ICQ-SpyMonitor - FP on Dimac Jmail4



BigJacko
2007-07-30, 13:39
Hi Spybot guys - thanks for doing the EXCELLENT job you do!

I just wanted to report (and if possible to confirm) a False Positive detection I'm seeing using the latest ruleset (as of 30th July 2007).

I get warnings for ICQ-SpyMonitor, and am presented with just the following keys:


ICQ-SpyMonitor: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{0C21B3B1-2B11-45F2-8A9E-DCC5032DE98A}

ICQ-SpyMonitor: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{14E61A41-8846-11D2-B7E4-0008C73ACA8F}

ICQ-SpyMonitor: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{1E6D8684-755D-4847-BF40-68EC5E4BC1E9}

ICQ-SpyMonitor: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{3A037057-57F0-4904-A1E0-AD0EA2FB564E}

ICQ-SpyMonitor: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{56930358-AD72-408F-83C4-A2B0DC8037B2}

ICQ-SpyMonitor: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{607A06FE-2FDA-4ADC-854D-D016D98D83DB}

ICQ-SpyMonitor: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{65C53BE7-ED21-4C25-B189-DA0E8FAD5231}

ICQ-SpyMonitor: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{684130B2-2B8A-4E8D-BE71-8F4052882076}

ICQ-SpyMonitor: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{821AAFE5-2F19-47EB-ACA9-3B4C1D64AC27}

ICQ-SpyMonitor: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{952F0B99-50B6-44B3-AE0D-700D5B98B416}

ICQ-SpyMonitor: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{AED3A6B1-2171-11D2-B77C-0008C73ACA8F}

ICQ-SpyMonitor: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{B89D0E7A-0F5B-40EE-8AF3-08FA2ED9534F}

ICQ-SpyMonitor: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{CF2ED965-E0BA-4FE4-ADE2-38BD48F112E8}

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-07-30 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-07-25 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-07-25 Includes\DialerC.sbi (*)
2007-07-11 Includes\Hijackers.sbi (*)
2007-07-25 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-07-25 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-07-25 Includes\Malware.sbi (*)
2007-07-25 Includes\MalwareC.sbi (*)
2007-07-11 Includes\PUPS.sbi (*)
2007-07-25 Includes\PUPSC.sbi (*)
2007-07-25 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-07-25 Includes\SecurityC.sbi (*)
2007-07-11 Includes\Spybots.sbi (*)
2007-07-25 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-07-25 Includes\Trojans.sbi (*)
2007-07-25 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

As far as I can tell, I have no ICQ-SpyMonitor infection on that machine, and there are no signs of any executables mentioned in those warnings anyway.

More to the point, I DO have a copy of Dimac Development's Jmail program (an SMTP mailserver), which I personally installed some years ago, but don't use anymore! Jmail, according to http://www.siteadvisor.com/sites/163ns.com/downloads/4239777/ is 'ok' - but I suspect it has possibly been used as the guts of the ICQ-SpyMonitor's mailback routine, which is why it turns up in your detection rules. Trouble is, it appears Jmail is used as a mailcore on other, legitimate apps (judging by the other FP thread on here to do with ICQ-SpyMonitor), and of course, JMail itself is a bona-fide SMTP server application in its own right, and might've been installed intentionally on a user's machine.

The official site for Jmail is at: http://www.dimac.net/Products/w3JMail/start.htm - I think they're on version 4.5 now (but because I don't use it anymore, I never updated mine). The siteadvisor link above also gives details on many other registry settings that are added by a 'proper' install of JMail (the reg keys listed there appear to be for an earlier version, JMail v4.0, though... but still, many of the GUIDs match up with the 4.4 version I appear to be using, and may even match the current 4.5?).

Hopefully this information can enable you to zero in on the ICQ-SpyMonitor malware more effectively, and zero OUT 'pukka' installs of Jmail, or those programs which are using it legitimately.

All the best, and carry on the great work. If you need any more info from me, don't hesitate to ask.

Many thanks.

Neil Jackson
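
The report above consists only of HKEY_CLASSES_ROOT\Interface keys with no file behind them, so the question for triage is which product registered those IIDs. Each Interface key normally carries a TypeLib subkey whose GUID and Version resolve, via HKCR\TypeLib\{guid}\{version}\0\win32, to the DLL that owns the type library; grouping the flagged IIDs by that DLL tells you whether you are looking at one legitimately installed component (here JMail) or something else. The following Python is an added example and is not code from the thread, from Spybot or from Dimac. It works on a .reg export (for instance `reg export HKCR\Interface interfaces.reg` and `reg export HKCR\TypeLib typelibs.reg`, concatenated) so it runs offline; the embedded export is constructed for illustration, and the TypeLib GUIDs and the jmail.dll path in it are placeholders, not the real JMail registration data.

```python
"""Resolve Spybot "Interface (Registry key)" hits to the DLL that registered
them, using a .reg export of HKCR\\Interface and HKCR\\TypeLib.
Added example; the sample export below is constructed, not a real JMail dump."""
import re
from collections import defaultdict

# Four of the IIDs listed in the Spybot report above.
FLAGGED_IIDS = [
    "{0C21B3B1-2B11-45F2-8A9E-DCC5032DE98A}",
    "{14E61A41-8846-11D2-B7E4-0008C73ACA8F}",
    "{1E6D8684-755D-4847-BF40-68EC5E4BC1E9}",
    "{AED3A6B1-2171-11D2-B77C-0008C73ACA8F}",
]

# Constructed export: placeholder interface names, TypeLib GUIDs and DLL path.
# {00020424-...} is the stock OLE automation marshaler, the usual ProxyStubClsid32.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Interface\{0C21B3B1-2B11-45F2-8A9E-DCC5032DE98A}]
@="IExampleMessage"

[HKEY_CLASSES_ROOT\Interface\{0C21B3B1-2B11-45F2-8A9E-DCC5032DE98A}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{0C21B3B1-2B11-45F2-8A9E-DCC5032DE98A}\TypeLib]
@="{11111111-1111-1111-1111-111111111111}"
"Version"="4.4"

[HKEY_CLASSES_ROOT\Interface\{14E61A41-8846-11D2-B7E4-0008C73ACA8F}]
@="IExampleRecipient"

[HKEY_CLASSES_ROOT\Interface\{14E61A41-8846-11D2-B7E4-0008C73ACA8F}\TypeLib]
@="{11111111-1111-1111-1111-111111111111}"
"Version"="4.4"

[HKEY_CLASSES_ROOT\Interface\{1E6D8684-755D-4847-BF40-68EC5E4BC1E9}]
@="IOrphanedInterface"

[HKEY_CLASSES_ROOT\Interface\{1E6D8684-755D-4847-BF40-68EC5E4BC1E9}\TypeLib]
@="{22222222-2222-2222-2222-222222222222}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\TypeLib\{11111111-1111-1111-1111-111111111111}\4.4\0\win32]
@="C:\\Program Files\\Dimac\\w3JMail4\\jmail.dll"
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a .reg export into {key_path_lowercase: {value_name: REG_SZ data}}.
    Registry paths are case-insensitive, so keys are lowered; non-string
    values (dword:, hex:) are skipped because the triage only needs strings."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None and m.group(2).startswith('"'):
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def resolve_interfaces(keys, iids):
    """For each IID report whether it is registered, its interface name, the
    TypeLib GUID/version it points at, and the win32 module of that TypeLib
    (None when the TypeLib key is missing, i.e. an orphaned registration)."""
    results = []
    for iid in iids:
        base = f"hkey_classes_root\\interface\\{iid.lower()}"
        if base not in keys:
            results.append({"iid": iid, "registered": False, "name": None,
                            "typelib": None, "version": None, "module": None})
            continue
        tl = keys.get(base + "\\typelib", {})
        tlb, ver = (tl.get("", "").lower() or None), tl.get("Version")
        module = None
        if tlb and ver:
            win32 = keys.get(f"hkey_classes_root\\typelib\\{tlb}\\{ver.lower()}\\0\\win32", {})
            module = win32.get("") or None
        results.append({"iid": iid, "registered": True, "name": keys[base].get("", ""),
                        "typelib": tlb, "version": ver, "module": module})
    return results


def group_by_module(results):
    """Group flagged IIDs by owning DLL so the hit is judged per product."""
    groups = defaultdict(list)
    for r in results:
        if not r["registered"]:
            groups["<not registered>"].append(r["iid"])
        else:
            groups[r["module"] or "<typelib missing>"].append(r["iid"])
    return dict(groups)


if __name__ == "__main__":
    for module, iids in group_by_module(resolve_interfaces(parse_reg(SAMPLE_REG), FLAGGED_IIDS)).items():
        print(module)
        for iid in iids:
            print("   ", iid)
```

The output groups two of the flagged IIDs under the module their TypeLib names, one under "typelib missing" (an Interface key whose TypeLib was never registered or has already been removed, which is safe to drop) and one as not registered at all (a rule entry that simply does not match this machine). For the group that resolves to a DLL, the decision is about that file, not the keys: confirm it is the vendor's signed module before treating the Interface keys as evidence of anything.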

Yodama
2007-07-31, 08:44
Thank you for reporting this and providing information on this. The false positive will be resolved with our next update scheduled for the middle of this week.