False positive?

False positive?
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Anti-Virus Software    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
False positive? Daave 04-08-2007
Posted by Daave on April 8, 2007, 4:28 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Okay, this is a new one.

(I'm running 98 SE)

On a whim, I decided to do the Symantec online virus scan. The message:

Your computer is infected with at least one known virus or Trojan horse.

c:\WINDOWS\SYSTEM32\msmsgre.dll is infected with Trojan Horse

---------------------------------------------------------------

Interestingly, there's no mention *anywhere* on symantec.com of
msmsgre.dll!

I then decided to visit http://virusscan.jotti.org/ for more opinions.
The results:

Service load: 0% 100%

File: msmsgre.dll
Status: INFECTED/MALWARE
MD5 32883c56a4cb283d06cfb1f03f003b26
Packers detected: -

Scanner results
Scan taken on 08 Apr 2007 17:20:06 (GMT)
AntiVir Found ADSPY/Agent.o.1
ArcaVir Found Adware.Agent.O
Avast Found nothing
AVG Antivirus Found Generic.NDP
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Agent.o (4, 1, 400)
Fortinet Found W32/Agent
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Agent.o
NOD32 Found nothing
Norman Virus Control Found W32/Agent.VIC
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found AdWare.Win32.Agent.o

---------------------------------------------------------------

Right-clicking to get this file's Properties:

Type: Application Extension
Location: C:\WINDOWS\SYSTEM32
Size: 136 KB (139,264 bytes), 139,264 bytes used
MS-DOS name: MSMSGRE.DLL
Created: Monday, January 01, 2001 8:51:25 AM
Modified: Monday, January 01, 2001 8:51:26 AM
Attributes: Archive
File Version: 5, 1, 2600, 0
Desccription: Messenger Service Extension Module

Copyright: Copyright 2000

---------------------------------------------------------------

Opening the .dll file in Wordpad yielded some clues (amidst characters
which were illegible):

Software\SourceSafe.0

http://safe.w2kserver2.com/

Content type: application/x-www-form-urlencoded

MyOverlayIcon\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIc
onOverlayIdentifiers

CorExitProcess

mscoree.dll

Messenger ServiceExt Extension

Microsoft Visual C++ Runtime Library

buffer overrun has been detected which has corrupted the program's
internal state. The program annot safely continue execution and must
now be terminated.

Unknown security failure detected!

R6029
This application cannot run using the active version of the Microsoft
.NET Runtime

c:\Install Ads\igal\Random job\Messenger Service\Release\adw.pdb

InitializeCriticalSectionAndSpinCount

HeapDestroy
HeapFree

AVout_of_range

CLSID = s ''
CurVer = s 'Messenger Service.Messenger ServiceExt.1'

NoRemove ShellIconOverlayIdentifiers
ForceRemove MyOverlayIcon1 = s ''

---------------------------------------------------------------

Finally, a Web search yielded:

http://kichik.net/

Even more evil files
Dec 15th, 2006 by kichik

While searching for the complete list of registry keys used by NSIS
Media, I found yet another update server for an even older version. Only
this server seems a bit different, it's for removal of NSIS Media. Its
output contains a URL for an installer that removes a lot of files and
registry keys I haven't ever seen.

auole4.dll
aviprope.dll
brwe042.dll
cabext32.dll
cagt041.dll
cryptdbe.dll
direjmod.dll
dobj01e.dll
dspmode.dll
dsq052e.dll
edk052.dll
iccext.dll
icmmext.dll
mail052e.dll
msgetm.dll
msgsple.dll

* msmsgre.dll *

mssfdr.dll
ntext052.dll
ntfssetx.dll
prtmde3.dll
shllimgd.dll
slpube03.dll
splsrv4.dll
syncmte.dll
tragte.dll
vidcpl2.dll
vlcx052.dll
wint042e.dll

Expect a complete NSIS Media remover very soon

---------------------------------------------------------------

Weird, huh?! Any ideas? False positive? TIA.

