Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)

Comodo Internet Security - CIS AV False Positive/Negative Detection Reporting
1

Previous Thread

Comodo is constantly improving its whitelist. This makes CIS more user friendly but does, in some circumstances, have some downsides. Some malware may sometimes be trusted because it is signed by a trusted certificate or perhaps the vendor was trustworthy, but then changed their ways. This is rare, but it does happen.

Regardless of how it happens it’s important to take action against this. If you find malware that is whitelisted, but seems suspicious, please report it here. The name of the trusted vendor, or any other information, is also useful.

Upload these files to one of the following services and post a link to the results:

DO NOT attach or link any malware or malicious links to your post.

When coming across a malware signed by Comodo please follow the steps as described in How to report fraudulent or malicious use of certificates issued by Comodo:

Code Signing Certificates

If you have come across malware signed with a Comodo issued Code Signing certificate please send as much detail as possible to:

signedmalwarealert[at]comodo.com

Helpful details include:
link to the signed malware
screenshots of the certificate details showing the signer organization or certificate serial number or other details which will help us identify the certificate
a copy of the actual certificate if possible

This article also describes how to report fraudulent and phishing emails using Comodo SSL/TLS certificates (but this is not pertinent for this topic).

P.S. Comodo Instant Malware Analysis (CIMA) is no longer active and can no longer be used to submit files to Comodo.

2

File is unjustifiably FULLY trusted !!!

Riskware/Adware - Certificate “issued” by VeriSign & “countersigned” by Symantec & Thawte

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Microsoft Visual C++ 8.0 , Packer : aPLib Compresion , File has multiple PE Anomalies ( Digisig is expired: Feb 26 23:59:59 2015 GMT , File ignores DEP , File ignores Code Integrity , The file has 1 shared section , Foreign language identified in PE resource (Chinese) , Imports mutiple sensitve Libaries > Internet Extensions for Win32 , Remote Procedure Call Runtime , Microsoft Trust Verification APIs , Crypto API32 , Process Status Helper , Windows Socket 2.0 32-Bit DLL , Active Accessibility Core Component , IP Helper API ) , Contains ability to lookup the windows account name , Contains ability to download files from the internet , Contains ability to register a top-level exception handler , Contains ability to start/interact with device drivers , Found Anti-VM Strings ( Checks adapter adresses and the amount of Memory ) , Checks if a debugger is present , Creates guarded memory sections , Creates new processes , Reads the active computer name , Reads the cryptographic machine GUID , Reads the registry for installed applications , Reads Windows Trust Settings , References suspicious system modules ( “ntoskrnl.exe” ) , Modifies file/console tracing settings , Looks up many procedures within the same disassembly stream ( Found 20 calls to GetProcAddress[at]KERNEL32.DLL ) , Found dropped filename “l0pjnzj[at]hao123[1].txt” containing a spoofed Windows username , Writes data to a another process ( iexplorer.exe ) , Modifies Software Policy Settings , Modifies proxy settings , Queries sensitive IE security settings , Accesses System Certificates Settings , Opens the Kernel Security Device Driver , Found network releated activity , HTTP request contains Base64 encoded artifacts , File GET data from “103.235.46.64:80” (stat.client.ghk.hao123.com) >>> VirusTotal

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network
Serial: 114841094271573151353369286759355177018
Serial (Hex): 56659719569be07b775a1b2275e2d83a
Valid from: Feb 27 00:00:00 2012 GMT
Valid until: Feb 26 23:59:59 2015 GMT

C (countryName): CN [434E]
CN (commonName): Beijing baidu Netcom science and technology co.ltd
L (localityName): Beijing [4265696A696E67]
O (organizationName): Beijing baidu Netcom science and technology co.ltd
OU (organizationalUnitName): Digital ID Class 3 - Microsoft Software Validation v2
ST (stateOrProvinceName): Beijing [4265696A696E67]

3

Hi,pio

Thank you for your submission.
We’ll check it and if found to be malware detection will be added.

Best regards
Chunli.chen

4

Still fully trusted !!! Please take a look at this !!!

Some additional Infos about this Application >>> [b]https://malwaretips.com/blogs/remove-hao123-virus[/b]

Just trust the Valkyrie Dynamic Analysis verdict !!! :wink:

[quote author=pio link=topic=121280.msg871221#msg871221 date=1515295731]
File is unjustifiably FULLY trusted !!!

Riskware/Adware - Certificate “issued” by VeriSign & “countersigned” by Symantec & Thawte

Thx … !!!

5

File is unjustifiably FULLY trusted !!!

