Win32/VMalum.CIDD infection in sbautoupdate.exe?

Discussion in 'SpywareBlaster & Other Forum' started by Stephen Clark, Mar 28, 2008.

Thread Status:
Not open for further replies.
  1. Stephen Clark

    Stephen Clark Registered Member

    Joined:
    Mar 28, 2008
    Posts:
    1
    Today my CA Anti-Virus detected and quarantined on startup a Win32/VMalum.CIDD infection in sbautoupdate.exe. I can't find any information on what win32/VMalum.CIDD is, other than it is a backdoor trojan. I de-installed and re-installed SpywareBlaster using a fresh install file, but still have the problem.

    Is it a false positive? Has anyone else running SB and CAV seen this?

    Thanks,

    Stephen Clark
     
  2. tremblyj

    tremblyj Registered Member

    Joined:
    Mar 28, 2008
    Posts:
    1
    Location:
    Canada
    My organization's eTrust AV 8.1 detected Win32/VMalum.CIDD in C:\SYSTEM VOLUME INFORMATION\_RESTORE{4568522D-686F-40CA-B59F-0F43604506A5}\RP394\A0025814.EXE.0.AVB.
     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hello,

    I don't run CA but I'd say it must surely be a FP. Did you submit the file to CA for analysis?

    Seems the file is in System Restore.



    snowbound
     
  4. greenarrow1

    greenarrow1 Registered Member

    Joined:
    Mar 28, 2008
    Posts:
    2
    Location:
    Blue Diamond, NV
    I sent a copy of this file to CA analysis, SpywareBlaster and Blink eEye security to check out this file. Since it is in the auto update area we all need to be positive that this is not a backdoor or a virus. In the meantime I would disable auto update and do any updating manually.
     
  5. walterzev

    walterzev Registered Member

    Joined:
    Mar 28, 2008
    Posts:
    11
    Location:
    Montevideo, Uruguay
    Same happened to me today. It seems the file had been there for a long time, but CA just detected it today. I deleted it.
    However, I reinstalled the program some time later and in the process CA warned me again of this virus file.

    I couldn't find any info about it, not even in CA's database.

    If it is a FP, how come it only shows up today?
     
  6. Jothanan

    Jothanan Registered Member

    Joined:
    Mar 29, 2008
    Posts:
    4
    Last edited by a moderator: Mar 29, 2008
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    That's how false positives work. A detection software (like CA's anti-virus) updates its definitions to include some new threat, but that new detection also ends up flagging files that are not malicious. It's only showing up now because no doubt CA only just added a new detection. Once they get the reports of false positives and the files that are being detected, they can tune their detection so that it doesn't flag non-malicious files while still catching the bad ones.
     
  8. walterzev

    walterzev Registered Member

    Joined:
    Mar 28, 2008
    Posts:
    11
    Location:
    Montevideo, Uruguay
    Thank you for your input.
    However, I have just received the following reply from CA:
    _______________________________
    Dear customer,

    Thank you for using CA Security Advisor.

    This is to notify you of the results of your submission, issue number
    1291583. Please keep this issue number for future reference.
    Please see below for the final results of our analysis of your file
    submission.
    We successfully received the following files:

    FILE SIZE CONCLUSION
    ------------------------------------------------------------------------
    sbautoupdate.zip 607217
    ------------------------------------------------------------------------
    sbautoupdate.exe 902696 malware
    ------------------------------------------------------------------------

    This automated scanning service "Virtue" complements our regular
    technical support service. It is not a replacement for it. For
    technical support please visit http://www.ca.com/about/support.htm.
    If you would like to comment on the quality of this automated service,
    please send your suggestion to virtue.feedback@ca.com .

    CA Security Advisor

    _____________________________

    :doubt:
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Did you submit the file as a possible false positive? That email seems to be saying that an automated scan was done on your submission and it reported the file as malware...

    Of course it does. If they are simply using their own scanner and definitions to check the file, then the results will be the same as what people are seeing on their PCs with CA anti-virus. That does not say that an analyst looked at the file and actually checked to see if it is what their signature detection claims it to be.

    Basically, that email doesn't add anything to the analysis other than to say CA detects the file.
     
  10. walterzev

    walterzev Registered Member

    Joined:
    Mar 28, 2008
    Posts:
    11
    Location:
    Montevideo, Uruguay
    MORE ABOUT IT FROM CA:
    FILE
    ------------------------------------------------------------------------
    sbautoupdate.zip
    ------------------------------------------------------------------------
    This file is being analyzed by our researchers. We will inform you of
    their findings as soon as the analysis is complete.

    FILE
    ------------------------------------------------------------------------
    sbautoupdate.exe
    ------------------------------------------------------------------------
    The Windows PE (I386,EXE) file "sbautoupdate.exe" has been determined
    to be malicious.

    The file is currently detected generically as Win32/VMalum.CIDD. You
    will be notified when our researchers have added specific detection and
    cure.

    Note: A Win32.Malum detection may be reported when CA Antivirus
    solutions use advanced techniques to generically detect a worm or
    trojan that affects the Win32 platform.

    CA products address this malware as follows:
    --------------------------------------------
    CA Anti-Virus
    Engine Update version Last Update
    31.3.0 31.3.5653 29 Mar
    Please check for the latest signature updates.

    ==========================================================
    :doubt: :doubt:
     
  11. walterzev

    walterzev Registered Member

    Joined:
    Mar 28, 2008
    Posts:
    11
    Location:
    Montevideo, Uruguay
    Yes, I did. I suggested it might be a FP, but that I wanted to be sure, so I was submitting the file to them to be checked.

    Should I write back insisting on the FP possibility? :rolleyes:
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    If your file has an MD5 of 0d5e4768c82d69256e6ec6e53e0a62bd, it's clean. There are 6 wrong detections at Virustotal (CA, Ikarus, Norman, Panda, Sophos and Webwasher)
    Maybe they're detecting the packer (Armadillo)
     
  13. walterzev

    walterzev Registered Member

    Joined:
    Mar 28, 2008
    Posts:
    11
    Location:
    Montevideo, Uruguay
    I just emailed CA again asking to re-check the file and reminding them of the FP chance.
    :)
    Let us wait.
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Download HashTab and install it. Go to the SpywareBlaster folder (usually in Program Files\SpywareBlaster), right-click the sbautoupdate.exe file and compare the MD5 checksum with the one I've provided above.
     
  15. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Hi,

    This detection is a false-positive. Unfortunately, these problems seem to crop up every once in a while, especially after a new release.

    Please contact your anti-virus company and alert them to the false positive.

    Information on the legitimate sbautoupdate.exe file:

    File name: sbautoupdate.exe
    Default path: C:\Program Files\SpywareBlaster\
    MD5 checksum: 0D5E4768C82D69256E6EC6E53E0A62BD

    Best regards,

    -Javacool
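The check lucas1985 and javacool describe above (hash the installed sbautoupdate.exe and compare it with the published MD5) can be done without HashTab. The following is an added example written for this thread, not code from SpywareBlaster or from any of the posters; the known-good MD5 and the default path are the ones javacool posted, the function names are ours, and `write_constructed_sample` only exists so the script runs offline against made-up bytes when the real file is not present.

```python
import hashlib
import os
import tempfile

# Checksum of the legitimate sbautoupdate.exe as posted by javacool in this
# thread, and the default install path named there.
KNOWN_GOOD_MD5 = "0D5E4768C82D69256E6EC6E53E0A62BD"
DEFAULT_PATH = r"C:\Program Files\SpywareBlaster\sbautoupdate.exe"


def file_digests(path, chunk_size=1 << 16):
    """Return (md5_hex, sha256_hex) for the file at `path`.

    The file is read in chunks so a large packed binary need not fit in
    memory. SHA-256 is computed alongside MD5: MD5 is enough to match a
    vendor-published checksum of the same release, but it is not collision
    resistant, so SHA-256 is the value to record if you pin the file yourself.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify_md5(path, expected_md5):
    """Compare the file's MD5 with a published value, case-insensitively.

    HashTab shows lowercase hex while the thread quotes the checksum in
    uppercase; normalising both sides avoids a spurious mismatch.
    """
    actual_md5, actual_sha256 = file_digests(path)
    expected = expected_md5.strip().lower()
    return {
        "path": path,
        "size": os.path.getsize(path),
        "expected_md5": expected,
        "actual_md5": actual_md5,
        "sha256": actual_sha256,
        "match": actual_md5 == expected,
    }


def write_constructed_sample(data):
    """Write constructed bytes to a temp file and return its path.

    Stand-in for sbautoupdate.exe so the example runs offline; the content
    is made up for this example and is not the real binary.
    """
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    if os.path.exists(DEFAULT_PATH):
        target = DEFAULT_PATH
    else:
        target = write_constructed_sample(b"constructed stand-in, not the real file\n")
    result = verify_md5(target, KNOWN_GOOD_MD5)
    verdict = ("matches the published checksum" if result["match"]
               else "does NOT match the published checksum")
    print(f"{result['path']} ({result['size']} bytes)")
    print(f"  MD5    {result['actual_md5']}  {verdict}")
    print(f"  SHA256 {result['sha256']}")
```

A match tells you the quarantined file is byte-for-byte the build the vendor published, which is what turns "the scanner says malware" into a false-positive report the vendor can act on; a mismatch does not by itself prove infection (a newer release has a different hash), so check which version you installed before concluding anything. Note that the copy tremblyj's scanner flagged sits under System Volume Information, a System Restore snapshot of the same file.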
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Javacool,
    There are 6 AV companies detecting sbautoupdate.exe at Virustotal :)
     
  17. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Hi,

    Do you happen to have any direct contacts within those companies? (If yes, please PM me.)

    I've gone through the normal routes in the past, but it often takes too long.

    Best regards and thanks,

    -Javacool
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    No, I've just scanned sbautoupdate.exe to help in the troubleshooting of this FP :)
    I have the mail addresses of the viruslabs of some of the AVs which are having the FP:
    - CA/eTrust: virus [at] ca [dot] com
    - Norman: analysis [at] norman [dot] no
    - Panda: virussamples [at] pandasoftware [dot] com
    - Sophos: samples [at] sophos [dot] com
    Yep, some AV vendors are slow at fixing FPs :(
     
  19. walterzev

    walterzev Registered Member

    Joined:
    Mar 28, 2008
    Posts:
    11
    Location:
    Montevideo, Uruguay
    I just did it. It looks fine as you said.
    :thumb:
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Then, you have nothing to worry about :)
    Greetings from the other side of the river :D
     
  21. walterzev

    walterzev Registered Member

    Joined:
    Mar 28, 2008
    Posts:
    11
    Location:
    Montevideo, Uruguay
    Thank you, Lucas. I'm glad there was no virus in my PC. :D

    The only thing that worries me now is that I can't use the autoupdate feature in SB, because when CA AV is on, the file is quarantined.

    I'll have to update it manually until CA takes notice of this FP then. No big deal though.
     
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Can't you exclude the file(s) from being scanned? I would be surprised if CA's eTrust does not have a file exclusion feature.
     
  23. walterzev

    walterzev Registered Member

    Joined:
    Mar 28, 2008
    Posts:
    11
    Location:
    Montevideo, Uruguay
    Yes, CA has that feature. I tried it several times to no avail. I tried exclusions from real time scanning, from on demand scanning, from both, but after a while the file is sent to quarantine again. It might be a terrible strong fatal virus :eek: :eek: :cool:

    I will leave it there for the time being and update the software manually, no problem. Just being on the safe side.

    Thanks for your advice anyway.
     
  24. Jothanan

    Jothanan Registered Member

    Joined:
    Mar 29, 2008
    Posts:
    4
    Yup, had exactly the same experience!:rolleyes:

    Seems like some applications have user options as FPs (False Pacifiers)! :D
     
  25. walterzev

    walterzev Registered Member

    Joined:
    Mar 28, 2008
    Posts:
    11
    Location:
    Montevideo, Uruguay
    GOOD NEWS!:D :argh: :thumb:
    I just received the following reply from CA:
    _________________

    Dear customer,

    Thank you for using CA Security Advisor.

    This is to notify you of the results of your submission, issue number
    1291583. Please keep this issue number for future reference.

    With regards to the file "sbautoupdate.exe" submitted by you on 29 Mar
    15:18:18 (Australian Eastern Standard Time), we have updated our
    signature files to resolve the false positive problem.

    The Windows PE (I386,EXE) file "sbautoupdate.exe" has been determined
    to be clean. Our researchers have analyzed the file and found nothing
    suspicious.


    ......
    CA Security Advisor

    ______________________

    I checked and CA doesn't detect it as malware now. It works fine.
     