Prevx identifying malware as "good"

Discussion in 'Prevx Releases' started by Baz_kasp, Aug 10, 2010.

Thread Status:
Not open for further replies.
  1. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    What's up with this, guys?

    Prevx Scan Log - Version v3.0.5.185
    Log Generated: 10/8/2010 23:25, Type: 1,8192

    Windows XP Professional Service Pack 3 (Build 2600) 32bit|1033
    Hostname: your-a97ec67e86

    Some non-malicious files are not included in this log.
    Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)

    Last Scan: Tue 2010-08-10 23:22:37 GMT Daylight Time. Number of Scans: 8. Last Scan Duration: 7 seconds.

    [G] (ACTIVE) c:\documents and settings\username\local settings\temp\tmp8c28ae1d\old.exe [PX5: 691082C300B9B37586F201EFEE7C62009F0F0A9B]

    :(
     
  2. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    In much the same way that Prevx requests FPs be sent by sending a scan log as described in this thread, I'd imagine sending the FN by the same method would also be appreciated.
     
  3. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    This isn't a post regarding the addition of a malware sample, more why a malware was specifically marked as "good" in the Prevx log. As far as I am aware, "good" ([G] marked in the log) files have been specifically checked by Prevx and are deemed safe. This is pretty worrying and something must have gone wrong; I am just curious as to what exactly went wrong and would like to get some input from Prevx on the forum. :)
     
  4. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Are you sure it's malicious? Can you Upload to VT and just give the info as to how many scanners detect it? http://www.virustotal.com/

    TIA,

    TH
     
  5. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    MD5 1658fda781dd847e91307c3c81aa83ba

    26/40
     
  6. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Thank You for the report Baz_kasp!

    Send a scan log and the file as stated in this post: https://www.wilderssecurity.com/showthread.php?t=245129 with the link to this thread to get it fixed and detected ASAP!

    HTH,

    TH
     
  7. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    Just to update a little bit: it seems there was some sort of rootkit at work here, as there were files on the computer not even visible in the Prevx log that were picked up by ComboFix (Zbot related)... which are detected after they have been removed by ComboFix, but not when active on the system.

    I knew there was something wrong because there would be sporadic notifications from Prevx that it had blocked a malware infiltration from stuff like this:

    [BP] c:\documents and settings\\local settings\temp\tmpe3b2e518\winamp.exe [PX5: 25884CACE8C54D3791FE0190DBEB8C004E9296A2] Malware Group: Medium Risk Malware
    c:\documents and settings\\local settings\temp\tmp67a61cb2\avp.exe [PX5: 1D8ABA0600AD0E7052FA00B9996880009BC3956C] Malware Group: Medium Risk Malware
    [BP] c:\documents and settings\\local settings\temp\tmp5926eaf8\winamp.exe [PX5: 25884CACE8C54D3791FE0190DBEB8C004E9296A2] Malware Group: Medium Risk Malware
    c:\documents and settings\\local settings\temp\tmpc6e71d9a\avp.exe [PX5: 000FD68F00465F96522600C07124FD00D57BE128] Malware Group: Medium Risk Malware


    I've sent a message to support to get a remote session with an engineer to make sure it's all been discovered and added to detections, as I am not convinced the infection has been entirely removed (hence I do not want to log into email).
     
    Last edited: Aug 10, 2010
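    As an added example (not from this thread, Prevx or Webroot), a small Python parser for the scan log lines quoted in posts 1 and 7: it pulls out the verdict tag, state, path, PX5 hash and malware group, and flags the contradiction this thread is about, a file tagged [G] (good) that is ACTIVE and running from a user temp directory. The line layout is inferred from the quoted lines only, and the sample input below is constructed from them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout inferred from the log lines quoted in this thread (assumption):
#   [TAG] (STATE) path [PX5: sha1-like hash] Malware Group: name
# TAG, STATE and the trailing "Malware Group" are each optional.
LINE_RE = re.compile(
    r"^(?:\[(?P<tag>[A-Z]+)\]\s+)?"
    r"(?:\((?P<state>[A-Z]+)\)\s+)?"
    r"(?P<path>.+?)\s+"
    r"\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]"
    r"(?:\s+Malware Group:\s*(?P<group>.+?))?\s*$"
)

# Executables launched out of a per-user temp directory (case-insensitive).
TEMP_RE = re.compile(r"\\local settings\\temp\\", re.IGNORECASE)


@dataclass
class Entry:
    tag: Optional[str]
    state: Optional[str]
    path: str
    px5: str
    group: Optional[str]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one Prevx log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["tag"], m["state"], m["path"], m["px5"].upper(), m["group"])


def suspicious_good(e: Entry) -> bool:
    """A 'G' verdict on an ACTIVE executable in a temp dir deserves a second look."""
    return e.tag == "G" and e.state == "ACTIVE" and bool(TEMP_RE.search(e.path))


# Constructed sample: the three kinds of line quoted in this thread.
SAMPLE_LOG = r"""
[G] (ACTIVE) c:\documents and settings\username\local settings\temp\tmp8c28ae1d\old.exe [PX5: 691082C300B9B37586F201EFEE7C62009F0F0A9B]
[BP] c:\documents and settings\\local settings\temp\tmpe3b2e518\winamp.exe [PX5: 25884CACE8C54D3791FE0190DBEB8C004E9296A2] Malware Group: Medium Risk Malware
c:\documents and settings\\local settings\temp\tmp67a61cb2\avp.exe [PX5: 1D8ABA0600AD0E7052FA00B9996880009BC3956C] Malware Group: Medium Risk Malware
"""


def review(log: str) -> List[str]:
    """Return the paths of 'good' entries that contradict where and how they run."""
    entries = (parse_line(l) for l in log.splitlines())
    return [e.path for e in entries if e and suspicious_good(e)]
```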
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    If you search for 1658fda781dd847e91307c3c81aa83ba on VT you see this:

    [image: no-p.gif]

    No Prevx was used for the scan?

    If you look at their list of vendors, they are listed:

    [image: p.gif]

    ?


    @ Baz_kasp

    Good catch :thumb: Did you get infected, and if so how, or were you just testing etc.?
     
  9. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    It's a relative's computer that has recently had some malware problems. I'm trying to clean it up but also to get Prevx sorted with these nasties, as it seems strange that Prevx wasn't even listing the Zbot in the scan logs. ComboFix picked up 8ca67ffaf371452ac8804e6eba7bdb55 and 1ccecdd8b06c0c5e2737063ea70001be (funnily enough, the Prevx scanner on VT lists this as a high risk threat, but nothing happens when scanning on the actual computer).
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Baz_kasp

    Good, not you then :thumb: Any ideas what www etc. they got it from, and how: drive-by, fake AV etc.? Also what OS and browser version and AV?

    Yes, weird all round; it will be interesting to see how this pans out.
     
  11. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    I think the only relevant fact here was that the computer was AV-less when I was called to "save" it... :doubt:
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Baz_kasp

    AV-less = oops, sounds like a real nasty, and those Zbots just keep on coming :(

    Hopefully you can show the relatives what not to do etc. :thumb: for the future.
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Actually, thinking about it, if they were on W7 with IE8 and fully patched, then that would be cause for concern, I believe.
     
  14. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Are you going to keep Prevx on that machine? If so, get it with SafeOnline to protect their online activities!

    TH
     
  15. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    It's already running paid-up 3.0 with SafeOnline.
     
  16. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Great, I have contacted Joe (PrevxHelp) about this issue so he can keep an eye on the progress!

    TH
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've taken a look in our central database and the file is definitely U, not G... I'm not entirely sure why it would be sent down as G but I'm going to leave it as-is until our research team takes a look at it.

    Thanks for the heads up! :)
     