NSIS.Library.RegTool

Discussion in 'other security issues & news' started by Dazed_and_Confused, Jul 18, 2005.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Has anyone ever seen this (NSIS.Library.RegTool) before? o_O Located in my Win32 subdirectory. One of my faithful security sentinels (DCS WormGuard) spotted this one trying to execute today. Happened when restarting my PC just after installing FileAnt (which by the way is a nice appy). Not sure if the two are related or not, but the file had a date of Sept 2004, which makes me think it's not. Just thought I would check. Google was not much help. Thanks in advance! :)
     
  2. boogie2

    boogie2 Guest

    ;Advance counter
    ;(read the per-session counter from the registry, add one and write it
    ; back; the new value is the slot number used for this DLL entry below)

    StrCpy $R0 0
    ReadRegDWORD $R0 HKLM "Software\NSIS.Library.RegTool.v2\UpgradeDLLSession" "count"
    IntOp $R0 $R0 + 1
    WriteRegDWORD HKLM "Software\NSIS.Library.RegTool.v2\UpgradeDLLSession" "count" "$R0"

    ;------------------------
    ;Setup RegTool
    ;(if the RunOnce value does not already point at an existing file, extract
    ; RegTool.bin as NSIS.Library.RegTool.v2.exe into $R2 and register it under
    ; RunOnce so that it runs silently (/S) on the next reboot)

    ReadRegStr $R3 HKLM "Software\Microsoft\Windows\CurrentVersion\RunOnce" "NSIS.Library.RegTool.v2"
    IfFileExists $R3 +3

    File /oname=$R2\NSIS.Library.RegTool.v2.exe "${NSISDIR}\Bin\RegTool.bin"
    WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\RunOnce" \
    "NSIS.Library.RegTool.v2" '"$R2\NSIS.Library.RegTool.v2.exe" /S'

    ;------------------------
    ;Add RegTool entry
    ;(record the DLL path $R1 and the requested mode under this slot number)

    WriteRegStr HKLM "Software\NSIS.Library.RegTool.v2\UpgradeDLLSession" "$R0.file" "$R1"
    WriteRegStr HKLM "Software\NSIS.Library.RegTool.v2\UpgradeDLLSession" "$R0.mode" "${mode}"

    ;Restore the registers pushed earlier (the Push half is not in this excerpt)
    Pop $R3
    Pop $R2
    Pop $R1
    Pop $R0
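The snippet above queues work for RegTool in two registry places: a RunOnce value that launches the tool silently on the next reboot, and a counter plus numbered file/mode values under UpgradeDLLSession. As an added example (not from this thread or from NSIS), this Python script reads a regedit export of those two keys and reports what the tool will do at next boot, so an unexpected entry can be reviewed before rebooting; the sample export, DLL paths and mode strings are constructed, and the key names follow the v2 snippet rather than the older NSIS.Library.RegTool.exe discussed in the thread.

```python
import re

# Constructed sample of a regedit 5.00 export of the two keys the UpgradeDLL snippet
# writes. Key/value names follow the snippet; DLL paths and mode strings are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NSIS.Library.RegTool.v2"="\"C:\\WINDOWS\\system32\\NSIS.Library.RegTool.v2.exe\" /S"
[HKEY_LOCAL_MACHINE\Software\NSIS.Library.RegTool.v2\UpgradeDLLSession]
"count"=dword:00000002
"1.file"="C:\\WINDOWS\\system32\\example1.dll"
"1.mode"="D"
"2.file"="C:\\Program Files\\Example\\example2.dll"
"2.mode"="D"
'''
RUNONCE = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"
SESSION = r"HKEY_LOCAL_MACHINE\Software\NSIS.Library.RegTool.v2\UpgradeDLLSession"

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; only REG_SZ and
    REG_DWORD are handled. A real export is UTF-16: open(path, encoding="utf-16")."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                # .reg escapes " as \" and \ as \\ inside string values
                keys[current][name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys

def pending_regtool_work(text):
    """Return (exe_path, [(dll_path, mode), ...]) describing what RegTool will do
    on the next reboot, or (None, []) when no RunOnce entry is queued."""
    keys = parse_reg(text)
    cmd = keys.get(RUNONCE, {}).get("NSIS.Library.RegTool.v2")
    if cmd is None:
        return None, []
    m = re.match(r'"([^"]+)"', cmd)  # drop the surrounding quotes and the /S switch
    exe = m.group(1) if m else cmd.split()[0]
    session = keys.get(SESSION, {})
    # The snippet increments "count" before writing "<count>.file"/"<count>.mode", so slots run 1..count
    work = [(session.get(f"{n}.file"), session.get(f"{n}.mode"))
            for n in range(1, session.get("count", 0) + 1)]
    return exe, work
```

Anything listed under the session key is what the silently-run RunOnce executable will touch; compare the queued DLL paths with what the installer you just ran was expected to drop.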
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Very funny! Was that supposed to answer my question?
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    Hi Daisey.

    NSIS is an installer program used by some programmers. As far as the entries, maybe we can get Rumpstah to fill us in.

    http://nsis.sourceforge.net/
     
  5. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hi Ron! So it's not malware, right?
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    Daisey,

    I'll have to defer to Rumpstah on that question. He will be through here soon. :)
     
  7. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi Dazed_and_Confused:

    Yes, the file in question can be considered malware (installed by FileAnt). It is attempting to install the begin2search toolbar.

    I hope this helps. ;)


     
    Last edited: Jul 19, 2005
  8. FanJ

    FanJ Guest

    Hi Daisey, Boogie2, Ron, Rumpstah,

    I am a little bit puzzled about this.

    First for your info:
    I guess that the posting from Boogie2 was (maybe only part of?) that NSIS.Library.RegTool.
    See for example :
    http://cvs.sourceforge.net/viewcvs.py/nsis/NSIS/Include/UpgradeDLL.nsh?rev=1.5

    As Ron posted, it is an installer program used by some programmers.
    It could be that it is also used by some malware.
    As I understood, a related file NSISDl.dll is used by some malware, but that doesn't have to mean that the file itself is malicious.
    See for example discussion:
    http://forums.winamp.com/showthread.php?threadid=209232

    I have not tried that program FileAnt.

    Rumpstah,
    Are you sure about what you wrote about it:
    "Yes, the file in question can be considered malware (installed by FileAnt). It is attempting to install the begin2search toolbar."
    Sorry for asking; I do have great respect for you!

    Daisey,
    Have you perhaps set WormGuard up to log its warnings?
    If so, is there perhaps a log entry describing why and about what WormGuard was giving a warning? Maybe you could copy that log entry?


    Well, sorry for all the questions. I was just trying to understand it ;)

    PS:
    I saw a thread at the Gladiator forum about FileAnt:
    http://gladiator-antivirus.com/forum/index.php?showtopic=16758
    In case there is something wrong with it, we should let our friends at Gladiator know about it.
     
  9. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    I have just now installed FileAnt - and NO such file was installed :eek:
     
  10. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi FanJ:

    I downloaded FileAnt and ran it. ;)

    Then I took the file in question (which was installed to the Registry RunOnce key) and ran it.

     
  11. FanJ

    FanJ Guest

    Hi toadbee and rumpstah,

    Thanks to both of you for looking at it and for your info!

    Just to make sure we're all talking about the same FileAnt, here is the MD5 checksum of the install file:
    MD5 - 301F431233ED933E5179C690549C6599

    Due to problems with my own far too old machine, I can't make backups at the moment....
    That was the reason that I was hesitating to test it myself; sorry for that!

    Cheers, Jan.
     
  12. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi FanJ:

    Same here:

    301F431233ED933E5179C690549C6599 *fileant.exe = rumpstah
    301F431233ED933E5179C690549C6599 *FanJ

    Additional MD5 from another malware install with the same NSIS file.

    01434B348B145909F434B94151252F3A *NSIS.Library.RegTool.exe

    From the one installed by FileAnt:
    01434B348B145909F434B94151252F3A *NSIS.Library.RegTool.exe

    It is not limited to FileAnt. ;)

     
  13. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    FanJ - Sorry it took me so long to get back to you. I don't think the forum email alerts are working very well. In any case, to answer your question above, this is an exact extract from the log (personal info removed: ***). Between the two events below, I restarted my PC.

    FILE: C:\Documents and Settings\My Documents\fileant.exe
    CLASS: Application
    PARAMS:
    FOLDER:
    FILE EXECUTION - 13:56:11 07/18/2005 by user ***** on computer *****
    ---
    FILE: C:\WINDOWS\system32\NSIS.Library.RegTool.exe
    PARAMS:
    FOLDER:
    FILE EXECUTION - 13:58:14 07/18/2005 by user ***** on computer *****
    MULTIPLE EXTENSION EXECUTION 13:58:14 07/18/2005 by user ***** on computer *****
    BLOCKED EXECUTION! 13:59:07 07/18/2005 by user ***** on computer ****


    I have not noticed any other signs of infection. I've manually scanned PC with all my defences, including TDS and RootkitRevealer - all negative.

    Thanks everyone for their responses! :D
     
  14. FanJ

    FanJ Guest

    Thanks all so far!

    I call on everyone involved to come up with the most exact info to prove their statements that:

    1.
    NSIS.Library.RegTool might be malicious or not.

    2.
    FileAnt might be malicious or not.


    This issue has to be solved once and for all!!!

    Thanks,
    Jan (retired global moderator of this board).
     
    Last edited by a moderator: Jul 20, 2005
  15. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello Rumpstah! :)

    I also appreciate your efforts. :-*

    I'm not sure I understand everything you and FanJ are talking about, but I used Cryptosuite to calculate the MD5 for my NSIS.Library.RegTool.exe file, and it was exactly the same as yours above (whatever that means). :doubt:

    MD5 - 01434B348B145909F434B94151252F3A
     
  16. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    Hi again -
    That is the same MD5 checksum I have for Fileant.

    I did just download it again, installed it - And it creates no such file for me.

    I emailed the author and pointed him to this thread for clarification.
     
  17. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello, Toadbee! :)

    Thanks for all your help. Pardon what might be a stupid question, but how can the NSIS.Library.RegTool file have the same checksum as your Fileant file (I assume you mean Fileant.exe)? I thought that ONLY exactly identical files can have the same checksum. o_O
     
  18. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi Dazed_and_Confused:

    Toadbee cannot find the NSIS.Library.RegTool.exe.

    Since we are unsure of his security configuration, it is probably running when he reboots (the file erases itself after running).

    Toadbee can probably give us more insight if this is his procedure and his configuration.

     
  19. FanJ

    FanJ Guest

    Hi,

    First I have to say sorry because I think that I sounded too unfriendly in my previous posting.

    Well, to add to the confusion, this posting is going into another direction.
    Don't hold your breath.....

    I decided (although I cannot make backup images at the moment) to have a look at it myself.
    System W98SE.

    I ran the file integrity checkers NIS File Check and ADinf32 Pro before installing FileAnt, intending to run them again after installing but before rebooting, and once more after rebooting.
    Things went another way....

    Installed FileAnt (as usual, with all running programs closed near the clock and in Ctrl-Alt-Del except Explorer and Systray).

    Installation went OK.
    Had a very quick look at FileAnt that had now an icon near the clock.
    Closed FileAnt.
    Did not reboot (was not even asked to do it).
    Ran NIS File Check and ADinf32 Pro.

    Rebooted.
    Opened FileAnt.
    As usual, I first wanted to have a look at About in FileAnt.
    And now comes the "surprise"....
    There was a little window, that gave an option to "Remove Protection"...
    Eh, remove protection, what does that mean.....?
    Well, I clicked on it to remove that protection (whatever that meant).

    WHAM! BOClean immediately jumped up.


    PS:
    - FileAnt uninstalled.
    - lots of checking will be done.
    - Kevin/Nancy will be informed.

    Guys, I'm taking a pause (was already the purpose to do so) ;)

    Cheers, Jan.
     
  20. FileAnt

    FileAnt Guest

    The NSIS files are self contained in the install and update.exe.
    They are not viral.
    There are some viruses that use names from files in NSIS.

    eSellerate is not a trojan, it helps me get a few dollars which keeps the web site and some components paid for. http://www.esellerate.net/

    regards, will
     
  21. FileAnt

    FileAnt Guest

    Just to add: the NSIS.Library.RegTool and the DL should be deleted when the setup finishes (maybe after a reboot sometimes).

    I will check they do this weekend and get FileAnt to clean them up if they do not.

    thx toadbee for pointing me here ;o)
     
  22. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Wow. That was great work, FanJ. :) I have deleted the NSIS.LIBRARY.REGTOOL file from my Win32 directory, and the C:\WINDOWS\ESELLE~1.DLL file as well.

    Based on FileAnt's comments, I am going to hang onto the FileAnt app until I complete my evaluation, unless FanJ (or others) feel strongly that it's a security threat.

    FileAnt - Hello. I appreciate you visiting to clear up the issue. Although I stopped using your app after this problem arose, I will jump right back into it because my first impressions of it were positive. Thanks again. :)
     