
Thread: Packed.Win32.Katusha.e

  1. #1
    worenx Guest

    Packed.Win32.Katusha.e

    My scan this morning found 2 instances of this 'Packed.Win32.Katusha.e' and on-access scanning found 2 more after the scan within about five minutes. I usually do a bit of research on a new virus I get, but there's nothing on this here, on Symantec or even anywhere else. Can anyone tell me what the **** this is?

  2. #2

    Re: Packed.Win32.Katusha.e

    Hello,

    Do you have the file location(s) where ZoneALarm detected the infection?

  3. #3
    Join Date: Nov 2004 | Location: localhost | Posts: 17,291

    Re: Packed.Win32.Katusha.e

    Hi!
    Information on malware detected by ZA is published here: www.viruslist.com

    Here is a link to another variant. Or here.

    You may want to upload the file(s) to www.virustotal.com and check for a false positive. If it is a false positive then report it as explained here.

    Cheers,
    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  4. #4
    worenx Guest

    Re: Packed.Win32.Katusha.e

    I sent a reply, but it apparently needs to be approved...

    Anyway, when I restored one of the files so I can submit it to Viruslist.com, ZA's on-access scanning picked it up, quarantined it and I couldn't scan it.

    Also, when something's quarantined, is it safe to just forget about it?

  5. #5

    Re: Packed.Win32.Katusha.e

    "Anyway, when I restored one of the files so I can submit it to Viruslist.com, ZA's on-access scanning picked it up, quarantined it and I couldn't scan it."

    One option is to temporarily disable ZA's on-access scanning in order to upload the file.

    "Also, when something's quarantined, is it safe to just forget about it?"

    Yes, the object will have been put 'out of action', so to speak. Quarantining the object moves the file to safe storage under control of the antivirus program - so it can't harm your system - but it's there in case a mistake was made and you need to restore that file. Otherwise, you can delete it.

  6. #6
    worenx Guest

    Re: Packed.Win32.Katusha.e

    http://www.virustotal.com/analisis/8...0b6-1244809426
    Well, I uploaded the offending file onto Virus Total, but I don't know how to tell if it's a false positive or not. I'm not worried about it anymore thanks to what Chiaz said. Could someone check the link and see for sure if it's a false positive--it'd be much appreciated. Thanks for the suggestions guys.

  7. #7

    Re: Packed.Win32.Katusha.e

    Hello,

    Well, it does appear to be a false positive. None of the anti-virus programs recognized it as a threat, including Kaspersky, which supplies ZA's anti-virus engine. So maybe if you update ZA anti-virus now, you will get a clean status on that file.

    But as someone who deals with malware on a regular basis, I'm quite wary of the filename: 0D30F10398A14CD55DD524AA9859770083ED52B5.sys.
    Looks rather suspicious to me. Where did you get this file from? What is the folder path?


    If everything is running as it should, I recommend leaving it in quarantine first.

  8. #8
    worenx Guest

    Re: Packed.Win32.Katusha.e

    C:\Program Files\Microsoft LifeCam\Driver32\VX6000\VX6000Xp.sys

    It was apparently installed in 2006 when I got my Webcam, and has never been a problem before.

    The other three instances came from:

    C:\WINDOW\system32\DRVSTORE\VX6000_2DD332AD17334A76BABFAE3D3F1C0795D0B900F6\VX600Xp.sys

    C:\System Volume Information\restore_{FE2A970F-A341-41F1-BBEF-BAE339C2B20C}RP833\A0167073.sys

    C:\System Volume Information\restore_{FE2A970F-A341-41F1-BBEF-BAE339C2B20C}RP833\A0167076.sys


    But they're all called 'Packed.Win32.Katusha.e'. The first one from the webcam passed a Virus Scan, but the other three are still in quarantine. Everything's working fine with them in there, and before restoring the first one it was fine too. Would it be better to just leave it as it is or quarantine the LifeCam one again? (And how would I do that?)

  9. #9
    Join Date: Nov 2004 | Location: localhost | Posts: 17,291

    Re: Packed.Win32.Katusha.e

    Hi!

    But the results of the virus scan are related to another file. You should upload VX6000Xp.sys, if this was the file.

    Also note that if Kaspersky does not detect it, ZA should not detect it either. This points to a problem in your ZA that does not update correctly.

    But you should post the ZA logs otherwise it is difficult to understand exactly what you are doing.

    Cheers,
    Fax


  10. #10

    Re: Packed.Win32.Katusha.e

    Fax is right. Which file did you exactly upload?

    Also,
    C:\WINDOW\system32\DRVSTORE\VX6000_2DD332AD17334A76BABFAE3D3F1C0795D0B900F6\VX600Xp.sys
    C:\System Volume Information\restore_{FE2A970F-A341-41F1-BBEF-BAE339C2B20C}RP833\A0167073.sys
    C:\System Volume Information\restore_{FE2A970F-A341-41F1-BBEF-BAE339C2B20C}RP833\A0167076.sys
    C:\WINDOW\system32\DRVSTORE\ is a backup folder created by some installers. The other two entries that you spoke of are part of System Restore; they are your old restore points.

    Hence, all three are not active files, and are not crucial to any software or program. You can leave it in quarantine.

    C:\Program Files\Microsoft LifeCam\Driver32\VX6000\VX6000Xp.sys
    This is legitimate. No need to remove it.
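Posts #7 and #9 turn on whether the sample scanned on VirusTotal is the same file ZA quarantined: a name like 0D30F10398A14CD55DD524AA9859770083ED52B5.sys is a 40-hex-digit SHA-1, so it can be compared with the local file's own hash before trusting the verdict. The following is an added example (not from the thread, ZoneAlarm, Kaspersky or VirusTotal) that hashes a file, checks a hash-style name against it, and summarises a detection table; the driver bytes and the engine results are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# A hash-style sample name: 40 hex digits (SHA-1) plus an optional extension.
HASH_NAME_RE = re.compile(r"^([0-9a-fA-F]{40})(?:\.[A-Za-z0-9]+)?$")


def file_sha1(path):
    """SHA-1 of a file, read in chunks so a large driver need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().lower()


def name_matches_hash(hash_style_name, path):
    """True only if the hash embedded in the name equals this exact file's SHA-1."""
    m = HASH_NAME_RE.match(hash_style_name)
    if not m:
        return False
    return m.group(1).lower() == file_sha1(path)


def summarise(results, vendor_engine):
    """results maps engine name -> detection string or None.
    Returns (engines flagging, engines total, whether the engine vendor flagged)."""
    hits = sum(1 for verdict in results.values() if verdict)
    return hits, len(results), bool(results.get(vendor_engine))


def demo():
    # Constructed stand-in for the quarantined driver; the content is arbitrary.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "VX6000Xp.sys")
        with open(path, "wb") as f:
            f.write(b"MZ" + b"\x00" * 1024)  # constructed bytes, not a real driver
        digest = file_sha1(path)
        same = name_matches_hash(digest.upper() + ".sys", path)  # right file
        other = name_matches_hash("0" * 40 + ".sys", path)        # some other file
    # Constructed engine table: only the local product flags, its engine vendor does not.
    results = {"Kaspersky": None, "Symantec": None, "ZoneAlarm": "Packed.Win32.Katusha.e"}
    hits, total, vendor_flagged = summarise(results, "Kaspersky")
    return same, other, hits, total, vendor_flagged


if __name__ == "__main__":
    print(demo())
```

A mismatch from name_matches_hash means the online report describes a different file than the one in quarantine, which is exactly the doubt raised in post #9.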
