
potential FP on Trojan.Rootkit-3041?
Hi there

We picked up an infected machine, and ran ClamAV over it. ClamAV picked
up iastor.sys as Trojan.Rootkit-3041

However according to virustotal.com, only ClamAV claims this is infected
- so I'm wary of it.

However... the machine it was got from WAS infected with other viruses,
and windows\system32 contains THREE copies of iastor.sys: "iastor.sys",
"iaStor.sys" and "IaStor.sys" - which have two different sizes (but both
were detected as Trojan.Rootkit-3041 by ClamAV and nothing else)

So, that smells really suspicious to me - but I'm surprised no other AV
picks it. It isn't impossible ClamAV is ahead of everyone else on this
particular virus, so I thought I'd check here

Update: a week has passed since I saved this email to my Drafts - as I
initially decided to report it as a FP via the clamav.net website
instead. Anyway, a week has passed and clamav just declared a different
box as being infected - this time iastor.sys is Trojan.Rootkit-3054.
Again, nothing else picks it as a virus on virustotal.com, AND clamav
says copies of this file under "WINDOWS/dell/iastor/iastor.sys" and
"Drivers/DELL/SATA_RAID/driver_only/iastor.sys" are also infected -
which I find very hard to believe a virus would bother looking for.

Has anyone else been seeing FPs with iastor.sys?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
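The post lists several same-named copies of iastor.sys that ClamAV flags but that differ in size, which is exactly the situation where a reporter wants to know how many distinct files there really are before submitting an FP report. The helper below is an added example, not code from the post or from the ClamAV project: it hashes each suspected copy, groups them by content, and returns the minimal set of distinct samples to attach to a report. The directory layout and file bytes it builds are constructed stand-ins for the paths named in the thread, not real driver contents.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so a large driver need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_copies(paths):
    """Group suspected copies of one driver by content.

    Returns {sha256: {"size": int, "paths": [...]}}.  Copies with the same
    name but different digests are separate samples; copies with the same
    digest are one sample that merely lives in several places (the Dell
    driver-cache layout in the post is a normal source of such duplicates).
    """
    groups = defaultdict(lambda: {"size": None, "paths": []})
    for p in paths:
        d = file_digest(p)
        groups[d]["size"] = os.path.getsize(p)
        groups[d]["paths"].append(p)
    return dict(groups)


def distinct_samples(groups):
    """One representative path per unique content: the minimal FP submission set."""
    return sorted(g["paths"][0] for g in groups.values())


def report_lines(groups):
    """Plain-text summary suitable for pasting into a list post or FP report."""
    lines = []
    for digest, g in sorted(groups.items(), key=lambda kv: kv[1]["size"]):
        lines.append("sha256=%s size=%d copies=%d" % (digest, g["size"], len(g["paths"])))
        for p in sorted(g["paths"]):
            lines.append("    " + p)
    return lines


def build_sample_tree():
    """Constructed stand-in for the copies named in the post (not real driver bytes).

    Two locations hold byte-identical content; the third differs and is larger,
    mirroring the 'two different sizes' observation.  Assumption: the reader
    replaces this with the real paths from the scanned machine.
    """
    root = tempfile.mkdtemp(prefix="iastor_triage_")
    body_a = b"MZ" + b"\x00" * 1000               # 1002 bytes
    body_b = b"MZ" + b"\x00" * 1000 + b"\x90" * 24  # 1026 bytes
    layout = {
        os.path.join("WINDOWS", "system32", "iastor.sys"): body_a,
        os.path.join("WINDOWS", "dell", "iastor", "iastor.sys"): body_a,
        os.path.join("Drivers", "DELL", "SATA_RAID", "driver_only", "iastor.sys"): body_b,
    }
    paths = []
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(body)
        paths.append(full)
    return root, paths


if __name__ == "__main__":
    _, sample_paths = build_sample_tree()
    grouped = triage_copies(sample_paths)
    print("\n".join(report_lines(grouped)))
    print("submit these:", distinct_samples(grouped))
```

Run it against the real paths instead of `build_sample_tree()` and the digests it prints are the same values a VirusTotal report is keyed on, so each distinct sample can be cross-checked there once and the duplicates skipped.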
Re: potential FP on Trojan.Rootkit-3041?
That's strange, I am unable to locate "Trojan.Rootkit-3041" in the current
clamav db or on VirusTotal. When I Google that name the only thing I find
is your message. Do you have the VirusTotal ID?


-Al-

--
Al Varnell
Mountain View, CA

On 9/4/11 6:57 PM, "Jason Haar" <Jason_Haar@trimble.com> wrote:

> Hi there
>
> We picked up an infected machine, and ran ClamAV over it. ClamAV picked
> up iastor.sys as Trojan.Rootkit-3041
>
> However according to virustotal.com, only ClamAV claims this is infected
> - so I'm wary of it.
>
> However... the machine it was got from WAS infected with other viruses,
> and windows\system32 contains THREE copies of iastor.sys: "iastor.sys",
> "iaStor.sys" and "IaStor.sys" - which have two different sizes (but both
> were detected as Trojan.Rootkit-3041 by ClamAV and nothing else)
>
> So, that smells really suspicious to me - but I'm surprised no other AV
> picks it. It isn't impossible ClamAV is ahead of everyone else on this
> particular virus, so I thought I'd check here
>
> Update: a week has passed since I saved this email to my Drafts - as I
> initially decided to report it as a FP via the clamav.net website
> instead. Anyway, a week has passed and clamav just declared a different
> box as being infected - this time iastor.sys is Trojan.Rootkit-3054.
> Again, nothing else picks it as a virus on virustotal.com, AND clamav
> says copies of this file under "WINDOWS/dell/iastor/iastor.sys" and
> "Drivers/DELL/SATA_RAID/driver_only/iastor.sys" are also infected -
> which I find very hard to believe a virus would bother looking for.
>
> Has anyone else been seeing FPs with iastor.sys?


Re: potential FP on Trojan.Rootkit-3041?
Sorry - it was 3041 last week - now it's 3054

http://www.virustotal.com/file-scan/report.html?id=594d97054e3a8034d8bc3ae3b9cd8a00d95bb68f8cda84e96d8ee08d5f24e101-1315184892

On 05/09/11 19:20, Al Varnell wrote:
>
> That's strange, I am unable to locate "Trojan.Rootkit-3041" in the current
> clamav db or on VirusTotal. When I Google that name the only thing I find
> is your message. Do you have the VirusTotal ID?
>
>
> -Al-
>
> --
> Al Varnell
> Mountain View, CA
>
> On 9/4/11 6:57 PM, "Jason Haar" <Jason_Haar@trimble.com> wrote:
>
> > Hi there
> >
> > We picked up an infected machine, and ran ClamAV over it. ClamAV picked
> > up iastor.sys as Trojan.Rootkit-3041
> >
> > However according to virustotal.com, only ClamAV claims this is infected
> > - so I'm wary of it.
> >
> > However... the machine it was got from WAS infected with other viruses,
> > and windows\system32 contains THREE copies of iastor.sys: "iastor.sys",
> > "iaStor.sys" and "IaStor.sys" - which have two different sizes (but both
> > were detected as Trojan.Rootkit-3041 by ClamAV and nothing else)
> >
> > So, that smells really suspicious to me - but I'm surprised no other AV
> > picks it. It isn't impossible ClamAV is ahead of everyone else on this
> > particular virus, so I thought I'd check here
> >
> > Update: a week has passed since I saved this email to my Drafts - as I
> > initially decided to report it as a FP via the clamav.net website
> > instead. Anyway, a week has passed and clamav just declared a different
> > box as being infected - this time iastor.sys is Trojan.Rootkit-3054.
> > Again, nothing else picks it as a virus on virustotal.com, AND clamav
> > says copies of this file under "WINDOWS/dell/iastor/iastor.sys" and
> > "Drivers/DELL/SATA_RAID/driver_only/iastor.sys" are also infected -
> > which I find very hard to believe a virus would bother looking for.
> >
> > Has anyone else been seeing FPs with iastor.sys?
>
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
