FP? (Win32.Viking.j) C:\WINDOWS\system32\dllcache\arp.exe.tmp and at.exe.tmp



Kinobe
2007-06-21, 07:52
My OS is Windows XP Home SP2 with all critical updates installed through the last "Patch Tuesday" (June 12) release from Microsoft.

I downloaded the June 20 Spybot updates today and proceeded to "check for problems".

When I returned to my computer an hour later, I was surprised to discover Spybot had detected that the "Win32.Viking.j" worm had infected the following files.


Win32.Viking.j: Data (File, nothing done)
C:\WINDOWS\system32\dllcache\arp.exe.tmp

Win32.Viking.j: Data (File, nothing done)
C:\WINDOWS\system32\dllcache\at.exe.tmp

I think this is a FP for several reasons.

There is/are June 20, 2007 Spybot S&D definition(s) added for Win32.Viking.j
I regularly scan my computer with several reputable anti-malware apps (both AV and AS and occasionally anti-rootkit).
The files are located in a Windows protected system files folder and they are the same size as their counterparts that exist in the same folder without the .tmp extension (arp.exe and at.exe).
The files also have the same "Modified" date as the .exe files that don't have the .tmp extension.
The files' Properties indicate they are Microsoft files.
There are several other .exe.tmp files in my dllcache folder with corresponding .exe files that don't have a .tmp extension.
I uploaded both files to Jotti's Online Scan (http://virusscan.jotti.org/) and both appear clean according to Jotti.
(The Jotti Results are shown below.)

==========
Jotti's Online Scan Results

File: at.exe.tmp
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 9bdf13167fbef8da3a4e9a558b169e5e
Packers detected:
-
Bit9 reports: No threat detected (more info)

Scanner results
Scan taken on 21 Jun 2007 02:24:00 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

==========

File: arp.exe.tmp
Status: OK
MD5: 33f9b0e02d9d93f920605d02fb53f3fd
Packers detected:
-
Bit9 reports: No threat detected (more info)

Scanner results
Scan taken on 21 Jun 2007 02:27:53 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

==========

I suspect if anyone else compares the MD5 hash values for those files in the C:\WINDOWS\system32\dllcache\ folder of their own Windows XP Home SP2 box, they will find the hash values match. It would be nice to have confirmation however. :)

Yodama
2007-06-21, 09:45
hi,

this could be a false positive, unfortunately I have no access to a Windows XP Home Edition system to confirm your post.
Normally the dllcache folder contains the backups of other system files. With Windows XP Professional and Windows 2000 there are no files with .exe.tmp in the dllcache folder.


It would be best if you could also post the md5 of the files without the double file extension or just send all four of them to detections-at-spybot.info (replace -at- with @).

md usa spybot fan
2007-06-21, 11:47
From another Windows XP Home system:

Neither of these two files exist on my system:
C:\WINDOWS\system32\dllcache\arp.exe.tmp
C:\WINDOWS\system32\dllcache\at.exe.tmp
I do have the following in dllcache:
C:\WINDOWS\system32\dllcache\arp.exe

Size: 19456
Version: 5.1.2600.0
CRC-32: 098BD888
MD5: 33F9B0E02D9D93F920605D02FB53F3FD
SHA1: 4A22E401AD5ADB7B3DE8F819E86D8461D764D195

Time stamp: Wednesday, July 16, 2003 4:24:20 PM
Creation: Wednesday, July 16, 2003 4:24:20 PM
Last access: Thursday, June 21, 2007 4:21:54 AM
Last write: Wednesday, July 16, 2003 4:24:20 PM

File version: 5.1.2600.0 (xpclient.010817-1148)
Company name: Microsoft Corporation
Internal name: arp.exe
Comments:
Legal copyright: © Microsoft Corporation. All rights reserved.
Legal trademarks:
Original filename: arp.exe
Product name: Microsoft® Windows® Operating System
Product version: 5.1.2600.0
File description: TCP/IP Arp Command
The arp.exe and at.exe from C:\WINDOWS\system32\:
C:\WINDOWS\system32\arp.exe

Size: 19456
Version: 5.1.2600.0
CRC-32: 098BD888
MD5: 33F9B0E02D9D93F920605D02FB53F3FD
SHA1: 4A22E401AD5ADB7B3DE8F819E86D8461D764D195

Time stamp: Wednesday, July 16, 2003 4:24:20 PM
Creation: Wednesday, July 16, 2003 4:24:20 PM
Last access: Thursday, June 21, 2007 4:28:46 AM
Last write: Wednesday, July 16, 2003 4:24:20 PM

File version: 5.1.2600.0 (xpclient.010817-1148)
Company name: Microsoft Corporation
Internal name: arp.exe
Comments:
Legal copyright: © Microsoft Corporation. All rights reserved.
Legal trademarks:
Original filename: arp.exe
Product name: Microsoft® Windows® Operating System
Product version: 5.1.2600.0
File description: TCP/IP Arp Command


C:\WINDOWS\system32\at.exe

Size: 25088
Version: 5.1.2600.2180
CRC-32: 74C88633
MD5: 9BDF13167FBEF8DA3A4E9A558B169E5E
SHA1: 9093ADAC07776A7C71B8B795B46A5D9F13F41E95

Time stamp: Wednesday, August 04, 2004 12:56:48 AM
Creation: Wednesday, July 16, 2003 4:24:26 PM
Last access: Thursday, June 21, 2007 4:29:56 AM
Last write: Wednesday, August 04, 2004 12:56:48 AM

File version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Company name: Microsoft Corporation
Internal name: AT.EXE
Comments:
Legal copyright: © Microsoft Corporation. All rights reserved.
Legal trademarks:
Original filename: AT.EXE
Product name: Microsoft® Windows® Operating System
Product version: 5.1.2600.2180
File description: Schedule service command line interface

Yodama
2007-06-21, 12:08
thanks md usa spybot fan,

since the md5 of the corresponding files are identical we will treat this as a false positive and will remove it from detection with the next update.

though I am still wondering why there is a backup of a backup :sad:

Kinobe
2007-06-22, 04:42
Thanks for your prompt feedback, folks. I will do some investigating and let you know what I discover (or not). In any case, I will follow up to let you know. I really want to get to the bottom of this anomaly if I can.


though I am still wondering why there is a backup of a backup :sad:
I am wondering also. It's also interesting that Google searches for those file names (arp.exe.tmp and at.exe.tmp) came up with no results. :sad:

Spybot S&D flagged the double-extension files but did not flag the arp.exe and at.exe files in the same folder. Could the double-extensions be related somehow to the way the new (June 20) Spybot definitions for Win32.Viking.j are used to detect the trojan?

There are other double-extension files in my dllcache folder (.sys.tmp) that were not flagged by Spybot but that is a possible concern as well. (The arp.exe.tmp and at.exe.tmp files are the only double-extension .exe.tmp files in my dllcache folder.)

I also have perused my dllcache folder on several occasions in the past and I don't recall noticing double extensions there before (which are also hidden as well as the normally-hidden dllcache files).

My first hunch is those files may have been duplicated when I recently used the CA online virus scanner (http://www.ca.com/us/securityadvisor/virusinfo/scan.aspx). Internet Explorer stopped responding on both occasions during the scan (after the ActiveX component had installed and components/definitions were downloaded) so I had to kill the IE process via System Internals' Process Explorer/Windows Task Manager. (I normally use IE only when I have to and I have IE configured to warn me any time an ActiveX component may be downloaded or installed. Firefox 2.0.0.4. is my default browser.)

My first course of action will be to reboot and check to see if the tmp files have disappeared. Then I will run Windows' System File Checker (Start > Run > sfc /scannow) to see if that gives me any useful information in Event Viewer. After that, who knows what I'll think of to try next? :) If anyone has any suggestions, I'm all ears.

Again, I will investigate this and see what I can discover and I will post a follow-up.

Thanks again! :)

Kinobe
2007-06-22, 05:18
BTW, I stated in my first post,

There are several other .exe.tmp files in my dllcache folder with corresponding .exe files that don't have a .tmp extension.

That statement is incorrect.

arp.exe.tmp and at.exe.tmp are the only .exe.tmp files in my dllcache folder. In fact, they are the only .exe.tmp files on both of my hard drives.

I also have three .sys.tmp files in my dllcache folder.

C:\WINDOWS\system32\dllcache\arp1394.sys.tmp
C:\WINDOWS\system32\dllcache\asyncmac.sys.tmp
C:\WINDOWS\system32\dllcache\atapi.sys.tmp


I searched my hard drives for *.exe.tmp and *.sys.tmp and the five files I have identified in this thread are the only ones found.

Since all five of the double-extension files identified in this thread begin with "a", that fact seems to further substantiate my suspicion they might have been created during the CA online virus scans. That may be as far as the CA scan proceeded when IE crashed.

My hunch also seems to make sense because it seems a virus scanner would have to create copies of files currently in use to access them properly with their detection routines.

I will look in Event Viewer to see what details I might find about the IE crash events.

Kinobe
2007-06-22, 08:32
I found only two other double-extension dllcache .tmp files (before shutting down the computer) via searching for *.tmp on my C:\ drive.

C:\WINDOWS\system32\dllcache\asctrls.ocx.tmp <--I expect this is an ActiveX control.
C:\WINDOWS\system32\dllcache\asferror.dll.tmp


Then I shut down the computer and booted.

All the aforementioned double extension *.tmp files apparently disappeared from my dllcache folder. My search for *.tmp turned up nothing in the dllcache folder. I suppose that's good.

However, I realized (too late) maybe I should have saved renamed copies of all those files before shutting down. Yodama, I also forgot to send them to spybot. :oops: I'm very sorry. :sick:

Anyway, I ran sfc /scannow after booting and there are no problems listed in Event Viewer's "System" section between "Windows File Protection" Event 64016 (SFC started) and Event 64017 (SFC finished).

Then I ran the CA online virus scan again to see if I could reproduce the IE crash and double-extension .tmp files in my dllcache folder.

Fortunately, IE7 did crash again so it appears I can consistently reproduce the IE7 crash and further investigate that issue if I wish.

However, the IE7 crash did NOT produce any .tmp files in my dllcache folder. :sad: Therefore, it appears it may remain a mystery about how those .tmp files ended up there in the first place.

Looks like we might have to just chalk this issue up as a "glitch: cause unknown". I will do some Googling on the filenames to see if I can discover anything.

I am still very curious about why Spybot flagged those two files I named in the title of this thread. Therefore, if someone familiar with the inner workings of Spybot S&D can provide some details, I would greatly appreciate it. If that is privileged information, I will understand that too.

Spybot S&D flagged the double-extension files but did not flag the arp.exe and at.exe files in the same folder. Could the double-extensions be related somehow to the way the new (June 20) Spybot definitions for Win32.Viking.j are used to detect the trojan?

If I discover what caused those double-extension files to appear in my dllcache folder, then I'll post a follow-up about it.


BTW, here are the Event Viewer Application error details for the identical IE7 crashes I mentioned earlier (and tonight's crash) in case the information might be useful for someone.

==========

Internet Explorer Crash (during CA online virus scan) Events:

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 6/19/2007
Time: 9:18:19 PM
User: N/A
Computer: KINOBE
Description:
Hanging application iexplore.exe, version 7.0.6000.16473, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 37 re.exe 7
0020: 2e 30 2e 36 30 30 30 2e .0.6000.
0028: 31 36 34 37 33 20 69 6e 16473 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000

==========

Here's what Microsoft's "Help and Support Center at http://go.microsoft.com/fwlink/events.asp" had to say.

Product: Windows Operating System
ID: 1002
Source: Application Hang
Version: 5.2
Symbolic Name: ER_HANG_LOG
Message: Hanging application %1, version %2, hang module %3, version %4, hang address 0x%5.

Explanation
The indicated program stopped responding. The message contains details on which program and module stopped responding. A matching event with EventID 1001 might also appear in the event log. This matching event displays information about the specific error that occurred.

User Action
No user action is required.

==========

There were not any EventID 1001 ERRORS listed in Event Viewer near the times of these two consecutive Application errors.

The closest "EventID 1001" event prior to those IE crashes is

Event Type: Information
Event Source: UPHClean
Event Category: None
Event ID: 1001
Date: 6/19/2007
Time: 8:09:01 PM
User: N/A
Computer: KINOBE
Description:
User profile hive cleanup service version 1.6.30.0 started successfully.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

==========

As I suspected would be the case, the information provided by Microsoft's "Help and Support Center" does not help me understand the IE7 crashes much. :)

Yodama
2007-06-25, 16:57
thanks for all your info.
don't mind that you did not send the files; the info you and md usa spybot fan provided was enough to tell that this was a false positive.

the false positive was a result of a too generously made detection rule :oops:

about the IE7 issue,
for the time being I am afraid I can't say much about that :sad:

Kinobe
2007-06-27, 03:07
Yodama, thanks for your follow-up! I am relieved.

I was going to try copying the at.exe and arp.exe files into my dllcache folder with the .exe.tmp extensions and scan with Spybot to see if I could reproduce the FP. Turns out I didn't have to do that because all 7 of the double-extension files I described earlier are back in my dllcache! :) They all have MD5 and SHA-1 hash values that match the files without the double-extensions so it appears they are identical in every way apart from the file name. (And, yes, Spybot S&D with the June 20 definitions flagged the same two files.)

I booted my computer today so perhaps that will help me figure out what causes those double-extension files to be placed in my dllcache. I can recall a little better what I have done since the boot. :) I'll try to repeat those actions to see if I can nail the culprit.

If I discover the trigger, I'll follow up.

==========

BTW, md usa spybot fan, I like the format of your hash value results and the helpful additional details provided. :)

I use Karen's Hasher to compute hash values. When I paste a Karen's Hasher report into a forum post, I have to edit the post to make the results look clean. Here is how the Karen's Hasher output looks when I paste from my clipboard.

Karen's Hasher v2.3
http://www.karenware.com

Date: 6/26/2007 7:50:50 PM
Computer: KINOBE
User: me

Files Hashed: 4

File Name MD5 Hash SHA-1 Hash
C:\WINDOWS\system32\dllcache\arp.exe 33F9B0E02D9D93F920605D02FB53F3FD 4A22E401AD5ADB7B3DE8F819E86D8461D764D195
C:\WINDOWS\system32\dllcache\arp.exe.tmp 33F9B0E02D9D93F920605D02FB53F3FD 4A22E401AD5ADB7B3DE8F819E86D8461D764D195
C:\WINDOWS\system32\dllcache\at.exe 9BDF13167FBEF8DA3A4E9A558B169E5E 9093ADAC07776A7C71B8B795B46A5D9F13F41E95
C:\WINDOWS\system32\dllcache\at.exe.tmp 9BDF13167FBEF8DA3A4E9A558B169E5E 9093ADAC07776A7C71B8B795B46A5D9F13F41E95

Does your hash utility automatically format hash reports as shown in your post above (http://forums.spybot.info/showpost.php?p=96969&postcount=3) or did you manually format your post after pasting the report?

If your hasher automatically formats your results as you have shown, please let me know what utility you use.
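
The triage the posters above carried out by hand (Kinobe's request for hash confirmation, md usa spybot fan's side-by-side hashes and version resources, and Kinobe's final Karen's Hasher comparison) can be scripted. The following is an added example written for this page, not code from the thread, from Spybot or from FileAlyzer. It walks the hidden dllcache folder, and for every *.tmp file compares it with the un-suffixed copy in the same folder and with the live copy in System32, reporting hash and size agreement plus the version resource and signature status. Paths, the use of SHA-256 (the thread used MD5/SHA-1) and the column names are assumptions; it needs PowerShell 4 or later for Get-FileHash, so it will not run on the XP box in the thread, but the procedure is the same one the posters used.

```powershell
# Added example (not from the thread): triage scanner hits in dllcache by comparing
# each flagged *.tmp file with its un-suffixed counterparts, as the posters did by hand.
# Assumed defaults: %SystemRoot%\System32\dllcache and %SystemRoot%\System32.
param(
    [string]$CacheDir = (Join-Path $env:SystemRoot 'System32\dllcache'),
    [string]$System32 = (Join-Path $env:SystemRoot 'System32')
)

function Get-FileFacts {
    # Collect the facts a human reviewer checked in the thread: size, timestamp,
    # a content hash, the version resource, and the Authenticode/catalog status.
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    [pscustomobject]@{
        Path        = $Path
        Size        = $item.Length
        LastWrite   = $item.LastWriteTimeUtc
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        FileVersion = $item.VersionInfo.FileVersion
        Company     = $item.VersionInfo.CompanyName
        Signature   = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    }
}

# dllcache and its contents are hidden, so -Force is required to enumerate them.
Get-ChildItem -LiteralPath $CacheDir -Filter '*.tmp' -Force -File -ErrorAction Stop |
ForEach-Object {
    $flagged = Get-FileFacts $_.FullName
    # BaseName of 'arp.exe.tmp' is 'arp.exe': the name of the expected counterpart.
    $twinName = $_.BaseName
    foreach ($dir in @($CacheDir, $System32)) {
        $twin = Join-Path $dir $twinName
        if (-not (Test-Path -LiteralPath $twin)) {
            Write-Warning "$($flagged.Path): no counterpart at $twin"
            continue
        }
        $ref = Get-FileFacts $twin
        [pscustomobject]@{
            Flagged     = $flagged.Path
            Counterpart = $twin
            HashMatch   = ($flagged.SHA256 -eq $ref.SHA256)
            SizeMatch   = ($flagged.Size -eq $ref.Size)
            Version     = $flagged.FileVersion
            Company     = $flagged.Company
            Signature   = $flagged.Signature
        }
    }
} | Format-Table -AutoSize
```

Two caveats a reviewer should keep in mind. A hash match only proves the .tmp file is a byte-for-byte copy of its neighbour, not that the neighbour is clean; that is why md usa spybot fan's hashes from a second, independent machine carried the weight in this thread, and why the script also surfaces the version resource and signature status rather than relying on the match alone. XP-era system binaries are catalog-signed rather than carrying an embedded signature, so on older PowerShell versions Get-AuthenticodeSignature can report them as NotSigned even when they are genuine; treat that column as supporting evidence, not a verdict.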

md usa spybot fan
2007-06-27, 07:07
BTW, md usa spybot fan, I like the format of your hash value results and the helpful additional details provided. :)

...

Does your hash utility automatically format hash reports as shown in your post above (http://forums.spybot.info/showpost.php?p=96969&postcount=3) or did you manually format your post after pasting the report?

If your hasher automatically formats your results as you have shown, please let me know what utility you use.
It is an edited version of the output but most of the formatting is already done. The program is Patrick Kolla's FileAlyzer, from:
Downloads - The home of Spybot-S&D!
http://www.spybot.info/en/download/index.html
This item:
FileAlyzer 1.5.5.0 - product description
md5: 5B6A85F0B84A1979BF00A81095D4F148

A tool to analyse and display file contents.
For advanced users.
Direct download:
http://www.safer-networking.org/files/filealyz.exe

Kinobe
2007-06-28, 05:28
Heh! I should have guessed it would be available from spybot.info. :rolleyes:

Thanks for the links!