Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Please Help Interpret Results - wmipvs.exe

Started by DerbyDad03 , Jan 05 2008 11:46 AM

  • Please log in to reply

#1
DerbyDad03
Posted 05 January 2008 - 11:46 AM

DerbyDad03

    Member

  • Member
  • PipPip
  • 78 posts
Greetings and Happy New Year.

I found a file on one of my systems and I am trying to understand its threat level.

One account (out of 4) began to pop-up an "Unknown Publisher - Do you want to run this file?" message for wmipvs.exe.

msconfig showed this file listed in the Startup tab for just 1 out of the 4 accounts. The file is located in c:\windows\system32.

SpyBot, AVG Spyware and CA Spyware and CA VirusScan do not recognize this file as a threat.

I have renamed the file to wmipvs.old to ensure it can't be run.

I uploaded the file to http://virusscan.jotti.org/ and received the results shown in the table below. My first question would be this: Why do different scanners show a different name for the same threat?

File: wmipvs.exe
Status: INFECTED/MALWARE
MD5: 135e4a9e8ad6e1c34314b45e23cd18c5
Packers detected: -
Bit9 reports: High threat detected (more info)

Scan taken on 05 Jan 2008 17:09:40 (GMT)
A-Squared Found nothing
AntiVir Found WORM/IrcBot.160768.1
ArcaVir Found nothing
Avast Found Win32:IRCBot-CFV
AVG Antivirus Found Obfustat.EJS
BitDefender Found Backdoor.IRCBot.ABEK
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found BackDoor.Oscar
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Backdoor.IRCBot.ABEK
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/Nugache
Norman Virus Control Found W32/Malware.ADIF
Panda Antivirus Found W32/Oscarbot.MT.worm
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


In addition, when I clicked on the (more info) link in the line that reads "Bit9 reports: High threat detected (more info)" it says the file name is index.html. What does that mean?

Search results by hash:MD5: 135e4a9e8ad6e1c34314b45e23cd18c5

File Information help »
File Name: index.html Description: Unknown
Version: Unknown MD5: 135e4a9e8ad6e1c34314b45e23cd18c5
Size: 157 KB SHA-1: de13836be7a8b964686e345adc92a975b8700a7e

Threat level
This file was analyzed on 9/28/2007 4:17:00 AM and multiple tests reported it as malicious.

File found in 1 package(s) from Honeypot 3:



Package name File name Operating system Language
File Collection index.html Unknown Unknown

Any enlightenment you can provide would be greatly appricated. Thanks!
  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP