Kanguru encrypted drive false + trojan

Discussion in 'ewido anti-spyware forum' started by giwatcher, Apr 6, 2008.

Thread Status:
Not open for further replies.
  1. giwatcher

    giwatcher Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    7
    I have installed a Kanguru AES encrypted drive on my computers, all with Win XP, SP2.
    AVG Anti-Spyware 7.5 finds a trojan that is in fact part of the drive encryption software. If I allow the program to quarantine the files, the jump drive won't work. If I restore the quarantined files, the drive begins working.

    Here is a log from AVG:
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 8:22:58 AM 4/5/2008

    + Scan result:

    C:\WINDOWS\system32\MsMsSrv.DLL -> Trojan.Zapchast.bd : No action taken.
    C:\WINDOWS\system32\drivers\Kanguru_SAP\RunSrv.Exe -> Trojan.Zapchast.bd : No action taken.
    [944] C:\WINDOWS\system32\MsMsSrv.DLL -> Trojan.Zapchast.bd : No action taken.

    ::Report end

    How does one get this checked out and corrected?
     
  2. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    Please send us copies of these two detected files (MsMsSrv.DLL and RunSrv.Exe) or the whole installation package that installs these files (if it is not too big for an email attachment):
    http://www.ewido.net/en/malware/
     
  3. giwatcher

    giwatcher Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    7
    I have sent the 2 files as you requested. Any news?
     
  4. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    Hi,

    sorry for the delay, but please check the Private Messages of your Wilders Security user account. Thank you.
     
  5. gmane

    gmane Registered Member

    Joined:
    Apr 17, 2008
    Posts:
    3
    Wait, so was the file malicious or not?

    I'm dealing with the exact same issue and would like to know. Thanks!
     
  6. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    It was a false detection and has been fixed with one of the latest updates for AVG Anti-Spyware.
     
  7. giwatcher

    giwatcher Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    7
    Interesting. My AVG Anti-Spyware is up to date as of yesterday, but it still detects the Kanguru as a trojan. Also, Windows Defender has the same issue, but Ad-Aware and Spybot do not.
     
  8. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    Then please send us your copies of the detected files to submit at ewido dot net. Thanks.
     
  9. gmane

    gmane Registered Member

    Joined:
    Apr 17, 2008
    Posts:
    3
    I'm confused... didn't he already send you the files?
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You may have different files.
     
  11. gmane

    gmane Registered Member

    Joined:
    Apr 17, 2008
    Posts:
    3
    I just ran "msmssrv.dll" through VirusTotal and the results were 24/32 (75%)!

    ~Link removed per Policy. - Ron

    Luckily, I see from the results that Ewido (with the latest signature updates) is no longer improperly flagging this file as malicious. However, for some reason a LOT of other AV and AS vendors are still generating false positives with this file.

    For some reason, this file is matching an incorrect malware signature that all of these vendors are apparently using. I guess they all must have gotten this bad signature from the same source? This false positive might have something to do with the fact that a section of this DLL's code is UPX packed (which is a common malware trait), but it's hard to say.
     
    Last edited by a moderator: Apr 21, 2008
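The previous post guesses that the UPX-packed section is what trips the signature. The following triage helper is an added example, not code from the thread or from Kanguru: it parses the PE section table of a file, reports whether UPX section names are present, and computes the SHA-256 a vendor needs for a false-positive submission. The `build_pe` helper constructs minimal, non-executable PE images purely as sample input, since the real MsMsSrv.DLL is not on the page.

```python
import hashlib
import struct

# Section names the UPX packer writes; their presence is a packing indicator,
# not proof of malice, which is exactly the false-positive trap discussed above.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data: bytes) -> list[str]:
    """Walk the DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsec):
        off = table + 40 * i                                 # each header is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Hash for vendor submission plus the packing indicator a reviewer wants."""
    names = pe_section_names(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": names,
        "upx_packed": any(n in UPX_SECTION_NAMES for n in names),
    }


def build_pe(section_names: list[str]) -> bytes:
    """Constructed sample input: a minimal PE skeleton with the given sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew points right after the DOS header
    opt_size = 224                          # PE32 optional header, left zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x2102)
    sections = b""
    for i, name in enumerate(section_names):
        hdr = name.encode("ascii")[:8].ljust(8, b"\0")
        hdr += struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200,
                           0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        sections += hdr
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sections
```

Run `triage(open(path, "rb").read())` on the real file; a `True` packing flag together with a known-good vendor hash is what you report to the AV vendor, not a verdict on its own.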