crypt.tsr.com

Discussion in 'NOD32 version 2 Forum' started by Pat Brady, Feb 26, 2004.

Thread Status:
Not open for further replies.
  1. Pat Brady

    Pat Brady Guest

    I have had a manual scan come up with two files marked "probably unknown CRYPT.TSR.COM virus", and NOD32 is unable to clean them. I haven't been able to find anything about this file. Is it a virus?
     
  2. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    "Probable unknown Crypt.tsr.com virus" is the result of heuristic analysis of a file: NOD32 suspects the file could be a virus. Do not hesitate to send the file to ESET for analysis. If the file really is a virus, they will let you know.
     
  3. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Yep, submit that to samples@nod.com
     
  4. DiGi

    DiGi Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    114
    Location:
    in the middle of nowhere
    maybe samples@nod32.com is better :D
     
  5. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    DiGi,
    You're right, I had forgotten the "32".
    Thanks. ;)
     
  6. PnP

    PnP Registered Member

    Joined:
    Jun 12, 2003
    Posts:
    194
    Location:
    Italy
    Sorry, I got the same problem last night... the name of the file is

    ws2_32.dll and the location of the file is C:\windows\system32\

    I checked on the internet whether this file is a new virus or an old one... but found nothing, and when AMON deleted the file my connection would not work anymore..

    I tried to scan the file with other antiviruses such as Symantec, Panda and McAfee.. None of them says this is a virus... This is a big problem because the machine I tested this on was freshly formatted, with only Windows XP + system updates + NOD ....

    Please fix this problem soon...
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    PnP,

    As stated above, this detection is due to heuristics. For that reason the result display starts with "Probable.... found" - and that's not a fully certain flag.

    For that reason one should never delete files etc. as a result of heuristics, but rather submit the file for further investigation to Eset. This is by no means a NOD32 flaw - it's the result of a very strong heuristic engine.

    regards.

    paul
     
  8. PnP

    PnP Registered Member

    Joined:
    Jun 12, 2003
    Posts:
    194
    Location:
    Italy
    Ok, thanks Paul for the info... I will set it so that it cannot delete automatically :)

    Cheers and thanks for support
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    My pleasure, PnP ;)

    regards.

    paul
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I've seen quite a few instances of this ws2_32.dll in XP systems recently causing problems.

    It is named after a genuine 95/98 file; it's a winsock2 update for 95/98 first edition.

    XP uses it as well, but if that file is installed by something bad it takes over the XP genuine entry, and if it is removed you lose the internet connection.

    You can try LSPfix to restore it, it might work, or run sfc /scannow to reinstall the genuine version from the windows dllcache.

    If it shows as running in a hjt log, then it's likely a bad overwritten version, as it normally doesn't show in the logs.

    There is suspicion that that entry is a new CWS hijack entry, so send it to Nod for analysis; they will tell you for sure. Or PM Pieter, who will know more; he keeps up to date with new CWS hijackers more than the rest of us.
     
  11. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Paul,

    I guess you're kidding. Either this winsock2 dll is infected by a real malware, or a false positive is triggered by a windows system file. In this case, this is clearly a NOD32 flaw. Everybody can code without problems a very strong heuristic engine that will detect 100% of malware if 100% of false positives is allowed. Very strong heuristics are characterized by:
    - Very good detection rates;
    - Very low false-positive rates.

    According to the latest test from av-test.org, NOD32 heuristics do not comply with the latter.

    Anyway, whatever the AV, it is evident that a false positive on a system file is a scanner flaw.

    --
    Tweakie
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    tweakie,

    Nope - I'm not kidding. Indeed heuristics can point to a real infection. A false positive is by no means a NOD32 flaw. If this were the case, one should trash DrWeb totally, for example - and I for one don't.

    In practice, it's a matter of compromise - as you are well aware. NOD32 does this job very well.

    A matter of opinion: personally, Andreas Marx's bible isn't mine ;)


    regards.

    paul
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK

    I would have thought it unlikely to be a false positive and a NOD flaw or bug, otherwise a lot, if not all, of the Nod users with XP would experience the same problem.

    Something has obviously changed that file for NOD to flag it; whether bad or good is debatable, but it looks like it's been changed.

    Other legitimate programs shouldn't change that winsock 2 entry, as they add their own additional entries, so by process of elimination it suggests a malware problem.
     
  14. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    They should point to a real infection. Patching the winsock export address table used to be a convenient way of intercepting legitimate network traffic (e.g. emails) and appending malware to it. The first mass-mailing worm, Happy99, worked this way, hijacking the connect() and send() functions. MTX and Hybris did roughly the same. I'm actually quite surprised to see that modern worms do not use this trick anymore. As things are going, I would not be surprised to see spyware using it for hooking HTTP requests soon.

    Nevertheless, I'm surprised by the generic name given to the malware: I suppose "crypt" means that Nod found something that looks like a decryption routine, or a portion of binary code that cannot be translated into valid opcodes, and "tsr" is likely to mean "terminate and stay resident" (?). In this particular situation, I cannot see what the "com" means...

    A flaw is not necessarily critical. Moreover, a flaw that is not important for some users might be critical for others. If I had such an alert on my own computer, I would probably first check the file with several AVs, mail it to their analysis teams, and, if necessary, look at it with a hex viewer, disassemble it, or even copy and/or analyse it with a debugger on a virtual machine or on a test computer (or mail it to people who would do it more efficiently and reliably than me ;) ). That's why, for my own use, I do not consider false positives to be a critical issue.

    Many users will just delete this file. For them, it might be critical.

    It's not mine either (http://groups.google.com/groups?selm=20040127223005.J88275%40areba.vasb). But NOD certainly isn't my God :)

    Regards,

    --
    Tweakie
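    The export-table hooking that Tweakie describes above (rewriting a Winsock DLL's export address table so that connect() and send() resolve to attacker code) leaves a sign that can be checked on disk: an exported function's RVA stops pointing into an executable section. The following is an added example, not code from this thread or from ESET, that parses the export directory of a PE32/PE32+ image and flags such exports. It examines a tiny DLL constructed inside build_sample_dll() (the section layout, the 0x2180 hook target and the export names are all made up for the example); a real ws2_32.dll would be read from disk and passed to audit_exports() the same way.

```python
"""Added example: detect a patched export address table (EAT) in a PE DLL.

An export whose RVA is not inside a section flagged EXECUTE is suspicious;
forwarders (RVAs inside the export directory) are strings, not code.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)
EXPORT_DIR = "<IIHHIIIIIII"    # IMAGE_EXPORT_DIRECTORY (40 bytes)


def _headers(pe):
    """Return (sections, export_rva, export_size) from the DOS/NT headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    export_rva, export_size = struct.unpack_from("<II", pe, data_dirs)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr, chars))
    return sections, export_rva, export_size


def _section_for(sections, rva):
    for sec in sections:
        if sec[1] <= rva < sec[1] + sec[2]:
            return sec
    return None


def _rva_to_off(sections, rva):
    sec = _section_for(sections, rva)
    if sec is None:
        raise ValueError("RVA 0x%x lies outside every section" % rva)
    return rva - sec[1] + sec[3]


def audit_exports(pe):
    """Map export name -> (rva, section name or None, suspicious)."""
    sections, exp_rva, exp_size = _headers(pe)
    d = struct.unpack_from(EXPORT_DIR, pe, _rva_to_off(sections, exp_rva))
    nnames, funcs, names, ords = d[7], d[8], d[9], d[10]
    result = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", pe, _rva_to_off(sections, names) + 4 * i)[0]
        ordinal = struct.unpack_from("<H", pe, _rva_to_off(sections, ords) + 2 * i)[0]
        rva = struct.unpack_from("<I", pe, _rva_to_off(sections, funcs) + 4 * ordinal)[0]
        off = _rva_to_off(sections, name_rva)
        name = pe[off:pe.index(b"\0", off)].decode()
        if exp_rva <= rva < exp_rva + exp_size:        # forwarder string, not code
            result[name] = (rva, "forwarder", False)
            continue
        sec = _section_for(sections, rva)
        executable = sec is not None and bool(sec[4] & IMAGE_SCN_MEM_EXECUTE)
        result[name] = (rva, sec[0] if sec else None, not executable)
    return result


def build_sample_dll(hooked=False):
    """Constructed PE32 DLL (not a real ws2_32.dll) exporting connect/recv/send
    from .text, export data in .edata. With hooked=True the EAT slot for
    connect is redirected to 0x2180, inside the non-executable .edata."""
    pe = bytearray(0x600)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                       # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x2102)  # COFF header
    struct.pack_into("<H", pe, 0x58, 0x10B)                      # PE32 magic
    struct.pack_into("<II", pe, 0x58 + 96, 0x2000, 0x100)        # export data directory
    struct.pack_into(SECTION_HDR, pe, 0x138, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HDR, pe, 0x160, b".edata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    # IMAGE_EXPORT_DIRECTORY at RVA 0x2000 == file offset 0x400
    struct.pack_into(EXPORT_DIR, pe, 0x400, 0, 0, 0, 0, 0x2028, 1, 3, 3, 0x2040, 0x2050, 0x2060)
    pe[0x428:0x433] = b"ws2_32.dll\0"
    eat = [0x1000, 0x1010, 0x1020]                               # connect, recv, send
    if hooked:
        eat[0] = 0x2180
    struct.pack_into("<III", pe, 0x440, *eat)
    struct.pack_into("<III", pe, 0x450, 0x2070, 0x2078, 0x2080)  # name RVAs
    struct.pack_into("<HHH", pe, 0x460, 0, 1, 2)                 # name ordinals
    pe[0x470:0x478] = b"connect\0"
    pe[0x478:0x47D] = b"recv\0"
    pe[0x480:0x485] = b"send\0"
    return bytes(pe)
```

    Run it on a real file with audit_exports(open(path, "rb").read()); any entry whose third field is True deserves a look in a disassembler. The section-flag check is a heuristic: a packed or self-modifying DLL can legitimately export from a writable section, and an in-memory EAT hook applied after loading is invisible to an on-disk scan, so a clean result here does not rule out the hook Tweakie describes in a running process.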
     
  15. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Well, there are some "issues" between Mr. Marx and NOD32 people. In science we call it bias to a particular product. :(
     
  16. FanJ

    FanJ Guest

    If I'm allowed to go a bit off topic:
    Wouldn't it be a good idea if people used something like FileChecker from Javacool and added ws2_32.dll to its database?
    At least you would then be alerted in case the file is changed.... :rolleyes:
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi FanJ,

    In general I would agree with you, but I would make an exception for people running Windows versions that have System File Protection. I figure that would be overkill. ;)

    Regards,

    Pieter
     
  18. FanJ

    FanJ Guest

    Hi Pieter,

    I only have W 98 SE as you know, so I don't know anything about System File Protection :rolleyes:
    But if that file was somehow damaged, then it looks to me that System File Protection was not working in the way I understand it: "protecting your system files"...

    ;)

    Cheers, Jan.
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi FanJ,

    How the WFP Feature Works:
    The WFP feature provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WFP receives a directory change notification for a file in a protected directory. After WFP receives this notification, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WFP replaces the new file with the file from the cache folder (if it is in the cache folder) or from the installation source.

    From: http://support.microsoft.com/?kbid=222193

    WFP uses the file signatures and catalog files that are generated by code signing to verify if protected system files are the correct Microsoft versions.

    Certainly any event where FileChecker would notice something that Windows didn't, could be a blessing and I do believe in a layered defense. But this looks like doing the same thing twice.

    Hey, file-checkers are one of your specialties. I could be way out here. :)

    Regards,

    Pieter
     
  20. FanJ

    FanJ Guest

    Hi Pieter ;)

    Big thanks for your link and kind words !

    I had a quick look at that MS-page you mentioned.
    What I saw there, was (among other things) this:

    - Begin quote -

    WFP searches for the correct file in the following locations, in this order:
    The cache folder (by default, %systemroot%\system32\dllcache).
    The network install path, if the system was installed using network install.
    The Windows CD-ROM, if the system was installed from CD-ROM.
    If WFP finds the file in the cache folder or if the installation source is automatically located, WFP silently replaces the file. If WFP cannot automatically find the file in any of these locations, you receive one of the following messages, where file_name is the name of the file that was replaced and product is the Windows product you are using:


    Windows File Protection
    Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your product CD-ROM now.


    Windows File Protection
    Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. The network location from which these files should be copied, \\server\share, is not available. Contact your system administrator or insert product CD-ROM now.
    NOTE: If an administrator is not logged on, WFP cannot display either of these dialog boxes. In this case, WFP displays the dialog box after an administrator logs on. WFP also records an event to the system event log, noting the file replacement attempt. If an administrator cancels the WFP file replacement, an event noting the cancellation is logged. Note that WFP is not a replacement for having properly restricted user accounts and appropriate security policies.

    -End quote -

    So what I see there, is (quoting it again):
    If an administrator is not logged on, WFP cannot display either of these dialog boxes. In this case, WFP displays the dialog box after an administrator logs on. WFP also records an event to the system event log, noting the file replacement attempt. If an administrator cancels the WFP file replacement, an event noting the cancellation is logged.

    So, it seems to me that, depending on whether a user is usually logged in as an administrator or not, it might be a good idea also to use a real-time or near-real-time (as FileChecker) File-Integrity-checker.

    And add to its database important system files (and other files).
    Because if you are not logged in as admin, how long could it take before you see such warning?


    Well, I hope I understood that MS-page right.
    And, as I said, I myself do not have any experience with NT-2000-XP-2003 :oops:


    Cheers, Jan :)
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi FanJ,

    If WFP finds the file in the cache folder or if the installation source is automatically located, WFP silently replaces the file.

    Just tested this on Win2k (deleted iexplore.exe) No warning, no message. It just came back within a second.
    FYI: this is not an Admin account, but a Power User.

    My point being, where do you stop adding files to be checked?

    Although I must say this kind of worries me:
    I can imagine some possibilities to sneak in there.

    Regards,

    Pieter
     
  22. FanJ

    FanJ Guest

    Hi Pieter,

    ~grin~ thanks ! :)

    Shouldn't that then also have happened with that file ws2_32.dll from the poster PnP?

    Some possibilities:
    1- We do not know whether PnP got any warning from WFP about that file ws2_32.dll .
    2- WFP could not find that file in the cache folder or could not locate the installation source automatically.
    3- Which one was first on this occasion:
    WFP or NOD32? I really don't know.
    4- ?

    Indeed a good point ;)
    I myself use three on-demand file-integrity-checkers; each doing its job, when fired up, in its own way.
    One of them checks every file on my system for changes (whether changed, deleted or added)
    But everyone has to make his/her own choices.

    Cheers, Jan.
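    The file-integrity checking that FanJ proposes in posts 16 and 22 (baseline a set of files such as ws2_32.dll, then report what was changed, added or deleted) comes down to a few lines of hashing. The following is an added example and is neither Javacool's FileChecker nor anything from this thread; it stores SHA-256 digests in a JSON baseline and diffs a later snapshot against it. demo() replays the scenario of this thread in a scratch directory with made-up file contents (the "system32" folder, the extra newlsp.dll and old.dll are constructed for the example, not real Windows files).

```python
"""Added example: a minimal baseline-and-compare file-integrity checker."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large DLLs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, names=None):
    """Map relative path -> digest for every file under root (or only `names`)."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if names is None or rel in names:
                result[rel] = sha256_file(full)
    return result


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return the three lists a file checker reports: changed, added, deleted."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Replay the thread's scenario: a Winsock DLL is overwritten after the baseline."""
    root = tempfile.mkdtemp(prefix="filecheck-")
    sys32 = os.path.join(root, "system32")
    os.makedirs(sys32)
    # Constructed placeholder contents; these are not real Windows binaries.
    files = {"ws2_32.dll": b"MZ original winsock2", "kernel32.dll": b"MZ kernel", "old.dll": b"MZ old"}
    for name, data in files.items():
        with open(os.path.join(sys32, name), "wb") as f:
            f.write(data)
    baseline_path = os.path.join(root, "baseline.json")   # keep it outside the watched tree
    save_baseline(snapshot(sys32), baseline_path)

    # Something replaces ws2_32.dll, drops an extra DLL and removes old.dll.
    with open(os.path.join(sys32, "ws2_32.dll"), "wb") as f:
        f.write(b"MZ trojanised winsock2")
    with open(os.path.join(sys32, "newlsp.dll"), "wb") as f:
        f.write(b"MZ extra")
    os.remove(os.path.join(sys32, "old.dll"))

    return compare(load_baseline(baseline_path), snapshot(sys32))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

    Two points that matter in practice and that Pieter's WFP remarks touch on: the baseline must be stored somewhere the watched files' writer cannot reach (a baseline on the same disk that malware with admin rights can rewrite is worth little), and a digest mismatch only says that the file changed, not whether the change was a legitimate update or a hijack; the verdict still needs the kind of analysis the rest of this thread describes.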
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Yes IMO it should have.
    4- because someone used a way to fool WFP?
    5- WFP was not running

    I found this excellent article: http://www.techspot.com/tweaks/wfp/wfp3.shtml

    (I linked to page three because it shows how to check if the service is enabled, but if you are using WFP it is certainly worth reading completely)

    Regards,

    Pieter
     