PDA

View Full Version : JMail false positive?



rebthor
2006-03-17, 17:23
Hi,
I have just downloaded Spybot 1.4 after seeing a suspicious entry in HKLM/MS/Windows/Run registry key that turned out to be harmless, but Spybot claims that I am infected with pieces of "NiceSpy." It seems that all of the CLSIDs that it marks as pieces of "NiceSpy" are in fact classes from JMail, a programmable mail class. For example, the key HKEY_CLASSES_ROOT\CLSID\{F812B147-0E26-4222-8EE4-9F753CD2B39C} actually corresponds to a JMail POP3 Object. As far as I can tell, there are no reports of JMail itself being infected with malware, rather it seems that malware manufacturers install JMail to send/receive mail for tracking purposes. For example, I see that W32.Aprilcone.A@mm also uses JMail as does NiceSpy and Email-Worm.Win32.Dushit.a
Please take a look into this issue further. :scratch:

md usa spybot fan
2006-03-17, 17:35
Please post a log of the actual detections you are getting. To do that:
Run another scan.
When the scan completes, right click on the results list, select "Copy results to clipboard".
Then paste those results to a new post in this thread.
Thanks

rebthor
2006-03-22, 21:02
--- Search result list ---
Web-Nexus: Autorun settings (VC5MediaPlayer) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VC5MediaPlayer

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

NiceSpy: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{0D821067-FCF9-4704-9287-0D8F76FE6513}

NiceSpy: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{10E321CC-683E-4060-B938-4F53234D9593}

NiceSpy: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{53DECA78-C334-4235-9165-1FE7D8912A76}

NiceSpy: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{81CA5571-C109-47AE-BE1C-2DF9CB8999FF}

NiceSpy: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{90D0A753-AD45-40FD-8C6E-555600EE5EB4}

NiceSpy: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{A62C8BDB-D1FC-4FDD-A2A2-EEFF73262A41}

NiceSpy: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{AC3F1977-CD10-41B2-9977-7693A4C13377}

NiceSpy: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{AED3A6B3-2171-11D2-B77C-0008C73ACA8F}

NiceSpy: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{B10BF17C-F7EC-4EE2-AD7A-6F42816AEC0F}

NiceSpy: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{B1CC9084-0177-4136-9B1B-C06C061F1E1D}

NiceSpy: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{B3A0ACB9-3D8C-4999-9E6B-3E44372E11DD}

NiceSpy: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{DBAAEA4B-AD29-47BD-8776-C787D5BE28AA}

NiceSpy: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{E5FF9F62-0E7C-4372-8AD5-DA7D2418070C}

NiceSpy: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{F812B147-0E26-4222-8EE4-9F753CD2B39C}

NiceSpy: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{AED3A6B0-2171-11D2-B77C-0008C73ACA8F}

Netsys: Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{7B87A1E1-481A-47A5-B58F-BB1430DCC930}


...Skipping cookies, log and cache...

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-03-17 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-03-10 Includes\Beta.sbi (*)
2005-02-16 Includes\Beta.uti (*)
2006-03-10 Includes\Cookies.sbi (*)
2006-03-10 Includes\Dialer.sbi (*)
2006-03-10 Includes\Hijackers.sbi (*)
2006-03-10 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-03-10 Includes\Malware.sbi (*)
2006-03-10 Includes\PUPS.sbi (*)
2006-03-10 Includes\Revision.sbi (*)
2006-03-10 Includes\Security.sbi (*)
2006-03-10 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-03-10 Includes\Trojans.sbi (*)

tashi
2006-03-22, 22:19
I will bring this to teams attention. :)

Googling
{F812B147-0E26-4222-8EE4-9F753CD2B39C}

Showed Symantec detection.
http://www.symantec.de/avcenter/venc/data/pf/spyware.nicespy.html

Spyware.NiceSpy
When Spyware.NiceSpy is installed, it performs the following actions:
2. Creates the following registry keys:
<snip>
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Attachment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Attachments
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Headers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.MailMerge
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Message
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Messages
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.PGPDecodeResult
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.PGPDecodeResultCollection
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.PGPDecodeResults
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.POP3
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Recipient
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Recipients
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.SMTPMail
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.SpeedMailer

Yodama
2006-03-23, 11:25
thanks for reporting, it is not unusual for spyware to also install classids from other applications.

the parts which can be associated with jmail have been considered false positives and have been removed from detection

matafagafo
2006-04-02, 17:15
Hello the same happens in my computer, the NiceSpy is reported by the Spybot but the Symantec Antivirus don't find nothing in the computer.
I also locked for the binaries files of the Spyware reported by the Symantec, and I don't find it.
I also have the JMail installed in my computer.
I hope this helps you guys.

Buster
2006-04-03, 09:10
@ matafagafo
please download the latest detection updates to get a fixed detection file.