Author Topic: security breach Exploit.CVE_2019_0803-6976664-0 Dropper.Sykipot-9950506-0  (Read 1127 times)

0 Members and 1 Guest are viewing this topic.

Offline grrrl212

  • Newbie
  • *
  • Posts: 3
hi,

today I was using a few antivirus programs.
Sadly while performing scan on second operating system I've found security break.

Quote
Program Files/Avast Software/Avast/defs/22052800/gvma64.dat: Win.Exploit.CVE_2019_0803-6976664-0 FOUND
Program Files/Google/Chrome/Application/chrome.exe: Win.Dropper.Sykipot-9950506-0 FOUND

Both were found using ClamAV.
I'm guessing that the Avast database was infected on my side and that way he wasn't able to find it.

Now I am wondering where the rest of that bad files are kept... files that can infect Chrome one more time, and Avast too.

Such viruses are known for Avast team?? I guess they are.
Hmm I'm thinking about sharing infected files just to share samples.
But if that's needed please tell me how to do that.

regards,
G

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86832
  • No support PMs thanks
Using multiple AVs isn't advisable as they can become conflicted and could well result in false positive detections.

Routing around in the definitions folder, used to identify malware could well result in false positives, which is what I believe this to be.

The rest of what bad files ?

That is the Chrome browser location and chrome.exe should be digitally signed (as mine is), if that is good then its integrity should be good.

For me both of these Crud AV detections are False Positives.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline grrrl212

  • Newbie
  • *
  • Posts: 3
in my case, I was running ClamAV from Linux,
and Avast was running from Windows in the system, and once after reboot in Windows booting phase.
So I think it's not a problem, because they don't exist in the same systems.

Scanning results from ClamAV.
First are from Windows main partition.
Quote
/run/media/user/0CD216BFD216ACC8/Program Files/Google/Chrome/Application/102.0.5005.63/elevation_service.exe: Win.Dropper.Sykipot-9950507-0 FOUND
/run/media/user/0CD216BFD216ACC8/Program Files/Google/Chrome/Application/102.0.5005.63/Installer/chrmstp.exe: Win.Dropper.Sykipot-9950505-0 FOUND
/run/media/user/0CD216BFD216ACC8/Program Files/Google/Chrome/Application/102.0.5005.63/Installer/setup.exe: Win.Dropper.Sykipot-9950505-0 FOUND
/run/media/user/0CD216BFD216ACC8/Program Files/Google/Chrome/Application/chrome.exe: Win.Dropper.Sykipot-9950506-0 FOUND

I've created for test purpose 32bit Wine Prefix on Linux, and I've installed the same browser, but I've downloaded installer again, separately.

Here are results from closed Wine environment.
Quote
/home/user/wine-prefixes/test-browser/drive_c/Program Files/Google/Chrome/Application/102.0.5005.63/elevation_service.exe: Win.Dropper.Sykipot-9950507-0 FOUND
/home/user/wine-prefixes/test-browser/drive_c/Program Files/Google/Chrome/Application/102.0.5005.63/Installer/chrmstp.exe: Win.Dropper.Sykipot-9950505-0 FOUND
/home/user/wine-prefixes/test-browser/drive_c/Program Files/Google/Chrome/Application/102.0.5005.63/Installer/setup.exe: Win.Dropper.Sykipot-9950505-0 FOUND
/home/user/wine-prefixes/test-browser/drive_c/Program Files/Google/Chrome/Application/chrome.exe: Win.Dropper.Sykipot-9950506-0 FOUND
/home/user/wine-prefixes/test-browser/drive_c/Program Files/Google/Update/Download/{8A69D345-D564-463C-AFF1-A69D9E530F96}/102.0.5005.63/102.0.5005.63_chrome_installer.exe: Win.Dropper.Sykipot-9950505-0 FOUND
/home/user/wine-prefixes/test-browser/drive_c/Program Files/Google/Update/Install/{7D6240B5-B336-45CA-91D9-8DA878DF6897}/102.0.5005.63_chrome_installer.exe: Win.Dropper.Sykipot-9950505-0 FOUND

That's weird, anyway. The same results. I can agree that they can be false positive.

Offline grrrl212

  • Newbie
  • *
  • Posts: 3
you were asking: The rest of what bad files ?

I am a bit paranoid after security breach in my Google account.

I thought that results can lead me somewhere.
I mean I was thinking that I've got something infected in my Windows.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86832
  • No support PMs thanks
Even when running another AV in another environment, you're still scanning a live system with another AV running and that is likely to be checking the intrusions/activity into/on that environment.  However detections within a .dat file containing a avast's virus signatures, the means of detecting malware is highly likely to trigger false positives.

As for the Google Chrome executables, they should be digitally signed and that signature is good (as in my previous attached image), then the detection is highly likely to be an FP.  So it doesn't appear that the other AV even checks that.

Nothing wrong with being a bit paranoid, but when your actions increase that paranoia then you might have gone a step too far.

If there was a security breach in my Google account, presumably you have changes your security related settings and passwords, etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76213
  • Urlaub/Vacation
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
That's weird, anyway. The same results. I can agree that they can be false positive.
Best you report the FPs to clamAV, so they can fix their stuff. ;)
W8.1 [x64] - Avast PremSec 22.7.7366.BC [UI.713] - Firefox ESR 91.11 [NS/uBO/PB] - Thunderbird 91.11
Avast-Tools: Secure Browser 103.0 - Cleanup 22.2 - SecureLine 5.18 - DriverUpdater 22.2 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76213
  • Urlaub/Vacation
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
I am a bit paranoid after security breach in my Google account.
-> Avast Hack-Check: https://www.avast.com/hackcheck
W8.1 [x64] - Avast PremSec 22.7.7366.BC [UI.713] - Firefox ESR 91.11 [NS/uBO/PB] - Thunderbird 91.11
Avast-Tools: Secure Browser 103.0 - Cleanup 22.2 - SecureLine 5.18 - DriverUpdater 22.2 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33669
  • malware fighter
A security breach can be a serious issue, but one could also be threatened by some hacker sending you a template taken from a place (repository) where a security breach has been made public. Then it can be best ignored. Not every threat should be genuine.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!