3066 definitions: Win32/Delf.NKZ Trojan

Discussion in 'ESET NOD32 Antivirus' started by nflftw, May 1, 2008.

Thread Status:
Not open for further replies.
  1. nflftw

    nflftw Registered Member

    Joined:
    May 1, 2008
    Posts:
    3
    NOD32 detected the file C:\WINDOWS\jestertb.dll as this trojan. I've been made to understand after a lot of searching that this update was made within the past 24-48 hours tops, but searching for hours for info about "jestertb.dll" tells me that it's an extremely old file (I don't recall finding anything anywhere about it from 2008 even).

    I deleted it because I was tired and wasn't thinking, but I'd like to know exactly what this Win32/Delf.NKZ Trojan is. Is it possible that it was some sort of false positive? NOD32 found it when Windows Defender was doing a seemingly routine scan of my WINDOWS folder (something I didn't even know it did until now), and that didn't find anything.

    I've since scanned my computer with NOD32, Spybot S&D, and Windows Defender. These programs have all yielded no results. Looking at other threats related to jestertb.dll, I find none of the DLLs loaded into any of my programs that are mentioned.

    What is jestertb.dll? What is Win32/Delf.NKZ? I'm quite confused here and I'd like to know if I have anything to worry about. Most trojans don't solely consist of a dll file, right? I've always been extremely paranoid about security, what I download, what sites I go to, etc. and I'd like to know what in the world this is or if it's some sort of false positive or what :'(
     
    Last edited: May 1, 2008
  2. dorgane

    dorgane Registered Member

    Joined:
    Oct 17, 2007
    Posts:
    362
  3. ASpace

    ASpace Guest

    ESET doesn't have big database with threat description because there are many many threats being released on daily bases and making such public descriptions will take too much time . It really isn't that necessary.

    This is trojan and not a false positive . It is now detected because the update was released with the update you write about.

    You can read general trojan description:
    http://www.eset.com/threat-center/threats.php
     
  4. nflftw

    nflftw Registered Member

    Joined:
    May 1, 2008
    Posts:
    3
    Hi, thanks for the responses. I understand that the file was probably malicious. However, it puzzles me that everything I can find about this file was posted in 2006/2007 yet NOD32 just started detecting it 24-48 hours ago. It also puzzles me that although the file is apparently about 2 years old, nothing else I ran ever detected it.

    Yet another thing that puzzles me is how in the world I would have got it in the first place. I scan every single file that I download that has a hint of suspicion on virustotal/jotti.

    If "jestertb.dll" was not so enigmatic and if this wasn't all so strange, it would be easier to accept the answer of "you got a trojan, get over it."

    This page has been the one to shed the most light on the situation: http://www.threatexpert.com/files/jestertb.dll.html. It says that 25% of the time, the file was not found to be malicious. That's a pretty big number for a file that there's apparently no documentation for anywhere.

    That's why I'm questioning whether or not it's a false positive. Was NOD32 really 2 years late in detecting this if it is malicious? Is "jestertb.dll" a false positive that's just part of some legitimate, obscure program?

    I know I deleted it and all, but in all of my searches I have yet to find a jestertb.dll that is not the exact same size, so it seems there's only one version of it.

    And everything else I can find about "jester" or whatever involves password stealing. I type things that are worth stealing (seriously) several times a day and have for the past 6 months or so. Why has nothing happened if this was here for so long? Perhaps this isn't a keylogging variant or something, but that still points in the direction of it being a false positive.

    However, it was in the C:\WINDOWS directory and the fact that I couldn't find any legitimate documentation for it on the internet points strongly toward the "malicious" side. I'm honestly not sure. The facts and numbers don't seem to add up at all, but its location and its lack of documentation trouble me.

    Here's a post on here that came out inconclusive as well (it's from early 2007 if one looks at the dates): https://www.wilderssecurity.com/showthread.php?t=165860.

    EDIT: Upon looking at the aforementioned thread with a non-tired brain (as it was last night when I stupidly deleted the file), there is extremely strong evidence that this is a false positive. The guy sent the file to not one, but two different companies who both found it to be either semi-questionable or clean. The guy in the thread who seems to have reverse engineered it or something also says it doesn't seem like it's a full-blown trojan and there's a good chance it might not be malicious at all.