Riskware/Adware - Certificate “issued” by Symantec & VeriSign & “countersigned” by Symantec & VeriSign

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi 6.0 - 7.0 , File Certificate is expired ( Valid to 06/03/2017 23:59:59 ) , File has multiple PE Anomalies ( PE file contains unusual section name , PE file contains zero-size sections , Entrypoint is outside of first section , File ignores Code Integrity , Contains unknown Resourses , Resources contains 4 different languages , PE file contains unusual section name , Imports sensitive Libaries >>> GDIEXT Client DLL , Shell Folder Service , Internet Extensions for Win32 , Active Accessibility Core Component , MCI API DLL , IP Helper API , Windows Socket 32-Bit DLL ) , Found Anti-VM Strings ( Contains references to WMI/WMIC ) , Found positive Yara Signature match ( Antisb_threatExpert - Anti-Sandbox checks for ThreatExpert , Maldoc_find_kernel32_base_method_1 , DebuggerCheck__QueryInfo , escalate_priv - Escalade priviledges , win_hook - Affect hook table … ) , Contains ability to download files from the internet , Contains ability to retrieve keyboard strokes , Contains ability to register a top-level exception handler , Reads terminal service related keys , Creates a Child process , Reads the memory of another process , Writes bytes to another process , Modifies Windows Service Keys , Modifies windows polices

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial: 137081415256287324887931524850362711255
Serial (Hex): 720eb953fb3b3dd5351ff987a4d7cd7
Valid from: Feb 13 00:00:00 2015 GMT
Valid until: Mar 6 23:59:59 2017 GMT

C (countryName): FR [4652]
CN (commonName): AVANQUEST SOFTWARE [4156414E515545535420534F465457415245]
L (localityName): Paris [5061726973]
O (organizationName): AVANQUEST SOFTWARE [4156414E515545535420534F465457415245]
ST (stateOrProvinceName): Ile de France [496C65206465204672616E6365]

This File has a correct Human Expert Verdict as PUA since 8 Days , but the signature is missing . Please create and add a Signature !!! !!! Thx !!!

6

Hi pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Qiuhui.■■■■

7

File is unjustifiably FULLY trusted !!!

Riskware/Adware.Downloader.Variant.Hao123 - Certificate “issued” by Symantec & VeriSign & “countersigned” by Symantec & Thawte

Some suspicious/malicious Indicators : Compiler/Packer/Crypter Signature > Compiler : Microsoft Visual C++ 6.0 & 8.0 , Packer/Cyptor: aPLib compression , File has multiple PE Anomalies ( File ignores Code Integrity , PE file has unusual entropy sections , CRC value set in PE header does not match actual value , The size of the resource is bigger than the max 512000 bytes threshold , The file embeds another file ( type: PKZIP, location: resources ) , Contains unknown resources , Foreign language identified in PE resource (Chinese) ) , Checks if a debugger is present , Contains ability to query CPU information , Found multiple Anti-VM Strings ( Found VM detection artifact “VMware trick” in Offset : “1021906” , Executes multiple WMI queries known to be used for VM detection ) , Reads the active computer name , Reads the cryptographic machine GUID , Reads configuration files , Reads the registry for installed applications , Contains ability to lookup the windows account name , Checks for an ADS , Drops system driver , References suspicious system modules ( “ntoskrnl.exe” ) , Drops multiple executable files , Runs shell commands , Tries to delay the anaylsis , Creates a hidden Window , Creates a windows hook to log keyboard input , Creates or sets a registry key to a long series of bytes , possibly to store a binary or malware config , Deletes its orginal binary form disk , Opens the Kernel Security Device Driver , File queried details from the computer were then used in a network or crypto API call indicative of command and control communications/preperations , Modifies proxy settings , Queries sensitive IE security settings , The file references a URL pattern ( h***s://www.hao123.com ) , Found network releated activity , HTTP request contains Base64 encoded artifacts , File GET data from “123.125.114.215:80” (opensoft.hao123.com) , “103.235.46.234:80” (orange.hao123.com) , “103.235.46.111:80” (update.123juzi.net) , “47.89.58.141:80” (tongji.juzi1234567.com >>> VirusTotal

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial: 42300730919024834505941748264773407599
Serial (Hex): 1fd2d30e260fc289cfaf11518f2cd36f
Valid from: Dec 15 00:00:00 2015 GMT
Valid until: Feb 06 23:59:59 2018 GMT

C (countryName): CN [434E]
CN (commonName): BeiJing Baidu Netcom Science Technology Co., Ltd
L (localityName): Beijing [4265696A696E67]
O (organizationName): BeiJing Baidu Netcom Science Technology Co., Ltd
OU (organizationalUnitName): Engineering Excellence [20456E67696E656572696E6720457863656C6C656E6365]
ST (stateOrProvinceName): Beijing [4265696A696E67]

EDIT :

This File was recognized via signature detection from CAV on VT and also from Valkyrie ! But there is NO signature detection with CIS ! I´ve checked it with TVL ON and OFF .

