DCOMbobulator: False Positive

I’m using NOD32 v2.000.9, Virus Signature1.611 (20040127).
It is detecting GRC’s DCOMbobulator (dcombob.exe) as
Win32/Exploit.DComRpc.A trojan.

http://www.grc.com/dcom/

Is this a False Positive?

 

Hmm tricky, but I dont think it is in my opinion. The program exploits DCOM, and NOD32 detects it as a program that exploits DCOM. No legitimate program should exploit this vulnerability, other than a diagnostic utility to check for it such as this, which does exactly the same as a worm would do to help propagate itself (Obviously this diagnostic tool doesnt propagate itself though before anyone points it out. ).

Hard to make it clear, but if I installed a program that worked exactly the same as subseven, even with some of the same code, to check whether my system was vulnerable to subseven, and NOD32 picked it up as subseven, I wouldnt call it a false positive, because it is exactly what subseven is, just under a different name perhaps.

 

Hi guys,

I've been a Wilders visitor for some time, but only recently came across this board.

Having just read this thread I'd thought I'd say that I have had DCOMbob.exe on my system for some months and it hasn't been flagged previously. I used the recently acquired shell extension (well done for that too btw) to do an adv hueristic scan of the file and once again it wasn't highlighted.
I'm running NOD32 v2.0.8 & Virus Signature1.611 (20040127).
DCOMbob.exe is v2.0 (29,184 bytes) and compares precisely with a duplicate that I just d/l from grc.com.

2.000.9 the only difference here, or perhaps your file has become infected ?

 

I let NOD delete the file, I wasn’t using it anyway.
I believe I had the original file that GRC made available.
It doesn’t detect the current DCOMbob.exe but it did detect the previous one.

I just got a NOD update to v1.612 (2004012.

No big deal.

 

Cancel

 

OK, I've had Gibson's DCOM thingy on my PC for a long time and only just now is AMON having fits over it. I just happened to run my mouse over a shortcut and AMON went off. Ditto when I checked to see if it borked the app itself. Don't have to open the app at all, just mousing over the icon sets off AMON.

I would have thought one would have to open the app before one got a response from the resident monitor. Is it now just responding to the word "DCOM" in the app's name? This seems a new detection/behavior on AMON's part.

I haven't updated to newer program components so I'm running 2.000.6 with the latest virus defs.

Edited to add, I just saw a post in the other thread that it is a new detection as of 1/27. Still, AMON's detecting DeCOMbobulator evidently based on the name when the app hasn't even been opened.

 

Ah, it's XP. See what you mean. Yeah, I considered changing the name and will try that as soon as I temporarily squash AMON. Now it squeals (if it could) when I just open the folder where the shortcut is.

 

Renamed file and shortcut. AMON now doesn't react to a mouseover on the shortcut, but when I open the folder that contains various Gibson's utilities AMON alerts on the dcom app. So it's not hitting on the name only.

So with XP, executing the file (I should have said) is not always necessary for detection since XP in effect reads the file to identify it and give out info about it. Hmn...

 

Sig, what VERSION of DCOMbobulator do you have? I have version 2 which I downloaded last November when I got this new XP box. I just tried running my mouse over the application, then opened it, ran it....did everything I could think of ...scanned it with command line adv. heuristics, regular NOD32 scanning, etc. and nothing I did could get AMON to peep. I have the 1/29 definitions and have version 2.000.6.

I also have this same version 2 of DCOMbobulator on my W98SE box...I have had it there for ages. I just ran my mouse over it, opened it, ran it and AMON remained silent the entire time.

I think you have something else going on or you have a different version of DCOMbobulator.

 

This is the info on the one I had (no warnings from Amon or NOD32 itself anytime, ever, including today with 2.000.8 and DB 1.614) - notice that the exe name is all lower-case):

dcombob.exe
Size: 28.5KB (29,184 bytes)
Size on disk: 32.0KB (32,768 bytes)
Product Version: 2.00
File Version: 2.0.0.0
Created: Tuesday, Nov 11, 2003 3:51:44 AM
MD5: 96bbaf5c624ebbee275dec7c4cf87c74 dcombob.exe

Deleted that one and re-d/l'ed a fresh copy, info below (no warnings from anything after hovering and both right-click scans):

DCOMbob.exe
Size: 28.5KB (29,184 bytes)
Size on disk: 32.0KB (32,768 bytes)
Product Version: 2.00
File Version: 2.0.0.0
Created: Today February 02, 2004 10:07;34 AM
MD5: 96bbaf5c624ebbee275dec7c4cf87c74 DCOMbob.exe

(Notice uppercase in new exe).

So, at least we know that nothing has changed size, size on disk, product version, file version or MD5-wise - the only difference I'm seeing is some (probably irrelevant) upper-vs-lowercase stuff in the exe name.

And I haven't gotten any warnings on either with v2.000.8.

HTH Pete

 

OK, I have version 1.0 of DCOMbob. Hmn....maybe that's it.... I'll give the new version a try and see what's up.

Good thing AMON doesn't come with the famous KAV pig squeal or I would have jumped out of my chair last night.

 

AMON doesn't alert on DCOMbob version 2. But did on version 1. OK.