[clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770

JD Ackle jdalinux at yahoo.com.br
Wed Jul 22 12:23:49 UTC 2015


Hello,

Currently, ClamAV run from Linux reports Docx.Exploit.CVE_2015_1770 in my Windows 8.1 install, in files:
- pageFile.sys
- Windows/System32/config/SOFTWARE (a piece of the Windows registry)

If I understand it correctly, pageFile.sys works much like a Linux swap, hence basically containing RAM dumps. After removing the file from the Windows system and booting into it I noticed Windows just made a new one when needed, as I expected. Thus I am actually using that file as a checkpoint to track whether the system is clean or not - whether the virus appears in the volatile memory when Windows is run.
When I first noticed the infection, pageFile.sys did not get infected upon a Windows startup without logging on a user (it would however otherwise, regardless of whether the user was an administrator or a regular one).

I noticed the infection on Windows/System32/config/SOFTWARE later and moved it to Linux to try and fix it - even though I was not really sure how to do it. Upon giving up on the latter plan I simply tried booting into Windows, which failed. Since copying the SOFTWARE file back in, pageFile.sys now becomes infected even if I don't log on any user.
I presume the reason for this may be that the file lost its Windows permissions upon being copied to my Linux install and is now world-accessible, thus being run by the system even before an allowed user is logged on...?

On another hand, I am hesitant to consider this a false positive as ClamAV did detect another virus in my Windows system:
- Program Files (x86)/Hewlett-Packard/Shared/WizLink.exe: Win.Worm.Tenga-113 FOUND
I don't need that file at all, so I simply deleted it, and no further infections of that virus have been detected since. My Windows install was running considerably slow (especially network-related tasks) before removing that file and seems to have picked back up on its speed, so I am assuming the said virus has indeed, at least for the most common use of that system, been removed.
However, I'm not sure whether this worm and the Docx.Exploit.CVE_2015_1770 are not related...?

No other infections were detected by ClamAV on the affected system and Norton Internet Security, which I have installed and running on Windows, doesn't seem to have ever noticed anything.

So that's basically the full story.
At this moment, I would like to know how I can remove Docx.Exploit.CVE_2015_1770 from Windows/System32/config/SOFTWARE (any particular key or value I should be looking for?), so that I'm sure it's not its loading into RAM at startup that's making its signature appear on /pageFile.sys.

Thanks in advance,
JD Ackle
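One defender-side check that follows from the pageFile.sys and SOFTWARE observations above: parse clamscan's output and separate hits inside memory or registry-hive images (which only show a pattern was present in RAM or hive data, and should be rescanned after a reboot) from hits in ordinary files. This is an added example, not ClamAV's code or anything from the thread; the clamscan output and the /mnt/win mount point are constructed.

```python
import re
from collections import defaultdict

# Files that are images of memory or of a registry hive. A signature
# matching inside one of them means the pattern was present in RAM or
# in hive data; the file itself is not an executable to delete.
VOLATILE_IMAGES = re.compile(
    r"(^|/)(pagefile\.sys|hiberfil\.sys|swapfile\.sys)$"
    r"|(^|/)Windows/System32/config/(SOFTWARE|SYSTEM|SAM|SECURITY|DEFAULT)$",
    re.IGNORECASE,
)

# One clamscan hit line looks like "<path>: <signature> FOUND".
HIT_LINE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_hits(scan_output):
    """Return (path, signature) tuples for every FOUND line."""
    hits = []
    for line in scan_output.splitlines():
        m = HIT_LINE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def triage(scan_output):
    """Group hits by signature and label each path.

    'volatile': pagefile, hiberfil or registry hive image; rescan after
                a reboot before treating it as a live infection.
    'file':     an ordinary file that can be quarantined or examined.
    """
    report = defaultdict(dict)
    for path, sig in parse_hits(scan_output):
        kind = "volatile" if VOLATILE_IMAGES.search(path) else "file"
        report[sig][path] = kind
    return dict(report)


# Constructed sample output mirroring the paths mentioned in the post.
SAMPLE = """\
/mnt/win/pageFile.sys: Docx.Exploit.CVE_2015_1770 FOUND
/mnt/win/Windows/System32/config/SOFTWARE: Docx.Exploit.CVE_2015_1770 FOUND
/mnt/win/Program Files (x86)/Hewlett-Packard/Shared/WizLink.exe: Win.Worm.Tenga-113 FOUND
/mnt/win/Users/jd/notes.txt: OK
"""

if __name__ == "__main__":
    for sig, paths in triage(SAMPLE).items():
        print(sig, paths)
```

Feed it real output with `clamscan -r --infected /mnt/win | python3 triage.py` after replacing SAMPLE with `sys.stdin.read()`; a signature whose only hits are labelled volatile is a candidate for the reboot-and-rescan checkpoint described above rather than for file deletion.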
