crypt.tsr.com

I have had manual scan come up with two files marked "probably unknown CRYPT.TSR.COM virus" and NOD32 unable to clean it. I haven't been able to find anything about this file. Is it a virus?

 

Probable unknown Crypt.tsr.com virus is result of heuristic analysis of some file. NOD32 suspects the file could be a virus. Do not hesitate and send the file to ESET for analysis. If the file is really virus, they will let you know.

 

Yep, submit that to samples@nod.com

 

maybe samples@nod32.com is better

 

DiGi,
You've the reason, I had forgave "32".
Thanks.

 

Sorry I recieve the idem problem last night... the name of file is

ws2_32.dll and the location of file is C:\windows\system32\

I check on the internet if this file is a new virus or old... But nothing of this and when the AMON delete the file my connection cannot work anymore..

I try to scan the file with other antivirus such symantec, panda and mcafee.. Noone say me that this is a virus... This is a big problem because the machine that I was tested this is formatted and only windows xp + system updates + nod ....

Please fix this problem soon...

 

Ok thanks Paul for the info... I will set that cannot delete automatically

Cheers and thanks for support

 

Paul,

I guess you're kidding. Either this winsock2 dll is infected by a real malware or a false
positive is triggered by a windows system file. In this case, this is clearly a NOD32 flaw.
Everybody can code without problems a very strong heuristic engine that will detect
100% of malware if 100% of false positive is allowed. Very strong heuristics are
characterized by :
- Very good detection rates ;
- Very low false-positive rates.

According to the latest test from av-test.org, NOD32 heuristics does not comply with
the latter.

Anyway, whatever the AV, it is evident that a false positive on a system file is a scanner flaw.

--
Tweakie

 

They should point to a real infection. Patching winsock export address table used to be a convenient way for intercepting legtimate network trafic (e.g. emails) and appending malware to it. The first mass mailing worm, Happy99 worked this way, hijacking connect() and send() functions. MTX and Hybris did roughly the same. I'm actually quite surprised to see that modern worms do not use this trick anymore. As the things are going, I would not be surprised to see
spywares using it for hooking HTTP requets soon.

Nevertheless, I'm surprised by the generic name given to the malware : I suppose "crypt" means that Nod found something that looks like a decryption routine or portion of binary code that cannot be translated into valid opcodes, "tsr" is likely to mean "terminate and stay resident"(?).
In this particular situation, I cannot see what the "com" means...

A flaw is not necessarily critcal. Moreover,a flaw that is not important for some users might be critical for others. If I had such an alert on my own computer, I would probably check first the file with seral AVs, mail it to their analysis teams, and, if necessary, look at it with an hex. viewer, disassemble it or even copy and/or analyse it with a debugger on a virtual machine or on a test computer (or mail it to people that would do it more efficiently and reliably than me ). That's why, for my own use, I do not consider false positives to be a critical issue.

Many users will just delete this file. For them, it might be critical.

It's not mine either (http://groups.google.com/groups?selm=20040127223005.J88275%40areba.vasb). But NOD certainly isn't my God

Regards,

--
Tweakie

 

Well, there are some "issues" between Mr. Marx and NOD32 people. In science we call it bias to a particular product.

 

If I'm allowed to go a bit off topic:
Wouldn't it be a good idea if people use something like FileChecker from Javacool and add ws2_32.dll to its database?
At least you will then be alerted in case the file is changed....

 

Hi FanJ,

In general I would agree with you, but I would make an exception for people running Windows versions that have System File Protection. I figure that would be overkill.

Regards,

Pieter

 

Hi Pieter,

I only have W 98 SE as you know, so I don't know anything about System File Protection
But if that file was somehow damaged, then it looks to me that System File Protection was not working in the way I understand it: "protecting your system files"...



Cheers, Jan.

 

Hi FanJ,

How the WFP Feature Works:
The WFP feature provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WFP receives a directory change notification for a file in a protected directory. After WFP receives this notification, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WFP replaces the new file with the file from the cache folder (if it is in the cache folder) or from the installation source.

From: http://support.microsoft.com/?kbid=222193

WFP uses the file signatures and catalog files that are generated by code signing to verify if protected system files are the correct Microsoft versions.

Certainly any event where FileChecker would notice something that Windows didn't, could be a blessing and I do believe in a layered defense. But this looks like doing the same thing twice.

Hey, file-checkers are one of your specialties. I could be way out here.

Regards,

Pieter

 

Hi Pieter

Big thanks for your link and kind words !

I had a quick look at that MS-page you mentioned.
What I saw there, was (among other things) this:

- Begin quote -

WFP searches for the correct file in the following locations, in this order:
The cache folder (by default, %systemroot%\system32\dllcache).
The network install path, if the system was installed using network install.
The Windows CD-ROM, if the system was installed from CD-ROM.
If WFP finds the file in the cache folder or if the installation source is automatically located, WFP silently replaces the file. If WFP cannot automatically find the file in any of these locations, you receive one of the following messages, where file_name is the name of the file that was replaced and product is the Windows product you are using:


Windows File Protection
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your product CD-ROM now.


Windows File Protection
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. The network location from which these files should be copied, \\server\share, is not available. Contact your system administrator or insert product CD-ROM now.
NOTE: If an administrator is not logged on, WFP cannot display either of these dialog boxes. In this case, WFP displays the dialog box after an administrator logs on. WFP also records an event to the system event log, noting the file replacement attempt. If an administrator cancels the WFP file replacement, an event noting the cancellation is logged. Note that WFP is not a replacement for having properly restricted user accounts and appropriate security policies.

-End quote -

So what I see there, is (quoting it again):
If an administrator is not logged on, WFP cannot display either of these dialog boxes. In this case, WFP displays the dialog box after an administrator logs on. WFP also records an event to the system event log, noting the file replacement attempt. If an administrator cancels the WFP file replacement, an event noting the cancellation is logged.

So, it seems to me that, depending on whether a user is usually logged in as an administrator or not, it might be a good idea also to use a real-time or near-real-time (as FileChecker) File-Integrity-checker.

And add to its database important system files (and other files).
Because if you are not logged in as admin, how long could it take before you see such warning?


Well, I hope I understood that MS-page right.
And, as I said, I myself have not any experience with NT-2000-XP-2003


Cheers, Jan

 

Hi FanJ,

If WFP finds the file in the cache folder or if the installation source is automatically located, WFP silently replaces the file.

Just tested this on Win2k (deleted iexplore.exe) No warning, no message. It just came back within a second.
FYI: this is not an Admin account, but a Power User.

My point being, where do you stop adding files to be checked?

Although I must say this kind of worries me:

I can imagine some possibilities to sneak in there.

Regards,

Pieter

 

Hi Pieter,

~grin~ thanks !

Shouldn't that then not also have happened with that file ws2_32.dll from the poster PnP?

Some possibilities:
1- We do not know whether PnP got any warning from WFP about that file ws2_32.dll .
2- WFP could not find that file in the cache folder or could not locate the installation source automatically.
3- Which was one was first in this occasion:
WFP or NOD32? I really don't know.
4- ?

Indeed a good point
I myself use three on-demand file-integrity-checkers; each doing its job, when fired up, in its own way.
One of them checks every file on my system for changes (whether changed, deleted or added)
But everyone has to make his/her own choices.

Cheers, Jan.

 

Yes IMO it should have.
4- because someone used a way to fool WFP?
5- WFP was not running

I found this excellent article: http://www.techspot.com/tweaks/wfp/wfp3.shtml

(I linked to page three because it shows how to check if the service is enabled, but if you are using WFP it is certainly worth reading completely)

Regards,

Pieter