False positive Adware.Cydoor on rundll32.exe

Discussion in 'Trojan Defence Suite' started by FanJ, Jul 23, 2004.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Dee, Pollux and Tuntankamon found a false positive in this thread:
    https://www.wilderssecurity.com/showthread.php?t=42414

    I agree with you guys !
    Kudos to the three of you for finding this one !!! :D

    What is it all about:

    TDS-3 with Radius-file from Friday 23-July-2004 gave a positive warning that rundll32.exe was infected with Adware.Cydoor.

    This is a false positive from TDS-3.

    I too started a full system scan by TDS-3.
    As soon as I saw a warning from TDS-3 on my D-partition, I let it stop scanning D and my other partitions, and let TDS-3 only further scan C.

    My scandump by TDS-3:

    Scan Control Dumped @ 01:25:11 24-07-04
    Positive identification (in archive): Adware.Cydoor
    File: rundll32.exe (In d:\ers9x\zipped\vitalw1.zip)

    Positive identification (in archive): Adware.Cydoor
    File: rundll32.exe (In d:\ers9x\zipped\vitalw2.zip)

    Positive identification: Adware.Cydoor
    File: c:\windows\rundll32.exe

    Positive identification: Adware.Cydoor
    File: c:\program files\greatis\regrunsuite\files\rundll32.exe

    - end scandump -

    Just to tell you a bit more:
    I run W 98 SE.
    ERS9X is a software backup program (giving you the capability to back up the most important parts of your OS on a FAT32 system; Paul and Snap will know what I'm talking about; the program is mentioned on the Wilders-org site ;) ).
    RegRun does not need any further introduction : a great program for your registry.

    The mere fact that TDS-3 gave alerts on rundll32.exe in the "archives" of those programs already more or less proves that this is a false positive.

    Later I'll run my other scanners to give more proof; but I'm already sure that this is a false positive by TDS-3.
     
    Last edited by a moderator: Jul 23, 2004
  2. FanJ

    FanJ Guest

    OK, I scanned with several of my other scanners (and I do have a lot of them ;)):
    nothing has been found on that file ;)

    Want another proof?
    Here is what my NISFileCheck tells me about it:

    Application: c:\windows\rundll32.exe
    Status: Unchanged
    Version old: 4.10.1998
    Size old: 24576
    Date old: 1999-05-05 22:22:00
    RMD160 Hash old: C09ACD2F85740F06D1BA085D9DBB7263F80F1677

    None of my scanners ever found anything on that file.
    According to NISFileCheck that file hasn't been changed !
    I never ever found anything that could fool my much beloved NISFileCheck !!!
    And it is run with my usual AV and AT resident.
    Later I will do another scan with ADinf32 Pro, using its so-called BIOS-call (completely by-passing Windows !!!), to check again whether that file has been changed. But in fact I'm already sure that it will not find a change on that file.

    Oh, if you want to let the CRC32 test in TDS-3 check whether that file has been changed: then add it (with its full path) to your file crcfiles.txt in the subdir config of your TDS-3 directory.
     
    Last edited by a moderator: Jul 23, 2004
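FanJ's NISFileCheck record above (size, date, RMD160 hash) and his crcfiles.txt tip are both instances of the same defensive technique: a scanner alert on a system file is cross-checked against a fingerprint taken while the file was known-good, rather than the file being deleted or trusted on the scanner's word alone. The Python below is an added example, not code from the thread, from NISFileCheck or from TDS-3; the file names and contents are constructed, and the RMD160 digest is only computed where the local OpenSSL build still provides it (many OpenSSL 3 builds do not), with CRC32 and SHA-256 as the portable fields.

```python
import hashlib
import os
import tempfile
import zlib


def fingerprint_bytes(data):
    """Integrity record for a blob: size, CRC32 (the check TDS-3's crcfiles.txt uses),
    SHA-256, and RMD160 (the digest NISFileCheck reports) when OpenSSL offers it."""
    record = {
        "size": len(data),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    try:
        # RIPEMD-160 lives in OpenSSL's legacy provider; absent on many OpenSSL 3 builds
        record["rmd160"] = hashlib.new("ripemd160", data).hexdigest().upper()
    except ValueError:
        pass
    return record


def fingerprint(path):
    """Same record for a file on disk; a 0-byte file yields size 0 and the empty-input digests."""
    with open(path, "rb") as f:
        return fingerprint_bytes(f.read())


def build_baseline(paths):
    """Take the known-good snapshot: run this BEFORE any alert, e.g. right after a clean install."""
    return {os.path.abspath(p): fingerprint(p) for p in paths}


def check_file(path, baseline):
    """Compare a flagged file against the baseline, NISFileCheck style.
    Returns 'Unchanged', 'Missing', 'Not in baseline' or 'Changed (<fields>)'."""
    key = os.path.abspath(path)
    if key not in baseline:
        return "Not in baseline"
    if not os.path.exists(key):
        return "Missing"
    old, new = baseline[key], fingerprint(key)
    # Compare only fields present in both records, so a baseline made on a box
    # with RMD160 still checks cleanly on one without it.
    diffs = [k for k in old if k in new and old[k] != new[k]]
    return "Unchanged" if not diffs else "Changed (" + ", ".join(diffs) + ")"


def demo():
    """Constructed scenario: baseline a stand-in rundll32.exe, then re-check it
    unchanged, after same-size tampering, and after deletion."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "rundll32.exe")
        with open(target, "wb") as f:
            f.write(b"MZ" + b"\x00" * 22)             # constructed 24-byte stand-in
        baseline = build_baseline([target])
        results = [check_file(target, baseline)]     # Unchanged
        with open(target, "wb") as f:
            f.write(b"MZ" + b"\x90" * 22)             # same size, different bytes
        results.append(check_file(target, baseline))  # Changed (crc32, sha256, ...)
        os.remove(target)
        results.append(check_file(target, baseline))  # Missing
    return results


if __name__ == "__main__":
    for status in demo():
        print(status)
```

A match against the baseline shows only that the file has not changed since the snapshot was taken, not that the snapshot itself was clean; pollux's complementary check later in the thread (a fresh copy from the installation media is flagged just the same) covers that other half.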
  3. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    DiamondCS appears to be checking this out. I'd renamed rundll32.exe to rundll32.bak - & today TDS3 said at once that file rundll32.exe didn't exist, but brought up a warning dialogue about File trace trojan filename Worm, please submit, so I did that.

    Now I've renamed the file to what it was originally. And as soon as I started a TDS3 scan, its interface informed me that a background upload of rundll32.exe to DiamondCS Labs had started.
     
  4. FanJ

    FanJ Guest

    Hi Dee,

    Please leave that file rundll32.exe as it was.
    In my humble opinion (but I'm only human and can make mistakes like everyone else) it is a false positive from TDS-3.
    We have to wait for the DiamondCS-guys to jump in.

    You yourself did already a great job !!!
    So please be a little patient and wait for the DiamondCS-guys to give you further advice.

    Regards, Jan.
     
  5. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    OK, I'll keep it as rundll32.exe like it was originally. At least it has already been submitted to DiamondCS as rundll32.exe in that "background upload".
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Just run a full scan here. No alarms - XP Pro SP1 fully patched.
    So is this a W9* problem?

    *\winnt\system32\rundll32.exe 31KB, Version 5.1.2600.0

    06:08:55 [Init] • Systems Initialised [36097 references - 14238 primaries/10056 traces/11803 variants/other]
    06:08:55 [Init] Radius Systems loaded. <Databases updated 23-07-2004>
     
    Last edited: Jul 24, 2004
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Maybe when it is located in windows\system instead of system32 :) or in windows.
    I got the alarm as well on win98se, so let's await other comments of not-98 users.
     
  8. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    Well, I must say that it's interesting to have encountered this potential false positive during my very first use of TDS-3.

    rundll32.exe is located in different directories in different versions of Windows. See Merijn's collection of backup Windows system files, for example:

    I compared file size of the XP version of rundll32.exe (downloaded from Merijn.org) with that of my own Windows 98 version. The XP version is 31,744 bytes; the Windows 98 version is 24,576 bytes.

    Since rundll32.exe file is both in a different location and of a different size in different versions of Windows, it would not be surprising to me if the possible false positive were detected only in a particular version, in this case Windows 9x.

    pollux
     
  9. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    Addendum:

    As I said in my post in the other thread, when TDS-3 flagged rundll32.exe as adware.Cydoor, I replaced the file from my Windows 98 installation disks (after renaming the original version). I then immediately scanned the brand new rundll32.exe file, and it was once again detected as adware.Cydoor.

    That's what makes me think it is a false positive, along with the fact that TDS-3 and the rest of my security layers show nothing amiss. I don't think dee needs to worry about having replaced that particular file (although rundll32.exe could be involved somehow in the other truly nasty thing dee's encountered - here's another article about the Hackarmy trojan).

    pollux
     
    Last edited: Jul 24, 2004
  10. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    OH dear, someone tell me what to think!

    My machine booted normally after I'd renamed that file. Now that the file has been uploaded to DiamondCS, I feel I should again rename the file just in case. I'm only a garden-variety computer user after all.
     
  11. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    dee, anyone who's as involved in keeping their computer secure as you obviously are is more than "garden-variety user"! :)

    I didn't say what I intended very clearly, even after editing my post. Here's my opinion on your situation (and it's just an opinion!) :

    I think it would be useful for you to separate the Hackarmy detection from the rundll32.exe detection at this point. (In fact, I think FanJ was implying the same idea when he made this new thread, and I'm sorry if I muddied the waters). It is clear that the Hackarmy detection is not good; it seems like the rundll32.exe detection is a false positive.

    Concerning the Hackarmy detection, there are some things you can do, as Jooske has already indicated in your other thread (I'm going to go post over there in a minute myself). Concerning rundll32.exe, I don't think there's anything more to be done. As I understand it, you've already replaced rundll32.exe with a fresh copy of the file. It seems that now we'll just need to wait and see if we receive confirmation that the adware.Cydoor is a false positive.

    Sorry if I added to the confusion. (See you over in your other thread!)

    pollux
     
    Last edited: Jul 24, 2004
  12. FanJ

    FanJ Guest

    I've seen both Wayne and Jason in the meanwhile logged on here on the board.

    May I ask an explanation?

    Thanks, Jan.
     
  13. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    Just thought I'd mention - TDS3 updated this arvo, still shows "File trace: default Trojan file name - Worm, please submit - C:\Rundll32.exe"

    So that part hasn't changed. But I just received an email from DiamondCS saying -

    "Re TDS3 File submission from Scan console
    Hi,

    This was probably created by Execution Protection, a 0 byte file can't be anything
    Just delete it or ignore the alarm"
     
  14. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    This is an interesting thread from the point of view that not many others have reported this o_O

    I completed a scan last night [Sunday night here] and still had the Fri 23/07 database.

    I got no alerts at all apart from my usual 3 "dual extensions" and the GRC's LeakTest app.

    @ dee... have you looked in your TDS folder and deleted the 0 bytes files? then rescan.

    Cheers, TAS
     
  15. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    The only 0KB file in any of the TDS folders is scanregw, 0KB, last modified 25/07/04.

    Can I safely delete this?
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Jan, the Radius databases are Gavin's field.

    In a windows search/find i found several rundll32.exe files of 0 bytes in various locations and of different dates, those indeed one can ignore, but TDS alarmed on the real original files only, of course.

    On a win9x system 0 bytes files are always 0 bytes, only on XP/NT/2000/2003 systems there might be a doubt if they are really 0 bytes or contain possible invisible NTFS ADS Streams.

    So you can delete them occasionally. The only annoyance such 0-byte files create is that the system might not do all you want it to do:
    for instance, many users see a notepad.exe and/or wordpad.exe of 0 bytes in the TDS directory. When you try to use notepad or wordpad, windows looks in the path back from where you are; say you try to run a notepad function in TDS, so windows (which created those 0-byte files itself in the first place for reasons unknown) tries to start that 0-byte version in the TDS directory, which doesn't run of course. It seems to forget notepad and wordpad are global files which should work everywhere, but ok, one can delete the 0-byte version each time again, or copy the original notepad.exe and wordpad.exe files --which are only small anyway-- into the TDS directory, and now windows can create as many 0-byte copies as it wants, your notepad and wordpad keep functioning.
    So with that you don't need to hunt for 0-byte files all the time, just occasionally when you feel like it.


    How does a 0-byte scanreg come to be in the TDS directory? Can only be that you had TDS running and tried to run scanreg, I guess?
     
    Last edited: Jul 26, 2004
  17. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Sorry I didn't get a chance to report here sooner, yes as posted by Jan (thanks!) this is a false alarm. The detection has been completely removed and a new database will be available by the time most read this.
     
  18. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72

    I have an extra rundll32.exe file, 0KB, modified 24/07/04, in C:\windows, maybe to do with TDS3's false positive?

    I never do a manual scanregw before everything else is shut down, so dunno how the 0KB one came to be in TDS folder. I think I'll leave those 0KB files alone!
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Remember you changed the name and back to the original name on that day?
    Gavin removed detection from the radius, so it won't bother us win9x users anymore, even though it's most probably one of the worst windows secrets of all times. :D

    Look in your autostart, didn't you have there an entry for scanning your registry for integrity on a daily basis or at each reboot so in case of failure the last working registry is put back? Didn't you ever look in the system properties and check for registry integrity or errors or ask it for an extra saved copy?
     
  20. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    I kinda guessed that might have had a bit to do with me renaming the file after that false positive.

    You're blinding a lamer with science, Jooske! A little free DOS utility, WRP, runs a batchfile so that I always have 10 registry backups. As long as Win98 boots, I do nothing, but if it doesn't, I can choose which of the 10 to restore. WRP doesn't check for integrity, & as long as Win boots, I'm happy; also WRP backs up certain files [natch I'm not sure which, though it does display them]. I look in WRP's folder each day to check whether system.dat & user.dat are the same size as before.

    Occasionally I restart in MS-DOS, & fix/opt the registry, that's about my limit, sorry, but I prefer not to confuse my ambitions with my capabilities.

    Now that I'm sure my computer's clean [if that's confirmed in my other thread re were these trojans], I'll tidy up a few unnecessaries on this machine, & image Windows again, cos I can handle imaging/restoring, whereas the registry scares me!
     
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Dee & Jooske, amazing, you must keep your PCs very tidy, most ppl I know running W98 have to reformat every 6 - 12 months just to get rid of all the rubbish! :D
     
  22. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    Jooske's smart & experienced & knows far far more than me, I just follow instructions.

    Nearly 2 yrs ago I decided that I never ever wanted to do another clean install again, so I wrestled with fdisk [several times to get it right!] then I progressed to imaging/restoring.

    I do custom installs of everything, & these are monitored with the free Total Uninstall, & I do a tiny bit with the free Regclnr.exe - plus regular imaging! My win98 registry's just above 5MB. No BSODs since that last clean install.
     
  23. FanJ

    FanJ Guest

    Thanks a lot Gavin ! :)

    Keep up the good work !

    Warmest regards, Jan.
     
  24. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    Hello, all.

    I've finally had the opportunity to download the new database and completely scan my Windows 98 system. I'm happy to confirm that the adware.Cydoor rundll32.exe false positive has been fixed.

    Thanks for your quick response!

    pollux
     
  25. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    I'm still waiting for this to happen! Though it's not worrying me now, I thought someone might be interested to know that, despite daily radius updates, TDS3 still gives the same message -

    "File Trace: Default Trojan filename Worm please submit C:\Rundll32.exe"
     