mswin.exe

Discussion in 'malware problems & news' started by Pieter_Arntz, Oct 27, 2002.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Someone sent me a file called mswin.exe.
    On his computer it tried to gain internet access at startup.
    The file name and the registry entry HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows\Run\mswin seem to indicate Backdoor.Dumba but NAV didn't find it, although it should be in their definitions.

    Any ideas on this one?

    Regards,

    Pieter
     
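The post above describes the classic symptom pair of a Run-key autostart plus an outbound connection attempt at logon. As an added example that is not part of the thread, the PowerShell script below enumerates the common autostart locations, resolves each command line to a file on disk, and reports the file's Authenticode status and SHA-256 so the hash or the file can be submitted to several scanners, as the thread goes on to do. The script name, the `-SuspectName` parameter and the output format are my own choices; it assumes that the thread's `HKCU\...\WindowsNT\CurrentVersion\Windows\Run` entry corresponds to the legacy `Windows NT\CurrentVersion\Windows` key whose `Run` and `Load` values are also honoured at logon.

```powershell
# Get-RunEntries.ps1 (added example, not from the thread).
# Lists autostart commands from the Run keys and the legacy Windows / Winlogon
# values, resolves each to a file, and emits hash and signature for triage.
param(
    [string]$SuspectName = 'mswin'   # value or file name to highlight, as in the thread
)

# Values = $null means "inspect every value under the key"; otherwise only the
# named values are program launchers and the rest are ignored to avoid noise.
$locations = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Values = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Values = $null },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';     Values = $null },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Values = $null },
    # Assumption: the thread's "WindowsNT\CurrentVersion\Windows\Run" is this key.
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Values = @('Run', 'Load') },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Values = @('Shell', 'Userinit') }
)

function Resolve-CommandPath {
    param([string]$Command)
    # Take the first comma-separated entry (Userinit/Shell style), strip quotes
    # and trailing arguments, then expand %VARS% the way the loader would.
    $first = ($Command -split ',')[0].Trim()
    $exe = if ($first -match '^"([^"]+)"') { $Matches[1] } else { ($first -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe) { return (Resolve-Path -LiteralPath $exe).Path }
    # A bare file name is searched on PATH, as CreateProcess does for "mswin.exe".
    $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue
    if ($found) { return $found.Source }
    return $null
}

function Add-Flag {
    param([string]$Existing, [string]$New)
    if ($Existing) { "$Existing; $New" } else { $New }
}

foreach ($loc in $locations) {
    if (-not (Test-Path -Path $loc.Key)) { continue }
    $props = Get-ItemProperty -Path $loc.Key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                           # PSPath, PSParentPath, ...
        if ($loc.Values -and ($p.Name -notin $loc.Values)) { continue }  # not a launcher value
        if ([string]::IsNullOrWhiteSpace([string]$p.Value)) { continue }

        $path = Resolve-CommandPath -Command ([string]$p.Value)
        $row = [ordered]@{
            Key       = $loc.Key
            Name      = $p.Name
            Command   = [string]$p.Value
            File      = $path
            Signature = $null
            SHA256    = $null
            Flag      = ''
        }

        if ($path) {
            $row.Signature = (Get-AuthenticodeSignature -FilePath $path).Status
            $row.SHA256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            if ($row.Signature -ne 'Valid') {
                $row.Flag = Add-Flag $row.Flag "signature $($row.Signature)"
            }
        } else {
            # A launcher whose target is gone is worth a look: deleted malware
            # often leaves its Run entry behind, as happened in the thread.
            $row.Flag = Add-Flag $row.Flag 'target missing'
        }

        if (($p.Name -ieq $SuspectName) -or
            ($path -and ((Split-Path -Path $path -Leaf) -ieq "$SuspectName.exe"))) {
            $row.Flag = Add-Flag $row.Flag 'matches suspect name'
        }

        [pscustomobject]$row
    }
}
```

Run it as `.\Get-RunEntries.ps1 -SuspectName mswin | Format-Table Key, Name, File, Signature, Flag -AutoSize` from an elevated prompt so the HKLM keys are readable. An unsigned binary with a Microsoft-looking name in a user-writable location, or an entry whose target no longer exists, is what to quarantine and submit; the SHA-256 column lets you check whether other scanners already know the sample before mailing it out.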
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Pieter,

    NAV certainly should cover both backdoor.Dumba and Trojan.Dumba.

    I suggest putting up the file for a (free) check on both KAV/AVP and Dr.Web; links available on our free services page. The person infected could run a free system check (Panda, Trend) over there as well.

    Apart from that, NAV is an antivirus. I would recommend installing a trial version from TDS, updating the signatures (radius) by grabbing the latest radius file here, overwriting the existing ones, and performing a full system scan.

    Keep us posted!

    regards.

    paul
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    A little more info about this one: the file was offered for download as DIVX 2003 from BBShareware.com

    Paul, I missed your post
    The person I got it from had removed DIVX 2003 some time ago. On my advice he deleted the registry entry; the file has been quarantined and submitted to SARC.
    I certainly will keep you posted.

    Regards,

    Pieter
     
  4. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Feel free to send me the file via email to support@ eurosecure.com and I'll check it out.

    Regards,
    Anders
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Talking about service... :D

    regards.

    paul
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    It's on its way Anders. Thnx for the offer. :)

    I submitted them to the scans Paul suggested.
    On DrWeb it came up suspicious, KAV could not find anything wrong with it.

    Regards,

    Pieter
     
  7. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Seems to be a dropper for an IRC-backdoor. I didn't check it THAT thoroughly. It will be further analyzed and if needed added to the NOD32 database.

    If you ever get any other suspicious files, don't hesitate to send them...

    Regards,
    Anders
    EuroSecure
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    With this kind of service? I'd be a fool not to send them. :D

    Thnx again,

    Pieter
     
  9. Caspar107

    Caspar107 Registered Member

    Joined:
    Oct 27, 2002
    Posts:
    25
    Location:
    Apeldoorn, Netherlands
    Thanks guys, I'm the person with the mswin.exe firewall alert, so I'll keep an eye on this topic.
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Well Caspar, you ended up on the right place here! ;). Welcome.

    regards.

    paul
     
  11. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    FYI, that file is now detected by NOD32 as Win32/IRC.Dix.A.

    And, I can't stress it enough, don't hesitate to send me any suspicious files.

    Regards,
    Anders
    EuroSecure
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Thanks again anders and what I don't trust is all yours ;)

    Regards,

    Pieter
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Please let me have a copy just in case, submit@diamondcs.com.au

    thx :)
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    I'll do that tonight Gavin, if that's OK. (in about 5 hours, keep forgetting time zones ;))

    Regards,

    Pieter
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Gavin,

    I'm sorry to tell you that I can't send you the file. I'm pretty sure I copied the file from my attachments folder to a safe place before I sent it to Anders and SARC. But the copy in the attachments folder is gone, which was to be expected, since I put it in quarantine before I sent it to SARC.
    But unfortunately the copy is gone as well o_O

    BTW This is the answer from SARC:

    quote

    result: This file is infected with Trojan.Dumba
    remarks by Symantec Security Response employee:
    C:\Program Files\IncrediMail\Data\Identities\{50AE2311-B53A-4AED-84F7-43F56DA0449F}\Message Store\Attachments\mswin.exe is a non-repairable threat. It is detected by NAV after an update using the attached definition updater. Please delete this file and replace it if necessary.

    unquote

    Well at least I got the 29-10 update by e-mail :D
    Maybe Anders would be so kind to send you his copy?

    Sorry,

    Pieter
     
  16. Caspar107

    Caspar107 Registered Member

    Joined:
    Oct 27, 2002
    Posts:
    25
    Location:
    Apeldoorn, Netherlands
    So now it's detected by NAV? I can have a look on the site where I downloaded the file, it's on a so-called warez site :blink:
    I'll check it out
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Caspar107,

    Please be careful in doing so. Symantec claimed it to be Trojan.Dumba which was in their definitions all along.
    Besides that: they e-mailed me the update for the 29th which is not available for download yet.
    [EDIT] Is available now [/EDIT]

    Take care,

    Pieter
     
  18. Caspar107

    Caspar107 Registered Member

    Joined:
    Oct 27, 2002
    Posts:
    25
    Location:
    Apeldoorn, Netherlands
    It's a zipped file, but I looked on the site and............ it's not there anymore :cool:, that's better!

    But it's detected now with the latest ref of NAV? LiveUpdate? Because mine stands at 28-10, and no more updates available
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Direct download link:

    http://www.symantec.com/avcenter/download/us-files/20021029-003-i32.exe

    Regards,

    Pieter
     
  20. Caspar107

    Caspar107 Registered Member

    Joined:
    Oct 27, 2002
    Posts:
    25
    Location:
    Apeldoorn, Netherlands
    Got it from the Helpmij NAV update topic, receive automatic email :D

    But I still don't get it why NAV did not detect it while it was a known trojan? Or is the difference now that it was a so-called "dropper" which is not detected as a part of it?
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Not quite sure about that. Maybe Anders can answer that. He's the one that took it apart to see what made it tick :D

    Regards,

    Pieter
     
  22. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Symantec's Dumba description somewhat matches this file. I assume this is another variant of the file they detected already, and, as they received the sample, they added detection for it.

    Regards,
    Anders
    EuroSecure
     
  23. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Got a copy, thanks everyone - don't hesitate to send me suspicious samples either :)
     