this exe file creates a dll in temp folder not detected by D+

Learn about Computer Security Leak Testing/Attacks/Vulnerability Research
#1

i sent the exe file to comodo for analysis.
D+ alerts informed me about some malware analysis heuristic.
the exe file tries to reload itself into memory.
it tries to load some dll named bassmod.dll but the prob is that this dll is created by the exe file and not detected by D+.
what do u think about this file?
password is comodo
it’s trying to execute clbcatq.dll and comres.dll, isnt it strange for a ■■■■■ file software?
virustotal.com replied that 12 scanners on 36 detected some suspicious file, the packer used is one used to bypass AV scanning.
i sent it to kaspersky too.
i don’t really know if it’s a malware or not (maybe some adware) but what i want to know is if people got an alert about the fact that the file is creating a dll in their windows temp folder.
tested on windows xp pro sp3.

[attachment deleted by admin]

#2

I think by default temp folders are not monitored for file creation. U can chang it in the settings and u will get the alert. Let us know how u go.

#3

i added temporary files in my protected files and in image execution control settings.
in fact i added all file groups from the comodo menu in both protected files and image exec control
image control is set to agressive.
running paranoid mode.
got no alert when the dll is created.
the dll is created when i allow the exe file to execute msctfime.ime

got those infos about this file :
http://info.prevx.com/aboutprogramtext.asp?PX5=18E8422E417BD615AFDE012F36AC770053E19B5F

#4

modification of temp files is allowed in the defense+ policy for “All programs (*)”, IIRC

#5

There is an easy way to do that.

[attachment deleted by admin]

#6

ok… thanks for the info ggf31416.

was reading ways to bypass scanners, got the feeling that my AV is completly useless…

in fact my machines are a tool for lamers when i’m connected to the web…

the situation is dramatic, there’s nothing to be sure my machines are not contaminated by all sort of codes…

ok, thanks aigle, i’m going to try that, looks a way better solution… but i doubt about all security tools now, i feel like a sheep in a wolves party :slight_smile:

ok i deleted temp from my file groups, let’s see how it is now…

aaaah great this works, the file creation is detected in temp folder. i think i’m going to change a lot of things in comodo settings.

thanks people for your help.