Confirmed: False Positive on Virtumonde in zipfldr.dll?

CyberGuardian

New member
Greetings.

On a SBS&D scan this evening, Virtumonde was identified as being present on one of my computers in the following DLL (only):

c:\Windows\system32\zipfldr.dll

The machine is not misbehaving in any noticeable manner, in ways I have seen documented on this trojan or otherwise. The creation and modification date on the file is the same. I ran a scan on two other computers in my home: one using the same version and build of the program, and another using a newer version but the same build again... and no such infection was found on either of them. A complete scan with Kaspersky Anti-Virus 7.x on the system in question found no infection either.

I am wondering if this is a comparable situation that was reported last month and even one from last summer, both of which turned out to be false positives. To this possible end, I emailed a copy of the file in question to your Detections email address with reference to this thread.

Below is the log report generated associated with this alert; please note that the first entry is related to Kaspersky's presence. Thanks in advance for your assistance.

--- Report generated: 2009-02-23 20:57 ---

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Virtumonde: [SBI $92386332] Library (File, nothing done)
C:\WINDOWS\system32\zipfldr.dll


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-04-02 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-10-22 Tools.dll (2.1.6.8)
2009-01-22 Includes\Adware.sbi (*)
2009-01-22 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-22 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-02-10 Includes\Hijackers.sbi (*)
2009-02-10 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2009-02-17 Includes\KeyloggersC.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2009-02-17 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-02-10 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-02-10 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-01-28 Includes\Spyware.sbi (*)
2009-01-28 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-02-18 Includes\Trojans.sbi (*)
2009-02-17 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
 
Thank you for the speedy response, Sandra.

I had considered that as a possibility myself but had ruled it out when, as noted, another computer of mine -- also running the same version and build of SpyBot as the computer system in question -- did not indicate the same. What likely/probable reasons could cause this discrepancy?
 
hello,

it is possible that your other computer has a different version of the zipfldr.dll.
Spybot S&D does not detect this file because of its name; files have different attributes, and in the case of your version of zipfldr.dll there appears to be a detection rule that, in combination with the outdated version of Spybot S&D, causes a false positive.

Spybot S&D 1.5.2 is also a lot less effective against many threats and you should upgrade.
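The replies above settle the question by comparing the file on different machines and upgrading the scanner. The triage script below is an added example (not from this thread or from Spybot) that collects what a defender would actually compare before accepting or rejecting a "false positive" verdict on a system DLL: file version, SHA256, and whether Windows itself vouches for the file through its Authenticode or catalog signature. It assumes Windows PowerShell 4.0 or later; on older Windows versions catalog-signed system files may show as NotSigned, in which case Sysinternals sigcheck with -a is the more reliable check.

```powershell
# Added example: triage a DLL flagged by a scanner before trusting the verdict.
# Run the same command on a known-good machine and compare the output line by line.
# Assumption: Windows PowerShell 4.0+ (Get-FileHash, catalog-aware signature check).
param(
    [string]$Path = "$env:SystemRoot\System32\zipfldr.dll"
)

function Get-DllTriage {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path (a scanner may have quarantined it; check the Recycle Bin or restore from a known-good copy)"
    }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    [pscustomobject]@{
        Path           = $item.FullName
        FileVersion    = $item.VersionInfo.FileVersion
        ProductVersion = $item.VersionInfo.ProductVersion
        Company        = $item.VersionInfo.CompanyName
        Created        = $item.CreationTime
        Modified       = $item.LastWriteTime
        SizeBytes      = $item.Length
        SHA256         = $hash.Hash
        SigStatus      = $sig.Status              # Valid / NotSigned / HashMismatch / ...
        Signer         = $sig.SignerCertificate.Subject
        IsOSBinary     = $sig.IsOSBinary          # $true when the Windows catalog vouches for it
    }
}

$result = Get-DllTriage -Path $Path
$result | Format-List

# The two outcomes that change the decision: content that no longer matches its
# signature (tampering, not a false positive), or a "system" DLL the OS does not vouch for.
if ($result.SigStatus -eq 'HashMismatch') {
    Write-Warning "Content does not match its signature: treat as tampered, not as a false positive."
} elseif ($result.SigStatus -ne 'Valid' -or -not $result.IsOSBinary) {
    Write-Warning "Signature not verified by the OS catalog. Compare SHA256 with a known-good machine (or run sigcheck -a) before deciding."
}
```

Identical FileVersion and SHA256 on two machines where only one scanner build raises the alert points at the detection rule rather than the file, which is the conclusion the thread reaches.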
 
I'd already thought of and investigated that possibility, Yodama, but thanks nonetheless for the thought. I didn't note so before, but the version of 'zipfldr.dll' on both computers of mine is the same.
 
I am having the same issue as mentioned above. I updated the files and ran another scan and it still detected

Virtumonde: [SBI $92386332] Library (File, nothing done)
C:\WINDOWS\system32\zipfldr.dll

Can you please confirm that this is a false positive, as none of the other programs like Malwarebytes, HijackThis, Norton Antivirus seem to detect or report on this.

As far as my PC is concerned, there are no popups etc as described in some other post related to virtumonde.

Thanks
Juzer
 
hello juzer,

it is a false positive in your case too. Did you upgrade Spybot S&D to version 1.6.2? This false positive only seems to occur with Spybot S&D 1.5.2.
 
Thanks for the quick response. I have 1.5.2.20, but will upgrade to 1.6.2 as suggested and see if the message goes away.

Thanks
Juzer
 
you probably can't zip

If spybot removed that file you'll likely be unable to zip or unzip (unless you have a 3rd party tool).

It sent mine to the recycle bin and for a couple of days I couldn't figure out why I couldn't zip or unzip...

Then I found the .dll file in the recycle bin.

Replacing it in the proper windows/system32 folder solved the problem.

When I ran Spybot again... sure enough, it tried to delete it again. And, yes, I had the latest version.
 
OK... I lied... I didn't have the latest version. I did have the latest updates...

But it didn't alert me to updating to a new version. I now have the newest version and, as you already knew, it didn't try to delete that file.
 