Author Topic: a-squared found Trojan.Win32.Inject.aed  (Read 11985 times)


Offline polonus

a-squared found Trojan.Win32.Inject.aed
« on: March 23, 2008, 07:46:18 PM »
Hi malware fighters,

Is this a FP?
Here is the virustotal scan report:
File found: C:\Windows\system32\KCMDNIns.exe

Antivirus     Version     Last Update     Result
AhnLab-V3   2008.3.22.1   2008.03.21   -
AntiVir   7.6.0.75   2008.03.23   TR/Inject.aed
Authentium   4.93.8   2008.03.22   -
Avast   4.7.1098.0   2008.03.23   -
AVG   7.5.0.516   2008.03.22   -
BitDefender   7.2   2008.03.23   -
CAT-QuickHeal   9.50   2008.03.21   -
ClamAV   0.92.1   2008.03.23   -
DrWeb   4.44.0.09170   2008.03.23   -
eSafe   7.0.15.0   2008.03.18   -
eTrust-Vet   31.3.5633   2008.03.21   -
Ewido   4.0   2008.03.23   -
F-Prot   4.4.2.54   2008.03.22   -
F-Secure   6.70.13260.0   2008.03.23   -
FileAdvisor   1   2008.03.23   -
Fortinet   3.14.0.0   2008.03.23   -
Ikarus   T3.1.1.20   2008.03.23   Virus.Trojan.Win32.Inject.aed
Kaspersky   7.0.0.125   2008.03.23   -
McAfee   5257   2008.03.21   -
Microsoft   1.3301   2008.03.23   -
NOD32v2   2967   2008.03.21   -
Norman   5.80.02   2008.03.20   -
Panda   9.0.0.4   2008.03.23   -
Prevx1   V2   2008.03.23   -
Rising   20.36.62.00   2008.03.23   -
Sophos   4.27.0   2008.03.23   -
Sunbelt   3.0.978.0   2008.03.18   -
Symantec   10   2008.03.23   -
TheHacker   6.2.92.252   2008.03.22   -
VBA32   3.12.6.3   2008.03.21   Trojan.Win32.Inject.aed
VirusBuster   4.3.26:9   2008.03.22   -
Webwasher-Gateway   6.6.2   2008.03.23   Trojan.Inject.aed
Additional information
File size: 24576 bytes
MD5: 4a51d7a6efa86cceb60d72680c57952b
SHA1: 79ddd8fabfb2d6fc3a85c0bb509eb8f4328e4d8d
PEiD: Armadillo v1.71

Who can comment here?

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

Re: a-squared found Trojan.Win32.Inject.aed
« Reply #1 on: March 23, 2008, 08:59:28 PM »
The file is strange... the folder and the name...
The best things in life are free.

Offline oldman

Re: a-squared found Trojan.Win32.Inject.aed
« Reply #2 on: March 23, 2008, 11:21:29 PM »
I found a little information on the file. It matches the size of file you have.

Thu 7 Aug 2003    24,576

I haven't been able to find out who it belongs to. I'll keep looking.

Offline oldman

Re: a-squared found Trojan.Win32.Inject.aed
« Reply #3 on: March 23, 2008, 11:32:59 PM »
I found something kind of interesting. On Mar 17, Kaspersky detected it with the same infection. However, today it doesn't. I'm leaning towards a false positive.

Offline polonus

Re: a-squared found Trojan.Win32.Inject.aed
« Reply #4 on: March 24, 2008, 12:40:08 AM »
Hi "oldman",

More info on this executable. It is only on one of my two accounts on XP, so not on the normal user account. It is a hidden archive file in system32. It was made using Armadillo v.1711 and Microsoft Visual Basic v. 5.0 and 6.0; it consists of text, rdata, and data, Import table (libr. 2), Kernel32.dll and User32.dll Security Admin etc. (all inbuilt), Stream Type Security 148, Standard 24576, Obj.id. 64.
It has a pure virtual function, and is a Windows 32-bit VxD Message Server CMDNMST for
Windows Graphical User Interface (GUI). What does it do? Open Process Kernel32.dll, Get Window Thread Process, Find Window User32.dll, GetModuleHandle, Get CommandLine, Get Version, Exit Process, Get Current Process, Free Environment String, Set Handle Count, HeapDestroy, HeapCreate, WriteFile, GetCPInfo, SetACP, GetOEMCP, HeapAlloc, VirtualAlloc, Heap ReAlloc, LinkLibrary, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW.

That is what FileAlyzer hiccuped on this file,

pol

Offline polonus

Re: a-squared found Trojan.Win32.Inject.aed
« Reply #5 on: March 24, 2008, 12:53:19 AM »
Hi "oldman",

Found this, but mine reads: kcmndinst.exe
for cmdninst.exe

Component Name: cmdninst.exe

Description of cmdninst.exe
This is a component of MS Windows Application. Part of the widely popular Windows operating system. The Windows family of operating systems developed the point-and-click graphical user interface for easy interaction with programs and files.

Recommendation for cmdninst.exe
N/A

Trusted: Yes
Trojan: No
Chronic: No
Adware: No
Carrier: No
Browser Hijacker: No
Dialer: No
Commercial Keylogger: No
Remote Administration Tool: No
Suspected: No

Company Name: Microsoft Corporation
Platforms Affected: 
Methods of Distribution: .
Variants/Versions: 
Release Date: 1983

polonus

lurkingatu2

Re: a-squared found Trojan.Win32.Inject.aed
« Reply #6 on: March 24, 2008, 03:09:20 AM »
I'm trying to find info on this also. Avira AntiVir PE Classic started to find this
on my last scan.

AntiVir did not find this before my last scan on 3/12/08. I sent it to them and
am waiting for an email from them. There is some talk about it on the German part
of the forum.

I googled it and looked at some HJT logs and saw that others find it on an Acer PC,
and that is what I have (Acer Aspire T180).

The date on this file is 8/6/2003 and it's 24,576 bytes. I wonder if it's an Acer thing.

I'll post back with what Avira says.

Offline oldman

Re: a-squared found Trojan.Win32.Inject.aed
« Reply #7 on: March 24, 2008, 03:35:58 AM »
Yes, please post back. The size and date seem consistent on all logs I found.

Offline polonus

Re: a-squared found Trojan.Win32.Inject.aed
« Reply #8 on: March 24, 2008, 03:34:34 PM »
Hi lurkingatu2,

Maybe it has to do with Acer and their software, because I am on an Acer too. That could be the clue. Part of Acer Media Synchronization or something similar... Thanks for that information, lurkingatu2,

polonus

P.S. Hi "oldman", you keep digging please, I trust you to get at the facts! In the description of the malware, kcmdnins.exe had "keylogger"-like aspects. More and more I also lean to it being a False Positive,

Damian
« Last Edit: March 24, 2008, 03:41:13 PM by polonus »

lurkingatu2

Re: a-squared found Trojan.Win32.Inject.aed
« Reply #9 on: March 24, 2008, 08:49:59 PM »
Hello,

sorry I could not get here earlier, the forum must have had a problem.

Well, I got an email back from Avira and they say:

File ID  Filename  Size (Byte) Result
3793551  KCMDNIns.exe  24 KB  MALWARE


Please find a detailed report concerning each individual sample below:

 Filename Result
 KCMDNIns.exe  MALWARE

The file 'KCMDNIns.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Inject.aed. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.00.03.35.

Please note: The detection of Spy/Adware is not available in the product "AntiVir PersonalEdition Classic". Please address specific questions to support@avira.com

So I'm not sure what to do. I scanned it at Jotti's, VirusTotal and virscan.org.

Jotti's found it with:
AntiVir  Found TR/Inject.aed
VBA32  Found Trojan.Win32.Inject.aed

VirusTotal found:
AntiVir 7.6.0.75 2008.03.24 TR/Inject.aed
Ikarus T3.1.1.20 2008.03.24 Virus.Trojan.Win32.Inject.aed
VBA32 3.12.6.3 2008.03.21 Trojan.Win32.Inject.aed
Webwasher-Gateway 6.6.2 2008.03.24 Trojan.Inject.aed

virscan found:
A-Squared 3.0.0.126 2008.03.23 2008-03-23 Trojan.Win32.Inject.aed
AntiVir 7.6.0.75 7.0.3.66 2008-03-24 TR/Inject.aed
Ikarus T3.1.01.20 2008.03.19.70473 2008-03-19 Virus.Trojan.Win32.Inject.aed
KingSoft 2007.6.20.249 2008.3.25 2008-03-25 Win32.Troj.Small.ap.24576
nProtect 2008-03-24.01 1247199 2008-03-24 Trojan/W32.Inject.24576.D
Prevx V2 20080325 2008-03-25 TROJAN.DOWNLOADER.GEN
VBA32 3.12.6.3 20080324.1134 2008-03-24 Trojan.Win32.Inject.aed

Additional information
File size: 24576 bytes
MD5: 4a51d7a6efa86cceb60d72680c57952b
SHA1: 79ddd8fabfb2d6fc3a85c0bb509eb8f4328e4d8d
PEiD: Armadillo v1.71

I've got Mamutu on here and it has not found anything, so I'm not sure.
I'm going to leave it for now  :)
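The thread's triage rests on reading multi-engine reports like the ones quoted in the first post and in this reply: how many engines flag the file, and whether their names all point at one family. The tally script below is an added example, not code from the forum; the sample rows are copied from the VirusTotal report in the first post (all four detections plus three clean rows, so the ratio here is 4/7, not the full report's 4/32), and the "runs of two or more spaces separate columns" layout and the last-two-tokens family heuristic are assumptions about how that report was pasted.

```python
import re

# Constructed subset of the VirusTotal rows quoted earlier in the thread:
# engine, engine version, signature date, result ('-' = nothing found).
SAMPLE_REPORT = """\
AhnLab-V3   2008.3.22.1   2008.03.21   -
AntiVir   7.6.0.75   2008.03.23   TR/Inject.aed
Avast   4.7.1098.0   2008.03.23   -
Ikarus   T3.1.1.20   2008.03.23   Virus.Trojan.Win32.Inject.aed
Kaspersky   7.0.0.125   2008.03.23   -
VBA32   3.12.6.3   2008.03.21   Trojan.Win32.Inject.aed
Webwasher-Gateway   6.6.2   2008.03.23   Trojan.Inject.aed
"""


def parse_rows(text):
    """Return [(engine, result_or_None), ...] from a pasted report.

    Assumes columns are separated by two or more spaces (as in the thread);
    lines with fewer than four columns (headers, blanks) are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 4:
            continue
        engine, result = parts[0], parts[3]
        rows.append((engine, None if result == "-" else result))
    return rows


def family(name):
    """Reduce a vendor name to its family token (heuristic, an assumption):
    drop a 'TR/'-style prefix, keep the last two dotted tokens, lower-case.
    'Virus.Trojan.Win32.Inject.aed' and 'TR/Inject.aed' both -> 'inject.aed'.
    """
    base = name.rsplit("/", 1)[-1]
    return ".".join(base.split(".")[-2:]).lower()


def consensus(rows):
    """Count hits and group them by family so a single shared family with
    few hits (the pattern in this thread) stands out from broad agreement."""
    hits = [result for _, result in rows if result]
    families = {}
    for result in hits:
        families[family(result)] = families.get(family(result), 0) + 1
    return {"total": len(rows), "hits": len(hits), "families": families}


if __name__ == "__main__":
    summary = consensus(parse_rows(SAMPLE_REPORT))
    print(f"{summary['hits']}/{summary['total']} engines flagged the file")
    for fam, count in summary["families"].items():
        print(f"  {fam}: {count} engine(s)")
```

A low hit count concentrated in one family name is what the posters treat as a false-positive hint; the same tally can be rerun on a later report to confirm, as happened here, that the detections are withdrawn.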

Offline oldman

Re: a-squared found Trojan.Win32.Inject.aed
« Reply #10 on: March 25, 2008, 12:38:49 AM »
Thank you for posting back. I still don't know what to make of it. If the file date is correct, it's been kicking around for almost 5 years and no one has made a fuss over it until now. From the description, it's spyware, but spying on what? If it is indeed from Acer, perhaps a question directed in their direction will shed some light on it.

Other manufacturers have similar software that "phones" home for updates (as far as we know). Maybe we are getting too paranoid.

It would have been nice if Avira's description was a little more detailed. More of an explanation of what the unwanted modifications were. Updates??

Polonus, I suggest you submit your sample and see who has joined in the detections. As I said earlier, Kaspersky seems to have changed their minds. Maybe they know something we don't.

Perhaps Alwil could have a look and give us a better understanding of what the "trojan" actually does.


lurkingatu2

Re: a-squared found Trojan.Win32.Inject.aed
« Reply #11 on: March 25, 2008, 02:12:24 AM »
Well, I called Acer support in the US but they would not say because my PC is not under warranty.
They wanted me to call pay support, but the way she said she could not say if it was or not makes
me think it's from Acer.

I've also sent it to Avast and I'm asking at Avira, so I still don't know what to do with it lol

Thanks  :)

CharleyO

Re: a-squared found Trojan.Win32.Inject.aed
« Reply #12 on: March 25, 2008, 02:29:18 AM »
***

From what I have been able to find ......

cmdninst.exe seems to be Microsoft Config Manager Device Installer Launcher.

Everything I could find about KCMDNIns.exe says it is Trojan.Win32.Inject.aed (which is already known) and for whatever reason, I found nothing related to Acer computers.


***

lurkingatu2

Re: a-squared found Trojan.Win32.Inject.aed
« Reply #13 on: March 26, 2008, 08:57:40 PM »
Hello,

I gave it to CastleCops and they say Kaspersky says it's no malware, and Avira says:

File ID  Filename  Size (Byte) Result
3793551  KCMDNIns.exe  24 KB  FALSE POSITIVE


Please find a detailed report concerning each individual sample below:

 Filename Result
 KCMDNIns.exe  FALSE POSITIVE

The file 'KCMDNIns.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

Thanks  :)

Offline oldman

Re: a-squared found Trojan.Win32.Inject.aed
« Reply #14 on: March 27, 2008, 06:08:33 AM »
Thanks for posting. Kaspersky changed their minds within a few days.

You can relax now polonus.  ;)