Need analysis of this malware, sent to Boclean 2 days ago no reply yet.

[Guest]

[tempnexus]

I found those on a clients' PC they get picked up as a Win32 Virus by NOD32 however they are fine by Symantec AND it comes as a software package on a USB drive. (Also Kanguru is a legit app). So the question is: WAs the USB drive infected at the manufacturer or is this a FP?
Please take a look especially at the MsMsSrv.dll and RunSrv.exe
Password: Malware

P.S.
What is the current Boclean E-mail addy?
I tried:
boclean <bocleansubmissions[ at ]comodo.com>,
boclean[ at ]comodo.com,
boclean <bocleansubmissions[ at ]comodogroup.com>,
malwaresubmit[ at ]avlab.comodo.com,

And I know that [ at ]NSCLEAN is dead.

[SiberLynx]

What is the current Boclean E-mail addy?

Hi tempnexus ,

the address is malwaresubmit[ at ]comodo.com

as I found recently in
https://forums.comodo.com/comodo_boclean_antimalware/fp_flashdisinfector-t22106.0.html
but that was FP by BOClean.
My regards

P.S.
and I just noticed: is that rar file contains what you are suspecting to be malware?
if so...woW!!! Please read the rules how to submit.
It must be passworded archive. Password supplied in the e-mail body

[tempnexus]

Yeap that is how I submitt to all my AV mailing lists.  Password protected.
Side note:
Why the hell did ComodBoclean e-mail submission had to change 3 times before going stable?  It gets a bit annoying to have to resubmit the same file 3 times or rehunt the valid e-mail addy.
I am a creature of comfort and miss the day when I could just e-mail Kevin at NSclean and have things done in 10 hours or less.

[Rednose]

Hi tempnexus


Please remove the attachment of the malware file, it is against the forum rules to post such :

it is not the appropriate place to attach or link live malware (viruses, trojans, rootkits, etc) to posts.

From here :

http://forums.comodo.com/new_member_information/forum_policy-t1516.0.html


Than follow this procedure  :

Email the file to: malwaresubmit [ at ] comodo.com .
Specify in the subject line "Positive ?".
Zip and password protect it with "infected" and include that information in the body.

Thanks m8

Greetz, Red.

[tempnexus]

Day 5 still not a peep.

[Kevin McAleavey]

Day 5 still not a peep.

Did anyone get back to you yet?

[tempnexus]

Did anyone get back to you yet?

Not yet.
And just today the Network Admin for that company told me that he is reconnecting the system back to the network since:
1) Some of that code came with their USB drives so it's "clean"...yeah USB Pictures Frames during XMASS trojan ring a bell??? I guess not to him.
2) McAffee and Symantec Don't flag it as a threat then it's not a threat.

Now I wanted to avoid disaster but looks like the IT dept got impatient.  I know that the Kanguru is a NIST sanctioned code but the MsMsSrv.dll and the RunSrv.exe are extremely fishy.

If you need me to resend the code then I will do so.

[Kevin McAleavey]

Not yet.
And just today the Network Admin for that company told me that he is reconnecting the system back to the network since:
1) Some of that code came with their USB drives so it's "clean"...yeah USB Pictures Frames during XMASS trojan ring a bell??? I guess not to him.
2) McAffee and Symantec Don't flag it as a threat then it's not a threat.

Now I wanted to avoid disaster but looks like the IT dept got impatient.  I know that the Kanguru is a NIST sanctioned code but the MsMsSrv.dll and the RunSrv.exe are extremely fishy.

If you need me to resend the code then will do so.

Just IM'd ya ...

[LirvA]

you should upload the file/files to www.virustotal.com ... just for feces and laughters.

[tempnexus]

you should upload the file/files to www.virustotal.com ... just for feces and laughters.

Oh I did, that was the 3rd thing I did.  And it did give HITS about 10/30 for the .exe and 20/30 for the DLL HOWEVER none of the big names gave hits aka Kaspersky, Symantec, Mcaffee, Sophos, AVG, Avast, e-trust.  So it needed professional look over before the company decides to scrub the systems.   Hence I turned to Kevin.  I have dealt with Kevin for many years (I think Circa 2001...name changed it used to be Operation IvyMike) and I know that he is a professional at these type of things...and if it indeed was a true baddie, I wanted him to add it to his Boclean repertoire and upstage the bignames.

[Kevin McAleavey]

Oh I did, that was the 3rd thing I did.  And it did give HITS about 10/30 for the .exe and 20/30 for the DLL HOWEVER none of the big names gave hits aka Kaspersky, Symantec, Mcaffee, Sophos, AVG, Avast, e-trust.  So it needed professional look over before the company decides to scrub the systems.   Hence I turned to Kevin.  I have dealt with Kevin for many years (I think Circa 2001...name changed it used to be Operation IvyMike) and I know that he is a professional at these type of things...and if it indeed was a true baddie, I wanted him to add it to his Boclean repertoire and upstage the bignames.

Hiya ... emailed you earlier tonight after testing all of those files, and will just pook in here and say that despite the primary DLL being a "known name of a nasty" (Zapchast) the files in question actually ARE the legitimate files which are part of that Kanguru USB encryption thingy. I suppose our criminals out there saw the filenames and as usual, figured it'd be a good idea to use those same filenames for their nasties in hopes of getting ignored when spotted. Alas, they chose some really obscure filenames. 

But they're clean ... that's why the lab guys didn't go bonkers on them. Sorry nobody got back - when things are busy unfortunately, the folks can be inadvertently rude sometimes. My PERSONAL apologies and THANKS for the heads-up just the same! You've always been a great help to BOClean over the years in winning the "spot the nasty" game.   

[Tags:]