Win32.Wali.KA being detected in a LOT of executables

I keep getting the Win32.Wali.KA virus being detected in lots and lots of executables.
Most appear to be older executables but there are plenty of modern ones too.

I currently have hundreds of exclusions for all of these random executables because of this and still they keep randomly popping up now and then.
I’ve searched the forums and Google several times to see if there is a solution to this problem but I haven’t been able to find any indication of this being a problem anywhere else even though it occurs on both my home PCs running CIS.

Firstly, is there any way I can just exclude Win32.Wali.KA from being scanned for or remove it from my virus signatures? I would rather have one exclusion for a single virus def that is finding lots of false positives than excluding all of the exe files which could potentially have other viruses.

Secondly, is there a way to fix this erroneous behaviour?

Hi Bunta126,

You cannot exclude specific signatures from the engine. Exclusion is only file-based.

To help us investigate this issue, please submit a few of the detected files at

Thanks, I tried uploading to that location with two different browsers but it just sits at “File upload is in progress” with a flashing bar but doesn’t seem to do anything after that.

However, as I was doing that I started thinking “What if this isn’t a false positive?” so I uploaded one of the files to VirusTotal and it came back with a bunch of detections:

I’ve since found the detected files all appear to actually be exe files that have been infected and modified by a virus.
I have had a look at a couple and can see that they have been modified slightly from the original files:


With about 20KB of data added to the ends of the files.

Know of any way to clean the infection without losing the data?
I might try to write a script/program to truncate the data from each of the files.
I’m currently running procmon to see if I can find what is editing the exes to stop it.

OK, so I wrote a script to detect the added bytes at the end of the files and truncate that off them; however, after removing that data and rescanning the files they are now being detected as having Heur.Corrupt.PE@4294967295.

This can only be from the 20 bytes of variance in the screenshot in my post above.
Unfortunately that variance is not consistent so I’m not sure if I can search and replace this content in any way.
Obviously there is a signature for how to detect those bytes (since the CIS scan finds it consistently). If I knew what the signature was to find the zero bytes that were replaced I could at least recover that part, but I’m not sure how to find out what that signature is.

I’ve managed to find and replace the zero byte sections in the files successfully, so there is now only 6 bytes difference between the infected and original files; however, that is still enough to have them detected as Heur.Corrupt.PE :frowning:

There’s no way I can fix the remaining bytes since they can be any sort of variation.

Not sure I have any more options from here :frowning:

Never mind, I disabled Comodo and Windows Defender kicked in and cleaned the files without deleting them and I’m all clear now. 8)
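
Added example, not part of the thread and not any poster's script: a read-only Python check for the symptom described above, data appended past the end of an executable. It reads the PE section table to find where the image's raw data ends and discounts the Authenticode certificate table, which signed files legitimately store there; `build_sample` and its bytes are constructed for illustration.

```python
import struct

def pe_overlay(data: bytes) -> dict:
    """Measure bytes that lie past the last section's raw data in a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect, = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)    # SizeOfOptionalHeader
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)          # PE32 / PE32+
    if dir_base is None:
        raise ValueError("unknown optional header magic")
    ndirs, = struct.unpack_from("<I", data, opt + dir_base - 4)
    cert_off = cert_len = 0
    if ndirs > 4:   # directory 4: certificate table, addressed by file offset
        cert_off, cert_len = struct.unpack_from("<II", data, opt + dir_base + 32)
    end = 0
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    overlay = max(0, len(data) - end)
    in_overlay = cert_len and cert_off >= end and cert_off + cert_len <= len(data)
    signed = cert_len if in_overlay else 0
    return {"image_end": end, "overlay": overlay, "unexplained": overlay - signed}

def build_sample(appended: bytes = b"") -> bytes:
    """Constructed PE32 layout (headers plus one 0x200-byte section), not a real program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16) + b"\0" * 128
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + optional + section
    return headers.ljust(0x200, b"\0") + b"\x90" * 0x200 + appended

if __name__ == "__main__":
    print("clean   :", pe_overlay(build_sample()))
    print("appended:", pe_overlay(build_sample(b"\xCC" * 20 * 1024)))
```

Installers and self-extracting archives also carry legitimate overlays, and as the posts above found, removing appended bytes does not by itself restore a modified file, so treat a non-zero `unexplained` value as a triage signal only.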