False positive

#1 manero_manero
Posted 28 February 2009 - 03:09 AM

Hi, in the two Malwarebytes logs below, malware has been identified in plugins of banks in Brazil.
Look:

Malwarebytes' Anti-Malware 1.34
Versão do banco de dados: 1812
Windows 5.1.2600 Service Pack 3

28/2/2009 04:17:26
mbam-log-2009-02-28 (04-17-23).txt

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 1
Valores do Registro infectados: 1
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 1

Chaves do Registro infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/uni.gpc (Trojan.Agent) -> No action taken.

Valores do Registro infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\uni.gpc (Trojan.Agent) -> No action taken.

Arquivos infectados:
C:\WINDOWS\Downloaded Program Files\uni.gpc (Trojan.Agent) -> No action taken.


And ..

Malwarebytes' Anti-Malware 1.34
Versão do banco de dados: 1812
Windows 5.1.2600 Service Pack 3

28/2/2009 04:52:38
mbam-log-2009-02-28 (04-52-38).txt

Tipo de Verificação: Rápida
Objetos verificados: 59558
Tempo decorrido: 5 minute(s), 14 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 2
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 1

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c41a1c0e-ea6c-11d4-b1b8-444553540003} (Trojan.BHO) -> Not selected for removal.
HKEY_CLASSES_ROOT\CLSID\{c41a1c0e-ea6c-11d4-b1b8-444553540003} (Trojan.BHO) -> Not selected for removal.

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
C:\Arquivos de programas\GbPlugin\gbiehcef.dll (Trojan.BHO) -> Not selected for removal.


Thank you for your attention!
Best Regards
Manero

#2 Einstein
Posted 28 February 2009 - 09:39 AM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/uni.gpc (Trojan.Agent) -> No action taken.
Valores do Registro infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\uni.gpc (Trojan.Agent) -> No action taken.
Arquivos infectados:
C:\WINDOWS\Downloaded Program Files\uni.gpc (Trojan.Agent) -> No action taken.

It's true. In the first log, these entries are from GbPlugin, used by the Brazilian bank Unibanco. These are the legitimate files of this plugin:

gbiehuni.dll
Tamanho: 368640 bytes
MD5: 7b175796380360b0ae0d020c330f2045
C:\Arquivos de programas\GbPlugin\gbiehuni.dll

uni.gpc
Tamanho: 33312 bytes
MD5: 6833c0cd3ace03108d957313b9e00408
C:\Arquivos de programas\GbPlugin\uni.gpc

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Arquivos de programas\GbPlugin\gbiehuni.dll
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking...GbPluginUni.cab
O20 - Winlogon Notify: GbPluginUni - C:\Arquivos de programas\GbPlugin\gbiehuni.dll

----------

Chaves do Registro infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c41a1c0e-ea6c-11d4-b1b8-444553540003} (Trojan.BHO) -> Not selected for removal.
HKEY_CLASSES_ROOT\CLSID\{c41a1c0e-ea6c-11d4-b1b8-444553540003} (Trojan.BHO) -> Not selected for removal.

In the second log, these entries are also legitimate. They belong to the internet banking plugin of Caixa.
These are the legitimate files of this plugin:

cef.gpc
Tamanho: 64431 bytes
MD5: 1D224338D4BB9A5B15D46496BBD5056D
C:\Arquivos de programas\GbPlugin\cef.gpc

gbiehcef.dll
Tamanho: 366672 bytes
MD5: 285176E4BC7D6778D9740E69BC584302
C:\Arquivos de programas\GbPlugin\gbiehcef.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll


Marcin/Bruce, please review this false positive.

:rolleyes:
Malware Researcher | www.linhadefensiva.org
ASAP Member * Alliance of Security Analysis Professionals
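A triage helper for the check Einstein performs above (compare each file MBAM flagged against the legitimate sizes and MD5s he posted), as an added example that is not code from this thread or from Malwarebytes. The allowlist values are the ones posted above, the sample log excerpt is constructed, and the hasher is injectable so the logic can be exercised without the files present.

```python
import hashlib
import re
# Allowlist from Einstein's post, keyed by full lower-cased path -> (size in bytes, MD5): both must match, and a same-named file in another directory is not cleared.
KNOWN_GOOD = {
    r"c:\arquivos de programas\gbplugin\gbiehuni.dll": (368640, "7b175796380360b0ae0d020c330f2045"),
    r"c:\arquivos de programas\gbplugin\uni.gpc": (33312, "6833c0cd3ace03108d957313b9e00408"),
    r"c:\arquivos de programas\gbplugin\cef.gpc": (64431, "1d224338d4bb9a5b15d46496bbd5056d"),
    r"c:\arquivos de programas\gbplugin\gbiehcef.dll": (366672, "285176e4bc7d6778d9740e69bc584302"),
}

# Constructed sample: two lines from the post #4 dev log (id replaced by a placeholder) plus a made-up file.
SAMPLE_LOG = r"""Chaves do Registro infectadas:
HKEY_CLASSES_ROOT\CLSID\{c41a1c0e-ea6c-11d4-b1b8-444553540003} (Trojan.BHO) -> No action taken. [dev-log-id]
Arquivos infectados:
C:\Arquivos de programas\GbPlugin\gbiehcef.dll (Trojan.BHO) -> No action taken. [dev-log-id]
C:\Arquivos de programas\GbPlugin\notlisted.dll (Trojan.BHO) -> No action taken. [dev-log-id]
"""

# One detection line: "<path or registry key> (<Name>) -> <action>[ <dev-log id>]"
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<name>[\w.]+)\) -> (?P<action>[^\[]+?)(?: \[[^\]]+\])?$")
def parse_detections(log_text):
    """Return (section, item, detection_name) for each detection line under its section header."""
    section, found = None, []
    for line in (l.strip() for l in log_text.splitlines()):
        m = DETECTION.match(line)
        if line.endswith(":"):
            section = line[:-1]
        elif m:
            found.append((section, m.group("item"), m.group("name")))
    return found
def size_and_md5(path):
    # Reads the file on disk; only called for paths that are on the allowlist.
    data = open(path, "rb").read()
    return len(data), hashlib.md5(data).hexdigest()

def triage(log_text, hasher=size_and_md5):
    """Map each flagged item to a verdict; hasher is injectable so the logic runs offline in tests."""
    verdict = {}
    for section, item, _ in parse_detections(log_text):
        expected = KNOWN_GOOD.get(item.lower())
        if section != "Arquivos infectados":
            verdict[item] = "registry-entry"   # judge the file the key points at, not the key
        elif expected is None:
            verdict[item] = "unknown"          # not on the allowlist: keep the detection
        else:
            try:
                verdict[item] = "known-good" if hasher(item) == expected else "hash-mismatch"
            except OSError:
                verdict[item] = "missing"
    return verdict
```

A "hash-mismatch" verdict is the important one: a file at a known-good path whose hash differs is exactly what a tampered or trojanised plugin would look like, so it must stay a detection.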

#3 nosirrah
Posted 03 March 2009 - 12:19 PM

Please generate dev logs for these FPs:

http://www.malwareby...?showtopic=3228

@Einstein make sure to remind all guests with potential FPs to generate a dev log with the instructions at the top of this forum section.
Bruce Harrison
Vice President of Research


#4 manero_manero
Posted 04 March 2009 - 06:34 AM

In response to your message, Bruce, here is the log:

Malwarebytes' Anti-Malware 1.34
Versão do banco de dados: 1815
Windows 5.1.2600 Service Pack 3

4/3/2009 08:28:31
mbam-log-2009-03-04 (08-28-28).txt

Tipo de Verificação: Rápida
Objetos verificados: 59789
Tempo decorrido: 4 minute(s), 44 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 2
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 1

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c41a1c0e-ea6c-11d4-b1b8-444553540003} (Trojan.BHO) -> No action taken. [3541483053838075667915354148130140143586848570830135838088847083013770717079847001363839]
HKEY_CLASSES_ROOT\CLSID\{c41a1c0e-ea6c-11d4-b1b8-444553540003} (Trojan.BHO) -> No action taken. [3541483053838075667915354148130140143586848570830135838088847083013770717079847001363839]

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
C:\Arquivos de programas\GbPlugin\gbiehcef.dll (Trojan.BHO) -> No action taken. [3541483053838075667915354148130140143586848570830135838088847083013770717079847001363839]


"Sorry for not having read the instructions in the topic."
Is this in English? ;)
Thanks!

#5 nosirrah
Posted 04 March 2009 - 10:45 AM

Thanks, resolved in next update.
Bruce Harrison
Vice President of Research


#6 Einstein
Posted 04 March 2009 - 10:49 AM

make sure to remind all guests with potential FPs to generate a dev log with the instructions

Sorry, I'll do it in the next report.

resolved in next update.

Thanks a lot!

;)
Malware Researcher | www.linhadefensiva.org
ASAP Member * Alliance of Security Analysis Professionals
