
Version 0.63


  • This topic is locked
8 replies to this topic

#1 RubbeR DuckY

    Marcin

  • Root Admin
  • 4,148 posts
  • Gender:Male

Posted 02 August 2007 - 02:47 AM

Just a small update with minor improvements. Released it because of that memory leak. Also some settings were not working correctly. Comments and suggestions open in this thread as always.
Marcin Kleczynski
Chief Executive Officer

Follow us: Twitter, Become a fan: Facebook

#2 ipl_001

    Advanced Member

  • Experts
  • 135 posts
  • Gender:Male
  • Location:Paris, France
  • Interests:Genealogy, Languages and Linguistics, Computing, Sciences and Cultures

Posted 02 August 2007 - 12:41 PM

Hi Marcin, Bruce, hi everyone,

Just a small update with minor improvements. Released it because of that memory leak. Also some settings were not working correctly. Comments and suggestions open in this thread as always.

LOL
I don't know why you say these are just minor improvements, as the results are impressive!

My last tests were v0.62 / DBv109 / 5236 fingerprints; the Quick Scan gave a "rootkit"!
Thanks for the explanations regarding this "0-byte rootkit", which was a file added by MBAM and not deleted, for some reason!
By the way Bruce, I know how to run a Developer scan and I'll do this in case of another FP!

~~

Today,
- upgraded to v0.63 -> surprisingly, my v109/5236 database went back to v105/5218
Latest News still blocked at v0.61
- update -> MBAMv0.63 DBv110/5272 fingerprints

- Quick Scan -> 4 minutes 56 seconds for 10,092 objects -> fine!

- Full Scan -> 47 minutes 7 seconds for 70,584 objects -> 13 infected files! i.e. big improvements for my personal case!

My previous infectious files were caught by MBAM, except that in the meantime I had added another one! :D

Here's my log:

Malwarebytes' Anti-Malware Version 0.63
This logfile was saved before the removal process.
Database version: 110

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Gérard\Mes documents\GerardMelone\Zeb'Campus\Infections\patch.exe (Trojan.Tibs) -> No action taken.
C:\Documents and Settings\Gérard\Mes documents\GerardMelone\Zeb'Campus\Infections\dChauveinc\dllhst.exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Gérard\Mes documents\GerardMelone\Zeb'Campus\Infections\dChauveinc\eventmgr.exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Gérard\Mes documents\GerardMelone\Zeb'Campus\Infections\dChauveinc\read.exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Gérard\Mes documents\GerardMelone\Zeb'Campus\Infections\funny\funny.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Gérard\Mes documents\GerardMelone\Zeb'Campus\Infections\Temp\dllhst.exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Gérard\Mes documents\GerardMelone\Zeb'Campus\Infections\Temp\eventmgr.exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Gérard\Mes documents\GerardMelone\Zeb'Campus\Infections\Temp\funny.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Gérard\Mes documents\GerardMelone\Zeb'Campus\Infections\Temp\patch.exe (Trojan.Tibs) -> No action taken.
C:\Documents and Settings\Gérard\Mes documents\GerardMelone\Zeb'Campus\Infections\Temp\read.exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Gérard\Mes documents\GerardMelone\Zeb'Campus\Infections\Temp\WinSecUp.exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Gérard\Mes documents\GerardMelone\Zeb'Campus\Infections\X\read.exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Gérard\Mes documents\GerardMelone\Zeb'Campus\Infections\X\WinSecUp.exe (Backdoor.Bot) -> No action taken.

13 files found!

In the meantime, I added 'fungame.exe' (20,992 bytes), which was not detected!
Described as Win32:Agent-JSL [Trj] by Avast!

Here's VirusTotal's log:

File fungame.exe received on 08.02.2007 19:20:46 (CET)
Result: 30/31 (96.78%)

Antivirus Version Last Update Result

AhnLab-V3 2007.8.3.0 2007.08.02 Dropper/Agent.20992.I
AntiVir 7.4.0.57 2007.08.02 TR/Ntech.A
Authentium 4.93.8 2007.08.02 W32/Downldr2.AOUA
Avast 4.7.1029.0 2007.08.02 Win32:Agent-JSL
AVG 7.5.0.476 2007.08.02 Downloader.Agent.OGE
BitDefender 7.2 2007.08.02 Trojan.Kobcka.A
CAT-QuickHeal 9.00 2007.08.01 TrojanDownloader.Agent.brk
ClamAV 0.91 2007.08.02 Trojan.Downloader-12017
DrWeb 4.33 2007.08.02 BackDoor.Bulknet
eSafe 7.0.15.0 2007.07.31 Win32.Agent.brk
eTrust-Vet 31.1.5026 2007.08.02 Win32/Cutwail!generic
Ewido 4.0 2007.08.02 Downloader.Agent.brk
FileAdvisor 1 2007.08.02 -
Fortinet 2.91.0.0 2007.08.02 W32/Agent.AUH!tr
F-Prot 4.3.2.48 2007.08.02 W32/Downldr2.AOUA
F-Secure 6.70.13030.0 2007.08.02 Trojan-Downloader.Win32.Agent.brk
Ikarus T3.1.1.8 2007.08.02 Trojan.Win32.Agent.auh
Kaspersky 4.0.2.24 2007.08.02 Trojan-Downloader.Win32.Agent.brk
McAfee 5088 2007.08.01 Spy-Agent.bv.dldr
Microsoft 1.2704 2007.08.02 Worm:Win32/Nuwar.JU
NOD32v2 2433 2007.08.02 Win32/TrojanDownloader.Agent.BRK
Norman 5.80.02 2007.08.02 W32/Agent.BXFQ
Panda 9.0.0.4 2007.08.02 Bck/Haxdoor.PL
Rising 19.34.32.00 2007.08.02 Trojan.Win32.Agent.tuq
Sophos 4.19.0 2007.08.01 Troj/Agent-FZG
Sunbelt 2.2.907.0 2007.08.02 Trojan-Downloader.Win32.Agent.brk
Symantec 10 2007.08.02 Trojan.Pandex
TheHacker 6.1.7.160 2007.08.01 Trojan/Downloader.Agent.brk
VBA32 3.12.2.2 2007.08.01 Trojan.Win32.Agent.auh
VirusBuster 4.3.26:9 2007.08.02 Trojan.DL.Agent.Gen.8
Webwasher-Gateway 6.0.1 2007.08.02 Trojan.Ntech.A

Additional information
File size: 20992 bytes
MD5: 2eefd084d54649b4da2176d6fea24fb5
SHA1: e7274a3fef1b1adc80a7274ed399cba1feb64664

Nasty beast, isn't it?
Gérard
Don't give up... that is what they want us to do... Budfred!

#3 RubbeR DuckY

    Marcin

  • Root Admin
  • 4,148 posts
  • Gender:Male

Posted 02 August 2007 - 12:50 PM

Gérard,

Can you upload it instead? You do not have to zip it up =). http://uploads.malwarebytes.org. After you upload it, can you remove it from your post? :D
Marcin Kleczynski
Chief Executive Officer

#4 ipl_001

    Advanced Member

  • Experts
  • 135 posts
  • Gender:Male
  • Location:Paris, France
  • Interests:Genealogy, Languages and Linguistics, Computing, Sciences and Cultures

Posted 02 August 2007 - 01:05 PM

Marcin,

Malwarebytes’ Malware Upload Center

Thanks! The file fungame.exe has been uploaded!

Uploaded! Attachment removed!
Gérard
Don't give up... that is what they want us to do... Budfred!

#5 joe53

    Advanced Member

  • Honorary Members
  • 151 posts
  • Gender:Male

Posted 02 August 2007 - 08:01 PM

False positive detection of atl71.dll (ATL Module for Windows (Unicode))?

Malwarebytes' Anti-Malware Version 0.63
This logfile was saved before the removal process.
Database version: 112

Files Infected:
C:\WINDOWS\system32\atl71.dll (Adware.Accoona)


virusscanjotti is 100% clean:
atl71.dll
MD5: 8f2097e8b174f38178570c611464935f

#6 lurkingatu2

    Advanced Member

  • Honorary Members
  • 171 posts
  • Gender:Male
  • Location:Oregon

Posted 02 August 2007 - 08:17 PM

mbam 0.63 database:112 fingerprints:5314 did a quick scan and mbam 0.63 found this

Malwarebytes' Anti-Malware Version 0.63
This logfile was saved before the removal process.
Database version: 112

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\atl71.dll (Adware.Accoona) -> No action taken.
and also during the scan comodo firewall 2.4 went off and says this :D

Date/Time :2007-08-02 17:49:53
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (sched.exe)
Application: C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 127.0.0.1::18350
Details: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe modified the memory of C:\Program Files\AntiVir PersonalEdition Classic\sched.exe in memory.

:D

Date/Time :2007-08-02 17:49:07
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (MSNAccel.exe)
Application: C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\MSNAccel.exe
Parent: C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
Protocol: TCP Out
Destination: 65.54.154.20::32769
Details: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe modified the memory of C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\MSNAccel.exe in memory.

:D

Date/Time :2007-08-02 17:49:05
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (MSNAccel.exe)
Application: C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\MSNAccel.exe
Parent: C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
Protocol: UDP Out
Destination: 65.54.154.20::33607
Details: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe modified the memory of the Parent application C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe in memory.
Date/Time :2007-08-02 17:48:45

:( then i opened iexplorer to come here and comodo goes off again and says :)

Date/Time :2007-08-02 17:55:09
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (MSNAccel.exe)
Application: C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\MSNAccel.exe
Parent: C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
Protocol: TCP Out
Destination: 127.0.0.1::2983
Details: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe modified the memory of C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\MSNAccel.exe in memory.

:)

Date/Time :2007-08-02 17:55:01
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 127.0.0.1::9022
Details: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe modified the memory of the Parent application C:\WINDOWS\explorer.exe in memory.
Date/Time :2007-08-02 17:53:45

after i used ccleaner comodo stopped the popups :)
AMD 3500+
2gb memory
Win Xp Pro MCE sp3
Webroot SecureAnywhere Essentials
Malwarebytes Pro
Superantispyware pro
Sandboxie
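The scan logs in posts #2, #5 and #6 share one layout: a header with version and database, a summary block of "<section> Infected: N" counts, then each section listed again with either "(No malicious items detected)" or one "path (Detection) -> action" line per hit. The following Python is an added example, not code from this thread or from Malwarebytes; it parses that layout, checks that each declared count matches the items actually listed (a cheap way to spot a truncated paste), groups hits by detection family, and flags anything under the Windows system directory for a hash check against a clean copy or multi-engine lookup before removal, which is exactly how joe53 caught the atl71.dll false positive. The embedded log is constructed in the thread's format, and the regexes and the system-directory rule are assumptions of mine, not an MBAM specification.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout of the MBAM 0.63 logs posted in this thread.
# Paths and names are illustrative; the atl71.dll line mirrors the false
# positive reported in post #5, which Jotti found clean.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware Version 0.63
This logfile was saved before the removal process.
Database version: 112

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\Samples\patch.exe (Trojan.Tibs) -> No action taken.
C:\WINDOWS\system32\atl71.dll (Adware.Accoona) -> No action taken.
"""

# Same log with the last item line cut off: the declared count no longer matches.
TRUNCATED_LOG = SAMPLE_LOG.rsplit("\n", 2)[0] + "\n"

# Assumed line shapes, inferred from the posted logs (not an MBAM specification).
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\)(?: -> (?P<action>.+?)\.?)?$")
# Assumed rule: hits on files in Windows system directories get verified first.
SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\(?:system32|system)\\", re.IGNORECASE)


@dataclass
class Detection:
    section: str
    path: str
    detection: str
    action: Optional[str]  # None when the log has no "-> action" suffix (post #5 form)

    @property
    def family(self) -> str:
        """'Backdoor.Bot' -> 'Backdoor'; 'Trojan.Tibs' -> 'Trojan'."""
        return self.detection.split(".", 1)[0]


@dataclass
class ScanReport:
    version: Optional[str] = None
    database: Optional[str] = None
    declared: Dict[str, int] = field(default_factory=dict)
    items: Dict[str, List[Detection]] = field(default_factory=dict)

    def all_items(self) -> List[Detection]:
        return [d for section in self.items.values() for d in section]

    def mismatches(self) -> Dict[str, tuple]:
        """Sections whose declared count differs from the listed items, as
        (declared, listed). Non-empty means the log is truncated or malformed."""
        out = {}
        for section, declared in self.declared.items():
            listed = len(self.items.get(section, []))
            if declared != listed:
                out[section] = (declared, listed)
        return out

    def families(self) -> Counter:
        return Counter(d.family for d in self.all_items())

    def review_candidates(self) -> List[Detection]:
        """Hits in Windows system directories: confirm by hash before deleting."""
        return [d for d in self.all_items() if SYSTEM_DIR_RE.match(d.path)]


def parse_mbam_log(text: str) -> ScanReport:
    report = ScanReport()
    current: Optional[str] = None  # section whose item lines we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware Version "):
            report.version = line.rsplit(" ", 1)[1]
            continue
        if line.startswith("Database version: "):
            report.database = line.split(": ", 1)[1]
            continue
        m = SUMMARY_RE.match(line)
        if m:  # summary block: remember the declared count, we are not in a section
            report.declared[m["section"]] = int(m["count"])
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:  # start of a detail section
            current = m["section"]
            report.items.setdefault(current, [])
            continue
        if current is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            report.items[current].append(
                Detection(current, m["path"], m["detection"], m["action"]))
    return report


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_LOG), ("truncated", TRUNCATED_LOG)):
        r = parse_mbam_log(text)
        print(f"[{label}] MBAM {r.version}, DB {r.database}: {dict(r.families())}")
        print("  count mismatches:", r.mismatches() or "none")
        for d in r.review_candidates():
            print(f"  verify before removal: {d.path} ({d.detection})")
```

Running the module prints the family breakdown for both logs, reports the "Files Infected: (2, 1)" mismatch for the truncated copy, and lists atl71.dll as a hit to verify by hash before acting on it; the Counter-per-family view is the quickest way to see, as in post #2, that most of a scan's hits belong to one backdoor family rather than thirteen unrelated threats.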

#7 nosirrah

    Forum Deity

  • Administrators
  • 5,452 posts
  • Gender:Male
  • Location:Northampton, MA USA

Posted 02 August 2007 - 08:34 PM

virusscanjotti is 100% clean:
atl71.dll
MD5: 8f2097e8b174f38178570c611464935f

Will be removed in next update .
Bruce Harrison
Vice President of Research

#8 nosirrah

    Forum Deity

  • Administrators
  • 5,452 posts
  • Gender:Male
  • Location:Northampton, MA USA

Posted 02 August 2007 - 08:42 PM

Removed as of now .
Bruce Harrison
Vice President of Research

#9 RubbeR DuckY

    Marcin

  • Root Admin
  • 4,148 posts
  • Gender:Male

Posted 02 August 2007 - 09:08 PM

No clue why Comodo is complaining. All I do is query information, not modify.
Marcin Kleczynski
Chief Executive Officer