--
Dave



Posted by Daave on April 8, 2007, 4:37 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Daave wrote:
> Okay, this is a new one.
>
> (I'm running 98 SE)
>
> On a whim, I decided to do the Symantec online virus scan. The
> message:
>
> Your computer is infected with at least one known virus or Trojan
> horse.
>
> c:\WINDOWS\SYSTEM32\msmsgre.dll is infected with Trojan Horse
>
> ---------------------------------------------------------------
>
> Interestingly, there's no mention *anywhere* on symantec.com of
> msmsgre.dll!
>
> I then decided to visit http://virusscan.jotti.org/ for more opinions.
> The results:
>
> Service load: 0% 100%
>
> File: msmsgre.dll
> Status: INFECTED/MALWARE
> MD5 32883c56a4cb283d06cfb1f03f003b26
> Packers detected: -
>
> Scanner results
> Scan taken on 08 Apr 2007 17:20:06 (GMT)
> AntiVir Found ADSPY/Agent.o.1
> ArcaVir Found Adware.Agent.O
> Avast Found nothing
> AVG Antivirus Found Generic.NDP
> BitDefender Found nothing
> ClamAV Found nothing
> Dr.Web Found nothing
> F-Prot Antivirus Found nothing
> F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Agent.o (4, 1,
> 400) Fortinet Found W32/Agent
> Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Agent.o
> NOD32 Found nothing
> Norman Virus Control Found W32/Agent.VIC
> Panda Antivirus Found nothing
> Rising Antivirus Found nothing
> VirusBuster Found nothing
> VBA32 Found AdWare.Win32.Agent.o
>
> ---------------------------------------------------------------
>
> Right-clicking to get this file's Properties:
>
> Type: Application Extension
> Location: C:\WINDOWS\SYSTEM32
> Size: 136 KB (139,264 bytes), 139,264 bytes used
> MS-DOS name: MSMSGRE.DLL
> Created: Monday, January 01, 2001 8:51:25 AM
> Modified: Monday, January 01, 2001 8:51:26 AM
> Attributes: Archive
> File Version: 5, 1, 2600, 0
> Desccription: Messenger Service Extension Module
>
> Copyright: Copyright 2000
>
> ---------------------------------------------------------------
>
> Opening the .dll file in Wordpad yielded some clues (amidst characters
> which were illegible):
>
> Software\SourceSafe.0
>
> http://safe.w2kserver2.com/
>
> Content type: application/x-www-form-urlencoded
>
>
MyOverlayIcon\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIc
> onOverlayIdentifiers
>
> CorExitProcess
>
> mscoree.dll
>
> Messenger ServiceExt Extension
>
> Microsoft Visual C++ Runtime Library
>
> buffer overrun has been detected which has corrupted the program's
> internal state. The program annot safely continue execution and must
> now be terminated.
>
> Unknown security failure detected!
>
> R6029
> This application cannot run using the active version of the Microsoft
> .NET Runtime
>
> c:\Install Ads\igal\Random job\Messenger Service\Release\adw.pdb
>
> InitializeCriticalSectionAndSpinCount
>
> HeapDestroy
> HeapFree
>
> AVout_of_range
>
> CLSID = s ''
> CurVer = s 'Messenger Service.Messenger ServiceExt.1'
>
> NoRemove ShellIconOverlayIdentifiers
> ForceRemove MyOverlayIcon1 = s
> ''
>
> ---------------------------------------------------------------
>
> Finally, a Web search yielded:
>
> http://kichik.net/
>
> Even more evil files
> Dec 15th, 2006 by kichik
>
> While searching for the complete list of registry keys used by NSIS
> Media, I found yet another update server for an even older version.
> Only this server seems a bit different, it's for removal of NSIS
> Media. Its output contains a URL for an installer that removes a lot
> of files and registry keys I haven't ever seen.
>
> auole4.dll
> aviprope.dll
> brwe042.dll
> cabext32.dll
> cagt041.dll
> cryptdbe.dll
> direjmod.dll
> dobj01e.dll
> dspmode.dll
> dsq052e.dll
> edk052.dll
> iccext.dll
> icmmext.dll
> mail052e.dll
> msgetm.dll
> msgsple.dll
>
> * msmsgre.dll *
>
> mssfdr.dll
> ntext052.dll
> ntfssetx.dll
> prtmde3.dll
> shllimgd.dll
> slpube03.dll
> splsrv4.dll
> syncmte.dll
> tragte.dll
> vidcpl2.dll
> vlcx052.dll
> wint042e.dll
>
> Expect a complete NSIS Media remover very soon
>
> ---------------------------------------------------------------
>
> Weird, huh?! Any ideas? False positive? TIA.





Addendum:

Created by MIDL version 6.00.0361 at Mon Jan 01 17:20:40 2001



Posted by Peter Seiler on April 9, 2007, 3:22 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Daave - 08.04.2007 22:37 :

why unnecessaerly fullquoting your own again?

