Shadow Defender Worm?

[scitexia]

Had an interesting experience while installing Shadow Defender. Downloaded the file (32-bit) from their site (www.shadowdefender.com) and tried to install it. A-Squared AM told me that it was infected with a worm. Canceled the install and downloaded the file again. Same thing so I figured it was an FP and told it to install anyway.

After rebooting, Symantec Endpoint Security 12 (i have that installed too) immediately identified the trojan (presumably the same that A-Squared tried to warn me about earlier).

Sooo, after allowing SEP to quarantine it and uninstalling, I THEN went to cNet (www.download.com) and downloaded THEIR version and installed it. Guess what?? No worm and both A-Squared & SEP were quite happy.

Strange, huh?

[Cudni]

what did each software tell you that was infected (file name(s)) and where was it/they located?

[NoIos]

Compare the md5 hash of the files and tell us about the results.

[Osaban]

Quote:

Originally Posted by scitexia

Had an interesting experience while installing Shadow Defender. Downloaded the file (32-bit) from their site (www.shadowdefender.com) and tried to install it. A-Squared AM told me that it was infected with a worm. Canceled the install and downloaded the file again. Same thing so I figured it was an FP and told it to install anyway.

After rebooting, Symantec Endpoint Security 12 (i have that installed too) immediately identified the trojan (presumably the same that A-Squared tried to warn me about earlier).

Sooo, after allowing SEP to quarantine it and uninstalling, I THEN went to cNet (www.download.com) and downloaded THEIR version and installed it. Guess what?? No worm and both A-Squared & SEP were quite happy.

Strange, huh?

I've just scanned the Shadow Defender installer (from their website) with Avira Premium and found nothing. I agree it is strange.

[Triple Helix]

I tried to upload to VT and I keep getting errors so I tried Jotti and 2 scanners pick it as:

CP secure BackDoor.W32.Hupigon.jrud

Sophos Sus/Scribble-B

But that's it and the one from Download.com just Sophos Sus/Scribble-B

So that's strange! Mind you that jotti is outdated Feb 23 2010

TH

[Osaban]

Quote:

Originally Posted by Triple Helix

I tried to upload to VT and I keep getting errors so I tried Jotti and 2 scanners pick it as:

CP secure BackDoor.W32.Hupigon.jrud

Sophos Sus/Scribble-B

But that's it and the one from Download.com just Sophos Sus/Scribble-B

So that's strange! Mind you that jotti is outdated Feb 23 2010

TH

I get the same results with Virus Total (errors) and same detections with Jotti. The MD5 and SHA1 are different though with the 2 installers.

[Franklin]

Hmmm, SD1.1.0.325_Setup.exe downloaded from authors site and SD1.1.0.325_Setup(2).exe downloaded from download.com?

[taleblou]

Hi:

I scanned it with a-squared and nothing detected. Also I managed to upload and scan it with virustotal the one from the shadow defender web site and virus total only found "1/40" (only Sophos detected). Here is the result of virus total. Must be a false positive.

~Virus Total results removed per Policy.~

( base data )
entrypointaddress.: 0x12226
timedatestamp.....: 0x4987F062 (Tue Feb 3 08:21:06 2009)
machinetype.......: 0x14C (Intel I386

[LoneWolf]

Quote:

Originally Posted by Franklin

Hmmm, SD1.1.0.325_Setup.exe downloaded from authors site and SD1.1.0.325_Setup(2).exe downloaded from download.com?

Attachment 217188

Waiting for confirmation on why over at SD forums........
http://www.shadowdefender.com/phpbb/....php?f=2&t=289

[Woody777]

I had exactly the same result when I downloaded the file previously. No alerts except with A2. Then I uninstalled. Immediately Threatfire indicated a worm a rootkit. Finally after sometime I got rid of it. I think there is a Worm in ShadowDefender but I can't say so for sure so it could be a FP.

[Tony]

No worm
http://www.shadowdefender.com/phpbb/...f=2&t=289#p997

[Smirs]

Interesting how Prevx doesn't flag it as 'BackDoor.W32.Hupigon.jrud' or 'Sus/Scribble-B' but straight names it a ' Fraudulent Security Program '.

[Triple Helix]

Quote:

Originally Posted by Smirs

Interesting how Prevx doesn't flag it as 'BackDoor.W32.Hupigon.jrud' or 'Sus/Scribble-B' but straight names it a ' Fraudulent Security Program '.

Prevx never pick this up as malware? Or are you saying it does for you?

TH

[Smirs]

Quote:

Originally Posted by Triple Helix

Prevx never pick this up as malware? Or are you saying it does for you?

TH

Yes it picks up Shadow Defender (1.1.0.325) on my computer as malware;
Defender.exe MD5 69F211FC6E27F9AB715279E5FFC34F6E

[Smirs]

I uploaded the file to virus total, Prevx is the only one that flags it, ~ Virus Total Results Removed per Policy ~

[Triple Helix]

Quote:

Originally Posted by Smirs

I uploaded the file to virus total, Prevx is the only one that flags it, ~ Virus Total Results Removed per Policy ~

It doesn't on my machine and and VT still shows Sophos Sus/Scribble-B and my setup file is
SD1.1.0.325_Setup.exe MD5 : 4ed0f50233680ffc37fbe5cf8057c634 Also from my Prevx scan log: [u] (ACTIVE) c:\security programs folder\shadow defender folder\sd1.1.0.325_setup.exe [PX5: E443759160325FB96C54111D18404000A042BF29]


So there could something with the setup file that you have because mine is fine! Do you have Prevx installed? If you do send a scan log and the setup file to Prevx as stated in this post: http://www.wilderssecurity.com/showthread.php?t=245129

TIA,

TH

[Smirs]

Message sent. Thanks a lot for your support.

[PrevxHelp]

Quote:

Originally Posted by Smirs

I uploaded the file to virus total, Prevx is the only one that flags it

This was a false positive but we've corrected it now Shadow Defender is indeed legitimate, but the increasing number of rogues makes it hard for researchers to keep the line well defined

[Triple Helix]

Quote:

Originally Posted by PrevxHelp

This was a false positive but we've corrected it now Shadow Defender is indeed legitimate, but the increasing number of rogues makes it hard for researchers to keep the line well defined

Thanks for the confirmation!

TH