Author Topic: Trojan WifiKill or FP?  (Read 9125 times)


Offline polonus

Trojan WifiKill or FP?
« on: September 09, 2007, 08:35:36 PM »
Hello malware fighters,

I loaded up Kill1211.exe
File size: 24576 bytes
MD5: 2b7cdb2f62367af88f9ee4ad8d983c09
SHA1: cc9c676c114bf9bd69411e2e0787eff94cb8ea78
to Virustotal; only DrWeb flagged this as Trojan WifiKill, the rest of the 32 scanners reported it as clean.
Apparently an FP?
But then I found this: This is a system32 hidden folder Wireless Lan Configuration Tool plus X-Micro Wlang 11 g USB Adapter
This executable program has a file size of 24,576 bytes; it is most frequently called KILL1211.EXE and is most frequently located in the %windir%\system32\ folder.
This file is considered unsafe. It was first seen on Saturday, Jun 2 2007. It has been seen frequently by 85 users in this section of the community. The file was first seen in BELGIUM but has been seen in other locations, including The EUROPEAN UNION.
KILL1211.EXE has yet to be seen running in this section of the community.
KILL1211.EXE has been the subject of the following behavior:
- Process creation
- Process deletion

Does anyone have more information?

polonus
« Last Edit: September 09, 2007, 08:55:38 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
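As an added example (not code from the thread, nor from Avast, VirusTotal or Acer), here is a small Python triage helper that does the checks the first post describes: it hashes a file, compares size, MD5 and SHA1 with the values polonus posted, notes whether the file sits under %windir%\system32, and sets it aside by renaming rather than deleting, as suggested later in the thread. The function and parameter names (triage, set_aside, windir) are my own.

```python
# Example triage helper for a suspect file like the KILL1211.EXE in this
# thread. Not code from the thread, Avast, VirusTotal or Acer; all names
# are my own. Indicator values below are the ones polonus posted.
import hashlib
import os
from dataclasses import dataclass
from pathlib import Path

KNOWN_SIZE = 24576                                          # bytes
KNOWN_MD5 = "2b7cdb2f62367af88f9ee4ad8d983c09"
KNOWN_SHA1 = "cc9c676c114bf9bd69411e2e0787eff94cb8ea78"


@dataclass
class Verdict:
    size: int
    md5: str
    sha1: str
    matches_sample: bool   # byte-identical to the file sent to VirusTotal
    in_system32: bool      # located under <windir>\system32


def hash_file(path):
    """Return (size, md5 hex, sha1 hex), streaming in 64 KiB chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha1.hexdigest()


def triage(path, windir=None):
    """Compare the file with the posted indicators and note its location.
    windir defaults to %SystemRoot% (assumed C:\\Windows when unset)."""
    size, md5, sha1 = hash_file(path)
    windir = windir or os.environ.get("SystemRoot", r"C:\Windows")
    sys32 = Path(windir, "system32").resolve()
    in_sys32 = sys32 in Path(path).resolve().parents
    same = (size, md5, sha1) == (KNOWN_SIZE, KNOWN_MD5, KNOWN_SHA1)
    return Verdict(size, md5, sha1, same, in_sys32)


def set_aside(path):
    """Rename x.exe to x.exe.old (as the thread suggests) instead of deleting."""
    target = Path(str(path) + ".old")
    os.rename(path, target)
    return target
```

A file that matches all three indicators is the exact sample VirusTotal scanned; a file with the same name but different hashes is a different binary and deserves its own scan.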

Offline Lisandro

Re: Trojan WifiKill or FP?
« Reply #1 on: September 09, 2007, 09:34:41 PM »
Apparently an FP?
With this file name in the system32 folder?
Rather strange... I don't think it's a false positive.
Maybe you can submit the file again and check if the list of the engines that detect it increases...
The best things in life are free.

Offline polonus

Re: Trojan WifiKill or FP?
« Reply #2 on: September 09, 2007, 10:52:48 PM »
Hi Tech,

It seems the file is exclusively for Acer computers. Just one flag by DrWeb does not make it a trojan file, but I'd like to get some additional info from others. It could have been recently added by DrWeb, or I have to check a backup of my files to see if it is there as well. Anyone with additional info?
Like here: http://www.computerbase.de/forum/member.php?s=61d40283c69ec61f954f8db6c28407c5&u=254493

polonus
« Last Edit: September 09, 2007, 11:21:56 PM by polonus »

Offline polonus

Re: Trojan WifiKill or FP?
« Reply #3 on: September 09, 2007, 11:36:37 PM »
Virustotal records found by Dr.Web -Safe'n'Sec

File Kill1211.exe received on 07.15.2007 22:38:58 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.14 no virus found
AntiVir 7.4.0.42 2007.07.15 no virus found
Authentium 4.93.8 2007.07.13 no virus found
Avast 4.7.997.0 2007.07.13 no virus found
AVG 7.5.0.476 2007.07.15 no virus found
BitDefender 7.2 2007.07.15 no virus found
CAT-QuickHeal 9.00 2007.07.14 no virus found
ClamAV devel-20070416 2007.07.15 no virus found
DrWeb 4.33 2007.07.15 Trojan.WiFiKill
eSafe 7.0.15.0 2007.07.10 no virus found
eTrust-Vet 30.8.3784 2007.07.14 no virus found
Ewido 4.0 2007.07.14 no virus found
FileAdvisor 1 2007.07.15 no virus found
Fortinet 2.91.0.0 2007.07.14 no virus found
F-Prot 4.3.2.48 2007.07.13 no virus found
Ikarus T3.1.1.8 2007.07.15 no virus found
Kaspersky 4.0.2.24 2007.07.15 no virus found
McAfee 5074 2007.07.13 no virus found
Microsoft 1.2704 2007.07.15 no virus found
NOD32v2 2399 2007.07.14 no virus found
Norman 5.80.02 2007.07.13 no virus found
Panda 9.0.0.4 2007.07.15 no virus found
Sophos 4.19.0 2007.07.06 no virus found
Sunbelt 2.2.907.0 2007.07.14 no virus found
Symantec 10 2007.07.15 no virus found
TheHacker 6.1.6.146 2007.07.13 no virus found
VBA32 3.12.0.2 2007.07.14 no virus found
VirusBuster 4.3.23:9 2007.07.15 no virus found
Webwasher-Gateway 6.0.1 2007.07.15 no virus found
Aditional information
File size: 24576 bytes
MD5: 2b7cdb2f62367af88f9ee4ad8d983c09
SHA1: cc9c676c114bf9bd69411e2e0787eff94cb8ea78


Edit: it was also sent to Avira and Eset.

I'd like to hear from Avast, if it isn't an FP, why it was not picked up.

mauserme

Re: Trojan WifiKill or FP?
« Reply #4 on: September 09, 2007, 11:43:01 PM »
It seems the file is exclusively for Acer computers.
pol, I'm on an Acer laptop with Vista Home Premium and do not find that file (searched for kill1211.exe and kill*.exe as well as looking directly in system32).

Maybe specific to XP, or maybe related to your earlier potential ComboFix detection?

Offline polonus

Re: Trojan WifiKill or FP?
« Reply #5 on: September 10, 2007, 12:20:31 AM »
Hi Mauserme,

I cannot come up with something definitive. I do not like to delete the file if it is something essential; instead I could rename it or put it in another place (drive). Consider this link: http://www.bleepingcomputer.com/forums/topic54375.html
The find of DrWeb's was not that recent - 15th of September last, as far as it was uploaded to Virustotal, according to the German virus forum. I also found this link:
http://www.bleepingcomputer.com/forums/topic54375.html
I'd appreciate your feeling about this, the more so since I saw things mentioned in Comodo alerts, like using global hooks and starting notepad.exe through a global hook with browseui.dll, or OLE automation via Hijackthis.exe and once Temp\RarSFXO\start.exe for firefox.exe and Internet Explorer. What is this? Rather scary behavior?

polonus

mauserme

Re: Trojan WifiKill or FP?
« Reply #6 on: September 10, 2007, 04:15:44 AM »
I cannot come up with something definitive.
Nor can I.  In the end this may prove to be nothing more than a PUP, similar to killwind.exe that we discuss here every few months, but that ComboFix reboot and the firewall activity calls for more research.

I know you deleted the ComboFix program files, but is there any chance the logs are still present? They would be

C:\ComboFix.txt and

C:\ComboFix-quarantined-files.txt

Offline polonus

Re: Trojan WifiKill or FP?
« Reply #7 on: September 10, 2007, 08:56:36 PM »
Hi Mauserme

What would you say I do: repeat the ComboFix routine again, in the hope of getting something definitive in the logs? Where I had them, I cannot dig them up with a restoration program, because it is a normal user account. I placed it on my normal user account on this XP machine; the other is my normal account with full rights. Have a key scrambler installed, but I think I am not trojaned. My browsers fly from a USB stick (I use IE just for updating M$), so Comodo also complains the browser starts are invisible, and using global hooks is not out of the ordinary then, but I hesitate a bit about hijackthis.exe also loading browseui.dll on two occasions.
Gmer gives nothing to worry about; full scans with ewido and a-squared found nothing. Have COMODO BoClean, newly installed the Comodo FW to see whether it was OK. Had the latest patches for the nsExternalHelperAppService file in Firefox to harden against a URI handler exploit via IE. But everything seems normal now.

polonus

mauserme

Re: Trojan WifiKill or FP?
« Reply #8 on: September 11, 2007, 03:40:41 AM »
... I think I am not trojaned.
You know your computer better than us pol, and you know what to look for if you are infected.  If it seems clean to you then maybe just rename kill1211.exe and tuck it away in a safe place for a while.  Scanning it again in a couple weeks may alleviate the concerns.

Offline polonus

Re: Trojan WifiKill or FP?
« Reply #9 on: September 11, 2007, 05:54:07 PM »
Hi Keith

Here is info I found at castlecops:
http://www.castlecops.com/modules.php?&name=Forums&file=viewtopic&p=964199#964199

So I changed the extension to old, and see what happens from there.
Thanks for thinking along with me, it is great to have you here on this forum.

Damian

mauserme

Re: Trojan WifiKill or FP?
« Reply #10 on: September 12, 2007, 04:47:00 AM »
Thanks for the link Damian. Keep this thread updated if you don't mind.  I'll be interested to know the outcome.

Offline polonus

Re: Trojan WifiKill or FP?
« Reply #11 on: September 12, 2007, 09:00:32 PM »
Hi mauserme,

I sent an email to Acer to ask about this dll (part of their configuration apparently) and to provide us with some more info. Hope they will answer the mail.

polonus