Re: Win32 backdoor D in Security

Re: Win32 backdoor D in Security http://www.dslreports.com/forum/r20187040 en Sat, 26 Jul 2008 13:32:50 EDT Sat, 26 Jul 2008 13:32:50 EDT Update http://www.dslreports.com/forum/remark,20276381 EGeezer : The Zone Alarm false positive issue appears to be resolved by updates to ZoneAlarm's engine (not just the updater function) and CCleaner - see
»forum.piriform.com/index.php?s=&···&p=99079

--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )]]> http://www.dslreports.com/forum/remark,20276381 Thu, 03 Apr 2008 13:08:58 EDT Re: Win32 backdoor D http://www.dslreports.com/forum/remark,20218553 anon : ZA Forum confirms false positive, but it was this site that gave me a warm fuzzy feeling and the inclination to not worry about it.

DSL Forum rocks! Especially for a newbie-to-midi like me.

Thanks and »www.zonealarm.com/store/content/···port.jsp]]> http://www.dslreports.com/forum/remark,20218553 Mon, 24 Mar 2008 17:58:25 EDT Re: Win32 backdoor D http://www.dslreports.com/forum/remark,20194772 CalamityJane : Even Microsoft says it's clean...here is your report

quote:
Hello. The Microsoft Malware Protection Center (MMPC) has finished analyzing submission ID 16331310 and the results are listed below. If the files were determined to be malware or potentially unwanted software, the results will identify the threat for each file submitted.

This is the last e-mail the MMPC will send to this e-mail address concerning this submission ID.

Analyst comments:
=================

=================

Analysis summary:
=================
Total Files: 1
Clean: 1
Malware: 0
Malware Related: 0
Malware Container: 0
Potentially Unwanted Software: 0
Potentially Unwanted Software Container: 0
Postponed: 0
Not Yet Analyzed: 0

=================

Per-file summary:
=================
20080319_175736820_0_ccsetup205.exe | Clean

=================

Note: in the course of analyzing the files that you submitted, the MMPC decompresses the files in your submission, such as extracting files from archives or other containers. Subsequently you may see more files listed than you originally submitted.

Category Descriptions:

Clean
Files that do not appear to be malware or potentially unwanted software.

Thank you for contacting the Microsoft Malware Protection Center.

So the installer at least is fine if you want to reinstall it.

It is hard to say what is causing the MSRT to remove it because you can't "catch" what file is being flagged. It may need to be addressed by the Developer of the CCleaner to get in touch with Microsoft to report his program is being targeted by that tool.

As we know it has already been reported to Zone Alarm so it is in their hands now to fix it.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,20194772 Thu, 20 Mar 2008 09:13:50 EDT Re: Win32 backdoor D http://www.dslreports.com/forum/remark,20193948 EGeezer : You might post at CCleaner's forum. they're looking for reports on this at

»forum.piriform.com/index.php?showtopic=14886

Also you can submit the flagged file to Jotti at

»virusscan.jotti.org/

I agree, it's probably a FP but never hurts to check.
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )]]> http://www.dslreports.com/forum/remark,20193948 Thu, 20 Mar 2008 01:21:49 EDT Re: Win32 backdoor D http://www.dslreports.com/forum/remark,20193027 CalamityJane : Ok this isn't results (hasn't been analyzed yet) but they do acknowledge they got it FYI :)
Very nice feature that new submission thingy for them :)

quote:
Hello. Thank you for submitting suspicious files to the Microsoft Malware Protection Center (MMPC).

The MMPC will analyze the files that you submitted to determine if the files are malware or potentially unwanted software. If the files are identified as new malware, the MMPC will add detection signatures for the new malware and publish the signatures after they have been tested and certified.

Your submission has been assigned ID 16331310.

The MMPC has completed an initial scan of the files you submitted and the results are below. If the files are known malware or potentially unwanted software, the results will identify the threat for each file submitted.

The MMPC will send a second and final e-mail to this e-mail address once it makes a final determination concerning this specific submission.

Initial analysis summary:
=================
Total Files: 1
Clean: 0
Malware: 0
Malware Related: 0
Malware Container: 0
Potentially Unwanted Software: 0
Potentially Unwanted Software Container: 0
Postponed: 0
Not Yet Analyzed: 1

=================

Per-file summary:
=================
20080319_175736820_0_ccsetup205.exe | Not Yet Analyzed

=================

Note: in the course of analyzing the files that you submitted, the MMPC decompresses the files in your submission, such as extracting files from archives or other containers. Subsequently you may see more files listed than you originally submitted.

Category Descriptions:

Clean
Files that do not appear to be malware or potentially unwanted software.

Malware
Files that appear to be known malware. Malware includes viruses, Trojans, worms, file infectors, etc.

Malware Related
Files that are not malicious by themselves and should not pose a threat by themselves.

Malware Container
Container files are archives, binders, etc. that contain files in the "malware" category. Note that they may also contain files in the "Clean" category.

Potentially Unwanted Software
Files that have been identified as potentially unwanted software. Potentially unwanted software includes dialers, adware, spyware, etc.

Potentially Unwanted Software Container
Container files are archives, binders, etc. that contain files in the "spyware" category. Note that they may also contain files in the "Clean" category.

Postponed and Auto-postponed
The file does not appear to be malware or potentially unwanted software, but more analysis is necessary to confirm the file is not malicious.

Not Yet Analyzed
The file will require further analysis to determine whether the file is malicious or not.

Thank you for contacting the Microsoft Malware Protection Center.