    Considering I was able to find only one version of this file talked about anywhere (same byte size), it is reasonable to assume that I had the same version, thus this is likely a false positive. I do cheat in several games I play after I finish them off the first time, and several of them bypass security measures as the Avira report talked about this file being a part of (security measures in single-player games, MADNESS! But I digress), so chances are it IS a false positive.

    It is worth investigation, I think.
     
    Last edited: May 1, 2008
  5. moose2

    moose2 Registered Member

    Joined:
    May 4, 2008
    Posts:
    3
    On a bit of investigation I've found a report on threatexpert here: http://www.threatexpert.com/report.aspx?uid=d95731c9-e192-4b1c-9ada-9d2220f858a6 .

    My system had jestertb.dll reported as an infection, but did not have the felicitare.exe file referred to in the threatexpert report. The "3rd Eye Solutions" registry key was presented, but with an additional subkey named "MapEditorv0.05". The Jestertb.dll file also contains the string "3rdeye_tb_hacking_dll".

    On investigation it seems that there is a company called 3rd Eye Solutions ( ht tp://www.3rdeye.co.uk/ ) which makes a product called FlashJester ( ht tp://www.flashjester.com/ ), which may be behind the jestertb.dll file. (There is not clear evidence that they make any "map editor", though.) I've contacted their support department regarding the file, to see if they can throw any light on the subject.

    By the way, I should add that I consider the policy of not providing descriptions of threats rather misguided, especially when the names used aren't standard with other security sites. If my system IS infected, I need to know what to do about it - if it's just some adware I can get rid of, or if I need to call my bank and raise the alarm, or if it's an actual rootkit and I need to basically degauss my hard disks and start from scratch.
     
    Last edited by a moderator: May 4, 2008
  6. moose2

    moose2 Registered Member

    Joined:
    May 4, 2008
    Posts:
    3
    It seems that the filename jestertb.dll belongs to FlashJester Jugglor, a utility for creating stand-alone flash executables. This utility is also responsible for the mutex 3rdEyeSRunnerMutex, the "3rd Eye Solutions" registry key, and the directory %tmp%/jgl_rt ("Jugglor Runtime").

    Jugglor enhances the Flash runtime with some utilities that could concievably be useful for writing spyware in Flash, for example, the ability to completely hide a Projector window, to access local files (via the JSystem tool), to send e-mail, and to detect the presence or absence of an internet connection. However, nothing I have found suggests that Jugglor itself is spyware.

    The current version of Jugglor includes a jestertb.dll of 21504 bytes which does not trigger alerts from NOD32 when accessed (but *does* still contain the string "3rdeye_tb_hacking_dll"). The "suspicious" jestertb.dll is 20992 bytes. I have proceeded with asking 3rd eye software if a 20992 byte version was ever released legitimately.
     
    Last edited: May 5, 2008
  7. moose2

    moose2 Registered Member

    Joined:
    May 4, 2008
    Posts:
    3
    I contacted 3rd Eye on the phone today. They confirmed that jestertb.dll is part of Jugglor, as is the Jgl_Rt subdirectory. Jugglor is used to produce a standard .EXE file and the .DLL file and the contents of the Jgl_Rt temp directory are unpacked from the .EXE file when it is run. They would not give me any MD5 information, but they did offer to examine the suspect jestertb.dll and see if it is one of theirs, and I have sent it to them.

    They did also mention that they have "been through this procedure with Norton, F-Secure, and some others" and that they intend to e-mail ESET details on the safe versions of the file(s).

    The version of jestertb.dll that actually comes with the current release of Jugglor has an MD5sum: 56df1b6c087d4b9c0ab2318f226d3040.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    Please zip the file in question, protect the archive with the password "infected" and send it to samples[at]eset.com with this thread's url in the subject.
     
  9. nflftw

    nflftw Registered Member

    Joined:
    May 1, 2008
    Posts:
    3
    I would if I didn't dumbly delete the file late at night when it was detected, unless you were talking to moose2.

    Also, I thank you greatly for your help, moose2. The main reason for me posting this thread was the lack of descriptions; just like you, I didn't know whether to call my bank or if it was just some minor thing.

    It looks like this was indeed a false positive; it seems to be something that could be used with malicious intent, but usually isn't.

    We both probably got it from installing an application that utilized some of the features that Jugglor offered or something. Of course, there's a chance that a virus/trojan actually attempted to masquerade part of itself as this obscure file.
     
Thread Status:
Not open for further replies.