Confirmed: False Positive on Virtumonde in zipfldr.dll?



CyberGuardian
2009-02-24, 04:14
Greetings.

On a SBS&D scan this evening, Virtumonde was identified as being present on one of my computers in the following DLL (only):

c:\Windows\system32\zipfldr.dll

The machine is not misbehaving in any noticeable manner, in ways I have seen documented on this trojan or otherwise. The creation and modification date on the file is the same. I ran a scan on two other computers in my home: one using the same version and build of the program, and another using a newer version but the same build again... and no such infection was found on either of them. A complete scan with Kaspersky Anti-Virus 7.x on the system in question found no infection either.

I am wondering if this is a comparable situation that was reported last month (http://forums.spybot.info/showthread.php?t=43547) and even one from last summer (http://forums.spybot.info/showthread.php?t=17407), both of which turned out to be false positives. To this possible end, I emailed a copy of the file in question to your Detections email address with reference to this thread.

Below is the log report generated associated with this alert; please note that the first entry is related to Kaspersky's presence. Thanks in advance for your assistance.

--- Report generated: 2009-02-23 20:57 ---

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Virtumonde: [SBI $92386332] Library (File, nothing done)
C:\WINDOWS\system32\zipfldr.dll


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-04-02 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-10-22 Tools.dll (2.1.6.8)
2009-01-22 Includes\Adware.sbi (*)
2009-01-22 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-22 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-02-10 Includes\Hijackers.sbi (*)
2009-02-10 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2009-02-17 Includes\KeyloggersC.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2009-02-17 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-02-10 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-02-10 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-01-28 Includes\Spyware.sbi (*)
2009-01-28 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-02-18 Includes\Trojans.sbi (*)
2009-02-17 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

spybotsandra
2009-02-24, 11:35
Hello,

You seem to be using a dated version of Spybot-S&D.
Please download our current version Spybot - Search & Destroy 1.6.2. That should fix it.
You will find links to several download locations for this new version on our web site:
http://www.safer-networking.org/en/mirrors/index.html

Best regards
Sandra
Team Spybot

CyberGuardian
2009-02-24, 15:24
Thank you for the speedy response, Sandra.

I had considered that as a possibility myself but had ruled it out when, as noted, another computer of mine -- also running the same version and build of SpyBot as the computer system in question -- did not indicate the same. What likely/probable reasons could cause this discrepancy?

Yodama
2009-02-25, 07:20
hello,

It is possible that your other computer has a different version of the zipfldr.dll.
Spybot S&D does not detect this file because of its name; files have different attributes, and in the case of your version of zipfldr.dll there appears to be a detection rule that, in combination with the outdated version of Spybot S&D, causes a false positive.

Spybot S&D 1.5.2 is also a lot less effective against many threats and you should upgrade.
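The point above is that a scanner matches on file attributes, not on the file name, so two copies of zipfldr.dll that "have the same version" can still differ in what a detection rule sees. The following PowerShell is an added example (not code from the thread or from Team Spybot) that gathers the attributes a false-positive report should carry for a flagged file (size, timestamps, version resource, SHA-256, Authenticode status) and compares the result from two machines attribute by attribute. The function names and the evidence.xml transfer step are assumptions made for the example; the file path is the one from the log in the thread.

```powershell
# Added example: collect the evidence a scanner false-positive report should
# carry, so two machines can be compared by attributes rather than by file name.
function Get-FlaggedFileEvidence {
    param(
        [Parameter(Mandatory = $true)][string]$Path
    )
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        CreatedUtc      = $item.CreationTimeUtc
        ModifiedUtc     = $item.LastWriteTimeUtc
        FileVersion     = $item.VersionInfo.FileVersion
        ProductVersion  = $item.VersionInfo.ProductVersion
        CompanyName     = $item.VersionInfo.CompanyName
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status.ToString()
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Compare two evidence objects and emit only the attributes that differ.
# An empty result means the two files are byte-identical (same SHA-256) and
# carry the same metadata, so a detection on one machine only is a scanner-
# side difference (engine version, rule set), not a file difference.
function Compare-FlaggedFileEvidence {
    param(
        [Parameter(Mandatory = $true)]$Local,
        [Parameter(Mandatory = $true)]$Remote
    )
    foreach ($prop in $Local.PSObject.Properties.Name) {
        if ($prop -eq 'Path') { continue }   # full path may legitimately differ in case
        if ("$($Local.$prop)" -ne "$($Remote.$prop)") {
            [pscustomobject]@{
                Attribute = $prop
                Local     = $Local.$prop
                Remote    = $Remote.$prop
            }
        }
    }
}

# Usage on the machine that raised the alert (path taken from the thread's log):
$local = Get-FlaggedFileEvidence -Path 'C:\WINDOWS\system32\zipfldr.dll'
$local | Format-List

# On the second machine (assumed transfer step for the example):
#   Get-FlaggedFileEvidence -Path 'C:\WINDOWS\system32\zipfldr.dll' | Export-Clixml evidence.xml
# Then back on the first machine:
#   Compare-FlaggedFileEvidence -Local $local -Remote (Import-Clixml .\evidence.xml)
```

Two caveats for the signature field: Get-FileHash needs PowerShell 4.0 or later, and most Windows system DLLs are catalog-signed rather than carrying an embedded signature, so on older Windows versions Get-AuthenticodeSignature can report NotSigned for a perfectly legitimate file. The SHA-256 is the attribute worth attaching to a false-positive report, since it is what lets the vendor reproduce the detection against the exact file.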

CyberGuardian
2009-03-02, 19:49
I'd already thought of and investigated that possibility, Yodama, but thanks nonetheless for the thought. I didn't note so before, but the version of 'zipfldr.dll' on both computers of mine is the same.

juzer
2009-03-04, 19:04
I am having the same issue as mentioned above. I updated the files and ran another scan and it still detected

Virtumonde: [SBI $92386332] Library (File, nothing done)
C:\WINDOWS\system32\zipfldr.dll

Can you please confirm that this is a false positive, as none of the other programs like Malwarebytes, HijackThis, Norton Antivirus seem to detect or report on this.

As far as my PC is concerned, there are no popups etc as described in some other post related to virtumonde.

Thanks
Juzer

Yodama
2009-03-05, 07:16
hello juzer,

it is a false positive in your case too. Did you upgrade Spybot S&D to version 1.6.2? This false positive only seems to occur with Spybot S&D 1.5.2.

juzer
2009-03-05, 17:21
Thanks for the quick response. I have 1.5.2.20, but will upgrade to 1.6.2 as suggested and see if the message goes away.

Thanks
Juzer

dsbsnag
2009-03-26, 16:59
If spybot removed that file you'll likely be unable to zip or unzip (unless you have a 3rd party tool).

It sent mine to the recycle bin and for a couple of days i couldn't figure out why i couldn't zip or unzip...

then i found the .dll file in the recycle bin

replacing it in the proper windows/system32 folder solved the problem

when i ran spybot again...sure enough..it tried to delete it again. and, yes, i had the latest version.

dsbsnag
2009-03-26, 17:13
ok..i lied...i didn't have the latest version. I did have the latest updates...

but, it didn't alert me to updating to a new version. I now have the newest version and as you already knew it didn't try to delete that file.