Author Topic: Trojan.Chifrax.a  (Read 16429 times)

Offline alboy

  • Planewalker
  • *****
  • Posts: 67
Trojan.Chifrax.a
« on: February 02, 2008, 05:01:17 AM »
Hi
I have AVG Spyware installed and it has found the "Trojan.Chifrax.a" on a routine scan. It found it in the file I downloaded, but have not yet installed. It has flagged it as being in "BG1UB_V6_TutuBGT.exe".
It has also found the same trojan in WinRAR\Default.SFX on the same scan. AVG has quarantined both.
Has anyone else come across this?

Alboy

Offline jcompton

  • Niche Exploiter
  • Administrator
  • Planewalker
  • *****
  • Posts: 7246
Re: Trojan.Chifrax.a
« Reply #1 on: February 02, 2008, 04:37:34 PM »
It's not uncommon for antivirus programs to have false-positive results on self-extracting archives--as you note yourself, it seems to be mistaking the generic WinRAR SFX code as a trojan as well. Have you let AVG update its definitions lately? If they're brand-new, report it to the AVG people and point them to the file. They're usually pretty good about correcting these sorts of false-positives.
Cespenar says, "Kelsey and friends be at the Pocket Plane? Ohhh yesssss!" http://www.pocketplane.net

Johnathan

  • Guest
Re: Trojan.Chifrax.a
« Reply #2 on: February 03, 2008, 03:28:58 AM »
I have to disagree - this looks like the real deal.
AVG picked this one up on my machine as well.  However, this one had already started spawning militant variants running from the recycle bin!
I had NOT opened any mail or opened my firewall.  So where did this bad character come from?

A format C: may be in order.  You have firewall enabled, AVG running, all of the latest security fixes from Windows Update, and only go to 'trusted' sites... AND STILL THIS HAPPENS.  (yes, I am furious)

- Johnathan

Dave Sant

  • Guest
Re: Trojan.Chifrax.a
« Reply #3 on: February 03, 2008, 08:37:31 AM »
I can understand Johnathan's frustration - was the infection listed as Trojan.Chifrax.a, or another variant? And was it found in WinRAR or the BG file?

My experience of McAfee and AVG has been that their heuristic scanning will throw up and delete at least one "safe" file a year. The lack of definitions for this particular Trojan suggests that it's a mistaken identification. Looking at WinRAR's default.sfx I can see that it hasn't been altered since its creation date. However, unlike Johnathan I've not seen any trojan-like behaviour (my netstat has looked fine since creating this build in December).

Perhaps running GMER would help ensure the militant variant issue isn't down to another hack (if it's going to force you to reformat)?

Offline alboy

  • Planewalker
  • *****
  • Posts: 67
Re: Trojan.Chifrax.a
« Reply #4 on: February 03, 2008, 11:17:22 AM »
Hi,
Yes, it is exactly as subject heading and it was found in both BG and WINRAR. I have AVG Root Kit remover installed, but am I right in thinking that if I run it now it will not find it as the suspect files are in quarantine? I did wonder if it was a false positive but was not sure.
Thanks for input
Alboy

Johnathan

  • Guest
Re: Trojan.Chifrax.a
« Reply #5 on: February 03, 2008, 02:45:06 PM »
Yes, it found an infection in the WinRar SFX file.
It also found 13 instances for A####.exe (where #### is some integer).  These A#.exe files are of origin unknown.  It also found an infection in an unsigned .exe that I built.  I did not check the processes running in Task Manager before AVG picked them up and quarantined them; hence, I do not know if they were running.  The definition for this one does not state if it runs under svchost.exe or not.

This thread came up #1 on the Google search for this worm... so hopefully some more people will input on this worm's behavior.

- Johnathan

Offline jcompton

  • Niche Exploiter
  • Administrator
  • Planewalker
  • *****
  • Posts: 7246
Re: Trojan.Chifrax.a
« Reply #6 on: February 03, 2008, 02:51:43 PM »
A good strategy for dealing with suspected false positives is to get a second opinion, such as the Trend Micro online scanner. http://housecall.trendmicro.com/ . Obviously I don't want anybody to blissfully ignore virus warnings, it's just that experience tells that virus scanners always seem to have trouble distinguishing actual malware from legitimate self-extracting archives.
Cespenar says, "Kelsey and friends be at the Pocket Plane? Ohhh yesssss!" http://www.pocketplane.net

Offline Shaitan

  • Stolt far
  • Planewalker
  • *****
  • Posts: 52
  • Gender: Male
Re: Trojan.Chifrax.a
« Reply #7 on: February 03, 2008, 03:38:18 PM »
I just checked with "avast!" and didn't find anything suspicious.

Regards

Dave Sant

  • Guest
Re: Trojan.Chifrax.a
« Reply #8 on: February 04, 2008, 06:17:57 AM »
Just got this this morning from AVG, after sending them Default.sfx:

Quote
From: AVG Technical Support <support@avg.com>
Date: 04 February 2008 11:51
To: Dave Santorum
Subject: Re: G#0802430754 - Infected file?

..
Unfortunately, the previous virus database might have detected the
mentioned virus on some legitimate applications. We can confirm that
it was a false alarm. We have immediately released a new virus update
that removes the false positive detection on this file. Please update
your AVG and check your files again.

If you need to restore deleted files from AVG Virus Vault you can do
it this way:
- Open AVG Virus Vault (Start -> Programs -> AVG 7.5 -> AVG Virus
Vault).
- Locate the file that was incorrectly removed.
- Right click on it and choose the "Restore File(s)" option.

We are sorry for the inconvenience.
Answers to the most common questions can be found here as well:
http://www.avg.com/faq/

         Best regards,

         Petr Sevcik
         AVG Technical Support

website: http://www.avg.com
mailto: support@avg.com

It would sound like Johnathan's problem is slightly more serious - a new virus db has been released by AVG this morning. Jcompton's suggestion may be a good way to find the cause and culprit behind the unknown executables, or contacting AVG directly. I have found that they have always been very prompt with their replies (less than 16 hours for that reply sent on Sunday with the virus db updated before the mail was sent).

Hope this helps and your machine is soon infection free!

Dave

Offline cmorgan

  • Planewalker
  • *****
  • Posts: 1424
  • Gender: Male
  • Searcher of Bugs
Re: Trojan.Chifrax.a
« Reply #9 on: February 04, 2008, 03:58:26 PM »
I have downloaded and scanned with McAfee Security Center, updated virus definitions as of a few minutes ago, and found nothing - which confirms Dave's materials. It does sound very different in your case, though, Johnathan. Perhaps there was another source for the infection?

Offline alboy

  • Planewalker
  • *****
  • Posts: 67
Re: Trojan.Chifrax.a
« Reply #10 on: February 05, 2008, 11:24:06 AM »
Hi,

I have replaced the files & rescanned, all seems ok now.
Thanks for all your help

Alboy

charlie

  • Guest
Re: Trojan.Chifrax.a
« Reply #11 on: June 01, 2009, 01:16:05 AM »
Hi, which files were replaced? I have the same error, but I can't use the PC in normal mode; I need to be in safe mode to get in.

nexar

  • Guest
Re: Trojan.Chifrax.a
« Reply #12 on: June 07, 2010, 02:54:18 PM »
I got the Trojan.Chifrax when I installed the new divx.

 
