My OS is Windows XP Home SP2 with all critical updates installed through the last "Patch Tuesday" (June 12) release from Microsoft.
I downloaded the June 20 Spybot updates today and proceeded to "check for problems".
When I returned to my computer an hour later, I was surprised to discover Spybot had detected that the "Win32.Viking.j" worm had infected the following files.
Win32.Viking.j: Data (File, nothing done)
C:\WINDOWS\system32\dllcache\arp.exe.tmp
Win32.Viking.j: Data (File, nothing done)
C:\WINDOWS\system32\dllcache\at.exe.tmp
I think this is an FP for several reasons.
- There is/are June 20, 2007 Spybot S&D definition(s) added for Win32.Viking.j
- I regularly scan my computer with several reputable anti-malware apps (both AV and AS and occasionally anti-rootkit).
- The files are located in a Windows protected system files folder and they are the same size as their counterparts that exist in the same folder without the .tmp extension (arp.exe and at.exe).
- The files also have the same "Modified" date as the .exe files that don't have the .tmp extension.
- The files' Properties indicate they are Microsoft files.
- There are several other .exe.tmp files in my dllcache folder with corresponding .exe files that don't have a .tmp extension.
- I uploaded both files to Jotti's Online Scan and both appear clean according to Jotti.
(The Jotti Results are shown below.)
==========
Jotti's Online Scan Results
File: at.exe.tmp
Status: OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 9bdf13167fbef8da3a4e9a558b169e5e
Packers detected:
-
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 21 Jun 2007 02:24:00 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
==========
File: arp.exe.tmp
Status: OK
MD5: 33f9b0e02d9d93f920605d02fb53f3fd
Packers detected:
-
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 21 Jun 2007 02:27:53 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
==========
I suspect if anyone else compares the MD5 hash values for those files in the C:\WINDOWS\system32\dllcache\ folder of their own Windows XP Home SP2 box, they will find the hash values match. It would be nice to have confirmation, however.
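The checks described in the post (same size, same Modified date, and matching hashes between each .exe.tmp and its .exe sibling) can be run mechanically over a whole dllcache folder. The script below is an added example, not the poster's code or Spybot's; it assumes Python 3 and builds a constructed stand-in directory instead of reading the real C:\WINDOWS\system32\dllcache, with one pair that deliberately differs so the report shows what a non-matching .tmp looks like.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def file_digest(path: Path, algo: str = "md5") -> str:
    """Hex digest of a file, read in chunks so large dllcache files are fine."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_pairs(folder: Path) -> dict:
    """For every NAME.exe.tmp in folder that has a NAME.exe sibling, compare
    size, modification time and MD5. A .tmp whose hash equals its sibling's is
    a leftover copy of the same binary; a mismatch is the one worth a closer look."""
    report = {}
    for tmp in sorted(folder.glob("*.exe.tmp")):
        exe = tmp.with_suffix("")  # drops ".tmp", leaving "NAME.exe"
        if not exe.is_file():
            report[tmp.name] = {"sibling": None}
            continue
        st_tmp, st_exe = tmp.stat(), exe.stat()
        md5_tmp, md5_exe = file_digest(tmp), file_digest(exe)
        report[tmp.name] = {
            "sibling": exe.name,
            "size_match": st_tmp.st_size == st_exe.st_size,
            "mtime_match": int(st_tmp.st_mtime) == int(st_exe.st_mtime),
            "md5_match": md5_tmp == md5_exe,
            "md5": md5_tmp,
        }
    return report

def build_sample_dir() -> Path:
    """Constructed stand-in for the dllcache folder (tiny fake files, not real binaries)."""
    d = Path(tempfile.mkdtemp(prefix="dllcache_"))
    for name, body in (("arp.exe", b"MZ arp"), ("at.exe", b"MZ at")):
        (d / name).write_bytes(body)
        (d / (name + ".tmp")).write_bytes(body)            # identical leftover copy
        ts = os.stat(d / name).st_mtime
        os.utime(d / (name + ".tmp"), (ts, ts))            # same Modified date
    (d / "ping.exe").write_bytes(b"MZ ping")
    (d / "ping.exe.tmp").write_bytes(b"MZ ping-altered")   # differs from its sibling
    return d

if __name__ == "__main__":
    for name, info in compare_pairs(build_sample_dir()).items():
        print(name, info)
```

Point `compare_pairs` at the real folder to reproduce the size, date and hash comparison for every .exe.tmp at once; the MD5 column is what you would compare against another machine's values.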