Please Help Interpret Results - wmipvs.exe



#1
DerbyDad03

Greetings and Happy New Year.

I found a file on one of my systems and I am trying to understand its threat level.

One account (out of 4) began to pop up an "Unknown Publisher - Do you want to run this file?" message for wmipvs.exe.

msconfig showed this file listed in the Startup tab for just 1 out of the 4 accounts. The file is located in c:\windows\system32.

SpyBot, AVG Spyware and CA Spyware and CA VirusScan do not recognize this file as a threat.

I have renamed the file to wmipvs.old to ensure it can't be run.

I uploaded the file to http://virusscan.jotti.org/ and received the results shown in the table below. My first question would be this: Why do different scanners show a different name for the same threat?

File: wmipvs.exe
Status: INFECTED/MALWARE
MD5: 135e4a9e8ad6e1c34314b45e23cd18c5
Packers detected: -
Bit9 reports: High threat detected (more info)

Scan taken on 05 Jan 2008 17:09:40 (GMT)
A-Squared Found nothing
AntiVir Found WORM/IrcBot.160768.1
ArcaVir Found nothing
Avast Found Win32:IRCBot-CFV
AVG Antivirus Found Obfustat.EJS
BitDefender Found Backdoor.IRCBot.ABEK
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found BackDoor.Oscar
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Backdoor.IRCBot.ABEK
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/Nugache
Norman Virus Control Found W32/Malware.ADIF
Panda Antivirus Found W32/Oscarbot.MT.worm
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


In addition, when I clicked on the (more info) link in the line that reads "Bit9 reports: High threat detected (more info)" it says the file name is index.html. What does that mean?

Search results by hash: MD5: 135e4a9e8ad6e1c34314b45e23cd18c5

File Information
File Name: index.html
Description: Unknown
Version: Unknown
MD5: 135e4a9e8ad6e1c34314b45e23cd18c5
Size: 157 KB
SHA-1: de13836be7a8b964686e345adc92a975b8700a7e

Threat level
This file was analyzed on 9/28/2007 4:17:00 AM and multiple tests reported it as malicious.

File found in 1 package(s) from Honeypot 3:

Package name: File Collection
File name: index.html
Operating system: Unknown
Language: Unknown

Any enlightenment you can provide would be greatly appreciated. Thanks!