WinRAR SFX files get reported as Backdoors
Backdoor.Win32.Heur.~G@919447 E:\Drivers\Software\FileUtilities\DiffMerge\zWebPage1.exe
Backdoor.Win32.Heur.~H@919448 E:\Drivers\Software\Office\PhotoScape\zWebPage2.exe
[attachment deleted by admin]
Your own CIMA does not report this as a virus/malware.
Malware Analysis Report
WaitForProcess Time-Out
[Keys Created]
[Keys Changed]
[Keys Deleted]
[Values Created]
[Values Changed]
[Values Deleted]
[Directories Created]
C:\Documents and Settings\User\Local Settings\Temp\RarSFX0|2008.11.11 15:03:54.203|2008.11.11 15:03:54.187|2008.11.11 15:03:54.203|0x10
[Directories Changed]
[Directories Deleted]
[Files Created]
C:\Documents and Settings\User\Local Settings\Temp\RarSFX0\WebPage.url|131|2008.07.25 14:40:23.906|2008.11.11 15:03:54.203|2008.11.11 15:03:54.203|0x20
[Files Changed]
[Files Deleted]
[Directories Hidden]
[Files Hidden]
[Drivers Loaded]
[Drivers Unloaded]
[Processes Created]
0x36c|IEXPLORE.EXE|C:\Program Files\Internet Explorer\iexplore.exe
[Processes Terminated]
[Threads Created]
0x2ac|lsass.exe|0x2d8|0x7c810856|MEM_IMAGE|0x77e76bf0|MEM_IMAGE
0x348|svchost.exe|0x2b0|0x7c810856|MEM_IMAGE|0x7c910760|MEM_IMAGE
0x36c|IEXPLORE.EXE|0xe8|0x7c810867|MEM_IMAGE|0x402451|MEM_IMAGE
0x3f8|svchost.exe|0x7b0|0x7c810856|MEM_IMAGE|0x77e76bf0|MEM_IMAGE
[Modules Loaded]
[Windows Api Calls]
[DNS Queries]
sourcegear.com IN A +
[HTTP Queries]
sourcegear.com GET /diffmerge/index.html HTTP/1.1
[Verdict]
Not Rated as Suspicious
[Description]
Not Available
[Mutexes Created or Opened]
0x2e8|C:\TEST\sample.exe|0x7472245b|CTF.Asm.MutexDefaultS-1-5-21-1606980848-115176313-839522115-1003
0x2e8|C:\TEST\sample.exe|0x7472245b|CTF.Compart.MutexDefaultS-1-5-21-1606980848-115176313-839522115-1003
0x2e8|C:\TEST\sample.exe|0x7472245b|CTF.LBES.MutexDefaultS-1-5-21-1606980848-115176313-839522115-1003
0x2e8|C:\TEST\sample.exe|0x7472245b|CTF.Layouts.MutexDefaultS-1-5-21-1606980848-115176313-839522115-1003
0x2e8|C:\TEST\sample.exe|0x7472245b|CTF.TMD.MutexDefaultS-1-5-21-1606980848-115176313-839522115-1003
0x2e8|C:\TEST\sample.exe|0x7472245b|CTF.TimListCache.FMPDefaultS-1-5-21-1606980848-115176313-839522115-1003MUTEX.DefaultS-1-5-21-1606980848-115176313-839522115-1003
0x2e8|C:\TEST\sample.exe|0x77f76e78|_SHuassist.mtx
0x2e8|C:\TEST\sample.exe|0x7c81a838|ShimCacheMutex
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x7472245b|CTF.Asm.MutexDefaultS-1-5-21-1606980848-115176313-839522115-1003
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x7472245b|CTF.Compart.MutexDefaultS-1-5-21-1606980848-115176313-839522115-1003
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x7472245b|CTF.LBES.MutexDefaultS-1-5-21-1606980848-115176313-839522115-1003
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x7472245b|CTF.Layouts.MutexDefaultS-1-5-21-1606980848-115176313-839522115-1003
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x7472245b|CTF.TMD.MutexDefaultS-1-5-21-1606980848-115176313-839522115-1003
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x7472245b|CTF.TimListCache.FMPDefaultS-1-5-21-1606980848-115176313-839522115-1003MUTEX.DefaultS-1-5-21-1606980848-115176313-839522115-1003
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x7472245b|MSCTF.Shared.MUTEX.AJH
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x76ee3a34|RasPbFile
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x771ba3ae|!MSFTHISTORY!
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x771bc21c|WininetConnectionMutex
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x771bc23d|WininetProxyRegistryMutex
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x771bc2dd|WininetStartupMutex
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x771d9710|c:!documents and settings!user!cookies!
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x771d9710|c:!documents and settings!user!local settings!history!history.ie5!
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x771d9710|c:!documents and settings!user!local settings!temporary internet files!content.ie5!
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x777904d3|WininetStartupMutex
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x77f76e78|Shell.CMruPidlList
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x7c81a838|ShimCacheMutex
[Events Created or Opened]
0x2e8|C:\TEST\sample.exe|0x769c4ec2|Global\userenv: User Profile setup event
0x2e8|C:\TEST\sample.exe|0x77a89422|Global\crypt32LogoffEvent
0x2e8|C:\TEST\sample.exe|0x7ca66917|ShellCopyEngineRunning
0x2e8|C:\TEST\sample.exe|0x7ca66957|ShellCopyEngineFinished
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x7473d2a8|CTF.ThreadMIConnectionEvent.00000790.00000000.00000005
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x7473d2a8|CTF.ThreadMarshalInterfaceEvent.00000790.00000000.00000005
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x7473d2a8|MSCTF.SendReceive.Event.AJH.IC
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x7473d2a8|MSCTF.SendReceiveConection.Event.AJH.IC
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x769c4ec2|Global\userenv: User Profile setup event
0x36c|C:\Program Files\Internet Explorer\iexplore.exe|0x77de5f48|Global\SvcctrlStartEvent_A3752DX
I was just about to post the same item…
I have submitted the file to the labs
This must have come with the latest updates…
This is my first Possible false positive with CIS… (:CLP)
This already happened with the web scanner, and it was fixed after I submitted it.
Thanks for your attention. Problem has been resolved.