File is unjustifiably FULLY trusted !!!

Riskware/Adware - Certificate “issued” by Symantec & VeriSign & “countersigned” by Symantec & VeriSign

8

Hi,pio

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Chunli.chen

9

Unfinished and still no signature recognition via CIS ! Please take a look at this ! Thank you !

10

Hi,pio

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Deepak PV

11

File is unjustifiably FULLY trusted !!!

PUA.Adware.Variant.OpenCandy - Certificate “issued” by VeriSign & “countersigned” by Symantec & Thawte

Some suspicious/malicious Indicators : Compiler/Packer/Crypter/Scrambler Signature > Packer/Scrambler : UPX Compressor 3.0 , File has multiple binary anomalies ( File ignores Code Integrity , PE file has unusual entropy sections , PE file is packed with UPX , CRC value set in PE header does not match actual value , Entrypoint in PE header is within an uncommon section , Contains zero-size sections , The file has “2” writable and executable sections ) , Spawns a file that was identified as malicious at VT ( 33/73 Antivirus vendors marked dropped file “uttC133.tmp” as “Adware.OpenCandy” ) , Uses Windows APIs to generate a cryptographic key , Found a dropped file containing the Windows username , Uses a User Agent typical for browsers, although no browser was ever launched ( Found user agents : Mozilla/4.0 ) , Found potentially Anti-VM Strings ( Queries the Disk Size , Checks adapter Addresses , Detects the presence of Wine emulator via Registry ) , Reads the active computer name , Reads the cryptographic machine GUID , Reads configuration files , Reads Windows Trust Settings , Scanning for window names , Reads the registry for installed applications , Queries volume information of an entire harddrive , Writes data to another process ( “rundll32.exe”) , Creates or modifies windows services , Opens the Kernel Security Device Driver , Modifies Software Policy Settings , Modifies proxy settings , Queries sensitive IE security settings , Accesses and Modifies System Certificates Settings , Found malicious network releated activity , Sends UDP traffic to various IP´s , POSTs files to a webserver , HTTP request contains Base64 encoded artifacts , Contacts 32 domains and 143 hosts

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/CN=VeriSign Class 3 Code Signing 2010 CA
Serial: 115906371898387214641412410377105632520
Serial (Hex): 5732c1574e6af828e1b4f93abb34ed08
Valid from: Jun 5 00:00:00 2013 GMT
Valid until: Sep 3 23:59:59 2016 GMT

C (countryName): US [5553]
CN (commonName): BitTorrent Inc
L (localityName): San Francisco
O (organizationName): BitTorrent Inc
OU (organizationalUnitName): Digital ID Class 3 - Microsoft Software Validation v2
ST (stateOrProvinceName): California

12

Hello pio,
Thanks for your submission, we’ll check the files and take appropriate measures.

Best regards,
Andrei Savin

13

File is unjustifiably FULLY trusted !!!

Generic.PUA - Certificate “issued” by VeriSign & Symantec & “countersigned” by WoSign

Some suspicious/malicious Indicators : Compiler/Packer/Crypter/Scrambler Signature > Compiler : Microsoft Visual C++ 6.0 , Packer : aPLib Compresion , File has multiple binary anomalies ( File ignores DEP , File ignores Code Integrity , PE file has unusual entropy sections , Contains unknown resources , Imports sensitive Libaries (Windows Socket 2.0 32-Bit DLL , Internet Extensions for Win32 , Active Accessibility Core Component , IP Helper API ) , Checks if a Debugger is present , Tries to delay the Analysis , Found potentially Anti-VM Strings ( Queries the Disk Size , Checks adapter Addresses ) , Uses a User Agent typical for browsers, although no browser was ever launched ( Found user agent: Mozilla/4.0 ) , Found strings in conjunction with a procedure lookup that resolve to a known API export symbol ( Found reference to API InitCommonControls[at]COMCTL32.DLL ) , Makes a code branch decision directly after an API that is environment aware ( Found API call GetVersionExA[at]KERNEL32.dll ), Reads the active computer name , Reads the cryptographic machine GUID , Modifies file/console tracing settings , Queries volume information of an entire harddrive , Queries kernel debugger information , Queries the internet cache settings , Opens the Kernel Security Device Driver , Found a Windows Hook ( spawned process “netsh.exe” wrote bytes to “MPRMSG.DLL” ) , Accesses sensitive information from local browsers ( LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat" , %APPDATA%\Microsoft\Windows\Cookies\index.dat") , Modifies proxy settings , Queries sensitive IE security settings ( “HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY”; Key: “DISABLESECURITYSETTINGSCHECK” ) , Found malicious network releated activity >>> HTTP request contains Base64 encoded artifacts >>> Found Info Generic Suspicious POST to Dotted Quad with Fake Browser to Host > “121.207.250.58”

