do too many other things while it is running to avoid false positives.

Since you had a virus outbreak it's a good idea to run RKR, I think, just in case someone left behind a rootkit.

Since your server was affected, I would recommend reviewing the accounts there to be sure no new accounts got created. Also look for all open ports (netstat -ab).

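An added example, not from this thread or from either vendor, showing the mechanism r-k describes: a toy signature scanner (constructed signatures and files, not real ClamAV or Symantec data) flags another scanner's definition file because that file necessarily contains the very byte patterns being searched for, and excluding the definitions folder from the scan is what removes the false positive.

```python
"""Added example (not from this thread): why scanner A can 'detect' a
virus inside scanner B's definition files, and the usual fix (exclude
the other vendor's definition folder). All signatures and files below
are constructed toy data, not real ClamAV or Symantec content."""
import tempfile
from pathlib import Path

# Toy signature table for scanner A: detection name -> byte pattern.
SCANNER_A_SIGS = {
    "Toy.Worm.Anti": b"ANTIAV-PAYLOAD-MARKER",
    "Toy.Dropper.X": b"DROP\x90\x90\x90CALL",
}

def scan_bytes(data: bytes, sigs: dict) -> list:
    """Return the names of all signatures whose pattern occurs in data."""
    return [name for name, pattern in sigs.items() if pattern in data]

def scan_tree(root: Path, sigs: dict, exclude_dirs=()) -> dict:
    """Scan every file under root; skip any file whose path contains a
    directory named in exclude_dirs (case-insensitive).
    Keys of the result are POSIX-style paths relative to root."""
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if any(part.lower() in exclude_dirs for part in rel.parts[:-1]):
            continue
        found = scan_bytes(path.read_bytes(), sigs)
        if found:
            hits[rel.as_posix()] = found
    return hits

def write_scanner_b_definitions(dest: Path) -> None:
    """Scanner B keeps raw patterns in a .vdb-like file. Because it must
    hold the same bytes scanner A hunts for, scanner A matches the file."""
    dest.write_bytes(b"VDB1\n" + b"\n".join(SCANNER_A_SIGS.values()) + b"\n")

def demo() -> tuple:
    """Return (hits with no exclusions, hits with the 'sav' folder excluded)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sav").mkdir()
        write_scanner_b_definitions(root / "sav" / "defs.vdb")
        (root / "notepad.exe").write_bytes(b"MZ clean program bytes")
        naive = scan_tree(root, SCANNER_A_SIGS)
        fixed = scan_tree(root, SCANNER_A_SIGS, exclude_dirs=("sav",))
    return naive, fixed
```

Running `demo()` shows the definitions file as the only "infected" file in the naive scan and an empty result once the definitions folder is excluded; the clean program is never flagged.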
Natldiag (Author) commented:
It makes sense what you are saying. Coincidentally, I had been using Clamwin and it did not pull that file until right about the time the network got hit by a virus. I am not convinced, though, that "Trojan.aavirus" is what we had, because I have yet to find anti.exe residing on any PCs. I am going to watch for another bandwidth spike and do the recommendations on a PC I suspect is infected.
Thanks for all of your help! I will let you know if I find the exact culprit.
Irwin Santos, Computer Integration Specialist, commented:
cool.. we'll be waiting.
r-k commented:
CyberGhost: thanks for joining the thread. You raised an interesting question about the difference between a virus and spyware. Historically, a virus was any bit of code that was hidden within some other normal file, e.g. it could hide within Notepad.exe, or within a Word document, so that whenever you open Notepad or Word, you started the virus running. A "worm" was a malicious program that existed by itself. In our case "anti.exe" would be a worm because it has no reason to exist on a clean system.

Over time, worms became more malicious, and their behavior and intent led to terms like "spyware", "adware" and "malware" in general.

Traditional AV programs have also expanded their role to look for malware/spyware as well, so the definitions are a bit blurred. As you observed, many malware programs take steps to hide themselves by interfering with system functions, like rootkits. Spyware/malware is easier to write, so its numbers have been increasing faster than strict viruses.

To summarize:
  Hides within normal files = Virus
  Exists as its own separate file = Malware (worms, adware, spyware, rootkits, bots etc.)


CyberGhost commented:
r-k: thanks for your explanation, I've learned something new today :-)
Irwin Santos, Computer Integration Specialist, commented:
@natldiag....did you FORGET us?