TROJANS

22 trojan files have appeared in windows\temp during CIS4 database update. I have deleted all of them but database was updated successfully. FP???

What program detected them as Trojans? Was it Comodo?

It was Avira

I don’t believe CIS puts anything into Windows\Temp folder. CIS usually uses the user specific Application Data/AppData Temp folders and, as far as I know, always in a Comodo sub-folder.

It began after bases.cav was downloaded (~60%). What does the Comodo updater download after bases.cav? (The files were named like CB*.)

The list of files which have been infected by ‘TR/2ndThought.AA.2’ [trojan]:
CBDB.tmp
CB10D.tmp
CB103.tmp
CBF9.tmp
CBEF.tmp
CBE5.tmp
CBD1.tmp
CBC7.tmp
CBBD.tmp
CBB3.tmp

And some others, 22 in total.

Could you please upload some of these to virustotal:

They are deleted. As a minimum - Avira would catch it

Sorry for the delay, since it might have changed since I last looked at it I had to confirm what an AV update actually did using Wireshark & Process Monitor. This is based on CIS 3.14, but I doubt CIS 4 is much different (somebody else would need to confirm that). Folder names differ between OS’s. So, it’s only valid for Vista and Windows 7 (I think XP uses the User AppData folder instead of the ProgramData folder). Default install folder names were used.

CIS’s update downloads a file, or files, called something like BASE_UPD_END_USER_v4297.cav (where 4297 is the update number) directly to C:\ProgramData\Comodo\tmp and these files are directly appended to C:\Program Files\COMODO\COMODO Internet Security\scanners\bases.cav. No other filename or folder is used and at no time does the update make use of any Windows temporary folders (including C:\Windows\Temp).

edit: bad typing…

I think the CIS 4 updater could change its behaviour per case. This is my theory. I mean the update process could be interactive.

Theory? Needs confirmation then. :slight_smile:

Process Monitor doesn’t even need to be installed. And after recording an AV update, you can use Find on the output to search for any folder or filename that you’re interested in.

edit: Interactive?
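As an added example (not code from this thread or from Comodo), here is a small Python helper that does what the Process Monitor suggestion above describes, but over an exported CSV instead of the Find dialog: it keeps only write operations by a chosen process and groups them by folder, so you can check whether an updater ever wrote under C:\Windows\Temp. The column layout is the default Process Monitor CSV export as assumed here, and the process name updater.exe and all sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (assumed default columns).
# "updater.exe", "other.exe" and every path below are invented for illustration.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","updater.exe","1234","CreateFile","C:\\ProgramData\\Comodo\\tmp\\BASE_UPD_END_USER_v4297.cav","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","updater.exe","1234","WriteFile","C:\\ProgramData\\Comodo\\tmp\\BASE_UPD_END_USER_v4297.cav","SUCCESS","Offset: 0, Length: 65536"
"10:01:05.0","updater.exe","1234","WriteFile","C:\\Program Files\\COMODO\\COMODO Internet Security\\scanners\\bases.cav","SUCCESS","Offset: 104857600, Length: 65536"
"10:01:05.5","other.exe","777","WriteFile","C:\\Windows\\Temp\\CBDB.tmp","SUCCESS","Offset: 0, Length: 4096"
"10:01:06.0","updater.exe","1234","ReadFile","C:\\Windows\\Temp\\CBDB.tmp","SUCCESS","Offset: 0, Length: 4096"
"""

# Operations that create or modify file content; reads are deliberately excluded.
WRITE_OPS = {"WriteFile", "CreateFile", "SetRenameInformationFile"}


def writes_by_process(csv_text, process_name):
    """Return {folder (lower-case): [paths]} of write-like operations performed
    by process_name. Process names are matched case-insensitively."""
    result = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] not in WRITE_OPS:
            continue
        # A CreateFile only counts as a write when it asked for write access.
        if row["Operation"] == "CreateFile" and "Write" not in row["Detail"]:
            continue
        path = row["Path"]
        folder = path.rsplit("\\", 1)[0].lower()
        if path not in result[folder]:
            result[folder].append(path)
    return dict(result)


def touches_folder(writes, folder):
    """True if any recorded write landed in folder or a sub-folder of it."""
    prefix = folder.lower().rstrip("\\")
    return any(f == prefix or f.startswith(prefix + "\\") for f in writes)


if __name__ == "__main__":
    updater_writes = writes_by_process(SAMPLE_PROCMON_CSV, "updater.exe")
    for folder, paths in updater_writes.items():
        print(folder, len(paths), "file(s) written")
    print("updater wrote to Windows\\Temp:",
          touches_folder(updater_writes, r"C:\Windows\Temp"))
```

Export a real capture with File > Save as CSV in Process Monitor and feed its contents in place of the constructed sample.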

Maybe it happens only during first update.