Q3 and smitfraud-c



Killer
2005-11-01, 08:00
Smitfraud-C False Positive?


Earlier tonight I got my first ever TeaTimer popup notification regarding a detected spyware. The exact log info is below:

10/31/2005 8:39:27 PM Encountered and terminated Smitfraud-C. in D:\fps\Quake III Arena\quake3.exe!

The 1st popup displayed a spyware alert message and blocked the program. Subsequently, I can launch and play the game without receiving an alert message but a new entry is added each time to TeaTimer's log.

I've been playing Quake 3 for 5 years and using Spybot for at least 2 years without issue. So I would like to take this seriously but I'm not sure if I should.

Neither my router firewall nor my McAfee Enterprise FW yields anything suspicious in its logs or permissions. I've checked my WinXP processes and services without detecting anything.

A complete scan with the latest updated version of Ad-Aware also did not find anything. In addition, I use SpywareBlaster, only use Firefox 1.07, and a complete scan with the latest updated Spybot SD yielded only the results below:

----------
Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-06-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-10-28 Includes\Cookies.sbi (*)
2005-10-28 Includes\Dialer.sbi (*)
2005-10-28 Includes\Hijackers.sbi (*)
2005-10-28 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-10-28 Includes\Malware.sbi (*)
2005-10-28 Includes\PUPS.sbi (*)
2005-10-28 Includes\Revision.sbi (*)
2005-10-28 Includes\Security.sbi (*)
2005-10-28 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-10-28 Includes\Trojans.sbi (*)
----------

Ignore the Windows Security Center items, as I use far better replacement products (McAfee AV 8.0i and McAfee FW 8.5 Enterprise editions).

No mention of quake3.exe or Smitfraud-C. How is it possible that TeaTimer says it's an issue but Spybot SD indicates no problem?

Consequently, I plan to ignore TeaTimer at this time but watch any further development closely. However, if this is a confirmed false positive, it would be nice if it could be corrected so that TeaTimer doesn't log it.

Yodama
2005-11-02, 12:58
hello Killer,

This definitely looks like a false positive. If possible, please submit the file to us so that we can find out why quake3.exe is being identified by our TeaTimer as Smitfraud-C.

TeaTimer and Spybot use somewhat different criteria for detection.
Spybot uses spyware signatures edited by our detectives and only detects during a scan, while TeaTimer works actively and also checks processes and looks for criteria like file size and checksum.
In the case of Quake 3 this means that it is not found by Spybot because we do not consider it to be malicious and thus did not add Quake files and paths to our detection rules :D. And TeaTimer detects it because it appears to match a malicious process from Smitfraud in some way.
So it would help us if you could submit the file, so we can find out which criterion was responsible for this false positive.
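The distinction Yodama draws above (a scanner matching edited signatures versus a resident monitor matching criteria like file size and checksum) in working form, as an added example that is not part of the original thread and is not Spybot or TeaTimer code. It goes a step beyond the thread by deliberately constructing a benign image that shares size and checksum with a known-bad sample, to show why such criteria cannot confirm identity and how an allow-list of strong hashes retires a confirmed false positive without loosening the rule. The checksum algorithm (CRC32), the rule layout, the function names and every byte string are assumptions; the thread does not say what TeaTimer actually hashes.

```python
"""Added illustration, not Spybot or TeaTimer code: a scanner that matches a
strong content hash next to a resident monitor that matches weak criteria
(file size plus a checksum), showing why the latter can flag a benign binary
and how an allow-list retires the false positive.  The thread does not say
which checksum TeaTimer uses; CRC32 is assumed here purely for illustration,
and every "file" below is a constructed byte string, not a real binary."""
import hashlib
import zlib

# CRC32 table for the reflected polynomial zlib uses.
_POLY = 0xEDB88320
_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)
# Each table entry has a unique top byte; that property is what makes a CRC
# steerable to any value by appending four chosen bytes.
_REV = {_TABLE[i] >> 24: i for i in range(256)}


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def forge_crc32(prefix, target):
    """Return prefix + 4 bytes whose CRC32 is exactly `target`.

    The backward walk from the target recovers the four table indices the
    last four bytes must select; the forward walk from the prefix's register
    state picks the byte values that select them.
    """
    reg = target ^ 0xFFFFFFFF          # undo zlib's final XOR
    indices = []
    for _ in range(4):
        idx = _REV[reg >> 24]
        indices.append(idx)
        reg = (((reg ^ _TABLE[idx]) << 8) & 0xFFFFFFFF) | idx
    reg = crc32(prefix) ^ 0xFFFFFFFF   # register state after the prefix
    suffix = bytearray()
    for idx in reversed(indices):
        b = (reg ^ idx) & 0xFF
        suffix.append(b)
        reg = _TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return prefix + bytes(suffix)


def rule_from_sample(sample):
    """Record what a rule might keep about one known-bad sample (assumed layout)."""
    return {"size": len(sample), "crc32": crc32(sample), "sha256": sha256(sample)}


def classify(image, rules, allow_list):
    """Return (verdict, rule_name) for one process image.

    Precedence: allow-listed strong hash > strong-hash match > weak match.
    Checking the allow-list first is how a confirmed false positive is
    retired without loosening the weak rule for everyone else.
    """
    digest = sha256(image)
    if digest in allow_list:
        return "allowlisted", None
    for name, r in rules.items():
        if digest == r["sha256"]:
            return "confirmed", name
    for name, r in rules.items():
        if len(image) == r["size"] and crc32(image) == r["crc32"]:
            return "weak-match", name
    return "clean", None


def demo():
    # Constructed stand-ins: a "known-bad" image and an unrelated benign one
    # padded to the same size and steered to the same CRC32.
    bad = b"MZ" + b"\x90" * 30 + b"smitfraud-c sample (constructed)"
    benign_prefix = b"MZ quake3.exe (constructed benign image)".ljust(len(bad) - 4, b"\x00")
    benign = forge_crc32(benign_prefix, crc32(bad))
    rules = {"Smitfraud-C": rule_from_sample(bad)}
    return {
        "bad": classify(bad, rules, set()),
        "benign": classify(benign, rules, set()),
        "benign_allowlisted": classify(benign, rules, {sha256(benign)}),
        "same_weak_criteria": (len(benign), crc32(benign)) == (len(bad), crc32(bad)),
        "same_sha256": sha256(benign) == sha256(bad),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the forged image is not that a game binary would collide by accident, but that size plus a short checksum is a lookup key, not an identity: anything a resident monitor reports on that basis deserves the "weak-match" label and a follow-up with a strong hash, which is also what the allow-list keys on.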

Killer
2005-11-02, 21:38
hello Killer,

This definitely looks like a false positive. If possible, please submit the file to us so that we can find out why quake3.exe is being identified by our TeaTimer as Smitfraud-C...

Sure thing, Yodama, but I can't attach it to this post (> 39.1 KB limit) and I didn't see an option in Spybot to send suspect files for inspection. So I'm sending it zipped to your email.

Thanks.

Yodama
2005-11-08, 11:04
Thank you for submitting the file, Killer.
We will check it and find out why it is being detected by TeaTimer.

I will keep you updated as soon as a result comes up.

Killer
2005-12-13, 16:31
Hello all,

Last week Yodama contacted me regarding changes to TeaTimer's identification of Smitfraud-C. Since the last update, TeaTimer no longer logs that it detects this signature in Quake 3.

Yodama, thank you for your time and effort.


Killer