KLICK.DAT is not a rootkit

Discussion in 'malware problems & news' started by ankur16, Oct 18, 2009.

Thread Status:
Not open for further replies.
  1. ankur16

    ankur16 Registered Member

    Joined:
    Aug 2, 2009
    Posts:
    3
While analyzing one of the DDS logs, I came across this file KLICK.DAT. Googling it shows many results, with the Prevx file investigation report at the top. I was surprised to see that the Prevx file investigation report says it's a rootkit. I use Windows XP and I too have that very file in my system. When I uploaded that file to VirusTotal, nothing was detected by any of the scanners, as expected. It was all neat.

I would like to have an explanation from a concerned individual on this false report of klick.dat. My apologies if it's not posted in the correct forum.

    http://www.prevx.com/filenames/X3797458585609047999-X1/KLICK.DAT.html

    Regards
    Ankur
     
  2. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I don't know what klick.dat is, but I've seen reports like that before. That klick.dat one is not even bad. How about this one: http://www.prevx.com/filenames/X1656666729177842598-X1/EXPLORER.EXE.html

    "EXPLORER.EXE" "Cloaked Malware" and "Malicious Software"? Yeah, okay... Reports based on filenames are pointless, since files can be named anything, and reports like this will mislead people. Sure, explorer.exe could be malware - lots of malware is named like that. But it also could be, say, perhaps something from this little company called Microsoft that might be present on rather many systems. :D I complained about this issue recently, but apparently it's not been fixed.

    For an explanation, all you're likely to get is: "We've seen a malicious file called klick.dat, and this is what our report is based on, to inform users who are searching for information about a suspect file with that name. The report does not mean that all files with that name are rootkits [although it sure looks that way to me - Windchild]."
     
    Last edited: Oct 18, 2009
  3. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    klick.dat is usually a part of Kaspersky AV. But there could be (bad) files going by the same name too.
     
  4. ankur16

    ankur16 Registered Member

    Joined:
    Aug 2, 2009
    Posts:
    3
    @windchild

Through your report, how will a normal user understand whether a given file is legit or not?

I do not completely agree with you. Whenever we analyze any security log, we also take care of the location of legit processes running. Filename and its location help us to differentiate b/w a legit and a rogue process. Let us take the very example you gave me. The rogue Explorer.exe which is added by Bancban-HJ is located in \%WINDIR%\System32, but the legit one is located in \%WINDIR%\.

So filename along with location does have a significant importance for malware fighters like us. We can't just ask our users to upload each and every file to VirusTotal and provide us the results.

    Much appreciated.

    Regards
    Ankur
Security Moderator, PCHF
     
  5. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I'm not sure I understand the question. The report I linked to is not mine, it's from Prevx. But understanding whether a given file is legit or not requires more sophisticated means than just looking at filenames. The Prevx report certainly isn't enough to tell whether a file is legit; but the report is enough to mislead people into thinking pretty much any file, even many of those included in Windows, is malicious.

    Yes, certainly knowing the path or location of the file is important. But please note that in that comment of mine that you quoted, I didn't say that reports based on "path" or "filename and location" are pointless. I said reports that are based on just "filenames" are pointless. An important distinction. ;) Trying to determine whether a file is legit by its filename alone is laughably unreliable, which is why those Prevx reports are so misleading to people who read them. If you have the full path, like C:\Windows\somefile.exe, that is obviously worth much more, but still unreliable. It's obvious that C:\qwerty\explorer.exe is probably something malicious because that file should not be in that location, but even an explorer.exe file in the right location could be malicious - who is to say the legit file in that location has not been infected by, say, Virut or any other file infector malware?

    My point in short is that the Prevx reports are dangerously misleading, because they only provide the filename and don't even bother with the path and any such things that would be important, and because they outright label the filename malicious even though bazillions of legit files use that name.
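The two posts above argue over how much evidence a filename gives, and agree that location adds more while neither is proof. The following is an added example, not code from any poster or from Prevx, that makes the three levels of evidence concrete: a verdict from the name alone (which can only say "name not in baseline"), a verdict from name plus directory (catching explorer.exe in System32 or C:\qwerty), and a content hash against a known-good set (catching a correctly placed file whose bytes have changed, the file-infector case). The expected-location table, the "known-good" hashes and the sample log entries are all constructed for the example.

```python
import hashlib
import ntpath

# Constructed expected-location table (an assumption for this example; a real
# baseline would be taken from a clean reference install of the same OS build).
# Keys are lower-case file names, values are sets of lower-case directories.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32"},
}

# Constructed stand-ins for the bytes of the genuine binaries; their SHA-256
# values play the role of hashes collected from a clean machine.
LEGIT_EXPLORER = b"constructed bytes standing in for the genuine explorer.exe"
LEGIT_SVCHOST = b"constructed bytes standing in for the genuine svchost.exe"
KNOWN_GOOD = {hashlib.sha256(b).hexdigest() for b in (LEGIT_EXPLORER, LEGIT_SVCHOST)}


def split_path(full_path):
    """Return (directory, filename), both lower-cased, using Windows path rules."""
    directory, name = ntpath.split(full_path)
    return directory.lower().rstrip("\\"), name.lower()


def classify_by_path(full_path):
    """Verdict from filename + location only (what a DDS-style log line gives you)."""
    directory, name = split_path(full_path)
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return "unknown-name"          # no baseline for this name: cannot judge it
    if directory in expected:
        return "expected-location"
    return "unexpected-location"       # right name, wrong place


def classify(full_path, content):
    """Verdict combining location with a content hash.

    A file with the right name in the right directory can still have been
    modified (for example by a file infector); only the hash step sees that.
    """
    by_path = classify_by_path(full_path)
    if by_path == "unexpected-location":
        return "suspicious: unexpected location"
    digest = hashlib.sha256(content).hexdigest()
    if digest in KNOWN_GOOD:
        return "known-good"
    if by_path == "expected-location":
        return "suspicious: expected location but content not in known-good set"
    return "unverified: name not in baseline and hash unknown"


# Constructed sample "log" entries: (full path, file content) pairs.
SAMPLE_ENTRIES = [
    (r"C:\Windows\explorer.exe", LEGIT_EXPLORER),
    (r"C:\Windows\System32\explorer.exe", b"constructed bytes of a rogue copy"),
    (r"C:\qwerty\explorer.exe", b"constructed bytes of another rogue copy"),
    (r"C:\Windows\explorer.exe", LEGIT_EXPLORER + b" + constructed appended payload"),
    (r"C:\Windows\System32\svchost.exe", LEGIT_SVCHOST),
    (r"C:\Program Files\Example\klick.dat", b"constructed data file"),
]


def triage(entries):
    """Run every entry through classify() and return (path, verdict) pairs."""
    return [(path, classify(path, content)) for path, content in entries]


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_ENTRIES):
        print(f"{path:40} {verdict}")
```

The ordering in classify() is deliberate: the cheap path check runs first and a wrong location is already enough to flag, but a correct location never clears a file on its own; only a hash match against the baseline does. A name that is not in the baseline (klick.dat here) comes back "unverified" rather than "malicious", which is the distinction the filename-only reports in this thread fail to make.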
     