Trojan Found HELP NEEDED!!!

Discussion in 'NOD32 version 2 Forum' started by radicalb21, Oct 3, 2003.

Thread Status:
Not open for further replies.
  1. radicalb21

    radicalb21 Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    164
    Location:
    USA
    Can anyone help with this issue? o_O This is what was reported by AMON. This happened during an install of printer software, specifically the HP PSC 1210 printer. I chose to quarantine the file and then delete it.


    Time: 10/3/2003 5:41:41 AM
    Module: AMON
    Object: file
    Name: C:\Program Files\Hewlett-Packard\hpis\bin\MatcliWrapper.exe
    Virus: Win32/Flooder.NewsAgent trojan
    Action: quarantined - deleted
    User:
    Info:

    Any and all help would be appreciated. I would appreciate an ESET Moderator or Administrator contacting me, as well as any forum member or forum moderator.
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi,

    Can you please download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

    Also, if you have NT/2K/XP, can you please download DCS's OpenPorts program from

    http://www.diamondcs.com.au/downloads/openports.zip

    Unzip openports.exe in your Windows directory, and open up your Command Prompt and type;

    openports > openports.txt

    and then press the Enter key

    Then type;

    openports.txt

    and press the Enter key again, and then copy the contents of the file in Notepad and paste it here for us to review
     
  3. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Also, send the infected file to samples@eset.com, in case it's a false positive (not infected, but detected).

    Best regards,
    Anders
     
  4. Baayo

    Baayo Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    3
    I've had the exact same problem. I downloaded the trial version of NOD32 v.2 a few days ago. The very first scan I did with the program (all options at default settings; 40,000 files scanned) flagged down the very same file as a trojan, with the message

    C:\Program Files\Hewlett-Packard\hpis\bin\MatcliWrapper.exe Win32/Flooder.NewsAgent trojan

    When I used Windows Explorer to have a look at that file (with AMON being enabled), the program threw up a big red alert screen, repeating the above message and saying that this item cannot be cleaned. Before going any further (e.g. renaming the file or encrypting and quarantining it or sending it as a suspected trojan sample to the NOD32 labs), I decided to investigate a little further.

    First, no information can be found on that trojan "Win32/Flooder.NewsAgent" in the virus/trojan databases of NOD32/ESET, Symantec or McAfee. A Google search also brings up nothing.

    Second, that MatcliWrapper.exe file (a piece of a client command line interface) appears to be part of a program suite coded by Motive Communications, Inc. and dated 2001 that's used by Hewlett-Packard in their GUI (called Printer Assistant) for setting up and supporting some of their printers. My copy of that file came on the CD included with my HP deskjet 5550. I installed that software in Jan. 2003. Since that date that alleged trojan has been sitting on my hard disk. However, numerous scans with NAV 2002 and several recent scans with NAV 2004, McAfee VS8, Kaspersky AV4.5, Panda Titanium v.2 and Trojan Hunter v3.6, all with the latest malware definitions installed, failed to flag this file.

    Third, I've frequently looked at my open ports and startup programs using such programs as Port Explorer and AutoStartViewer and I've never seen anything suspect that looked like a trojan, certainly not that Matcliwrapper program.

    I fished out the HP CD on which this file came (I presume it resides there in a compressed file named CONTENTS.CAB in the HPIS folder) and scanned the entire CD with NOD32, first straight, then from the DOS command line with the switch \AH which enables advanced heuristics, and then repeated the same thing for just that file alone. None of this produced any result.

    Then I did another standard NOD32 scan of my hard disk, all with the same default settings as used earlier, except that in the Setup tab, in the box "objects to diagnose", runtime packers, archives, and email files were also checked. Without my knowingly having done anything to that MatcliWrapper file, now the scan sailed through the entire 10 GB of data (120,000 files scanned, with those additional options enabled) with "0 viruses found."

    So what do you make of all of this? I'm inclined to think that NOD32 generated a false positive.

    If you again need to set up or fiddle with your HP printer settings, I wonder if the Printer Assistant software still works properly now that you have deleted that MatcliWrapper.exe file.

    You may want to send that file for examination to ESET if you can still undelete it. Copy the file as an attachment to an explanatory email sent to samples@nod32.com; feel free to include my comments. If you can't, then maybe I'll do it - right now I'm a little tired of wasting any more time on AV program related problems. Good luck! And don't worry much about it, for now!

    BTW, I think NOD32 v.2 is a terrific program. I had my machine clobbered (Windows XP reinstall needed) by installing McAfee VS8 while NAV 2004 was also installed (although with all startup and memory resident functions of NAV disabled). I had wanted the choice of using two different AV programs for alternate scanning. Now, NAV and VS8 (and part of Windows XP) are gone, and I'll probably shell out the $40 for NOD32.

    -----
    ESET's instructions:

    How could I send a sample to Eset?

    When Nod32 detects a virus, it offers several actions. One of them is the "Export the file" button. If you want to send a sample to Eset - you can click on it, save it to the disk and send as an attachment to samples@nod32.com.
     
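The checks Baayo describes above (confirming the flagged file is the unmodified copy from the vendor's CD, and that it is an older vendor build rather than something dropped later) are the core of a false-positive triage. The script below is an added example written for this page, not code from the thread, from ESET or from HP. It assumes you have the quarantined file and the copy from the installation media available as bytes; the inputs in the block are constructed stand-ins, not the real MatcliWrapper.exe.

```python
"""Triage a suspected antivirus false positive by comparing the flagged file
against a trusted reference copy and reading its PE link timestamp.

Added example, not from the forum thread. The sample inputs below are
constructed minimal PE-shaped blobs, not real vendor binaries.
"""
import hashlib
import struct
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime,
    or None if the bytes are not a well-formed PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) + COFF header (20 bytes) must fit in the file
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # TimeDateStamp sits 4 bytes into the COFF header (after Machine and
    # NumberOfSections), i.e. 8 bytes past the PE signature
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def triage(flagged: bytes, reference: bytes) -> dict:
    """Compare the file the scanner flagged against a trusted reference copy.

    identical: True when both files hash the same. A byte-identical match
               with the vendor's install media shows the on-disk file was not
               altered after installation, which points to a false positive
               rather than a post-install infection (it does not by itself
               prove the vendor's media was clean).
    link_time: PE link timestamp of the flagged file, or None if not a PE.
    """
    flagged_hash = sha256_hex(flagged)
    reference_hash = sha256_hex(reference)
    return {
        "flagged_sha256": flagged_hash,
        "reference_sha256": reference_hash,
        "identical": flagged_hash == reference_hash,
        "link_time": pe_timestamp(flagged),
    }


def make_fake_pe(timestamp: int, payload: bytes = b"") -> bytes:
    """Constructed minimal PE-shaped blob for offline testing: a DOS header
    whose e_lfanew points at a PE signature and a COFF header carrying the
    given TimeDateStamp. Not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE header at 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff + payload


# Constructed samples (hypothetical): a reference copy "from the CD", a
# flagged file identical to it, and one altered after installation.
LINK_2001 = int(datetime(2001, 6, 15, 12, 0, tzinfo=timezone.utc).timestamp())
REFERENCE = make_fake_pe(LINK_2001, b"vendor code")
FLAGGED_CLEAN = bytes(REFERENCE)
FLAGGED_TAMPERED = REFERENCE + b"\x90\x90appended stub"

if __name__ == "__main__":
    for label, sample in (("clean", FLAGGED_CLEAN), ("tampered", FLAGGED_TAMPERED)):
        r = triage(sample, REFERENCE)
        print(f"{label}: identical={r['identical']} link_time={r['link_time']}")
```

A hash match against the install media is the strongest single piece of evidence for the "unchanged since install" argument; the link timestamp only corroborates the vendor's stated build date and is trivially forgeable, so treat it as a consistency check, not proof. Whatever the result, the file still goes to the vendor's sample address, as the thread advises.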
  5. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    When any AV alerts on a known legit program file, especially when installing something like printer software, I'd first assume a false positive and check things out prior to deleting anything.

    It's not completely unknown for some legit program files from legit sources to have come with infections, but it's a very rare occurrence. But as noted, it's best to send it in to the vendor just to make sure, and also to alert the vendor that they've got a false positive, when that's the case. Given the number of similar reports here and elsewhere regarding this same file and NOD's alert, I'd put it in the likely false positive category.

    FWIW I've had no NOD alerts on my HP software. But that may be due to different versions of the software.
     
  6. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    That does sound like a False Positive.

    Here are some other links showing Flooder NewsAgent.

    Weekly Update: August-31 - 19:34(UTC+2DST)
    http://www.avp.ch/E/avp-news.stm

    Trojan/Flooder.Win32.NewsAgent.1_06
    http://www.rav.ro/scan/scan-stats.php?top=all

    JAVA/NEWSAGENT FLOODER
    http://support.ca.com/techbases/ilnt/31033a.html

    Flooder.NewsAgent
    (copy and paste in your browser)
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NEWSAGENT.A
     
  7. Baayo

    Baayo Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    3
    The only reference I've found to that trojan in a Google search, curiously enough is to the NOD32 website in Finland

    http://www.nod32finland.com/updates.asp

    where this trojan is listed as being included in the NOD32 v1.524 (2003-10-02) virus signature update file. I downloaded and installed NOD32 and ran the first scan on that same day, and it flags down an HP program written in 2001 and installed on my hard disk in Jan. 2003 as being infected with a trojan whose discovery is so new that it was just included in the most recent update file, distributed on the same day that I scanned. This is peculiar. It almost certainly is a false positive, but I wonder if NOD32 not just misfired but rather malfunctioned.

    Any comments?
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Baayo,

    Comments? It's an existing trojan for sure. Could well be a false positive: as you've posted before, just provide a sample to the sample email address you've mentioned yourself for investigation ;)

    regards.

    paul
     
  9. Baayo

    Baayo Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    3
    I've sent the file in question as a sample to samples@nod32.com. We'll see what they have to say.
     
  10. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi,

    >Can anyone help with this issue? o_O This is what was reported by AMON. This happened during an install of printer software, specifically the HP PSC 1210 printer. I chose to quarantine the file and then delete it.
    Time Module Object Name Virus Action User Info
    10/3/2003 5:41:41 AM AMON file C:\Program Files\Hewlett-Packard\hpis\bin\MatcliWrapper.exe Win32/Flooder.NewsAgent trojan quarantined - deleted

    Sorry for the false positive - it was fixed in today's update, 1.527.

    Thx., :)

    jan
     