Thread: Virtumonde False Positive?

  1. #1 Junior Member (Join Date: Aug 2007, Posts: 2)

    Virtumonde False Positive?

    Out of the blue yesterday, S&D on a normal reboot autoscan detected 'Virtumonde' in a dll file in my SYSTEM32 directory. I am suspicious of this as this machine is not used for any unusual activity, I have the current Norton AV w/ subscription running all the time (and it has been updated/running for years on this machine), MS WinDefender is running and current, and of course the best, S&D running with immunization and realtime protection options all up.

    I noticed there seems to be an update of some sort for Virtumonde in the latest update file for S&D which was issued around the time of yesterday's curious scan. Looking back in the logs for prior scans, I see the same dll was flagged as 'Virtumonde library' on a scan on the 23rd of the month too, but there was no prompting to fix it as that scan was likely done overnight not on a reboot. Other than some tracking cookie and reg entries, S&D had no other hits.

    I allowed S&D to 'fix' the Virtumonde problem, but it required a reboot as the file could not be deleted.

    Upon reboot and rescan, the dll file was still there. I tried this sequence twice. I then ran the Kaspersky online scan and it did not complain about Virtumonde - only finding the old quarantined macro virus infected word files from years ago. Furthermore, I was able to go into Explorer and simply delete the 'infected' dll file without any problem.

    The filename in question is:
    C:\WINDOWS\SYSTEM32\susrtas.dll
    Size: 31.0 KB (31,747 bytes)
    Created: April 15, 2006, 10:20:17 PM
    Modified: May 21, 1996, 4:28:24 PM
    Accessed: August 30, 2007, 11:48:03 AM <Probably from my manual scan attempts with Kaspersky, NaV, etc.>

    I googled and searched online in several places and found no reference to the filename so I have no idea when it was added and by what. I find it strange that no hits were made for the filename anywhere - usually legit DLL files get posted about somewhere on the web!

    I would be happy to send a copy of the dll to help in figuring out if this is a false hit.

    Thanks for your help.

  2. #2 Senior Member Yodama (Join Date: Oct 2005, Location: Buchenheim, Posts: 1,110)

    Hello,

    please send the file to detections-at-spybot.info (replace -at- with @),
    and please make a scan with Spybot version 1.5, but do not fix this entry; we will require the scan log to see which detection rule finds this file.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  3. #3 Junior Member (Join Date: Aug 2007, Posts: 2)

    Logs & File

    Hi there.

    I have emailed the suspect file to the address you gave.

    Below please find the scan log for S&D 1.4 and 1.5 run this morning. You will note that the suspect file is no longer flagged by 1.5 as a problem despite it being untouched/not fixed. Hence, it looks like it is a false positive with the S&D 1.4 scan engine.

    Please let me know if you need any further information.

    Thanks!

    Scan Log for S&D 1.4:
    04.09.2007 06:44:24 - ##### check started #####
    04.09.2007 06:44:24 - ### Version: 1.4
    04.09.2007 06:44:24 - ### Date: 04/09/2007 6:44:24 AM
    04.09.2007 06:44:25 - ##### checking bots #####
    04.09.2007 06:50:45 - found: VirtuMonde Library
    04.09.2007 07:06:22 - found: HitBox Tracking cookie (Firefox: default)
    04.09.2007 07:06:22 - found: HitBox Tracking cookie (Firefox: default)
    04.09.2007 07:06:23 - found: HitBox Tracking cookie (Firefox: default)
    04.09.2007 07:06:23 - found: HitBox Tracking cookie (Firefox: default)
    04.09.2007 07:06:29 - found: HitBox Tracking cookie (Firefox: default)
    04.09.2007 07:06:29 - found: HitBox Tracking cookie (Firefox: default)
    04.09.2007 07:07:56 - ##### checking usage tracking #####
    04.09.2007 07:07:56 - found: Common Dialogs History 199 files
    04.09.2007 07:07:56 - found: Log Activity: COM+.log COM+.log
    04.09.2007 07:07:56 - found: Log Activity: SchedLgU.Txt SchedLgU.Txt
    04.09.2007 07:07:56 - found: Log Activity: imsins.log imsins.log
    04.09.2007 07:07:56 - found: Log Activity: OEWABLog.txt OEWABLog.txt
    04.09.2007 07:07:56 - found: Log Activity: ntbtlog.txt ntbtlog.txt
    . . . . . . . . .
    04.09.2007 07:08:07 - found: WinZip Destination directory
    04.09.2007 07:08:08 - found: Cookie Cookie (1820)
    04.09.2007 07:08:08 - found: Cache Cache (8188)
    04.09.2007 07:08:08 - found: Cookie Cookie (854)
    04.09.2007 07:08:08 - ##### check finished #####

    Scan Log for S&D 1.5:
    04.09.2007 07:58:11 - ##### check started #####
    04.09.2007 07:58:11 - ### Version: 1.5
    04.09.2007 07:58:11 - ### Date: 04/09/2007 7:58:11 AM
    04.09.2007 07:58:12 - ##### checking bots #####
    04.09.2007 08:19:40 - found: HitBox Tracking cookie (Firefox: default)
    04.09.2007 08:19:40 - found: HitBox Tracking cookie (Firefox: default)
    04.09.2007 08:19:40 - found: HitBox Tracking cookie (Firefox: default)
    04.09.2007 08:19:41 - found: HitBox Tracking cookie (Firefox: default)
    04.09.2007 08:19:43 - found: HitBox Tracking cookie (Firefox: default)
    04.09.2007 08:19:44 - found: HitBox Tracking cookie (Firefox: default)
    04.09.2007 08:20:15 - ##### checking usage tracking #####
    04.09.2007 08:20:15 - found: Common Dialogs History 200 files
    04.09.2007 08:20:18 - found: Log Activity: COM+.log COM+.log
    04.09.2007 08:20:18 - found: Log Activity: SchedLgU.Txt SchedLgU.Txt
    04.09.2007 08:20:18 - found: Log Activity: imsins.log imsins.log
    04.09.2007 08:20:18 - found: Log Activity: OEWABLog.txt OEWABLog.txt
    04.09.2007 08:20:18 - found: Log Activity: ntbtlog.txt ntbtlog.txt
    . . . . . . . . . .
    04.09.2007 08:20:33 - found: WinZip Destination directory
    04.09.2007 08:20:34 - found: Cookie Cookie (1820)
    04.09.2007 08:20:34 - found: Cache Cache (8188)
    04.09.2007 08:20:34 - found: History History (3067)
    04.09.2007 08:20:34 - found: Cookie Cookie (854)
    04.09.2007 08:20:34 - ##### check finished #####
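    To triage a "flagged by the old engine, gone in the new one" case like the one above, a log comparison is enough to isolate the finding in question. The following is an added example, not code from the thread or from Spybot itself; it parses excerpts of the two logs quoted in this post (trimmed and embedded as constructed sample input) and lists "checking bots" findings that the 1.4 engine reported and 1.5 did not, ignoring the usage-tracking section where cookie and history counts vary between runs.

```python
import re

# Constructed excerpts of the two Spybot S&D logs quoted in the post above.
LOG_14 = """\
04.09.2007 06:44:24 - ##### check started #####
04.09.2007 06:44:24 - ### Version: 1.4
04.09.2007 06:44:25 - ##### checking bots #####
04.09.2007 06:50:45 - found: VirtuMonde Library
04.09.2007 07:06:22 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 07:07:56 - ##### checking usage tracking #####
04.09.2007 07:07:56 - found: Common Dialogs History 199 files
04.09.2007 07:08:08 - ##### check finished #####
"""
LOG_15 = """\
04.09.2007 07:58:11 - ##### check started #####
04.09.2007 07:58:11 - ### Version: 1.5
04.09.2007 07:58:12 - ##### checking bots #####
04.09.2007 08:19:40 - found: HitBox Tracking cookie (Firefox: default)
04.09.2007 08:20:15 - ##### checking usage tracking #####
04.09.2007 08:20:15 - found: Common Dialogs History 200 files
04.09.2007 08:20:34 - ##### check finished #####
"""

# Every log line is "DD.MM.YYYY HH:MM:SS - message".
LINE_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) - (.*)$")


def parse_log(text):
    """Return (engine version, {section name: set of 'found:' entries})."""
    version, section, findings = None, None, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # elisions such as ". . . ." or blank lines
        msg = m.group(2)
        if msg.startswith("### Version:"):
            version = msg.split(":", 1)[1].strip()
        elif msg.startswith("##### checking "):
            section = msg.strip("# ")[len("checking "):]  # "bots", "usage tracking"
        elif msg.startswith("found: ") and section:
            findings.setdefault(section, set()).add(msg[len("found: "):])
    return version, findings


def compare_scans(old_text, new_text):
    """'checking bots' findings the old engine reported but the new one dropped."""
    old_ver, old = parse_log(old_text)
    new_ver, new = parse_log(new_text)
    dropped = old.get("bots", set()) - new.get("bots", set())
    return {"old": old_ver, "new": new_ver, "dropped": sorted(dropped)}


if __name__ == "__main__":
    print(compare_scans(LOG_14, LOG_15))
```

    A finding that disappears when the rule set changes is evidence that the detection rule was revised, not proof that the file is clean; it is the vendor's review of the submitted sample that settles the question.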

  4. #4 Senior Member Yodama (Join Date: Oct 2005, Location: Buchenheim, Posts: 1,110)

    Thank you for your information and the file you sent to us.
    The file matches other files which were false positives.
    We are going to check why this occurs with the 1.4 version of Spybot.