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial: 116568472950842497590935532675032082742
Serial (Hex): 57b2457179c8ef440e31be225a26e936
Valid from: May 24 00:00:00 2016 GMT
Valid until: Jul 23 23:59:59 2019 GMT

C (countryName): CN [434E]
CN (commonName): Fujian NetDragon Computer Network Information Technology Co.,Ltd
L (localityName): Fuzhou
O (organizationName): Fujian NetDragon Computer Network Information Technology Co.,Ltd
OU (organizationalUnitName): Research and development department
ST (stateOrProvinceName): Fujian [46756A69616E]

14

Hi,pio

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Chunli.chen

15

File is unjustifiably FULLY trusted !!!

PUA.Adware.Variant.InstallCore - Certificate “issued” by Thawte & “countersigned” by Comodo & USERTrust

Some suspicious/malicious Indicators : Compiler/Packer/Crypter/Scrambler Signature > Compiler : Nullsoft PiMP Stub , File has multiple binary anomalies ( Embeds another file ( type : Nullsoft , location : overlay ) , File ignores DEP , File ignores Code Integrity , CRC value set in PE header does not match actual value , Imports a anonymous function ) , Tries to delay the Analysis , Contains ability to open the clipboard , Found potentially Anti-VM Strings ( Checks amount of System Memory , Queries the Disk Size , Checks Adapter Addresses ) , References Windows built-in privileges , Creates guarded memory sections , Sets the process error mode to suppress error box , Writes a PE file header to Disc , Opens a file in a system directory , Reads system information using WMIC , Reads the active computer name , Reads the cryptographic machine GUID , Reads configuration files , Spawns a lot of processes , Runs shell commands , Duplicates the process handle of an other process to obtain access rights to that process , Makes a code branch decision directly after an API that is environment aware ( Found API call GetVersionExA[at]KERNEL32.DLL ) , Opens the MountPointManager , Opens the Kernel Security Device Driver , Modifies proxy settings , Queries sensitive IE security settings , Accesses sensitive information from local browsers , Found malicious network releated activity >>> HTTP request contains Base64 encoded artifacts , File GETS Data from >>> "148.251.68.18:80 (fetch.jdcdn.org) " > VirusTotal & “85.131.130.148:80” (installer.jdownloader.org) > VirusTotal

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=Thawte, Inc./CN=Thawte Code Signing CA - G2
Serial: 754879579763311850463317485396909484
Serial (Hex): 91626fd168636edd78a174e8b75dac
Valid from: Aug 15 00:00:00 2014 GMT
Valid until: Aug 15 23:59:59 2015 GMT

C (countryName): DE
CN (commonName): Appwork GmbH
L (localityName): Fuerth
O (organizationName): Appwork GmbH
ST (stateOrProvinceName): Bayern

16

Hi, pio

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Chunli.chen

17

Still unprocessed , please take a look at this !!! Thank you !!!

The File has correct and positive detection from Valykrie as PUA , but still NO Signature !!!

18

Hi,pio

Thank you for your submission.
We’ll check these.

Best regards
Chunli.chen

19

Thank you for reviewing the Files !!! Unfortunately , not everything is right after 5 days . :a0

VT : Correctly detected from Comodo as ApplicUnwnt.Win32.InstallCore.~
Valkyrie : NOT detected
CIS : Still NO Signature Detection

PUA.Adware.Variant.InstallCore - Certificate “issued” by Thawte & “countersigned” by Comodo & USERTrust

VT : Correctly detected from Comodo as ApplicUnwnt.Win32.Adware.OpenCandy.
Valkyrie : Detected correctly as PUA - ApplicUnwnt.Win32.Adware.OpenCandy.
CIS : Still NO Signature Detection

PUA.Adware.Variant.OpenCandy - Certificate “issued” by VeriSign & “countersigned” by Symantec & Thawte

20

Hi pio,

Thank you for your submission.
We’ll recheck them and if found to be malware detection will be added.

Best regards
Qiuhui.■■■■