Fixed: ENCAPI32.dll aka VIRTUMONDE.SDN

Mega Tornaconto

Hello everybody,
The last scan of updated S&D found Virtumonde.sdn in c:\windows\system32\encapi32.dll, which was an old file belonging to Microsoft Encarta.
The result of the scan is attached.
Well, I think it could be a false positive.
Please have a look.

Live long and prosper
 
Thank you for reporting this false positive.
It will be fixed with the next detection update scheduled for Wednesday 2010-04-14.
Until then you can exclude further detection of ENCAPI32.dll if you right-click it in the scan result and select "exclude this detection from further searches".
 
thanks for confirming

Hi Yodama, :thanks:
Thanks for your official confirmation, as I wasn't 100% sure (it's been a long time since I used this old version of MS Encarta).
Happy, however, to contribute to the correct development of Spybot.
Have a nice weekend.

Live long and prosper
 
As far as I know, Virtumonde uses the file "encapi32.dll" as well, but filesize and MD5 are different. :)
 
filesize and MD5 are different

Hi, Matt
I knew about the use of ENCAPI32 by Virtumonde, so I attached the MD5 and filesize information in a text file. In the meantime I'm waiting for Wednesday's update and I'll try to scan the system again: I'll surely post any news.
Eventually I can attach the zipped ENCAPI32 itself if you need more investigation.
Have a good weekend.

LIVE LONG AND PROSPER
 
new scan: no more false positive

Hello everybody,
It's confirmed.
After a new scan with updated S&D files, your software does not detect encapi32.dll as Virtumonde anymore.
I can confirm that the problem is fixed.
Thanks for your continuous work.

Live long and prosper
 