Win32/VMalum.CIDD infection in sbautoupdate.exe?

Today my CA Anti-Virus detected and quarantined on startup a Win32/VMalum.CIDD infection in sbautoupdate.exe. I can't find any information on what win32/VMalum.CIDD is, other than it is a backdoor trojan. I de-installed and re-installed SpywareBlaster using a fresh install file, but still have the problem.

Is it a false positive? Has anyone else running SB and CAV seen this?

Thanks,

Stephen Clark

 

My organization's eTrust AV 8.1 detected Win32/VMalum.CIDD in C:\SYSTEM VOLUME INFORMATION\_RESTORE{4568522D-686F-40CA-B59F-0F43604506A5}\RP394\A0025814.EXE.0.AVB.

 

Hello,

I don't run CA but i'd say it must surely be a FP. Did u submit the file to CA for analysis?

Seems the file is in System Restore.



snowbound

 

I sent a copy of this file to CA analysis, SpywareBlaster and Blink eEye security to check out this file. Since it is in the auto update area we all need to be positive that this is not a backdoor or a virus. In the mean time I would disable auto update and do any by manual updating.

 

Same happened to me today. It seems the file had been there for a long time, but CA just detected it today. I deleted it.
However, I re installed the program some time later and in the process CA warned me again of this virus file.

I couldn`t find any info about it, not even in CA data base.

If it is a FP, how come it only shows up today?

 

Unwittingly I cited the same problem on another thread.

https://www.wilderssecurity.com/showthread.php?p=1212225#post1212225

 

Thank you for your inpout.
However. I have just received the following reply from CA:
_______________________________
Dear customer,

Thank you for using CA Security Advisor.

This is to notify you of the results of your submission, issue number
1291583. Please keep this issue number for future reference.
Please see below for the final results of our analysis of your file
submission.
We successfully received the following files:

FILE SIZE CONCLUSION
------------------------------------------------------------------------
sbautoupdate.zip 607217
------------------------------------------------------------------------
sbautoupdate.exe 902696 malware
------------------------------------------------------------------------

This automated scanning service "Virtue" complements our regular
technical support service. It is not a replacement for it. For
technical support please visit http://www.ca.com/about/support.htm.
If you would like to comment on the quality of this automated service,
please send your suggestion to virtue.feedback@ca.com .

CA Security Advisor
_____________________________

 

MORE ABOUT IT FROM CA:
FILE
------------------------------------------------------------------------
sbautoupdate.zip
------------------------------------------------------------------------
This file is being analyzed by our researchers. We will inform you of
their findings as soon as the analysis is complete.

FILE
------------------------------------------------------------------------
sbautoupdate.exe
------------------------------------------------------------------------
The Windows PE (I386,EXE) file "sbautoupdate.exe" has been determined
to be malicious.

The file is currently detected generically as Win32/VMalum.CIDD. You
will be notified when our researchers have added specific detection and
cure.

Note: A Win32.Malum detection may be reported when CA Antivirus
solutions use advanced techniques to generically detect a worm or
trojan that affects the Win32 platform.

CA products address this malware as follows:
--------------------------------------------
CA Anti-Virus
Engine Update version Last Update
31.3.0 31.3.5653 29 Mar
Please check for the latest signature updates.

==========================================================

 

Yes, I did. I suggested it might be a FP, but that I wanted to be sure, so I was submiting the file to them to be checked.

Should I write back insisting on the FP possibility?

 

If your file has an MD5 of 0d5e4768c82d69256e6ec6e53e0a62bd, it's clean. There are 6 wrong detections at Virustotal (CA, Ikarus, Norman, Panda, Sophos and Webwasher)
Maybe they're detecting the packer (Armadillo)

 

I just emailed CA again asking to re-check the file and reminding them of the FP chance.

Let us wait.

 

Download HashTab and install it. Go to the SpywareBlaster folder (usually in Program Files\SpywareBlaster), right-click the sbautoupdate.exe file and compare the MD5 checksum with the one I've provided above.

 

Hi,

This detection is a false-positive. Unfortunately, these problems seem to crop up every once in a while, especially after a new release.

Please contact your anti-virus company and alert them to the false positive.

Information on the legitimate sbautoupdate.exe file:

File name: sbautoupdate.exe
Default path: C:\Program Files\SpywareBlaster\
MD5 checksum: 0D5E4768C82D69256E6EC6E53E0A62BD

Best regards,

-Javacool

 

Javacool,
There are 6 AV companies detecting sbautoupdate.exe at Virustotal

 

Hi,

Do you happen to have any direct contacts within those companies? (If yes, please PM me.)

I've gone through the normal routes in the past, but it often takes too long.

Best regards and thanks,

-Javacool

 

No, I've just scanned sbautoupdate.exe to help in the troubleshooting of this FP
I have the mail addresses of the viruslabs of some of the AVs which are having the FP:
- CA/eTrust: virus [at] ca [dot] com
- Norman: analysis [at] norman [dot] no
- Panda: virussamples [at] pandasoftware [dot] com
- Sophos: samples [at] sophos [dot] com

Yep, some AV vendors are slow at fixing FPs

 

I just did it. It looks fine as you said.

 

Then, you have nothing to worry about
Greetings from the other side of the river

 

Thank U, Lucas. I`m glad there was no virus in my PC.

The only thing that worries me now is that I can`t use the autoupdate feature in SP, because when CA AV is on, the file is quarantined.

I´ll have to manual uddate it until CA takes notice of this FP then. No big deal though.

 

Can't you exclude the file(s) from being scanned? I would be surprised if CA's eTrust does not have a file exclusion feature.

 

Yes, CA has that feature. I tried it several times to no avail. I tried exclusions from real time scanning, from on demand scanning, from both, but after a while the file is sent to quarantine again. It might be a terrible strong fatal virus

I will leave there for the time being and update the software manually, no problem. Just being on the safe side.

Thanks for your advice anyway.

 

Yup, had exactly the same experience!

Seems like some applications have user options as FPs (False Pacifiers)!

 

GOOD NEWS!
I just received the following reply from CA:
_________________

Dear customer,

Thank you for using CA Security Advisor.

This is to notify you of the results of your submission, issue number
1291583. Please keep this issue number for future reference.

With regards to the file "sbautoupdate.exe" submitted by you on 29 Mar
15:18:18 (Australian Eastern Standard Time), we have updated our
signature files to resolve the false positive problem.

The Windows PE (I386,EXE) file "sbautoupdate.exe" has been determined
to be clean. Our researchers have analyzed the file and found nothing
suspicious.

......
CA Security Advisor
______________________

I checked and CE A doesn`t detect it as malware now. It works fine.