mswin.exe

Someone sent me a file called mswin.exe.
On his computer it tried to gain internet access at startup.
The file name and the registry-entry HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows\Run\mswin seem to indicate Backdoor.Dumba but NAV didn´t find it, although it should be in their definitions.

Any ideas on this one?

Regards,

Pieter

 

A little more info about this one: the file was offered for download as DIVX 2003 from BBShareware.com

Paul, I missed your post
The person I got it from had removed DIVX 2003 some time ago. On my advise he deleted the registry entry, the file has been quarantained and submitted to SARC
I certainly will keep you posted.

Regards,

Pieter

 

Feel free to send me the file via email to support@ eurosecure.com and I'll check it out.

Regards,
Anders

 

It´s on it´s way Anders. Thnx for the offer.

I submitted them to the scans Paul suggested.
On DrWeb it came up suspicious, KAV could not find anything wrong with it.

Regards,

Pieter

 

Seems to be a dropper for an IRC-backdoor. I didn't check it THAT throughly. It will be further analyzed and if needed added to the NOD32 database.

If you ever get any other suspicious files, don't hesitate to send them...

Regards,
Anders
EuroSecure

 

With this kind of service? I´d be a fool not to send them.

Thnx again,

Pieter

 

Thanks guys, I'm the person with the mswin.exe firewall alert, so I'll keep an eye on this topic.

 

FYI, that file is now detected by NOD32 as Win32/IRC.Dix.A.

And, I can't stress it enough, don't hesitate to send me any suspicious files.

Regards,
Anders
EuroSecure

 

Thanks again anders and what I don't trust is all yours

Regards,

Pieter

 

Please let me have a copy just in case, submit@diamondcs.com.au

thx

 

I'll do that tonight Gavin, if that's OK. (in about 5 hours, keep forgetting time- zones )

Regards,

Pieter

 

Gavin,

I´m sorry to tell you that I can´t send you the file. I´m pretty sure I copied the file from my attachments folder to a safe place before I sent it to Anders and SARC. But the copy in the attachments folders is gone which was to be expected, since I put it in quarantaine before I sent it to SARC.
But unfortunately the copy is gone as well

BTW This is the answer from SARC:

quote

resultaat: Dit bestand is geïnfecteerd met Trojan.Dumba
This file is infected with Trojan.Dumba
opmerkingen van Symantec Security Response-medewerker:
remarks by SSR-employee
C:\Program Files\IncrediMail\Data\Identities\{50AE2311-B53A-4AED-84F7-43F56DA0449F}\Message Store\Attachments\mswin.exe is a non-repairable threat. It is detected by NAV after an update using the attached definition updater. Please delete this file and replace it if neccessary.

unquote

Well at least I got the 29-10 update by e-mail
Maybe Anders would be so kind to send you his copy?

Sorry,

Pieter

 

So now it's detected by NAV? I can have a look on the site where I downloaded the file, it's on a so called warez site
I'll check it out

 

Caspar107,

Please be carefull in doing so. Symantec claimed it to be Trojan.Dumba which was in their definitions al along.
Besides that: they e-mailed me the update for the 29th which is not available for download yet.
[EDIT] Is available now [/EDIT]

Take care,

Pieter

 

It's a zipped file, but I looked on the site and............ it's not there anymore , that's better!

But it's detected now with the latest ref of NAV? LiveUpdate? Because mine stands at 28-10, and no more updates available

 

Direct download link:

http://www.symantec.com/avcenter/download/us-files/20021029-003-i32.exe

Regards,

Pieter

 

Got it from the Helpmij NAV update topic, recieve automatic email

But I still don't get it why NAV did not detect it while it was a known trojan? Or is the difference now that it was a so called "dropper" wich is not detected as a part of it?

 

Not quite sure about that. Maybe Anders can answer that. He´s the one that took it apart to see what made it tick

Regards,

Pieter

 

Symantecs Dumba description somewhat matches this file. I assume this is another variant of the file they detected already, and, as they received the sample, they added detection for it.

Regards,
Anders
EuroSecure

 

Got a copy, thanks everyone - don't hesitate to send me suspicious samples either