Nod32 and Dameware MRC

aqtech · #1 August 21st, 2008, 01:13 PM

I've been receiving these alerts today from a very high percentage of the PCs on one of the networks I manage. We use Dameware to remotely manage the PCs. It seems odd that I would be receiving this message from nearly all of the machines all at once. Is anybody else having this problem?? Is this a legitimate infection that has spread, or a false positive??

Quote:

8/21/2008 10:42:02 AM - NOD32 Kernel Program Virus Alert triggered on PC_NAME: C:\WINDOWS\SYSTEM32\DWRCS.EXE infected with probably a variant of Win32/Genetik trojan.

Marcos · #2 August 21st, 2008, 04:29 PM

Please send the file in an archive protected with the password "infected" and "False positive" in the subject to samples[at]eset.com. It may not be necessarily false positive as commercial tools for remote administration are detected as potentially unsafe applications.

Ghosttown · #3 August 22nd, 2008, 03:19 AM

We also have the same problem, using ESET NOD32 v3.0.669 Business Edition.

Gerrit

Marcos · #4 August 22nd, 2008, 04:51 AM

Quote:

Originally Posted by Ghosttown

We also have the same problem, using ESET NOD32 v3.0.669 Business Edition.

Gerrit

I've installed Dameware 6 on a computer running fully updated ESS and didn't get any warning during installation. Are you using the most current version 3378? If so, please submit the file as described in my previous post.

Ghosttown · #5 August 22nd, 2008, 05:03 AM

Hello Marcos,

It is not the installed software, which gives the problem/alert. It is the remote client, which is being installed on a client when Dameware Mini Remote Control is being used to manage a remote client. At that moment, DWRCS.exe is being installed on the client as a service.

The problem occurs on this client. The alert is also triggered on some clients where the service runs, when the service is updated and a restore point is created.

BTW, our version is indeed 3378.

Gerrit

Armin Pfeffer · #6 August 22nd, 2008, 06:33 AM

Same problem here. Using V2.70.39 (we still have some NT machines)
Started with signature 3374 and still exists with 3379.
DWRCS.exe v. 5.0.1.1 and 5.5.0.0 are suspected.
The fact, that a remote control tool is suspicious is not the problem.
The problem is, that every way we tried to EXCLUDE the file in AMON is obviously ignored. Lower case/ capitals, short path, long file names, no help, the file is found and checked.
Any way around? The tool is definitley okay, only a little bit outdated. But that will never be changed just because of NOD32 not willing to live with Dameware 5.5

roo_B_con · #7 August 22nd, 2008, 06:35 AM

hi there,

just got the response that solution is about to come with one of the next updates - they're working on it, please hold on just a little

Armin Pfeffer · #8 August 22nd, 2008, 09:09 AM

Replying to myself: fur us it seems solved with signature 3380..
Any other experiences?

greeting from germany
Armin

aqtech · #9 August 22nd, 2008, 11:24 AM

3380 seems to have fixed it for us as well. Thanks!!

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search