#1
Someone sent me a file called mswin.exe.
On his computer it tried to gain internet access at startup. The file name and the registry entry HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows\Run\mswin seem to indicate Backdoor.Dumba, but NAV didn't find it, although it should be in their definitions. Any ideas on this one? Regards, Pieter
__________________
Regards, Pieter. It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
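The HKCU Run entry Pieter describes is a standard autostart location, so a quick way for a defender to triage a machine like the one in this thread is to dump the Run keys and look at what each value actually launches. The script below is an added example, not code from the thread or from any of the posters: it parses text in the format produced by `reg export` for the Run keys, extracts the executable from each command line, and flags entries that run from outside the usual program directories or whose file name is on a watch list. The sample export, the trusted-directory list and the watch list are constructed for this example; only the `mswin` value name is taken from the thread.

```python
"""Audit a Windows registry export for Run-key autostart entries.

Added example (not from the thread): parses text in the format produced by
`reg export` for the Run keys, pulls the executable out of each command line
and flags entries that run from outside the usual program directories or
whose file name is on a watch list. Runs offline against constructed data.
"""
import re
from pathlib import PureWindowsPath

# Autostart keys to inspect (lower-cased), including the per-user
# Windows NT\...\Windows\Run location named in the thread.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows\run",
}

# Assumption: legitimate autostart binaries normally live below these folders.
TRUSTED_DIRS = (r"c:\program files", r"c:\windows\system32")

# File names worth flagging outright; mswin.exe is the name from the thread.
WATCHLIST = {"mswin.exe"}

# Constructed sample export. Only the "mswin" value name comes from the thread;
# every other entry and path is made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run]
"mswin"="C:\\WINDOWS\\mswin.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Sound"="C:\\WINDOWS\\system32\\sndvol32.exe /tray"
'''

# "name"="data" lines; both sides may contain backslash-escaped quotes/backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    r"""Undo .reg string escaping (\\ becomes \ and \" becomes ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value_name, command) tuples for string values under Run keys."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and current_key and current_key.lower() in RUN_KEYS:
            entries.append((current_key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def executable_of(command):
    """Extract the program path from a Run command line (quoted or bare)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Bare path: take everything up to the first ".exe" followed by a space or end.
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def audit_run_entries(entries):
    """Return (key, value_name, exe, reasons) for every entry that looks suspicious."""
    findings = []
    for key, name, command in entries:
        exe = executable_of(command)
        path = PureWindowsPath(exe)
        reasons = []
        if path.name.lower() in WATCHLIST:
            reasons.append("file name on watch list")
        if not str(path.parent).lower().startswith(TRUSTED_DIRS):
            reasons.append("runs from outside trusted directories")
        if reasons:
            findings.append((key, name, exe, reasons))
    return findings


if __name__ == "__main__":
    for key, name, exe, reasons in audit_run_entries(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\\{name} -> {exe}: {', '.join(reasons)}")
```

On a real machine the input would be the output of `reg export` for each of the listed keys; the directory allow-list is deliberately narrow, so anything it flags is a candidate for a closer look rather than a verdict.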
#2
Pieter,
NAV certainly should cover both Backdoor.Dumba and Trojan.Dumba. I suggest putting up the file for a (free) check on both KAV/AVP and Dr.Web; links are available on our free services page. The person infected could run a free system check (Panda, Trend) over there as well. Apart from that, NAV is an antivirus. I would recommend installing a trial version of TDS, updating the signatures (radius) by grabbing the latest radius file here, overwriting the existing ones, and performing a full system scan. Keep us posted! regards. paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#3
A little more info about this one: the file was offered for download as DIVX 2003 from BBShareware.com
Paul, I missed your post. The person I got it from had removed DIVX 2003 some time ago. On my advice he deleted the registry entry; the file has been quarantined and submitted to SARC. I certainly will keep you posted. Regards, Pieter
#4
Feel free to send me the file via email to support@ eurosecure.com and I'll check it out.
Regards, Anders
__________________
Best regards, Anders nod32 antivirus
#5
Talking about service... regards. paul
#6
It's on its way, Anders. Thnx for the offer.
I submitted them to the scans Paul suggested. On DrWeb it came up suspicious, KAV could not find anything wrong with it. Regards, Pieter
#7
Seems to be a dropper for an IRC backdoor. I didn't check it THAT thoroughly. It will be further analyzed and, if needed, added to the NOD32 database.
If you ever get any other suspicious files, don't hesitate to send them... Regards, Anders EuroSecure
#8
Thnx again, Pieter
#9
Thanks guys, I'm the person with the mswin.exe firewall alert, so I'll keep an eye on this topic.
#10
Well Caspar, you ended up in the right place here! Welcome. regards. paul
#11
FYI, that file is now detected by NOD32 as Win32/IRC.Dix.A.
And, I can't stress it enough, don't hesitate to send me any suspicious files. Regards, Anders EuroSecure
#12
Thanks again, Anders, and what I don't trust is all yours. Regards, Pieter
#13
Please let me have a copy just in case, submit@diamondcs.com.au
thx
#14
I'll do that tonight, Gavin, if that's OK (in about 5 hours, I keep forgetting time zones). Regards, Pieter
#15
Gavin,
I'm sorry to tell you that I can't send you the file. I'm pretty sure I copied the file from my attachments folder to a safe place before I sent it to Anders and SARC. But the copy in the attachments folder is gone, which was to be expected, since I put it in quarantine before I sent it to SARC. But unfortunately the copy is gone as well.
BTW, this is the answer from SARC:
quote
result: This file is infected with Trojan.Dumba
remarks by Symantec Security Response employee: C:\Program Files\IncrediMail\Data\Identities\{50AE2311-B53A-4AED-84F7-43F56DA0449F}\Message Store\Attachments\mswin.exe is a non-repairable threat. It is detected by NAV after an update using the attached definition updater. Please delete this file and replace it if necessary.
unquote
Well, at least I got the 29-10 update by e-mail. Maybe Anders would be so kind as to send you his copy? Sorry, Pieter
#16
So now it's detected by NAV? I can have a look on the site where I downloaded the file; it's on a so-called warez site. I'll check it out.
#17
Caspar107,
Please be careful in doing so. Symantec claimed it to be Trojan.Dumba, which was in their definitions all along. Besides that: they e-mailed me the update for the 29th, which is not available for download yet. [EDIT] Is available now [/EDIT] Take care, Pieter
#18
It's a zipped file, but I looked on the site and............ it's not there anymore, that's better! But it's detected now with the latest ref of NAV? LiveUpdate? Because mine stands at 28-10, and no more updates are available.
#19
Direct download link:
http://www.symantec.com/avcenter/download/us-files/20021029-003-i32.exe Regards, Pieter
#20
Got it from the Helpmij NAV update topic; I receive automatic e-mail.
But I still don't get why NAV did not detect it while it was a known trojan? Or is the difference now that it was a so-called "dropper", which is not detected as a part of it?
#21
Not quite sure about that. Maybe Anders can answer that. He's the one that took it apart to see what made it tick.
Regards, Pieter
#22
Symantec's Dumba description somewhat matches this file. I assume this is another variant of the file they detected already, and, as they received the sample, they added detection for it.
Regards, Anders EuroSecure
#23
Got a copy, thanks everyone - don't hesitate to send me suspicious samples either