What is Win32/Glenwiry.p ?

CA quarantined the file wextract.exe on my computer. Does this remove a valid Windows file?

CA also identified SET20.tmp as being infected with Win32/Glenwiry.p.

i just got this too!

As oricle12 says it seems to be a false report going on what I've seen on the net and also judging by what came up when I ran a full scan. CA security have been told by a few people and it seems the general idea is to wait until the next update and then run another scan.
The false report from CA quarantines the files, then Windows gets upset and wants them replaced or restored, but I don't have enough info to say whether that's a good idea.
Maybe wait a little longer for more info.
The best site I've found for info is actually a blog - see source below.

Hi, just barely an hour ago ZA Antivirus place wextract.exe files located on system32 and dllcache directories of my Win XP home based computer, in QUARANTINE,...
I'd just updated my
ZA antivirus update to 6/13/2008 defintion and just restore back the files from ZA antivirus Quarantine.
now its OK.

First up despite what some people have said, as noted above, this has been detected by Zone Alarm as well as CA.

Secondly, if you allow CA to do its thing, and have your Windows CD, it will replace wuauclt.exe with a copy taken from the Windows CD. This appears to resolve the problem (subsequent scans do not detect anything) but I wouldn't guaruntee that the problem is completely solved given previous versions of the glenwiry viruses replace themselves from entries they place in the system registry (I checked and didn't find anything but I wouldn't be certain that nothing has been changed).

Thirdly, despite what some have said it doesn't appear to be a false positive. Our network has ~25 computers all running CA, and all updated today. Only 4 PCs on the network detected the virus. I updated and rescanned the other PCs and they did not detect the virus. If it was a false positive due to a bug with a CA update I would expect all of the PCs to report a virus infection.

(Update):

For those who don't have their XP disk, a system restore should allow you to restore the affected file(s), but I haven't tried that. You need the Windows XP with Service pack 2 disk so just downloading service pack 2 from the Microsoft site probably won't help with that. Any decent IT technician or computer store should have a copy of the XP with SP2 CD available.

Note that it will request Windows XP with SP2 disk whether or not you have since upgraded to SP3. This is why I assumed it would work with the original disk regardless of what version it is (our machines were all installed as XP with SP2 originally and have since been upgraded to SP3).

Also, when we had this come up it did not refer to wextract.exe, but wuauclt.exe (the file Windows uses to open .cab files).

While browsing the internet CA reported 2 viruses win32/glenwiry.p and wextract.exe on my desktop 2 hours ago, computer went beserk. Windows file protection file also opened asking me to insert Windows XP to restore the original versions of these files. I did'nt think this would be such a good idea so I ran the CA scan. Ca reported 1 virus found win32/glenwiry and deleted it. Computer working again. I also searched the drive for wextract.exe and found no such file. CA must of removed it when it deleted win32/glenwiry.p ?? Will need to scan again when CA updates but I think CA nailed it.

The virus was found on my computer as well. Windows file protection file also opened asking me to insert Windows XP sevice pack disk 2. I don't have that disk. Can I down load the service pack from the windows site or should I just restore? Thanks

Apparently it is a false positive - since according to the article in the source, CA's recommendation is to get the latest update again for CA Anti-Virus to correct the problem. You will probably need to go to the Quarantine option and restore the files after updating the Anit-Virus Definition file.

Don't jump to any conclusions quite yet. CA has NOT, I repeat NOT, confirmed or denied anything. Others are reporting additional files that were downloaded prior to extraction, like A022879.exe!

Verbal phone answers and third party sites are HEARSAY. Wait until CA publishes a retraction before you take any action to restore!

I got this last night while surfing. The CA virus alert popped up and quarantined two out of three viruses. When asked and I inserted my Win XP Home disk, it said it was the wrong disk but it is my only XP disk. It wanted the XP Service Pack 2 disk but my system was updated via Microsoft's site, not from disk. At that point I was stuck. Hopefully a restore point will take care of it since the disk didn't work.

CA a/v reported wextract.exe infected with WIn32/Glenwiry.P in 3 locations (all \windows folders, from \system32 through \servicepack1 and \servicepackfiles\i386). First 2 quarantined and the 3rd just listed as infected. XPSP2 popped up a hard request (no redirect to a folder name) for the SP2 disk, which I don't have either, being updated/upgraded via MS Update all along.

I searched the CA support and av center site and got ZERO results on either the filename or the glenwiry name, really surprising! Did a quick update check and my CA AV is fully up to date.

I'm not doing anything until I find out some more information. Going to check the MS site and run another full scan...

More recent information at the rabidwombats blog, for any readers here, up to early this afternoon.

Win32/glenwiry.p is a dangerous virus that spreads throug security holes and infects network computers. After Win32/glenwiry.p will infect your computer it may download additional malware (trojan horses, spyware, adware, hijackers and keyloggers). Moreover, Win32/glenwiry.p can change system settings and slow your PC.

Use a gud antivirus software, eg, i use Za aka Zonealarm !!

it detected the virus after i updated my antivirus software !!
n i was able to delete it using ZA !!