Virtumonde False Positive?



ElitED
2007-08-30, 22:19
Out of the blue yesterday, S&D on a normal reboot autoscan detected 'Virtumonde' in a dll file in my SYSTEM32 directory. I am suspicious of this as this machine is not used for any unusual activity, I have the current Norton AV w/ subscription running all the time (and it has been updated/running for years on this machine), MS WinDefender is running and current, and of course the best, S&D running with immunization and realtime protection options all up.

I noticed there seems to be an update of some sort for Virtumonde in the latest update file for S&D which was issued around the time of yesterday's curious scan. Looking back in the logs for prior scans, I see the same dll was flagged as 'Virtumonde library' on a scan on the 23rd of the month too, but there was no prompting to fix it as that scan was likely done overnight not on a reboot. Other than some tracking cookie and reg entries, S&D had no other hits.

I allowed S&D to 'fix' the Virtumonde problem, but it required a reboot as the file could not be deleted.

Upon reboot and rescan, the dll file was still there. I tried this sequence twice. I then ran the Kaspersky online scan and it did not complain about Virtumonde - only finding the old quarantined macro virus infected word files from years ago. Furthermore, I was able to go into Explorer and simply delete the 'infected' dll file without any problem.

The filename in question is:
C:\WINDOWS\SYSTEM32\susrtas.dll
Size: 31.0 KB (31,747 bytes)
Created: April 15, 2006, 10:20:17 PM
Modified: May 21, 1996, 4:28:24 PM
Accessed: August 30, 2007, 11:48:03 AM <Probably from my manual scan attempts with Kaspersky, NaV, etc.>

I googled and searched online in several places and found no reference to the filename so I have no idea when it was added and by what. I find it strange that no hits were made for the filename anywhere - usually legit DLL files get posted about somewhere on the web!

I would be happy to send a copy of the dll to help in figuring out if this is a false hit.

Thanks for your help.

Yodama
2007-09-04, 16:36
Hello,

please send the file to detections-at-spybot.info (replace -at- with @)
and please make a scan with the Spybot version 1.5 but do not fix this entry; we will require the scan log to see which detection rule finds this file.

ElitED
2007-09-04, 23:14
Hi there.

I have emailed the suspect file to the address you gave.

Below please find the scan log for S&D 1.4 and 1.5 run this morning. You will note that the suspect file is no longer flagged by 1.5 as a problem despite it being untouched/not fixed. Hence, it looks like it is a false positive with the S&D 1.4 scan engine.

Please let me know if you need any further information.

Thanks!

Scan Log for S&D 1.4:
04.09.2007 06:44:24 - ##### check started #####
04.09.2007 06:44:24 - ### Version: 1.4
04.09.2007 06:44:24 - ### Date: 04/09/2007 6:44:24 AM
04.09.2007 06:44:25 - ##### checking bots #####
04.09.2007 06:50:45 - found: VirtuMonde Library
04.09.2007 07:06:22 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 07:06:22 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 07:06:23 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 07:06:23 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 07:06:29 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 07:06:29 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 07:07:56 - ##### checking usage tracking #####
04.09.2007 07:07:56 - found: Common Dialogs History 199 files
04.09.2007 07:07:56 - found: Log Activity: COM+.log COM+.log
04.09.2007 07:07:56 - found: Log Activity: SchedLgU.Txt SchedLgU.Txt
04.09.2007 07:07:56 - found: Log Activity: imsins.log imsins.log
04.09.2007 07:07:56 - found: Log Activity: OEWABLog.txt OEWABLog.txt
04.09.2007 07:07:56 - found: Log Activity: ntbtlog.txt ntbtlog.txt
. . . . . . . . .
04.09.2007 07:08:07 - found: WinZip Destination directory
04.09.2007 07:08:08 - found: Cookie Cookie (1820)
04.09.2007 07:08:08 - found: Cache Cache (8188)
04.09.2007 07:08:08 - found: Cookie Cookie (854)
04.09.2007 07:08:08 - ##### check finished #####

Scan Log for S&D 1.5:
04.09.2007 07:58:11 - ##### check started #####
04.09.2007 07:58:11 - ### Version: 1.5
04.09.2007 07:58:11 - ### Date: 04/09/2007 7:58:11 AM
04.09.2007 07:58:12 - ##### checking bots #####
04.09.2007 08:19:40 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 08:19:40 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 08:19:40 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 08:19:41 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 08:19:43 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 08:19:44 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 08:20:15 - ##### checking usage tracking #####
04.09.2007 08:20:15 - found: Common Dialogs History 200 files
04.09.2007 08:20:18 - found: Log Activity: COM+.log COM+.log
04.09.2007 08:20:18 - found: Log Activity: SchedLgU.Txt SchedLgU.Txt
04.09.2007 08:20:18 - found: Log Activity: imsins.log imsins.log
04.09.2007 08:20:18 - found: Log Activity: OEWABLog.txt OEWABLog.txt
04.09.2007 08:20:18 - found: Log Activity: ntbtlog.txt ntbtlog.txt
. . . . . . . . . .
04.09.2007 08:20:33 - found: WinZip Destination directory
04.09.2007 08:20:34 - found: Cookie Cookie (1820)
04.09.2007 08:20:34 - found: Cache Cache (8188)
04.09.2007 08:20:34 - found: History History (3067)
04.09.2007 08:20:34 - found: Cookie Cookie (854)
04.09.2007 08:20:34 - ##### check finished #####
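The comparison made by hand above (which detections the 1.4 engine reports that 1.5 does not, on the same untouched machine) is the kind of thing worth automating when triaging a suspected false positive across engine versions. The following is an added example, not code from the thread or from Spybot; it parses the `DD.MM.YYYY HH:MM:SS - found: <name>` log format shown in the posts and diffs the detection names between two scan logs. The embedded logs are constructed excerpts in that format, not the full logs from the thread.

```python
import re
from collections import Counter

# One detection line in a Spybot S&D scan log, e.g.
# "04.09.2007 06:50:45 - found: VirtuMonde Library"
FOUND_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) - found: (.+)$")
# The engine version header, e.g. "04.09.2007 06:44:24 - ### Version: 1.4"
VERSION_RE = re.compile(r"^\S+ \S+ - ### Version: (\S+)$")


def parse_scan_log(text):
    """Return (engine version, Counter of detection name -> hit count)."""
    version = None
    hits = Counter()
    for line in text.splitlines():
        line = line.strip()
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
            continue
        m = FOUND_RE.match(line)
        if m:
            hits[m.group(2).strip()] += 1
    return version, hits


def compare_scans(old_text, new_text):
    """Detection names unique to each scan, plus those reported by both."""
    old_ver, old_hits = parse_scan_log(old_text)
    new_ver, new_hits = parse_scan_log(new_text)
    return {
        "old_version": old_ver,
        "new_version": new_ver,
        "only_in_old": sorted(set(old_hits) - set(new_hits)),
        "only_in_new": sorted(set(new_hits) - set(old_hits)),
        "in_both": sorted(set(old_hits) & set(new_hits)),
    }


# Constructed excerpts in the thread's log format (hypothetical sample input).
LOG_14 = """04.09.2007 06:44:24 - ##### check started #####
04.09.2007 06:44:24 - ### Version: 1.4
04.09.2007 06:50:45 - found: VirtuMonde Library
04.09.2007 07:06:22 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 07:06:22 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 07:08:08 - found: Cookie Cookie (1820)
04.09.2007 07:08:08 - ##### check finished #####
"""
LOG_15 = """04.09.2007 07:58:11 - ##### check started #####
04.09.2007 07:58:11 - ### Version: 1.5
04.09.2007 08:19:40 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 08:19:40 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 08:20:34 - found: Cookie Cookie (1820)
04.09.2007 08:20:34 - found: History History (3067)
04.09.2007 08:20:34 - ##### check finished #####
"""

if __name__ == "__main__":
    print(compare_scans(LOG_14, LOG_15))
```

A name that shows up only under the older engine while the file itself was left untouched, as here, points at a detection-rule difference rather than a change on the disk, which is exactly what the maintainer asked for the unfixed log to confirm.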

Yodama
2007-09-05, 13:28
Thank you for your information and the file you sent to us.
The file matches other files which were false positives.
We are going to check why this occurs with the 1.4 version of Spybot.