DCOMbobulator: False Positive

Discussion in 'NOD32 version 2 Forum' started by MarsVenus, Jan 28, 2004.

Thread Status:
Not open for further replies.
  1. MarsVenus

    MarsVenus Registered Member

    Joined:
    Jan 25, 2004
    Posts:
    8
    I’m using NOD32 v2.000.9, Virus Signature 1.611 (20040127).
    It is detecting GRC’s DCOMbobulator (dcombob.exe) as
    Win32/Exploit.DComRpc.A trojan.

    http://www.grc.com/dcom/

    Is this a False Positive?
     
  2. dos

    dos Registered Member

    Joined:
    Oct 17, 2003
    Posts:
    43
    Hmm, tricky, but I don't think it is, in my opinion. The program exploits DCOM, and NOD32 detects it as a program that exploits DCOM. No legitimate program should exploit this vulnerability, other than a diagnostic utility to check for it such as this, which does exactly the same as a worm would do to help propagate itself (obviously this diagnostic tool doesn't propagate itself though, before anyone points it out. ;)).

    Hard to make it clear, but if I installed a program that worked exactly the same as SubSeven, even with some of the same code, to check whether my system was vulnerable to SubSeven, and NOD32 picked it up as SubSeven, I wouldn't call it a false positive, because it is exactly what SubSeven is, just under a different name perhaps.
     
  3. Waindwops

    Waindwops Registered Member

    Joined:
    Jan 28, 2004
    Posts:
    1
    Hi guys,

    I've been a Wilders visitor for some time, but only recently came across this board.

    Having just read this thread I thought I'd say that I have had DCOMbob.exe on my system for some months and it hasn't been flagged previously. I used the recently acquired shell extension (well done for that too, btw) to do an advanced heuristic scan of the file and once again it wasn't highlighted.
    I'm running NOD32 v2.0.8 & Virus Signature 1.611 (20040127).
    DCOMbob.exe is v2.0 (29,184 bytes) and compares precisely with a duplicate that I just downloaded from grc.com.

    Is 2.000.9 the only difference here, or perhaps your file has become infected?
     
  4. MarsVenus

    MarsVenus Registered Member

    Joined:
    Jan 25, 2004
    Posts:
    8
    I let NOD delete the file, I wasn’t using it anyway.
    I believe I had the original file that GRC made available.
    It doesn’t detect the current DCOMbob.exe but it did detect the previous one.

    I just got a NOD update to v1.612 (20040128).

    No big deal.
     
  5. MarsVenus

    MarsVenus Registered Member

    Joined:
    Jan 25, 2004
    Posts:
    8
    Cancel
     
  6. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    OK, I've had Gibson's DCOM thingy on my PC for a long time and only just now is AMON having fits over it. I just happened to run my mouse over a shortcut and AMON went off. Ditto when I checked to see if it borked the app itself. Don't have to open the app at all, just mousing over the icon sets off AMON.

    I would have thought one would have to open the app before one got a response from the resident monitor. Is it now just responding to the word "DCOM" in the app's name? This seems a new detection/behavior on AMON's part.

    I haven't updated to newer program components so I'm running 2.000.6 with the latest virus defs.

    Edited to add: I just saw a post in the other thread that it is a new detection as of 1/27. Still, AMON's detecting DCOMbobulator evidently based on the name when the app hasn't even been opened.
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    "Hasn't even been opened"? What version of Windows are you running there sig? On XP, Windows accesses files for all sorts of reasons. I mouse over a file and it tries to pull all the version info out of it, so it reads the whole file at that moment. Or perhaps it's opening it just to draw out the icon...

    Also, you can certainly check to see if it is just name based recognition or not - change the name and run over it again.
     
  8. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Ah, it's XP. See what you mean. Yeah, I considered changing the name and will try that as soon as I temporarily squash AMON. Now it squeals (if it could) when I just open the folder where the shortcut is.
     
  9. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Renamed file and shortcut. AMON now doesn't react to a mouseover on the shortcut, but when I open the folder that contains various Gibson's utilities AMON alerts on the dcom app. So it's not hitting on the name only.

    So with XP, executing the file (I should have said) is not always necessary for detection since XP in effect reads the file to identify it and give out info about it. Hmn...
     
  10. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Sig, what VERSION of DCOMbobulator do you have? I have version 2, which I downloaded last November when I got this new XP box. I just tried running my mouse over the application, then opened it, ran it... did everything I could think of... scanned it with command line advanced heuristics, regular NOD32 scanning, etc., and nothing I did could get AMON to peep. I have the 1/29 definitions and have version 2.000.6.

    I also have this same version 2 of DCOMbobulator on my W98SE box...I have had it there for ages. I just ran my mouse over it, opened it, ran it and AMON remained silent the entire time.

    I think you have something else going on or you have a different version of DCOMbobulator.
     
  11. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    This is the info on the one I had (no warnings from AMON or NOD32 itself anytime, ever, including today with 2.000.8 and DB 1.614) - notice that the exe name is all lower-case:

    dcombob.exe
    Size: 28.5KB (29,184 bytes)
    Size on disk: 32.0KB (32,768 bytes)
    Product Version: 2.00
    File Version: 2.0.0.0
    Created: Tuesday, Nov 11, 2003 3:51:44 AM
    MD5: 96bbaf5c624ebbee275dec7c4cf87c74 dcombob.exe

    Deleted that one and re-downloaded a fresh copy, info below (no warnings from anything after hovering and both right-click scans):

    DCOMbob.exe
    Size: 28.5KB (29,184 bytes)
    Size on disk: 32.0KB (32,768 bytes)
    Product Version: 2.00
    File Version: 2.0.0.0
    Created: Today, February 02, 2004 10:07:34 AM
    MD5: 96bbaf5c624ebbee275dec7c4cf87c74 DCOMbob.exe

    (Notice uppercase in new exe).

    So, at least we know that nothing has changed size, size on disk, product version, file version or MD5-wise - the only difference I'm seeing is some (probably irrelevant) upper-vs-lowercase stuff in the exe name.

    And I haven't gotten any warnings on either with v2.000.8.

    HTH Pete
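    As an added example (not code from the thread, from GRC or from the NOD32 forum), here is the comparison spy1 did by hand above, scripted: size, MD5 and, as an assumption beyond the post, SHA-256 of two copies, plus a check on whether the names differ only in case. If the bytes are identical but a scanner alerts on one copy and not the other, the difference is in the name/path or the definitions, which is also what the rename test in post 9 was probing. The sample bytes and the "old"/"new"/"bad" directory names are constructed stand-ins; no real dcombob.exe is involved.

```python
"""Added example (not from the thread): verify that two copies of a downloaded
tool are byte-for-byte identical, the way spy1 compared the old dcombob.exe
against a freshly downloaded DCOMbob.exe.  Size, MD5 and SHA-256 are computed;
matching size alone is not enough, since a modified copy can keep the same
size.  All sample bytes below are constructed stand-ins, not the real file.
"""
import hashlib
import tempfile
from pathlib import Path


def digests(data: bytes) -> dict:
    """Size plus MD5 and SHA-256 hex digests of a byte string."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        # MD5 collisions are practical today; SHA-256 is the digest to trust.
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def compare_copies(name_a: str, data_a: bytes, name_b: str, data_b: bytes) -> dict:
    """Compare two copies by content and note whether the names differ only in case.

    If the content is identical, any difference in scanner behaviour between
    the two copies comes from the name/path (or from the scanner's
    definitions), not from the file itself.
    """
    da, db = digests(data_a), digests(data_b)
    return {
        "same_size": da["size"] == db["size"],
        "same_md5": da["md5"] == db["md5"],
        "same_sha256": da["sha256"] == db["sha256"],
        "identical": data_a == data_b,
        "name_differs_only_in_case": name_a != name_b and name_a.lower() == name_b.lower(),
        "a": da,
        "b": db,
    }


def compare_files(path_a, path_b) -> dict:
    """Same comparison for two files on disk."""
    pa, pb = Path(path_a), Path(path_b)
    return compare_copies(pa.name, pa.read_bytes(), pb.name, pb.read_bytes())


def demo() -> dict:
    """Write constructed stand-ins to a temp dir and compare them.

    The copies go into separate sub-directories because on a case-insensitive
    filesystem (Windows, default macOS) 'dcombob.exe' and 'DCOMbob.exe' are the
    same file and the second write would overwrite the first.
    """
    # Constructed payload: an "MZ" header followed by filler, not a real PE.
    pristine = b"MZ" + b"\x90" * 100
    tampered = b"MZ" + b"\x90" * 99 + b"\xcc"  # same length, one byte changed
    with tempfile.TemporaryDirectory() as tmp:
        old = Path(tmp, "old")
        new = Path(tmp, "new")
        bad = Path(tmp, "bad")
        for d in (old, new, bad):
            d.mkdir()
        (old / "dcombob.exe").write_bytes(pristine)
        (new / "DCOMbob.exe").write_bytes(pristine)
        (bad / "DCOMbob.exe").write_bytes(tampered)
        return {
            "pristine": compare_files(old / "dcombob.exe", new / "DCOMbob.exe"),
            "tampered": compare_files(old / "dcombob.exe", bad / "DCOMbob.exe"),
        }


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label}: identical={r['identical']} same_size={r['same_size']} "
              f"md5_match={r['same_md5']} sha256_match={r['same_sha256']} "
              f"name_case_only={r['name_differs_only_in_case']}")
```

    The "tampered" case is the one worth keeping in mind: it reports the same size and the same on-disk footprint as the pristine copy, and only the digests reveal the change. Run `compare_files` against the copy you have and a fresh download from the vendor; if the digests match, re-downloading will not change what the scanner does.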
     
  12. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    OK, I have version 1.0 of DCOMbob. Hmm... maybe that's it... I'll give the new version a try and see what's up.

    Good thing AMON doesn't come with the famous KAV pig squeal or I would have jumped out of my chair last night. :D
     
  13. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    AMON doesn't alert on DCOMbob version 2. But did on version 1. OK. :D
     