Author Topic: Zbot-K Not sure if false-positive?  (Read 8707 times)


Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Zbot-K Not sure if false-positive?
« Reply #15 on: March 04, 2014, 12:13:32 PM »
Pondus, it's VT. The file was already sent to all the vendors.

Can you upload that file and send me a DL link so I can do a malwr.com analysis?
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Zbot-K Not sure if false-positive?
« Reply #16 on: March 04, 2014, 12:17:02 PM »
Quote
Pondus, it's VT. The file was already sent to all the vendors.
And that is why I gave him all the "how to send to avast lab" options.     ;)


VT give this file info

Quote
Copyright© Microsoft Corporation. All rights reserved.
Publisher Microsoft Corporation
Product Windows® Internet Explorer
Original name IeRtUtil.dll
Internal name IeRtUtil.dll
File version 8.00.6001.23562 (longhorn_ie8_ldr_escrow.140131-1840)
Description Run time utility for Internet Explorer

« Last Edit: March 04, 2014, 12:20:40 PM by Pondus »

paraxeno

  • Guest
Re: Zbot-K Not sure if false-positive?
« Reply #17 on: March 04, 2014, 03:13:22 PM »
Same problem here on Windows XP Pro as well, no option to move or delete; no problem with Windows, that is obvious. I am not that experienced, so as to be able to find where it is.


attaching screenie

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Zbot-K Not sure if false-positive?
« Reply #18 on: March 04, 2014, 05:11:34 PM »
Quote
same problem here on windows XP pro as well no option to move or delete,
see my first reply in this topic......


iXer

  • Guest

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Zbot-K Not sure if false-positive?
« Reply #20 on: March 04, 2014, 06:20:12 PM »
Hi, that malwr analysis doesn't show much. Nothing is being contacted. only 2 files which are temp are made. Nothing is in the Registry and no domains are contacted. I'd say it's clean.

paraxeno

  • Guest
Re: Zbot-K Not sure if false-positive?
« Reply #21 on: March 04, 2014, 06:25:09 PM »
Uploaded to Malwr: https://malwr.com/analysis/OTgzMGQ4ZjIxNTQyNDBhMjgyOTk2NDM4MGE0ZDMwZTQ/

Yeah, saw it :D I do hope it's not serious; did the OTL and Malwarebytes scans and everything looks OK.

I guess if there is something dangerous it will be included in the next avast update?

Thank you :D

spades

  • Guest
Re: Zbot-K Not sure if false-positive?
« Reply #22 on: March 04, 2014, 06:29:43 PM »
My custom scan (see first post) is now coming up clean.  :)

I assume it was a false-positive and the latest virus definitions from Avast have corrected this?

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Zbot-K Not sure if false-positive?
« Reply #23 on: March 04, 2014, 06:37:44 PM »
Most likely yes. If you have any other issue. Feel free to come back!

Although, I must ask. Why are you guys running custom scans? The normal Full Scan or Quick Scan will do. Unless Avast! detects malware or viruses, full scans don't need to be run very often. Keep MBAM around as an On-Demand scanner. MBAM will probably detect more than Avast!
« Last Edit: March 04, 2014, 06:45:05 PM by Michael (alan1998) »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Zbot-K Not sure if false-positive?
« Reply #24 on: March 04, 2014, 06:57:50 PM »
You are doing a memory scan... Which other anti-malware tools are you using? They may have some files in memory.

paraxeno

  • Guest
Re: Zbot-K Not sure if false-positive?
« Reply #25 on: March 04, 2014, 07:22:33 PM »
Quote
Michael (alan1998):
Most likely yes. If you have any other issue. Feel free to come back!

Although, I must ask. Why are you guys running custom scans? The normal Full Scan or Quick Scan will do. Unless Avast! detects malware or viruses, full scans don't need to be run very often. Keep MBAM around as an On-Demand scanner. MBAM will probably detect more than Avast!


I only run a custom scan as a precaution once a month, just in case, because I am not that deeply experienced...

Offline nibikibaba

  • Software architect in an evil empire
  • Newbie
  • *
  • Posts: 5
    • Curious Dialogues
Re: Zbot-K Not sure if false-positive?
« Reply #26 on: March 05, 2014, 02:58:09 AM »
Did iXer send the dll dumped from windbg for scanning? I thought about the matter for a while and then searched the web a bit about the use of SOS.dll in Windbg for saving modules from memory to disk. It seems that there might be legitimate explanations for the discrepancies between the dumped version of iertutil.dll and the original one in System32. According to a discussion in stackoverflow, memory alignment could be one of the causes. So perhaps we are just worrying about sky-fall after all.  However, the thought that a Zeus/ZBot has infiltrated our machines is just too scary -- who knows what such a bug could have stolen from us if it managed to penetrate our machines even with our (perhaps) over cautious way of scanning!

Quote
Michael (alan1998):
Although, I must ask. Why are you guys running custom scans? The normal Full Scan or Quick Scan will do.

I echo paraxeno's sentiments. We are just trying to play safe and scan as thoroughly as possible, hopefully to increase the chance of catching any scary viruses like the ever-changing/polymorphic Zeus-variants. Again, if custom or memory scans are not supposed to be done, then why would Avast provide the elaborate interface to allow users to do them? I am glad that it turns out to be another false alarm but I personally would rather go through such a drill once in a while and stay alert than to be complacent and get robbed clean :-)

PS. I scanned the machines with the updated Avast database and no threats are detected now.

iXer

  • Guest
Re: Zbot-K Not sure if false-positive?
« Reply #27 on: March 05, 2014, 07:55:38 PM »
Quote
nibikibaba:
Did iXer send the dll dumped from windbg for scanning? I thought about the matter for a while and then searched the web a bit about the use of SOS.dll in Windbg for saving modules from memory to disk. It seems that there might be legitimate explanations for the discrepancies between the dumped version of iertutil.dll and the original one in System32. According to a discussion in stackoverflow, memory alignment could be one of the causes. So perhaps we are just worrying about sky-fall after all.  However, the thought that a Zeus/ZBot has infiltrated our machines is just too scary -- who knows what such a bug could have stolen from us if it managed to penetrate our machines even with our (perhaps) over cautious way of scanning!

I did upload it. Here is the result:

https://malwr.com/analysis/OTgzMGQ4ZjIxNTQyNDBhMjgyOTk2NDM4MGE0ZDMwZTQ/

It doesn't look like a change due to memory alignment to me when I do a compare in Notepad++ with the Compare plugin and load the version I pulled out of memory against the version on the disk. I did read that it's very common for DLLs to be modified in memory for totally benign reasons, though. I'm guessing that's what's going on. If a pre-boot scan via the avast! Rescue Disk didn't find any viruses, unless something is involved at the BIOS level, I'm pretty sure this is a false positive. The fact that avast! no longer detects the in-memory version of iertutil.dll as a virus corroborates that feeling.

Quote
Michael (alan1998):
Although, I must ask. Why are you guys running custom scans? The normal Full Scan or Quick Scan will do.

I echo paraxeno's sentiments. We are just trying to play safe and scan as thoroughly as possible, hopefully to increase the chance of catching any scary viruses like the ever-changing/polymorphic Zeus-variants. Again, if custom or memory scans are not supposed to be done, then why would Avast provide the elaborate interface to allow users to do them? I am glad that it turns out to be another false alarm but I personally would rather go through such a drill once in a while and stay alert than to be complacent and get robbed clean :-)

PS. I scanned the machines with the updated Avast database and no threats are detected now.

Agreed on all counts. I learned a lot of stuff from this fire drill, so I'm not mad about it.