Is netapi32.dll a virus

Hi NOD has told me that netapi32.dll is a virus. I thought this was a regular windows element.
Two instances of it were found, one at D:\WINNT\$NtUninstallKB835732$
and D:\WINNT\servispack files\338\netapi32.dll.
Can anyone advise,
Thanks

 

Chrysty, please send that file to samples@nod32.com. It may actually be a virus so Eset will need to check it.

 

I get netapi32.dll infected

trojan Exploit.CAN.2003-0533 found in operating memory. NOD32 cannot clean this infiltration. No action can be taken on a memory infiltration.

How do I get rid of this in window2000, it keeps repairing itself and windows is very unstable?

 

G'day All,
Received a shock when I discovered the same trojan in the same files on two fully patched Win2KPRo servers.
Also receiving: Error occured while scanning operating memory. Operating memory cannot be scanned (an error occured while loading nod32m1.vxd file or during communication with the testing service).
I really hope this is a False+ as indicated in another post......
I'll try an send the quarantined files to eset.
Fingers Crossed.......
Ben.

 

rdw123,
What ServicePack of Windows 2000 are you running? and have you run KB835732, or security rollup "Microsoft Security Bulletin MS04-011 Security Update for Microsoft Windows (835732)" if not, then I suspect that Nod32 is being overprotective and telling us that these files are "vulnerable" but not that they "haven't been patched", If you get the distinction. On 4 Win2K servers/Pro I run they have all been listed as being in the Service Pack and the KB835732.
I've emailed samples@nod32 with my suspicions and the example files, let's hope they have an answer soon, as tomorrow morning 0900hrs (Aust time) all hell will break loose with those clients who are tardy in applyng their patches....

Cheers Ben.

 

G'day Paul, yes. Too much coffee <grin>.
I REALLY hope they address this before 0900hrs +10 tomorrow!

Cheers Ben.

 

The w2k server I control also shows this file as infected in both locations:

F:\WINNT\$NtUninstallKB835732$\netapi32.dll - Exploit.CAN.2003-0533 trojan
F:\WINNT\ServicePackFiles\i386\netapi32.dll - Exploit.CAN.2003-0533 trojan

They're coming atcha ESET

 

TDS-3 does not report any mischief

 

Hi all,

Same thing here on Win2000 SP4.

Send the bugger to samples@nod32.com

rgds,
Martin

 

have done so

 

Some info about the bugger:

netapi32 - netapi32.dll - DLL Information

DLL File: netapi32 or netapi32.dll
DLL Name: Microsoft LAN Manager DLL
Description: File that contains the Windows NET API used by applications to access a Microsoft network.
Part Of: Microsoft network
System DLL: Yes
Common Errors: File Not Found, Missing File, Exception Errors

 

Some more info:

RpcLsa-B

First Report: 2004-06-08 11:37
Last Update: 2004-06-30 23:38

Aliases: Exploit.CAN-2003-0533
Troj/RpcLsa-B



Information From AntiVirus Vendors

Below you find information from different vendors, which have been included in this Secunia Virus Profile.

Information from the vendors is sorted by the time the information became publicly available at the vendor websites. The first available reports will be displayed first. Please note timestamps are in GMT+1.

#1 - SOPHOS

Troj/RpcLsa-B Severity:
- File Size:
-

Reported:
2004-06-08 11:37 Last Update:
2004-06-30 23:38

Description:
Troj/RpcLsa-B is a malicious executable using the lsasrv.dll RPC buffer overflow exploit vulnerability specified in MS04-011. It is used by hackers to gain remote shell access to target system.

Full Report From Vendor Removal Tool/Instructions View/Hide ChangeLog

ChangeLog:


Changes are listed in chronological order with the latest changes first.

2004-06-08 12:03 Description was changed.

New:
"Troj/RpcLsa-B is a malicious executable using
the lsasrv.dll RPC buffer overflow exploit
vulnerability specified in MS04-011. It is
used by hackers to gain remote shell access
to target system."