--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,20193027 Wed, 19 Mar 2008 21:43:04 EDT Re: Win32 backdoor D http://www.dslreports.com/forum/remark,20192764 CalamityJane : Ok file submitted to Microsoft for analysis at the
Microsoft Malware Protection Center (submit page)
»www.microsoft.com/security/portal/

I cannot say if they will respond but at least they will get my report,including the scan results posted earlier and a copy of the file :)

That's the best I can do.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,20192764 Wed, 19 Mar 2008 20:58:34 EDT Re: Win32 backdoor D http://www.dslreports.com/forum/remark,20192521 CalamityJane :

said by Mikey :

Suggestions?

1. Will have to wait for Zone Alarm to correct it. It's their move now.

2. Don't use the Microsoft Malicious Software Removal Tool (for now).

I'll see if I can find a way to get the CCleaner installer to them to examine. I just downloaded a fresh copy and only Prevx Heuristics has a possible problem with it (Heuristics can do that - have FPs). All other scanners call it clean

quote:
File ccsetup205.exe received on 03.20.2008 01:01:51 (CET)
Current status:finished
Result: 1/32 (3.13%)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.19.1 2008.03.19 -
AntiVir 7.6.0.75 2008.03.19 -
Authentium 4.93.8 2008.03.19 -
Avast 4.7.1098.0 2008.03.19 -
AVG 7.5.0.516 2008.03.19 -
BitDefender 7.2 2008.03.20 -
CAT-QuickHeal 9.50 2008.03.14 -
ClamAV 0.92.1 2008.03.20 -
DrWeb 4.44.0.09170 2008.03.19 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5628 2008.03.19 -
Ewido 4.0 2008.03.19 -
F-Prot 4.4.2.54 2008.03.19 -
F-Secure 6.70.13260.0 2008.03.19 -
FileAdvisor 1 2008.03.20 -
Fortinet 3.14.0.0 2008.03.19 -
Ikarus T3.1.1.20 2008.03.19 -
Kaspersky 7.0.0.125 2008.03.20 -
McAfee 5255 2008.03.20 -
Microsoft 1.3301 2008.03.19 -
NOD32v2 2961 2008.03.20 -
Norman 5.80.02 2008.03.19 -
Panda 9.0.0.4 2008.03.18 -
Prevx1 V2 2008.03.20 Heuristic: Suspicious Hijacker
Rising 20.36.22.00 2008.03.19 -
Sophos 4.27.0 2008.03.20 -
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.20 -
TheHacker 6.2.92.250 2008.03.19 -
VBA32 3.12.6.3 2008.03.17 -
VirusBuster 4.3.26:9 2008.03.19 -
Webwasher-Gateway 6.6.2 2008.03.19 -
Additional information
File size: 2733520 bytes
MD5: 06ab7fd00ca2f03baf4616c40bb2c761
SHA1: 96f0796a003371529d023d4381f7d6e8e6d55f1e
PEiD: -
packers: WiseSFXDropper, WiseSFXDropper, WiseSFXDropper
Prevx info: »info.prevx.com/aboutprogramtext.···7DCE38E9

If you download the installer again check it first at VirusTotal:
»www.virustotal.com/

Check the MD5 to my file above listed
(MD5: 06ab7fd00ca2f03baf4616c40bb2c761)
If it is the same, you have the clean one (with the FP problem ZA and MSRT).

All you can do is ignore those false reports.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,20192521 Wed, 19 Mar 2008 20:14:37 EDT Re: Win32 backdoor D http://www.dslreports.com/forum/remark,20192283 anon : Hmmm. Got an Office Update today along with Microsoft Malicious Malware Tool. You guessed it. CCleaner disappeared again.

Checked back with ZA site and no definitive answer there.

Suggestions?]]> http://www.dslreports.com/forum/remark,20192283 Wed, 19 Mar 2008 19:29:01 EDT Re: Win32 backdoor D http://www.dslreports.com/forum/remark,20187645 CalamityJane : Ah, good Mikey - glad to hear. Thanks for reporting it too so they can fix it :)]]> http://www.dslreports.com/forum/remark,20187645 Tue, 18 Mar 2008 21:16:43 EDT Re: Win32 backdoor D http://www.dslreports.com/forum/remark,20187167 anon : ZA quarantined it on regular weekly scan and maybe I overreacted and asked ZA to delete it. Simply reinstalled and life is good.]]> http://www.dslreports.com/forum/remark,20187167 Tue, 18 Mar 2008 19:51:46 EDT Re: Win32 backdoor D http://www.dslreports.com/forum/remark,20187135 anon : If I downloaded CCleaner from the creator's site then I wouldnt have let ZA scanner delete it.]]> http://www.dslreports.com/forum/remark,20187135 Tue, 18 Mar 2008 19:45:11 EDT Re: Win32 backdoor D http://www.dslreports.com/forum/remark,20187040 anon : Thanks Calamity! I would think it a false positive. I got it from Piraforms site. Made report to Check Point.

Did I ever mention, you're the best?]]> http://www.dslreports.com/forum/remark,20187040 Tue, 18 Mar 2008 19:25:54 EDT Re: Win32 backdoor D http://www.dslreports.com/forum/remark,20187022 CalamityJane : Provided you downloaded it from an authorized source, it may likely be a false detection. It's being reported over in the Zone Alarm Forums in this topic:
ZAPro found trojan in CCleaner
»forums.zonelab.com/zonelabs/boar···id=27597

and as stated in that thread by one of their gurus, here is where to report it and get it checked out:

quote:
probably a false positive from the ZA own scanner.
Report it to ZA including as much details as possible, including a download link to the ccleaner you use.

Here:
»www.zonealarm.com/store/content/···port.jsp