False positive?

Okay, this is a new one.

(I'm running 98 SE)

On a whim, I decided to do the Symantec online virus scan. The message:

Your computer is infected with at least one known virus or Trojan horse.

c:\WINDOWS\SYSTEM32\msmsgre.dll is infected with Trojan Horse

---------------------------------------------------------------

Interestingly, there's no mention *anywhere* on symantec.com of
msmsgre.dll!

I then decided to visit http://virusscan.jotti.org/ for more opinions.
The results:

File:  msmsgre.dll
Status:  INFECTED/MALWARE
MD5  32883c56a4cb283d06cfb1f03f003b26
Packers detected:  -

Scanner results
Scan taken on 08 Apr 2007 17:20:06 (GMT)
AntiVir  Found ADSPY/Agent.o.1
ArcaVir  Found Adware.Agent.O
Avast  Found nothing
AVG Antivirus  Found Generic.NDP
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
F-Secure Anti-Virus  Found not-a-virus:AdWare.Win32.Agent.o (4, 1, 400)
Fortinet  Found W32/Agent
Kaspersky Anti-Virus  Found not-a-virus:AdWare.Win32.Agent.o
NOD32  Found nothing
Norman Virus Control  Found W32/Agent.VIC
Panda Antivirus  Found nothing
Rising Antivirus  Found nothing
VirusBuster  Found nothing
VBA32  Found AdWare.Win32.Agent.o

---------------------------------------------------------------

Right-clicking to get this file's Properties:

Type: Application Extension
Location: C:\WINDOWS\SYSTEM32
Size: 136 KB (139,264 bytes), 139,264 bytes used
MS-DOS name: MSMSGRE.DLL
Created: Monday, January 01, 2001 8:51:25 AM
Modified: Monday, January 01, 2001 8:51:26 AM
Attributes: Archive
File Version: 5, 1, 2600, 0
Description: Messenger Service Extension Module

Copyright: Copyright 2000

---------------------------------------------------------------

Opening the .dll file in Wordpad yielded some clues (amidst characters
which were illegible):

Software\SourceSafe.0

http://safe.w2kserver2.com /

Content type: application/x-www-form-urlencoded

MyOverlayIcon\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

CorExitProcess

mscoree.dll

Messenger ServiceExt Extension

Microsoft Visual C++ Runtime Library

buffer overrun has been detected which has corrupted the program's
internal state.  The program cannot safely continue execution and must
now be terminated.

Unknown security failure detected!

R6029
This application cannot run using the active version of the Microsoft
.NET Runtime

c:\Install Ads\igal\Random job\Messenger Service\Release\adw.pdb

InitializeCriticalSectionAndSpinCount

HeapDestroy
HeapFree

AVout_of_range

CLSID = s ''
CurVer = s 'Messenger Service.Messenger ServiceExt.1'

NoRemove ShellIconOverlayIdentifiers
ForceRemove MyOverlayIcon1 = s ''

---------------------------------------------------------------

Finally, a Web search yielded:

http://kichik.net /

Even more evil files
Dec 15th, 2006 by kichik

While searching for the complete list of registry keys used by NSIS
Media, I found yet another update server for an even older version. Only
this server seems a bit different, it's for removal of NSIS Media. Its
output contains a URL for an installer that removes a lot of files and
registry keys I haven't ever seen.

auole4.dll
aviprope.dll
brwe042.dll
cabext32.dll
cagt041.dll
cryptdbe.dll
direjmod.dll
dobj01e.dll
dspmode.dll
dsq052e.dll
edk052.dll
iccext.dll
icmmext.dll
mail052e.dll
msgetm.dll
msgsple.dll

  *  msmsgre.dll    *

mssfdr.dll
ntext052.dll
ntfssetx.dll
prtmde3.dll
shllimgd.dll
slpube03.dll
splsrv4.dll
syncmte.dll
tragte.dll
vidcpl2.dll
vlcx052.dll
wint042e.dll

Expect a complete NSIS Media remover very soon

---------------------------------------------------------------

Weird, huh?! Any ideas? False positive? TIA.

--
Dave



Re: False positive?

Daave wrote:
| MyOverlayIcon\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIc

Addendum:

Created by MIDL version 6.00.0361 at Mon Jan 01 17:20:40 2001



Re: False positive?

Daave - 08.04.2007 22:37 :

Why unnecessarily full-quote your own post again?

--

by(e) PS

spam will be killfiled

Re: False positive?


| Okay, this is a new one.
|
| (I'm running 98 SE)
|
| On a whim, I decided to do the Symantec online virus scan. The message:
|
| Your computer is infected with at least one known virus or Trojan horse.
|
| c:\WINDOWS\SYSTEM32\msmsgre.dll is infected with Trojan Horse
|

< snip >

The findings are too consistent to be a false positive.
It is very likely an AdWare Trojan, Win32.Agent.o

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: False positive?

On Sun, 8 Apr 2007 16:28:02 -0400, Daave wrote:

<Snip>

I would say it is very likely there is a problem due to the fact that
Windows Messenger is very susceptible to buffer overflow problems.

From http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=26347

"Microsoft Windows Messenger Service contains a vulnerability that can
allow an attacker to cause a denial of service or possibly execute
arbitrary code. The vulnerability is due to the Messenger service failing
to validate the size of a message before processing it. Attackers can
exploit the vulnerability by sending a carefully constructed message to the
Messenger Service to overflow the allocated buffer."

From http://secunia.com/advisories/10012/ which lists this vulnerability
as "Highly Critical":

"Microsoft has issued patches for Microsoft Windows to fix a buffer
overflow vulnerability in Messenger Service, which could lead to execution
of arbitrary code.

The problem is that the Messenger Service doesn't verify the length of
messages. This allows malicious people to send messages, which causes a
buffer overflow that may allow execution of arbitrary code.

The vulnerability only affects systems where the Messenger Service is
enabled.

The Messenger Service is disabled by default on Microsoft Windows 2003."

This could be a real problem with Windows 98 no longer being supported, as
(according to this site) patches are only available for newer systems.  

However, the F-Secure AV website has info on how to block this vulnerability:

"How to block buffer overflow attack
Solution / Workaround
1) Create a service definition for the Windows messaging service.
- open the IS/DFW advanced GUI
- click on the "Services" tab
- click on "Add..."
- Write description: Windows Messenger Service
- click "Next"
- Choose protocol: UDP (17)
- check "Allow broadcasts" and "Allow multicasts"
- Edit the initiator ports (click "Edit...")
- click on the entry that says 1024-65535
- in the "Range" starting field, change start value to 1.
- click "Add to list"
- remove the 1024-65535 entry, leaving only the new one
- click "OK"
- Edit the responder ports (click "Edit...")
- write 135 in the "Single" input field
- click "Add to list" and

2) Create a deny service to block this traffic:
- click on the "Rules" tab
- click the "Add..." button
- choose "Deny"
- define a rule name, e.g. Inbound Windows Messenger traffic
- click "Next"
- make sure "Any IP address" is checked and click "Next"
- check the Windows Messenger Service you created in 1)
- mark it as inbound (by clicking the question mark until the inbound arrow
is shown)
- click "Next"
- choose "No alert" (or alerting if you want) and press "Next"
- click "Finish"

You are now protected."

I hope the little bit of info I've provided helps in some way.

--
Posted via a free Usenet account from http://www.teranews.com


Re: False positive?

Most definitely. Thank you much!
