Trojan.VB.VZO

[mickey megabyte]

Well, I have been reluctant to do anything that might remotely trigger the potential malware, not even opening the archive with Winzip (I actually have a license, how anal is that!) until I have a better handle on the sitch.

very understandable, DJG. one thing i don't understand is why people still use winzip? i gave it up years ago ever since windows (was it xp) starting supporting zip's 'out of the box'.

don't get me wrong, i'm not criticising you using it, just wondering what advantages winzip has over windows explorer in dealing with zip files.

 

[darkassain]

Well, I have been reluctant to do anything that might remotely trigger the potential malware, not even opening the archive with Winzip (I actually have a license, how anal is that!) until I have a better handle on the sitch.

ok there shouldnt be any problem extracting the file...

And unfortunately it appears my false positive gone experience wasn't quite true. What happened is I did a file-specific right-click / Scan for malware, and apparently that works different, or possible doesn't work as expected in Win 7 which is still in beta trim for this release. I just did another full system scan and they (I have two copies currently) showed up again.

hmm interesting

The good news? The same sig showed up this time three times, the two zip archives, and an OCX in my 7232 partition's SysWOW64, mswinsck.ocx which is a skimpy 106KB. And it matches what might have been installed by that installation ZIP. I'll send that and see what happens now.

BTW, the right-click / Scan for malware gives positive on the OCX file, but not on the ZIP that seems to contain it.

since its a OCX file its not executable by default...
it should be fine...
once great way to check whether its a false positive is to see whether it has a valid signature...
if it does then all means its a false positive...

 

[DJG]

very understandable, DJG. one thing i don't understand is why people still use winzip? i gave it up years ago ever since windows (was it xp) starting supporting zip's 'out of the box'.

don't get me wrong, i'm not criticising you using it, just wondering what advantages winzip has over windows explorer in dealing with zip files.

I actually like the interface better, and I got the license the year before it got integrated into Win Explorer . Also I prefer to explicitly deal with the archive environment separately from the filesystem. I think I did one upgrade, to v10. It does have nicer functionality, but if I didn't have that original license I just might be using the Win Explorer integration too. I'm just showing my age .

OK, I went through all sorts of hoops to try and get a hold of the mswinsck.ocx file to send it to Agnitum but security would not let me do anything with it, saying I needed permissions, it said it couldn't display the owner when I tried to take ownership, bla, bla. I started to get worried as it looked like they'd made the file untouchable. Then I realized it might be the AV trying to protect me. Bingo. I momentarily disabled protection and was able to submit it as a suspect infection with a brief history. Well, I really can't complain even if it turns out to be a false (I'm hoping), it seems to be doing its job.

Plus it forced me to do a clean install of 385 instead of the upgraded 384, which will make many people in this forum happy . It was coming once I got comfy but now I'm there a bit sooner. Minus my lovely Brit Lass voice to croon to me . Let's see if I get a response from Agnitum.

 

[DJG]

ok there shouldnt be any problem extracting the file...

... into somebody else's PC

since its a OCX file its not executable by default...
it should be fine...

Paranoia often makes you take little for granted and assumptions for what they are :shock:

once great way to check whether its a false positive is to see whether it has a valid signature...
if it does then all means its a false positive...

Good point on the sig, but again, I trust very little at this point until (if) I hear from Agnitum. Here's that for you. Whadda ya think?

 

[darkassain]

Good point on the sig, but again, I trust very little at this point until (if) I hear from Agnitum. Here's that for you. Whadda ya think?

click on the sig itself and the click the details button...

if the the sig checks out the there is NO way (emphasis on "no way"...) its malware...
if this the rtm mswinsck file send the zip file (i dont know how Agnitum handles FP) since this is a very important file..
if it does not then there might be tampering going on...:huh:

 

[DJG]

You are of course right, I'm getting over my initial paranoia attack :shock:. Between that and my still-somewhat-there tooth ache, and my PITA neighbor complaining about some fronds that slightly tilt over her side of the fence, it was just getting too overwhelming at once :sarc:.