Old:
"A detailed analysis will be published here
shortly. Please check again later."

More info:

http://www.sophos.com/virusinfo/analyses/trojrpclsab.html

 

beng was correct, I had not installed "Microsoft Security Bulletin MS04-011 Security Update for Microsoft Windows (835732)"
Once installed no more alerts!!

One of the best ways of checking, suggested by spy1 BelArc Advisor from here: BelArc Advisor d/l site . in thread https://www.wilderssecurity.com/showthread.php?t=30699

I think an alert warning, not a virus warning should be showing! I've got better things to do than chase a non existant virus.

Anyhow I would vote 1 for any political party that proposes the eletric chair or gas chamber for virus writers!

 

I had installed the "patch" and reinstalled it and still getting the same "virus warning", so i guess there is something else going on here.

rgds,
Martin

 

Have you checked that it has been installed correctly with BelArc Advisor? Quite a handy free utility.

Instead of saying that there is a virus, it should say is undeniable proof of weponds of mass destruction. We must destroy netapi32 it has WMD's, for your own security destroy now.

 

The reference to CAN.2003-0533 is on page http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx in the Acknowledgments, the last one on the list.

 

Are you refering to "eEye Digital Security "??

rgds,
Martin

 

I experienced the netapi.dll problem too (see other thread). I deleted netapi.dll from two places and will be able to restore them from a ghost image if/when Eset confirms it was a false positive.

I'm posting here to report that, in the meantime, I downloaded (a version of) netapi.dll from www.dll-files.com and placed it in the appropriate folders. NOD32 doesn't seem to have a problem with this file. Did I do the sensible thing?

 

G'day Guys,
I should point out that RDW123's problem was slightly different, the file NOD32 was finding was in /system32/ not /ServicePackFiles/i386 etc.
Hence my suggestion to apply the Hotfix.

If anyone is finding the problem in a netapi32.dll OTHER than in /System32/ then it is either an archived file (most likely) or an infiltration.

I echo ,RDW123's comment, it should be a warning to update, rather than display the Virus Alert and delete the file.

This could really disable a users Windows 2000 pro, and give Nod32 a bad Rap.

Only if you trust www.dll-files.com, I would advise you apply the hotfix rather than download a single DLL, unless of course the files you deleted were not in /System32. <grin>.

I've seen other posts suggesting turning off AMON until this issue is resolved, imho I think thats a very BAD idea and leaves you open to attack.
My approach is to add the various netapi32.dll files to the exclusion list in AMON, that's what it is there for, and is a far more secure way of dealing with this issue, until we get the word from Eset.
My 2 cents anyway.

Cheers Ben.

 

Thanks for the reply. My machine is fully patched, netapi32.dll was not flagged in /System32.

I agree, turning off Amon is not a wise option. Exclusion is a good choice. Even still, don't know if there's much point in restoring netapi.dll from my ghost image since I found the file elsewhere

 

This is most definitely a false positive. The only machines at work reporting this violation are Windows 2000 machines. XP machines are not. The machines reporting this also have NO network access. They pull all their updates from a LAN SUS server.

NOD32 isn't a stranger to false positives. This has happened before.

 

Don't turn of AMON. I said you have to turn of AMON to email the files. Then I tuned it back on. trojan or no, emailing them isn't going to infect me.

Once you have emailed the files (or trust that the million copies ESET is going to get is already enough) leave the files alone, then AMON won't complain. These files are not needed for normal operation of windows unless you roll back a service pack/hotfix.

@optigrab, it has been my experience that grabbing dlls ifor w2k server almost never works unless you get the exact version you need. I would not have deleted those file if I were you. Delete first ask questions later usually does more damage than the virus/trojan itself.

 

So did they fix it with the new update?

 

https://www.wilderssecurity.com/showthread.php?p=216775#post216775

NOTICE: this thread is going to be merged with the one above shortly. I should have do it yesterday.

change of plans, this thread will be locked. Post follow ups here:

https://www.wilderssecurity.com/showthread.php?t=40633&page=2&pp=20