Is netapi32.dll a virus

Discussion in 'NOD32 version 2 Forum' started by chrysty, Jul 10, 2004.

Thread Status:
Not open for further replies.
  1. chrysty

    chrysty Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    2
    Hi NOD has told me that netapi32.dll is a virus. I thought this was a regular windows element.
    Two instances of it were found, one at D:\WINNT\$NtUninstallKB835732$
    and D:\WINNT\servispack files\338\netapi32.dll.
    Can anyone advise,
    Thanks
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Chrysty, please send that file to samples@nod32.com. It may actually be a virus so Eset will need to check it.
     
  3. rdw123

    rdw123 Registered Member

    Joined:
    Mar 2, 2004
    Posts:
    5
    I get netapi32.dll infected

    trojan Exploit.CAN.2003-0533 found in operating memory. NOD32 cannot clean this infiltration. No action can be taken on a memory infiltration.

    How do I get rid of this in window2000, it keeps repairing itself and windows is very unstable?
     
  4. beng

    beng Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    38
    Location:
    Melbourne/Australia
    G'day All,
    Received a shock when I discovered the same trojan in the same files on two fully patched Win2KPRo servers.
    Also receiving: Error occured while scanning operating memory. Operating memory cannot be scanned (an error occured while loading nod32m1.vxd file or during communication with the testing service).
    I really hope this is a False+ as indicated in another post......
    I'll try an send the quarantined files to eset.
    Fingers Crossed.......
    Ben.
     
  5. beng

    beng Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    38
    Location:
    Melbourne/Australia
    rdw123,
    What Service Pack of Windows 2000 are you running, and have you run KB835732, or the security rollup "Microsoft Security Bulletin MS04-011 Security Update for Microsoft Windows (835732)"? If not, then I suspect that Nod32 is being overprotective and telling us that these files are "vulnerable" but not that they "haven't been patched", if you get the distinction. On the 4 Win2K servers/Pro I run they have all been listed as being in the Service Pack and the KB835732.
    I've emailed samples@nod32 with my suspicions and the example files; let's hope they have an answer soon, as tomorrow morning 0900hrs (Aust time) all hell will break loose with those clients who are tardy in applying their patches....

    Cheers Ben.
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Beng,

    I presume you do mean samples@nod32.com ?

    regards.

    paul
     
  7. beng

    beng Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    38
    Location:
    Melbourne/Australia
    G'day Paul, yes. Too much coffee <grin>.
    I REALLY hope they address this before 0900hrs +10 tomorrow!

    Cheers Ben.
     
  8. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    The w2k server I control also shows this file as infected in both locations:

    F:\WINNT\$NtUninstallKB835732$\netapi32.dll - Exploit.CAN.2003-0533 trojan
    F:\WINNT\ServicePackFiles\i386\netapi32.dll - Exploit.CAN.2003-0533 trojan

    They're coming atcha ESET
     
  9. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    TDS-3 does not report any mischief
     
  10. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Hi all,

    Same thing here on Win2000 SP4. :(

    Send the bugger to samples@nod32.com :D

    rgds,
    Martin
     
  11. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    have done so
     
  12. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Some info about the bugger:

    netapi32 - netapi32.dll - DLL Information

    DLL File: netapi32 or netapi32.dll
    DLL Name: Microsoft LAN Manager DLL
    Description: File that contains the Windows NET API used by applications to access a Microsoft network.
    Part Of: Microsoft network
    System DLL: Yes
    Common Errors: File Not Found, Missing File, Exception Errors
     
  13. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Some more info:

    RpcLsa-B

    First Report: 2004-06-08 11:37
    Last Update: 2004-06-30 23:38

    Aliases: Exploit.CAN-2003-0533, Troj/RpcLsa-B

    Information From AntiVirus Vendors

    Below you find information from different vendors, which have been included in this Secunia Virus Profile.

    Information from the vendors is sorted by the time the information became publicly available at the vendor websites. The first available reports will be displayed first. Please note timestamps are in GMT+1.

    #1 - SOPHOS

    Troj/RpcLsa-B
    Severity: -
    File Size: -
    Reported: 2004-06-08 11:37
    Last Update: 2004-06-30 23:38

    Description:
    Troj/RpcLsa-B is a malicious executable using the lsasrv.dll RPC buffer overflow exploit vulnerability specified in MS04-011. It is used by hackers to gain remote shell access to target system.

    ChangeLog:

    Changes are listed in chronological order with the latest changes first.

    2004-06-08 12:03 Description was changed.

    New:
    "Troj/RpcLsa-B is a malicious executable using the lsasrv.dll RPC buffer overflow exploit vulnerability specified in MS04-011. It is used by hackers to gain remote shell access to target system."

    Old:
    "A detailed analysis will be published here shortly. Please check again later."

    More info:

    http://www.sophos.com/virusinfo/analyses/trojrpclsab.html
     
    Last edited: Jul 11, 2004
  14. rdw123

    rdw123 Registered Member

    Joined:
    Mar 2, 2004
    Posts:
    5
    beng was correct, I had not installed "Microsoft Security Bulletin MS04-011 Security Update for Microsoft Windows (835732)" :D
    Once installed no more alerts!!

    One of the best ways of checking, suggested by spy1: BelArc Advisor, from the BelArc Advisor d/l site, in thread https://www.wilderssecurity.com/showthread.php?t=30699

    I think an alert warning, not a virus warning, should be showing! I've got better things to do than chase a non-existent virus.

    Anyhow I would vote for any political party that proposes the electric chair or gas chamber for virus writers!
     
  15. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    I had installed the "patch" and reinstalled it and am still getting the same "virus warning", so I guess there is something else going on here.

    rgds,
    Martin
     
  16. rdw123

    rdw123 Registered Member

    Joined:
    Mar 2, 2004
    Posts:
    5
    Have you checked that it has been installed correctly with BelArc Advisor? Quite a handy free utility.

    Instead of saying that there is a virus, it should say there is undeniable proof of weapons of mass destruction. We must destroy netapi32, it has WMDs; for your own security destroy now.
     
  17. rdw123

    rdw123 Registered Member

    Joined:
    Mar 2, 2004
    Posts:
    5
  18. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Are you referring to "eEye Digital Security"?

    rgds,
    Martin
     
  19. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    I experienced the netapi.dll problem too (see other thread). I deleted netapi.dll from two places and will be able to restore them from a ghost image if/when Eset confirms it was a false positive.

    I'm posting here to report that, in the meantime, I downloaded (a version of) netapi.dll from www.dll-files.com and placed it in the appropriate folders. NOD32 doesn't seem to have a problem with this file. Did I do the sensible thing?
     
  20. beng

    beng Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    38
    Location:
    Melbourne/Australia
    G'day Guys,
    I should point out that RDW123's problem was slightly different: the file NOD32 was finding was in /system32/, not /ServicePackFiles/i386 etc.
    Hence my suggestion to apply the Hotfix.

    If anyone is finding the problem in a netapi32.dll OTHER than in /System32/ then it is either an archived file (most likely) or an infiltration.

    I echo RDW123's comment: it should be a warning to update, rather than display the Virus Alert and delete the file.

    This could really disable a user's Windows 2000 Pro, and give Nod32 a bad rap.

    Only if you trust www.dll-files.com. I would advise you apply the hotfix rather than download a single DLL, unless of course the files you deleted were not in /System32. <grin>.

    I've seen other posts suggesting turning off AMON until this issue is resolved; imho I think that's a very BAD idea and leaves you open to attack.
    My approach is to add the various netapi32.dll files to the exclusion list in AMON. That's what it is there for, and it is a far more secure way of dealing with this issue, until we get the word from Eset.
    My 2 cents anyway.

    Cheers Ben.
     
    Last edited: Jul 11, 2004
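    The rule of thumb from the post above (a hit under $NtUninstallKB...$ or ServicePackFiles is an archived rollback copy, a hit under system32 is the copy Windows actually loads, anything else deserves a closer look) is easy to get wrong when a scanner spits out dozens of alerts across several servers. The script below is an added example, not part of this thread and not ESET's code: it parses alert lines in the "path - signature" shape quoted in this thread, classifies each path, and notes that a $NtUninstallKBnnnnnn$ folder is itself evidence the hotfix installer ran. The alert lines, drive letters and category names are constructed for the example.

```python
"""Triage scanner alerts on netapi32.dll by where the flagged copy lives.

Added example (not from the thread, not ESET's code). Encodes the rule of
thumb from the discussion: rollback archives hold old copies kept for
uninstall, system32 holds the live copy, anything else needs a closer look.
"""
import re
from collections import Counter

# Constructed sample alert lines in the "path - signature" shape quoted in the
# thread. Not real scanner output.
SAMPLE_ALERTS = [
    r"F:\WINNT\$NtUninstallKB835732$\netapi32.dll - Exploit.CAN.2003-0533 trojan",
    r"F:\WINNT\ServicePackFiles\i386\netapi32.dll - Exploit.CAN.2003-0533 trojan",
    r"C:\WINNT\system32\netapi32.dll - Exploit.CAN.2003-0533 trojan",
    r"D:\WINNT\servispack files\338\netapi32.dll - Exploit.CAN.2003-0533 trojan",
    r"C:\Temp\netapi32.dll - Exploit.CAN.2003-0533 trojan",
    "this line is not an alert",
]

# "<path> - <signature>": the path is everything before the first " - ".
ALERT_RE = re.compile(r"^(?P<path>.+?)\s+-\s+(?P<signature>.+?)\s*$")

# Hotfix installers back up replaced files into $NtUninstallKBnnnnnn$ so the
# fix can be rolled back; service pack installs keep copies in ServicePackFiles.
UNINSTALL_DIR_RE = re.compile(r"\\\$NtUninstall(?P<kb>KB\d+)\$\\", re.IGNORECASE)
SERVICE_PACK_RE = re.compile(r"\\ServicePackFiles\\", re.IGNORECASE)
# The copy Windows loads at runtime sits directly in system32.
LIVE_RE = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)
WINDOWS_ROOT_RE = re.compile(r"^[A-Z]:\\(WINNT|WINDOWS)\\", re.IGNORECASE)

# Category names and recommended handling are this example's own wording.
ACTIONS = {
    "rollback-archive": "archived copy kept for uninstall; keep it, confirm the "
                        "live copy is patched, exclude pending vendor confirmation",
    "live-system": "live DLL flagged; verify MS04-011 / KB835732 is installed and "
                   "compare the file with a known-good copy before doing anything",
    "other-windows-dir": "copy under the Windows tree but not a known archive; "
                         "check what put it there and compare with the live copy",
    "outside-windows": "netapi32.dll outside the Windows tree; treat as suspicious "
                       "and submit the sample to the vendor",
}


def parse_alert(line):
    """Split one alert line into path and signature; None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {"path": m.group("path"), "signature": m.group("signature")}


def classify_path(path):
    """Map a flagged path to one of the ACTIONS categories."""
    if UNINSTALL_DIR_RE.search(path) or SERVICE_PACK_RE.search(path):
        return "rollback-archive"
    if LIVE_RE.search(path):
        return "live-system"
    if WINDOWS_ROOT_RE.match(path):
        return "other-windows-dir"
    return "outside-windows"


def hotfix_evidence(path):
    """KB id implied by an $NtUninstallKBnnnnnn$ segment, else None.

    The folder only exists if that hotfix's installer ran on the box, so a hit
    inside it is circumstantial evidence the patch was applied, not bypassed.
    """
    m = UNINSTALL_DIR_RE.search(path)
    return m.group("kb").upper() if m else None


def triage(lines):
    """Parse and classify every alert line; non-alert lines are skipped."""
    findings = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        category = classify_path(parsed["path"])
        findings.append({
            **parsed,
            "category": category,
            "hotfix_evidence": hotfix_evidence(parsed["path"]),
            "action": ACTIONS[category],
        })
    return findings


def summarize(findings):
    """Count findings per category, e.g. to see how many are just archives."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_ALERTS)
    for f in results:
        print(f"{f['category']:18} {f['path']}")
        print(f"    {f['action']}")
    print(dict(summarize(results)))
```

    Feed it real alert lines (one per line on stdin or from a log export) and the summary tells you at a glance whether a server has only archive hits, which is what the thread concludes is a false positive on old unpatched copies, or a live system32 hit that needs the patch-state check first and a file comparison before anyone deletes anything.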
  21. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Thanks for the reply. My machine is fully patched, netapi32.dll was not flagged in /System32.

    I agree, turning off Amon is not a wise option. Exclusion is a good choice. Even still, don't know if there's much point in restoring netapi.dll from my ghost image since I found the file elsewhere o_O
     
  22. shade91

    shade91 Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    26
    This is most definitely a false positive. The only machines at work reporting this violation are Windows 2000 machines. XP machines are not. The machines reporting this also have NO network access. They pull all their updates from a LAN SUS server.

    NOD32 isn't a stranger to false positives. This has happened before.
     
    Last edited: Jul 11, 2004
  23. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Don't turn off AMON. I said you have to turn off AMON to email the files. Then I turned it back on. Trojan or no, emailing them isn't going to infect me.

    Once you have emailed the files (or trust that the million copies ESET is going to get is already enough) leave the files alone, then AMON won't complain. These files are not needed for normal operation of Windows unless you roll back a service pack/hotfix.

    @optigrab, it has been my experience that grabbing dlls for w2k server almost never works unless you get the exact version you need. I would not have deleted those files if I were you. Delete first, ask questions later usually does more damage than the virus/trojan itself.
     
  24. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    So did they fix it with the new update?
     
  25. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Last edited: Jul 11, 2004