Shadow Defender Worm?

Discussion in 'malware problems & news' started by scitexia, Apr 15, 2010.

Thread Status:
Not open for further replies.
  1. scitexia

    scitexia Registered Member

    Joined:
    Apr 15, 2010
    Posts:
    1
    Had an interesting experience while installing Shadow Defender. Downloaded the file (32-bit) from their site (www.shadowdefender.com) and tried to install it. A-Squared AM told me that it was infected with a worm. Canceled the install and downloaded the file again. Same thing so I figured it was an FP and told it to install anyway.

    After rebooting, Symantec Endpoint Security 12 (I have that installed too) immediately identified the trojan (presumably the same one that A-Squared tried to warn me about earlier).

    Sooo, after allowing SEP to quarantine it and uninstalling, I THEN went to cNet (www.download.com) and downloaded THEIR version and installed it. Guess what?? No worm and both A-Squared & SEP were quite happy.

    Strange, huh?:-*
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    What did each software tell you was infected (file name(s)), and where was it/were they located?
     
  3. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Compare the md5 hash of the files and tell us about the results.
     
  4. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    I've just scanned the Shadow Defender installer (from their website) with Avira Premium and found nothing. I agree it is strange.
     
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I tried to upload to VT and I keep getting errors, so I tried Jotti and 2 scanners pick it up as:

    CP secure BackDoor.W32.Hupigon.jrud

    Sophos Sus/Scribble-B

    But that's it, and the one from Download.com just gets Sophos Sus/Scribble-B.

    So that's strange! Mind you, Jotti is outdated (Feb 23 2010).

    TH
     
  6. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    I get the same results with Virus Total (errors) and same detections with Jotti. The MD5 and SHA1 are different though with the 2 installers.
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Hmmm, SD1.1.0.325_Setup.exe downloaded from the author's site and SD1.1.0.325_Setup(2).exe downloaded from download.com?
     
  8. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    Hi:

    I scanned it with a-squared and nothing was detected. Also, I managed to upload and scan the one from the Shadow Defender web site with VirusTotal, and VirusTotal only found "1/40" (only Sophos detected). Here is the result from VirusTotal. Must be a false positive.

    ~Virus Total results removed per Policy.~

    ( base data )
    entrypointaddress.: 0x12226
    timedatestamp.....: 0x4987F062 (Tue Feb 3 08:21:06 2009)
    machinetype.......: 0x14C (Intel I386)
     
    Last edited by a moderator: Apr 16, 2010
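Two of the suggestions above (NoIos's MD5 comparison and the "base data" header fields in taleblou's VirusTotal excerpt) can be checked locally. This is an added example, not code from the thread or from Shadow Defender: it hashes two installer images, reads the machine type, link timestamp and entry point straight from the PE headers, and reports whether two downloads are byte-identical or at least the same build. The two installers are constructed minimal PE fixtures (not the real SD1.1.0.325_Setup.exe), and the timestamp is rendered in UTC, so the hour can differ from a scanner's local-time rendering.

```python
import hashlib
import struct
from datetime import datetime, timezone

def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-1 of an in-memory file image (what the thread compares)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def pe_base_data(data: bytes) -> dict:
    """Read the 'base data' fields shown in the thread straight from the PE
    headers: machine type, link timestamp and entry-point RVA."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if opt_size < 20:
        raise ValueError("optional header too short to hold AddressOfEntryPoint")
    # AddressOfEntryPoint sits at offset 16 of the optional header (PE32 and PE32+)
    entry = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]
    return {"machine": machine, "timestamp": stamp, "entrypoint": entry,
            "built": datetime.fromtimestamp(stamp, tz=timezone.utc)}

def compare_downloads(a: bytes, b: bytes) -> dict:
    """Are two downloaded installers byte-identical, and if not, are they
    at least the same build (same link timestamp and entry point)?"""
    pa, pb = pe_base_data(a), pe_base_data(b)
    return {"identical": file_hashes(a) == file_hashes(b),
            "same_build": (pa["timestamp"], pa["entrypoint"])
                          == (pb["timestamp"], pb["entrypoint"])}

def _mini_pe(stamp: int, entry: int, tail: bytes) -> bytes:
    """Constructed minimal PE32 header (a test fixture, not a real installer)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 9, 0, 0x1000, 0x1000, 0, entry)
    return dos + b"PE\0\0" + coff + opt.ljust(224, b"\0") + tail

# Constructed samples using the thread's timestamp/entry point; the "mirror"
# copy is the same build but differs by one byte, so its hashes differ
VENDOR = _mini_pe(0x4987F062, 0x12226, b"\xCC" * 32)
MIRROR = _mini_pe(0x4987F062, 0x12226, b"\xCC" * 31 + b"\x90")

if __name__ == "__main__":
    for name, blob in (("vendor", VENDOR), ("mirror", MIRROR)):
        info = pe_base_data(blob)
        print(name, file_hashes(blob)["md5"], hex(info["entrypoint"]), info["built"])
    print(compare_downloads(VENDOR, MIRROR))
```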
  9. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
  10. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    I had exactly the same result when I downloaded the file previously. No alerts except with A2. Then I uninstalled. Immediately, ThreatFire indicated a worm/a rootkit. Finally, after some time, I got rid of it. I think there is a worm in Shadow Defender, but I can't say so for sure, so it could be an FP.
     
  11. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    722
    Location:
    Cumbria, England
  12. Smirs

    Smirs Registered Member

    Joined:
    Mar 24, 2007
    Posts:
    24
    Interesting how Prevx doesn't flag it as 'BackDoor.W32.Hupigon.jrud' or 'Sus/Scribble-B' but straight names it a ' Fraudulent Security Program '.
     
  13. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Prevx never picks this up as malware? Or are you saying it does for you?

    TH
     
  14. Smirs

    Smirs Registered Member

    Joined:
    Mar 24, 2007
    Posts:
    24
    Yes it picks up Shadow Defender (1.1.0.325) on my computer as malware;
    Defender.exe MD5 69F211FC6E27F9AB715279E5FFC34F6E
     
  15. Smirs

    Smirs Registered Member

    Joined:
    Mar 24, 2007
    Posts:
    24
    I uploaded the file to virus total, Prevx is the only one that flags it, ~ Virus Total Results Removed per Policy ~
     
    Last edited by a moderator: Sep 1, 2010
  16. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    It doesn't on my machine, and VT still shows Sophos Sus/Scribble-B, and my setup file is
    SD1.1.0.325_Setup.exe MD5 : 4ed0f50233680ffc37fbe5cf8057c634
    Also from my Prevx scan log: (ACTIVE) c:\security programs folder\shadow defender folder\sd1.1.0.325_setup.exe [PX5: E443759160325FB96C54111D18404000A042BF29]

    So there could be something with the setup file that you have, because mine is fine! Do you have Prevx installed? If you do, send a scan log and the setup file to Prevx as stated in this post: https://www.wilderssecurity.com/showthread.php?t=245129

    TIA,

    TH
     
    Last edited: Sep 1, 2010
  17. Smirs

    Smirs Registered Member

    Joined:
    Mar 24, 2007
    Posts:
    24
    Message sent. Thanks a lot for your support.
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This was a false positive but we've corrected it now :) Shadow Defender is indeed legitimate, but the increasing number of rogues makes it hard for researchers to keep the line well defined :)
     
  19. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Thanks for the confirmation! :thumb:

    TH
     