Comodo Forum > Security Products & Services > Comodo Internet Security - CIS > News / Announcements / Feedback - CIS

Topic: bypass v5.10.228257.2253 (dll malware, QQ pass)  (Read 8597 times)
a256886572008 (Star Group), May 11, 2012, 09:20:58 AM:

1. I double-click on photo.exe.

It can terminate the existing process of the QQ IM software.

2. Then I restart QQ IM and type some words in its window.

photo.exe can connect to the internet.

3. Comodo trusts photo.exe, which is injected with MSDTCTM.dll.

4. The malware creates an autorun entry.

5. Environment: Windows XP SP3 32-bit
Reply #1, languy99 (Global Moderator), May 11, 2012, 09:40:29 AM:

Do you have a VirusTotal report for photo.exe?
Reply #2, a256886572008 (Star Group), May 11, 2012, 09:56:36 AM:

MSDTCTM.dll
https://www.virustotal.com/file/4581626dab4a6d00acdc5e98625eb623b281252a4fc5df960ffb214069a011f2/analysis/

https://valkyrie.comodo.com/Result.html?sha1=9c681206752576e9a4a37ade967c4e2c0111105d&&query=1&&filename=msdtctm.dll


photo.exe
https://www.virustotal.com/file/9d35d265a684e67268f63ba245f2c5d4cfec31178743e42153a7b5f967d0fff0/analysis/

https://valkyrie.comodo.com/Result.html?sha1=44e0e5af367432eeacfc1257083bf8605229fed0&&query=1&&filename=photo.exe
Reply #3, languy99 (Global Moderator), May 11, 2012, 11:05:05 AM:

Can you open up KillSwitch and show me the active processes, and then show me the DLLs associated with photo.exe and QQ?
Reply #4, Ionel (Comodo Staff), May 11, 2012, 11:30:20 AM:

> 1. I double-click on photo.exe.
>
> It can terminate the existing process of the QQ IM software.
>
> 2. Then I restart QQ IM and type some words in its window.
>
> photo.exe can connect to the internet.
>
> 3. Comodo trusts photo.exe, which is injected with MSDTCTM.dll.
>
> 4. Environment: Windows XP SP3 32-bit

Hi a256886572008,

We are looking into this issue and will provide a fix as soon as possible.

Thank you for reporting it!

Regards,
Ionel
Reply #5, a256886572008 (Star Group), May 11, 2012, 11:37:14 AM:

1. [image]

2. The malware puts a transparent window on the window of QQ IM.

So, it can connect to the internet after the user types some words on it.

Reply #6, Hause, May 12, 2012, 04:31:03 AM:

> We are looking into this issue and will provide a fix as soon as possible.
> Thank you for reporting it!
> Regards,
> Ionel

Almost half a year has passed since the first reports of this problem.
https://forums.comodo.com/news-announcements-feedback-cis/allegation-of-comodo-defence-plus-byapssed-by-zeroaccess-rootkit-t79079.0.html
It seems we will have to wait another six months, until CIS version 6...
Reply #7, fake5, May 12, 2012, 04:39:45 AM:

> Hi a256886572008,
>
> We are looking into this issue and will provide a fix as soon as possible.
>
> Thank you for reporting it!
>
> Regards,
> Ionel

Thumbs up! Please fix it as soon as possible, thanks!
Reply #8, Seany007, May 12, 2012, 08:52:13 AM:

> Almost half a year has passed since the first reports of this problem.
> https://forums.comodo.com/news-announcements-feedback-cis/allegation-of-comodo-defence-plus-byapssed-by-zeroaccess-rootkit-t79079.0.html
> It seems we will have to wait another six months, until CIS version 6...

Oh well... The chances of you walking into such malware are low, same as ransom...
Reply #9, OmeletGuy (Global Moderator), May 12, 2012, 06:03:05 PM:

The current CIS can likely be made to stop this with D+ rules... Will it cut into compatibility and stability? Maybe.
Reply #10, a256886572008 (Star Group), May 13, 2012, 10:24:36 AM:

Automatically sandbox a process whose modules contain unrecognized files?

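The check the post above asks for, written out as an added example (my own code; not code from this thread, from Comodo or from CIS). It contrasts the exe-only trust decision the original post describes, where photo.exe stays trusted although MSDTCTM.dll was injected into it, with a module-aware decision that sandboxes a trusted executable as soon as any of its loaded modules is unrecognized. Every path and digest in the snapshot is constructed for the example; only the names photo.exe and MSDTCTM.dll come from the thread. The live_snapshot() helper is an assumed addition that builds the same kind of snapshot from a real process on Windows through PSAPI; the policy functions themselves run anywhere.

```python
"""Module-aware process trust check (added example, not Comodo/CIS code).

Two policies evaluated on one constructed process snapshot:
  * exe-only: the verdict depends on the main executable alone (what the
    original post reports for CIS 5.10: photo.exe stayed trusted).
  * module-aware (Reply #10): a trusted executable that has loaded any
    unrecognized module is treated as unrecognized and sandboxed.
"""
import ctypes
import hashlib
import sys

TRUSTED, SANDBOX = "trusted", "sandbox"


def _fake_digest(label: str) -> str:
    # Stand-in for the SHA-256 of a file on disk (constructed, not a real hash).
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed vendor allowlist: digests a trust store would vouch for.
KNOWN_GOOD = {
    _fake_digest("photo.exe (vendor build)"),
    _fake_digest("kernel32.dll"),
    _fake_digest("user32.dll"),
}

# Constructed snapshot of the running photo.exe: module path -> SHA-256.
# MSDTCTM.dll is the injected module from the thread and is not on the list.
PHOTO_EXE = r"C:\Users\test\photo.exe"
PHOTO_EXE_SNAPSHOT = {
    PHOTO_EXE: _fake_digest("photo.exe (vendor build)"),
    r"C:\WINDOWS\system32\kernel32.dll": _fake_digest("kernel32.dll"),
    r"C:\WINDOWS\system32\user32.dll": _fake_digest("user32.dll"),
    r"C:\WINDOWS\system32\MSDTCTM.dll": _fake_digest("MSDTCTM.dll (injected)"),
}


def verdict_exe_only(snapshot, exe_path, known_good=KNOWN_GOOD):
    """Exe-only policy: loaded modules are never consulted."""
    return TRUSTED if snapshot[exe_path] in known_good else SANDBOX


def unrecognized_modules(snapshot, known_good=KNOWN_GOOD):
    """Paths of every loaded module whose digest is not on the allowlist."""
    return sorted(p for p, d in snapshot.items() if d not in known_good)


def verdict_module_aware(snapshot, known_good=KNOWN_GOOD):
    """Module-aware policy. The snapshot includes the main executable, so an
    unknown exe and a known exe carrying an unknown DLL are both sandboxed.
    Returns (verdict, offending module paths)."""
    bad = unrecognized_modules(snapshot, known_good)
    return (SANDBOX if bad else TRUSTED), bad


def live_snapshot(pid):
    """Windows only (assumed helper): enumerate the modules loaded in `pid`
    with PSAPI and hash each backing file. Returns (exe_path, {path: sha256});
    the first module PSAPI reports is the main executable."""
    if sys.platform != "win32":
        raise OSError("live_snapshot needs Win32 PSAPI")
    import ctypes.wintypes as wt
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    k32.OpenProcess.restype = wt.HANDLE
    k32.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]
    k32.CloseHandle.argtypes = [wt.HANDLE]
    psapi.EnumProcessModules.argtypes = [wt.HANDLE, ctypes.POINTER(wt.HMODULE), wt.DWORD, wt.LPDWORD]
    psapi.GetModuleFileNameExW.argtypes = [wt.HANDLE, wt.HMODULE, wt.LPWSTR, wt.DWORD]
    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
    proc = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not proc:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        mods = (wt.HMODULE * 1024)()
        needed = wt.DWORD(0)
        if not psapi.EnumProcessModules(proc, mods, ctypes.sizeof(mods), ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        count = min(needed.value // ctypes.sizeof(wt.HMODULE), len(mods))
        buf = ctypes.create_unicode_buffer(wt.MAX_PATH)
        snap = {}
        for mod in mods[:count]:
            if psapi.GetModuleFileNameExW(proc, mod, buf, wt.MAX_PATH):
                with open(buf.value, "rb") as fh:
                    snap[buf.value] = hashlib.sha256(fh.read()).hexdigest()
        return next(iter(snap)), snap
    finally:
        k32.CloseHandle(proc)


if __name__ == "__main__":
    print("exe-only    :", verdict_exe_only(PHOTO_EXE_SNAPSHOT, PHOTO_EXE))
    print("module-aware:", verdict_module_aware(PHOTO_EXE_SNAPSHOT))
    if len(sys.argv) > 1:  # Windows: python trust_check.py <pid> for a live process
        exe, snap = live_snapshot(int(sys.argv[1]))
        print(exe, verdict_exe_only(snap, exe), verdict_module_aware(snap))
```

On the constructed snapshot the exe-only policy returns "trusted" and the module-aware policy returns "sandbox" with MSDTCTM.dll as the offending module, which is the difference the thread is arguing about. KNOWN_GOOD is a placeholder; a real deployment would consult a vendor hash list or verify Authenticode signatures instead. A 32-bit Python cannot enumerate the modules of a 64-bit process under WoW64, and hashing a file on disk says nothing about a module that was patched in memory after loading.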
Reply #11, OmeletGuy (Global Moderator), May 13, 2012, 10:41:40 AM:

> Automatically sandbox a process whose modules contain unrecognized files?

Well, maybe not like that with the current version; that's more 6.0. I mean I could make a custom rule for photo.exe to prevent it from getting infected.
Reply #12, jay2007tech (Malware Research Group, Global Moderator), May 13, 2012, 02:55:27 PM:

In Defence+, would changing from "Partially Limited" to "Limited" solve this?
Reply #13, a256886572008 (Star Group), May 13, 2012, 11:37:59 PM:

> In Defence+, would changing from "Partially Limited" to "Limited" solve this?

Comodo would still trust the malware.
Reply #14, pykko (Computer Security Testing Group), May 16, 2012, 12:38:57 PM:

This is a very serious issue. Is any dev looking into it?