Shadow Defender Worm?

Discussion in 'malware problems & news' started by scitexia, Apr 15, 2010.

Thread Status:
Not open for further replies.
  1. scitexia

    scitexia Registered Member

    Joined:
    Apr 15, 2010
    Posts:
    1
    Had an interesting experience while installing Shadow Defender. Downloaded the file (32-bit) from their site (www.shadowdefender.com) and tried to install it. A-Squared AM told me that it was infected with a worm. Canceled the install and downloaded the file again. Same thing so I figured it was an FP and told it to install anyway.

    After rebooting, Symantec Endpoint Security 12 (I have that installed too) immediately identified the trojan (presumably the same that A-Squared tried to warn me about earlier).

    Sooo, after allowing SEP to quarantine it and uninstalling, I THEN went to cNet (www.download.com) and downloaded THEIR version and installed it. Guess what?? No worm and both A-Squared & SEP were quite happy.

    Strange, huh?:-*
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    what did each software tell you that was infected (file name(s)) and where was it/they located?
     
  3. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Compare the md5 hash of the files and tell us about the results.
     
  4. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,591
    I've just scanned the Shadow Defender installer (from their website) with Avira Premium and found nothing. I agree it is strange.
     
  5. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,558
    Location:
    Ontario, Canada
    I tried to upload to VT and I keep getting errors so I tried Jotti and 2 scanners pick it as:

    CP secure BackDoor.W32.Hupigon.jrud

    Sophos Sus/Scribble-B

    But that's it and the one from Download.com just Sophos Sus/Scribble-B

    So that's strange! Mind you that jotti is outdated Feb 23 2010

    TH
     
  6. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,591
    I get the same results with Virus Total (errors) and same detections with Jotti. The MD5 and SHA1 are different though with the 2 installers.
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Hmmm, SD1.1.0.325_Setup.exe downloaded from authors site and SD1.1.0.325_Setup(2).exe downloaded from download.com?

    SD.JPG
     
  8. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,241
    Hi:

    I scanned it with a-squared and nothing detected. Also I managed to upload and scan it with virustotal the one from the shadow defender web site and virus total only found "1/40" (only Sophos detected). Here is the result of virus total. Must be a false positive.

    ~Virus Total results removed per Policy.~

    ( base data )
    entrypointaddress.: 0x12226
    timedatestamp.....: 0x4987F062 (Tue Feb 3 08:21:06 2009)
    machinetype.......: 0x14C (Intel I386
     
    Last edited by a moderator: Apr 16, 2010
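
The comparison asked for in this thread (MD5/SHA1 of the two downloads, plus the PE header fields listed under "base data" above), as an added example that is not part of the original posts. The names `fingerprint`, `differing_fields` and `build_sample` are hypothetical, and the sample images are constructed; only the three header values are taken from the post above.

```python
import hashlib
import struct

def fingerprint(data: bytes) -> dict:
    """Hashes plus the PE header fields quoted in the thread's 'base data'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if len(data) < pe_off + 44 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    machine, _sections, stamp = struct.unpack_from("<HHI", data, pe_off + 4)
    # The optional header follows the 4-byte signature and 20-byte COFF
    # header; AddressOfEntryPoint sits 16 bytes into it.
    (entry,) = struct.unpack_from("<I", data, pe_off + 24 + 16)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "machinetype": hex(machine),
        "timedatestamp": hex(stamp),
        "entrypointaddress": hex(entry),
    }

def differing_fields(a: bytes, b: bytes) -> list:
    """Names of the fingerprint fields that differ between two images."""
    fa, fb = fingerprint(a), fingerprint(b)
    return [name for name in fa if fa[name] != fb[name]]

def build_sample(tail: bytes, stamp: int = 0x4987F062) -> bytes:
    """Constructed minimal PE image for the demo (not a real installer)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIII", 0x10B, 6, 0, 0, 0, 0) + struct.pack("<I", 0x12226)
    return dos + b"PE\0\0" + coff + opt + tail

if __name__ == "__main__":
    vendor_copy = build_sample(b"constructed-body-A")
    mirror_copy = build_sample(b"constructed-body-B")
    # An empty list means the two downloads are byte-identical, so differing
    # scanner verdicts cannot come from the file itself.
    print(differing_fields(vendor_copy, vendor_copy))
    # Differing hashes with identical header fields: the same build metadata
    # but different content somewhere after the headers.
    print(differing_fields(vendor_copy, mirror_copy))
```

For real downloads, pass `open(path, "rb").read()` for each installer instead of the constructed samples.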
  9. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,485
  10. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    485
    I had exactly the same result when I downloaded the file previously. No alerts except with A2. Then I uninstalled. Immediately Threatfire indicated a worm a rootkit. Finally after some time I got rid of it. I think there is a Worm in ShadowDefender but I can't say so for sure so it could be a FP.
     
  11. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    723
    Location:
    Cumbria, England
  12. Smirs

    Smirs Registered Member

    Joined:
    Mar 24, 2007
    Posts:
    24
    Interesting how Prevx doesn't flag it as 'BackDoor.W32.Hupigon.jrud' or 'Sus/Scribble-B' but straight names it a ' Fraudulent Security Program '.
     
  13. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,558
    Location:
    Ontario, Canada
    Prevx never pick this up as malware? Or are you saying it does for you?

    TH
     
  14. Smirs

    Smirs Registered Member

    Joined:
    Mar 24, 2007
    Posts:
    24
    Yes it picks up Shadow Defender (1.1.0.325) on my computer as malware;
    Defender.exe MD5 69F211FC6E27F9AB715279E5FFC34F6E
     
  15. Smirs

    Smirs Registered Member

    Joined:
    Mar 24, 2007
    Posts:
    24
    I uploaded the file to virus total, Prevx is the only one that flags it, ~ Virus Total Results Removed per Policy ~
     
    Last edited by a moderator: Sep 1, 2010
  16. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,558
    Location:
    Ontario, Canada
    It doesn't on my machine and VT still shows Sophos Sus/Scribble-B and my setup file is
    SD1.1.0.325_Setup.exe MD5 : 4ed0f50233680ffc37fbe5cf8057c634 Also from my Prevx scan log: (ACTIVE) c:\security programs folder\shadow defender folder\sd1.1.0.325_setup.exe [PX5: E443759160325FB96C54111D18404000A042BF29]
    Capture01-09-2010-6.59.46 PM.jpg Capture01-09-2010-7.01.55 PM.jpg

    So there could be something with the setup file that you have because mine is fine! Do you have Prevx installed? If you do send a scan log and the setup file to Prevx as stated in this post: https://www.wilderssecurity.com/showthread.php?t=245129

    TIA,

    TH
     
    Last edited: Sep 1, 2010
  17. Smirs

    Smirs Registered Member

    Joined:
    Mar 24, 2007
    Posts:
    24
    Message sent. Thanks a lot for your support.
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This was a false positive but we've corrected it now :) Shadow Defender is indeed legitimate, but the increasing number of rogues makes it hard for researchers to keep the line well defined :)
     
  19. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,558
    Location:
    Ontario, Canada
    Thanks for the confirmation! :thumb:

    TH
     