Adobe Gamma Loader A Virus?

Discussion in 'other anti-virus software' started by shanijee, Mar 8, 2006.

Thread Status:
Not open for further replies.
  1. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    I installed Adobe Acrobat Reader v7.0.7 (2k.XP) on XP.
    Some days later my firewall blocked a file from accessing the internet.
    The file name is AdobeGammaLoader.exe, in the Start Menu\Programs\StartUp folder.
    I blocked the file and scanned it at http://virusscan.jotti.org/
    The file was detected as trojan-clicker.win32.vb.la,
    but NOD32 did not detect it o_O?
    I sent the file to the ESET lab; 3 days later, no signature added?
    On a web site I learned about Adobe Gamma Loader:
    Filename: Adobe Gamma Loader.exe
    Startup entry: Adobe Gamma Loader
    From Adobe: "The Adobe Gamma Control Panel is used to eliminate color casts in a monitor's display. This allows for accurate on-screen previews of an image as it will appear on a variety of other devices. When you install Photoshop 5.0, 6.0 and 7.0, the installer places a shortcut to Adobe Gamma Loader.exe in the Start Menu\Programs\StartUp folder. This causes Adobe Gamma Loader.exe to load the settings in the Adobe Gamma Control Panel when Windows starts. Those settings are then applied system-wide."
    Is Adobe Gamma Loader a virus o_O?
     

    Attached file: pop.jpg
    Last edited: Mar 8, 2006
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    I doubt it. No idea why those other av vendors are detecting it as a trojan.
     
  3. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    More likely an FP. You actually read the writeup from Adobe you quoted, didn't you?
     
  4. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    I think Happy Bytes knows the answer?
     
  5. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    And so do you. What a time waster.
     
  6. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    I do not know why you think that, man. This is a serious problem;
    everyone uses Adobe Acrobat Reader.
    See this:
     

    Attached file: sa.jpg
  7. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    Trojan Clickers
    This family of Trojans redirects victim machines to specified websites or other Internet resources. Clickers either send the necessary commands to the browser or replace system files where standard Internet urls are stored (e.g. the 'hosts' file in MS Windows).

    Clickers are used:

    To raise the hit-count of a specific site for advertising purposes
    To organize a DoS attack on a specified server or site
    To lead the victim to an infected resource where the machine will be attacked by other malware (viruses or Trojans)
     
  8. Lollan

    Lollan Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    288
    Then answer this question yourself, are you being redirected?
     
  9. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    And you suspect Adobe of this? Report the false positive to the vendors of any security programs on your system that detected it. Oh, and have a nice day. :D
     
  10. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    C'mon, give shanijee a break. Looking at the writeups of this trojan at Fortinet and Sophos, it appears that this trojan does drop an executable with the name of "Adobe Gamma Loader.exe" in the startup folder.

    The real question is then, is the file on shanijee's computer really from Adobe, or is it the trojan? Shanijee, I suggest you read the writeup of this file over at Adobe. If it is the true Adobe file, then the file should exist at C:\Program Files\Common Files\Adobe\Calibration (for Windows 2000/XP). Also the file in the Startup folder will be a link or shortcut to this file. The file in the Startup folder should not be an .exe.

    By the way, I do find it strange that a Gamma calibration utility would trigger his firewall.
     
  11. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    I have no folder at d:\Program Files\Common Files\Adobe\Calibration.
    I installed WinXP on the D: drive.
     
    Last edited by a moderator: Mar 8, 2006
  12. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    That's what I thought. I also have a sneaky feeling that you do not have an Adobe Gamma entry in your Control Panel, either.

    Find that AdobeGammaLoader file in your Startup folder. Right-click it and choose Properties. If it is the real Adobe file, the tabs at the top should say General, Shortcut, and Security. If it says General, Security, and Summary, it is probably a fake. If there is a Version tab, see if that says anything about Adobe.
     
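    A defender's Startup-folder audit that automates the checks alglove describes in posts 10 and 12 (an added example, not code from the thread; it assumes a PowerShell 3+ host where Get-FileHash and Get-AuthenticodeSignature exist, and uses the Common Files\Adobe\Calibration path quoted above):

```powershell
# Added example: audit Startup-folder entries named like "Adobe Gamma Loader".
# The genuine entry is a .lnk pointing into Common Files\Adobe\Calibration (per the thread);
# a bare .exe in the Startup folder, or a shortcut pointing elsewhere, is what the thread flags.
$expectedDir = Join-Path $env:CommonProgramFiles 'Adobe\Calibration'
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Start Menu\Programs\StartUp
    [Environment]::GetFolderPath('CommonStartup')   # all-users StartUp
)
$shell = New-Object -ComObject WScript.Shell        # used only to resolve .lnk targets

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File | Where-Object { $_.Name -like '*Adobe*Gamma*' } | ForEach-Object {
        $item = $_
        $findings = @()
        $hash = $null
        if ($item.Extension -eq '.lnk') {
            $probe = $shell.CreateShortcut($item.FullName).TargetPath
            if (-not ($probe -like "$expectedDir\*")) {
                $findings += "shortcut target outside expected folder: $probe"
            }
        } else {
            # post 10: the Startup entry should be a shortcut, not an executable
            $findings += 'entry is not a shortcut; a loose .exe here is suspect'
            $probe = $item.FullName
        }
        if (-not (Test-Path $expectedDir)) { $findings += "expected folder missing: $expectedDir" }
        if ($probe -and (Test-Path $probe)) {
            # post 12: version info should mention Adobe, but post 22 shows it can be forged,
            # so also check the Authenticode signature, which a forged version resource cannot fake
            $vi = (Get-Item $probe).VersionInfo
            if ($vi.CompanyName -notlike '*Adobe*') {
                $findings += "CompanyName is '$($vi.CompanyName)', not Adobe"
            }
            $sig = Get-AuthenticodeSignature -FilePath $probe
            if ($sig.Status -ne 'Valid') { $findings += "Authenticode status: $($sig.Status)" }
            # hash for submitting to a vendor or comparing with a known-good copy
            $hash = (Get-FileHash -Path $probe -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            Entry    = $item.FullName
            Target   = $probe
            SHA256   = $hash
            Findings = if ($findings) { $findings -join '; ' } else { 'no findings' }
        }
    }
}
```

    A clean Photoshop install should produce a single .lnk row with "no findings"; any row listing an .exe entry, a non-Adobe CompanyName or a NotSigned status is the case the thread is discussing and is worth submitting to a vendor rather than deleting blindly.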
  13. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    Here it is o_O
     

    Attached file: 1.jpg
  14. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    Well it seems both my computers have version 1.0.0.1 which is 111kb. So not sure if your version is actually real and just an older version...
     
  15. TeraInnovations

    TeraInnovations Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    91
    If the file is sitting in the Start Menu\Programs\StartUp folder, it is most likely malicious. That many different companies would not detect the sample if it was a false positive. It is very rare that false positives affect that many scanners at the same time, and there are a lot of top-notch scanners in that list.

    Even though the text says that it isn't a virus and is a legit component of the program, that is just based on the filename. There are hundreds of trojans floating around that use the filename svchost.exe, and svchost.exe is a legit name of a Windows system file, but that doesn't make all files named svchost.exe legit.

    Not to answer for NOD or anything, but samples do get lost 'in transit' sometimes, so, they might not have even gotten your submission. Did you try sending it again?

    If you want, I will have one of our guys analyze the executable to see if it is malicious or not. Chances are, if that many antivirus programs find it, it is malicious.

    Good day,
    -Tera Innovations, Incorporated Support Team
     
  16. TeraInnovations

    TeraInnovations Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    91
    Here is a very quick overview of what this sample does (just analyzed)

    It is written in Visual Basic and uses the internal SHDocVW WebBrowser control (basically IE) to visit a website to increase the clicks (http: // ne[BLANKED OUT]oa.com/rankboost.php?[BLANKED OUT] )

    So, the verdict shows that this file is definitely not the legitimate version of the Adobe component, but is, in fact a malicious program.

    Hope that helps :)

    -Tera Innovations, Incorporated Support Team
     
  17. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    So it's harmless? What should I do?
     
  18. TeraInnovations

    TeraInnovations Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    91
    If you can, try and just delete the file. If that doesn't work, download one of the antivirus programs that found it and run a full system scan. They should clean it properly.

    -Tera Innovations, Incorporated Support Team
     
  19. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    Thank you, Tera Innovations, Incorporated Support Team.
    You made future antivirus; good luck for support.
     
  20. TeraInnovations

    TeraInnovations Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    91
    Always happy to help ;)
    Would you mind if I forward this sample onto other antivirus researchers to get it detected faster?

    -Tera Innovations, Incorporated Support Team
     
  21. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    ok as you wish :)
     
  22. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Why was this thread moved? It was started specifically because NOD32 was not detecting a certain piece of malware.

    In any case, the information in the Version tab was definitely forged. It seems that malware authors are becoming more clever. :cautious: The real file would not have the Compatibility tab, though.

    Going by the Fortinet and Sophos writeups, you should also look for a file named <Temp>\ShowInfo.exe . If it is not there, check your NOD32 logs to see if it was caught at some earlier time.
     
  23. b00ze

    b00ze Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    30
    Location:
    Rhineland
    Hi!

    These are my results of the "Adobe Gamma Loader.exe"-File (Version 1.0.0.1) on virusscan.jotti.org:

    hxxp://www.fileserver.mynetcologne.de/Untitled-2.png
    This file is definitely clean. For years now. :)

    I have installed the latest Version of Acrobat Reader (7.0.7) and a prehistoric Photoshop 7.01.

    Unfortunately shanijee cropped the MD5 checksum from the image he sent...
     
    Last edited by a moderator: Mar 9, 2006
  24. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    OK guys, how about this tool? I also installed this:
    h**p://www.tnk-bootblock.co.uk/getfile.php?id=arsu
    Adobe Reader Speed-Up v1.34
     
  25. Lollan

    Lollan Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    288
    Jotti is showing that it's possibly a sandbox infection.
     