What's your opinion on this VT report

Discussion in 'Anti-Virus' started by Virus Guy, Feb 4, 2012.

  1. Virus Guy

    Virus Guy Guest


    Any chance this is a false-positive report?
    Virus Guy, Feb 4, 2012

  2. Of course, there's always a chance. It could be the packing is very very
    similar to that which known malware uses.
    FromTheRafters, Feb 4, 2012

  3. Maybe, it is possible. However, since there is a consistent detection of Win32/Sefnit,
    that might not be the case.

    Do you have the file? If yes, I will take a look at it.
    David H. Lipman, Feb 4, 2012
  4. Virus Guy

    Virus Guy Guest

    Virus Guy wrote:

    The original file (security-monitor-pro-4.33.exe) has a size of
    12,014,232 bytes, and as the above VT link suggests, it's full of
    malware - predominantly one specific malware -> Sefnit (but also some
    generic flags).

    I used 7-zip to unpack the file. It unpacked into a small sub-directory
    structure containing 2 DLL files and 1 exe file:


    Same name as the original archive, with a size of 11,976,176 bytes.

    But get this: VT scans that file and comes up with ZERO hits:


    However, a scan of one of the DLL files turns up this:


    So pVfGBe1C.dll (80 kb) is full of Sefnit. The other file (NSISdl.dll
    73 kb) turns up zero hits.

    So I wonder if I can delete the viral dll file and run the "clean" exe

    Any opinions?

    I can upload the original 12-meg file if anyone wants to analyze it.
    Virus Guy, Feb 4, 2012
  5. Unfortunately, UploadMalware.Com may balk on a 12MB file and I doubt that placing it in a
    ZIP file will decrease its size enough to upload or email it.

    NSISdl.dll came up with zero hits because it is part of the legitimate installer
    package software.
    David H. Lipman, Feb 4, 2012
  6. Virus Guy

    Virus Guy Guest

    Fileden seems to have suffered some sort of intrusion or hack a couple
    of weeks ago, and even though I went through a password reset process I
    can't seem to log into my account.

    So - anyone know of an alternative free file-hosting service?
    Virus Guy, Feb 4, 2012
  7. Dustin

    Dustin Guest

    Dustin, Feb 4, 2012
  8. This is not a False Positive.

    I don't know where you got this from, but it is a case of malicious repackaging of a
    legitimate file with malware.

    The original file, "security-monitor-pro-4.33.exe", is by DeskShare Inc and is digitally
    signed, albeit the certificate expired 9/17/2011. The file security-monitor-pro-4.33.exe
    is packaged using Inno Setup Version v5.2.3.

    Someone else then repackaged "security-monitor-pro-4.33.exe" with the malware DLL
    "pVfGBe1C.dll" using the Nullsoft Scriptable Install System.

    BTW: Although I requested the file, I did not get the file from Virus Guy.
    David H. Lipman, Feb 6, 2012
  9. Virus Guy

    Virus Guy Guest

    Oh sorry - I was going to upload it at some point, but I see you found
    it. I did get it from a torrent.

    I guess after unpacking it I was wondering if even the "legit" file was
    really legit. I suppose it's safe to run the internal (unpacked) exe
    file - the "real" install file?

    What is/was the purpose of the other DLL (NSISdl.dll) ?

    Lots of references on the web to that file and (false?) reports of
    malware detection. Going through several pages of google results and
    still no idea what that file is for. File itself has no properties
    (description, version, company-name, etc).
    Virus Guy, Feb 8, 2012
  10. I got the file from Hispasec Sistemas (Virus Total)

    NSISdl.dll is part of the Nullsoft Scriptable Install System (NSIS) software installation
    packaging application.

    DeskShare Inc's security-monitor-pro-4.33.exe is probably legitimate. In this case the
    malicious actor just took an outdated installer and repackaged it with the malware as a
    delivery mechanism, and it is a perfect example of a "trojan horse".

    I see this kind of repackaging all the time. In one type of schema the malware is placed
    in a password-protected 7zip file. The installer would have the .7z file and a command
    line 7zip extractor. The installer package would provide the password and extract and run
    the malware as well as the legitimate packaged installer. The malware was often a very
    nasty trojan downloader. By password protecting the .7z file, a scan would not see the
    malware, only an encrypted file. Others are more simple, taking a legitimate installer and
    using an archival SFX that would run the malware and the legitimate installer at runtime.
    David H. Lipman, Feb 8, 2012
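Added example (not code from the thread or from any of its posters): a small Python triage script for an installer that has already been unpacked into a directory, the way Virus Guy unpacked the file with 7-zip in post 4. It hashes every file, checks whether each one is a PE, whether it carries a VS_VERSION_INFO block (the "file has no properties" observation in post 9), and which installer frameworks it embeds, so one installer wrapped inside another, the repackaging pattern David H. Lipman describes in posts 8 and 10, shows up as more than one framework across the tree. The marker strings are documented format signatures, but the heuristics, the function names and the sample directory the script builds are my own assumptions and constructions; nothing here is taken from the actual files discussed.

```python
import hashlib
import os
import tempfile

# Publicly documented format strings for common installer/archive frameworks.
# A hit is a hint for the analyst, not proof of anything.
INSTALLER_MARKERS = {
    "NSIS": b"NullsoftInst",
    "Inno Setup": b"Inno Setup Setup Data",
    "7z": b"7z\xbc\xaf\x27\x1c",
}
# Name of the Windows version resource, stored as UTF-16LE inside the PE.
VERSION_INFO_MARKER = "VS_VERSION_INFO".encode("utf-16-le")


def is_pe(data):
    """True when the bytes start with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_file(path):
    """Hash one file and record the cheap static observations used below."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "name": os.path.basename(path),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": is_pe(data),
        "has_version_info": VERSION_INFO_MARKER in data,
        "installer": sorted(k for k, m in INSTALLER_MARKERS.items() if m in data),
    }


def triage_tree(root):
    """Triage every file under an unpacked installer directory, in a stable order."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            entries.append(triage_file(os.path.join(dirpath, name)))
    return entries


def notes(entry):
    """Human-readable observations worth a second look for one file."""
    reasons = []
    if entry["is_pe"] and not entry["has_version_info"]:
        reasons.append("PE with no VS_VERSION_INFO (no description/version/company)")
    if entry["installer"]:
        reasons.append("contains installer payload: " + ", ".join(entry["installer"]))
    return reasons


def nested_installers(entries):
    """Distinct frameworks seen across the tree; more than one suggests that one
    installer was wrapped inside another, as in the thread (NSIS around Inno Setup)."""
    return sorted({fw for e in entries for fw in e["installer"]})


def _fake_pe(payload):
    # Minimal DOS header + PE signature so is_pe() accepts it. Constructed, not a real binary.
    header = b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little")
    return header + b"PE\0\0" + payload


def build_sample_tree():
    """Constructed stand-in for the unpacked directory described in the thread."""
    root = tempfile.mkdtemp(prefix="triage_")
    samples = {
        "wrapper.exe": _fake_pe(b"NullsoftInst" + b"\0" * 64),          # outer NSIS wrapper
        "security-monitor-pro-4.33.exe": _fake_pe(                      # inner vendor installer
            b"Inno Setup Setup Data" + VERSION_INFO_MARKER + b"\0" * 64),
        "NSISdl.dll": _fake_pe(b"\0" * 64),                              # no version block
        "pVfGBe1C.dll": _fake_pe(b"\0" * 64),                            # no version block
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    entries = triage_tree(root)
    for e in entries:
        print(f"{e['name']:32} {e['size']:>7} {e['sha256'][:16]}...  "
              f"{'; '.join(notes(e)) or 'nothing notable'}")
    print("installer frameworks seen:", nested_installers(entries))
```

The version-info check only says "look closer": NSISdl.dll legitimately has no version block either, which is exactly why the thread treats VirusTotal hits, not file properties, as the deciding evidence. The per-file SHA-256 is there so each component can be looked up or submitted on its own, rather than the whole 12 MB package.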