And actually everything looks rather kosher from the sig end. I'm breathing much easier now :

 

[DJG]

click on the sig itself and the click the details button...
View attachment 19845
if the the sig checks out the there is NO way (emphasis on "no way"...) its malware...
if this the rtm mswinsck file send the zip file (i dont know how Agnitum handles FP) since this is a very important file..
if it does not then there might be tampering going on...:huh:

Actually this is not a core file - it's not part of the MS distribution. It doesn't show up in my current 7600 install since I haven't installed the ZIP file this time around. There's a similarly named DLL that is though, mswsock.dll.

 

[darkassain]

Actually this is not a core file - it's not part of the MS distribution. It doesn't show up in my current 7600 install since I haven't installed the ZIP file this time around. There's a similarly named DLL that is though, mswsock.dll.

rightly noted DJG....
you are correct of course, the dll is the critical one not the ocx (got the two files mixed up....)...

 

[DJG]

And a very important file it is. Sock management is very important. Socks keep your feet warm in the winter, and your shoes from getting smelly. Managing Win sockets is also very important .

BTW, I've been trying to fathom "In a ... lazy eight portal?

And FYI, I believe Marie Antoinette did - or at least so I've been told. Might want to check it out, though I think she's out in France somewhere, and probably doesn't even visit the forum ... most likely not something you'd want to lose your head over.

 

[Mercurial]

I'd say change your AV ;

 

[Antman]

This thread is good example of analysis in action. I hope that at least one reader has learned or refreshed a skill. We needn't be slaves to system or security utilities when careful examination of an error condition is equally effective. Thank you guys, Dark Assassin (+1 pending some spread) and DJGeneration (+1).

 

[DJG]

I'd say change your AV ;

Change what has been an excellent firewall and AV because of a single false positive? Much rather have several of those than a single false negative .

 

[DJG]

This thread is good example of analysis in action. I hope that at least one reader has learned or refreshed a skill. We needn't be slaves to system or security utilities when careful examination of an error condition is equally effective. Thank you guys, Dark Assassin (+1 pending some spread) and DJGeneration (+1).

Well, who am I to argue with such wisdom . Gotta say DA has been a great thread asset here. He gets mine!

 

[Mercurial]

I'd go with no false positive at all XD...

and I just can't understand antmant's posts it just requires lots of thinking X_X;

 

[DJG]

I'd go with no false positive at all XD...

and I just can't understand antmant's posts it just requires lots of thinking X_X;

Just think of Antman as the Thinking Man's Thinking Man ...

Or as somebody once said,

The only difference between you & me is that I have the power of mind-over-matter, and you have no mind and it doesn't seem to matter ...

Well, you can't fool me, I've seen you thinking .

 

[zay]

:huh:

 

[darkassain]

This thread is good example of analysis in action. I hope that at least one reader has learned or refreshed a skill. We needn't be slaves to system or security utilities when careful examination of an error condition is equally effective. Thank you guys, Dark Assassin (+1 pending some spread) and DJGeneration (+1).

Well, who am I to argue with such wisdom . Gotta say DA has been a great thread asset here. He gets mine!

oh you guys flatter me...

I'd go with no false positive at all XD...

and I just can't understand antmant's posts it just requires lots of thinking X_X;

Just think of Antman as the Thinking Man's Thinking Man ...

Or as somebody once said,

The only difference between you & me is that I have the power of mind-over-matter, and you have no mind and it doesn't seem to matter ...

Well, you can't fool me, I've seen you thinking .

:roflmao:

 

[Antman]

There is a singular quality of pride that a man, such as myself, is not often afforded the opportunity to feel -

If it ain't broke, your not working hard enough...
"You can always tell a programmer, you just can't tell him much." -Antman
proud novice java coder and beginner javascript coder
​

If only today was one of those days...

​

 

[damoh]

Its a trojan that helps propogate further viruses or worms. I had it and MSE was the only thing that detected it. Ill find the link again and post it on here

 

[DJG]

Thanks, damoh. Let's see where this ends up. I'm hoping for a false positive. OTOH, I've realized that my use of the installed software does not involve use of the OCX, so that may be why I haven't had any problems if it is indeed infected.