--

by(e) PS

spam will be killfiled

Posted by David H. Lipman on April 8, 2007, 6:33 pm
If you were  Registered and logged in, you could reply and use other advanced thread options

| Okay, this is a new one.
|
| (I'm running 98 SE)
|
| On a whim, I decided to do the Symantec online virus scan. The message:
|
| Your computer is infected with at least one known virus or Trojan horse.
|
| c:\WINDOWS\SYSTEM32\msmsgre.dll is infected with Trojan Horse
|

< snip >

The findings are too consistent top be a False Positive.
It is very likely an AdWare Trojan, Win32.Agent.o

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Bullseye on April 9, 2007, 1:50 am
If you were  Registered and logged in, you could reply and use other advanced thread options
On Sun, 8 Apr 2007 16:28:02 -0400, Daave wrote:

> Okay, this is a new one.
>
> (I'm running 98 SE)
>
> On a whim, I decided to do the Symantec online virus scan. The message:
>
> Your computer is infected with at least one known virus or Trojan horse.
>
> c:\WINDOWS\SYSTEM32\msmsgre.dll is infected with Trojan Horse
>
> ---------------------------------------------------------------
<Snip>

I would say it is very likely there is a problem due to the fact that
Windows Messenger is very susceptible to buffer overflow problems.

From http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=26347

"Microsoft Windows Messenger Service contains a vulnerability that can
allow an attacker to cause a denial of service or possibly execute
arbitrary code. The vulnerability is due to the Messenger service failing
to validate the size of a message before processing it. Attackers can
exploit the vulnerability by sending a carefully constructed message to the
Messenger Service to overflow the allocated buffer."

From http://secunia.com/advisories/10012/ which lists this vulnerability
as "Highly Critical":

"Microsoft has issued patches for Microsoft Windows to fix a buffer
overflow vulnerability in Messenger Service, which could lead to execution
of arbitrary code.

The problem is that the Messenger Service doesn't verify the length of
messages. This allows malicious people to send messages, which causes a
buffer overflow that may allow execution of arbitrary code.

The vulnerability only affects systems where the Messenger Service is
enabled.

The Messenger Service is disabled by default on Microsoft Windows 2003."

This could be a real problem with Windows 98 no longer being supported, as
(according to this site) patches are only available for newer systems.

However, F-Secure AV website has info on how to block this vulnerability:

"How to block buffer overflow attack
Solution / Workaround
1) Create a service definition for the Windows messaging service.
- open the IS/DFW advanced GUI
- click on the "Services" tab
- click on "Add..."
- Write description: Windows Messenger Service
- click "Next"
- Choose protocol: UDP (17)
- check "Allow broadcasts" and "Allow multicasts"
- Edit the initiator ports (click "Edit...")
- click on the entry that says 1024-65535
- in the "Range" starting field, change start value to 1.
- click "Add to list"
- remove the 1024-65535 entry, leaving only the new one
- click "OK"
- Edit the responder ports (click "Edit...")
- write 135 in the "Single" input field
- click "Add to list" and

2) Create a deny service to block this traffic:
- click on the "Rules" tab
- click the "Add..." button
- choose "Deny"
- define a rule name, e.g. Inbound Windows Messenger traffic
- click "Next"
- make sure "Any IP address" is checked and click "Next"
- check the Windows Messenger Service you created in 1)
- mark it as inbound (by clicking the question mark until the inbound arrow
is shown)
- click "Next"
- choose "No alert" (or alerting if you want) and press "Next"
- click "Finish"

You are now protected."

I hope the little bit of info I've provided helps in some way.

--
Posted via a free Usenet account from http://www.teranews.com


Similar ThreadsPosted
False Positive? September 10, 2005, 8:22 am
False Positive on Keylogger??? June 10, 2006, 11:38 am
Malwarebytes false positive July 14, 2008, 10:22 am
False Positive, Posssible / Likely? July 24, 2008, 1:20 pm
Spybot 1.4 Smitfraud-C False Positive? July 29, 2005, 11:23 pm
New False Positive from Spyware Doctor? February 1, 2007, 8:41 pm
Win32:Mhtplo-10 - False positive? November 30, 2007, 3:27 pm
PCANDIS5.sys Trojan or False Positive? June 28, 2008, 5:04 am
AVG false positive reported on user32.dll November 19, 2008, 1:01 am
likely semi-false positive"intrusion" nav05 April 8, 2006, 1:30 am

The site map in XML format XML site map

Contact Us | Privacy Policy