Author Topic: Suspicious File Found: WINSYS2.EXE  (Read 47019 times)

Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: Suspicious File Found: WINSYS2.EXE
« Reply #15 on: September 24, 2008, 11:14:00 PM »
can you remember this thread? http://forum.avast.com/index.php?topic=35761.msg302364#msg302364

it's quite similar, don't you think? regarding the google hits, i believe there's something strange.. and it seems, that the (anti)rootkit detection is valid, but i can ask someone else from our team to validate it again...

btw: some files which arrived at our viruslab have an overlay full of zeros and maybe other modifications against the valid ones...

alisonnic

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #16 on: September 24, 2008, 11:24:59 PM »
Ok, I just completed a scan of Windows/System32 using F-Secure's online scanner.  It found five tracking cookies but no other malware.

I am re-running F-Secure now on the entire system.  But I must admit that it looks to me like the WINSYS2.EXE from the MSI driver CD is not a rootkit.  If it were, surely F-Secure or one of the virus scanners on Virustotal would have picked it up.

avast - over to you.  You've got the copy of the file I sent you yesterday.  I can send it again if necessary.  Can you please compare it to a copy of the known rootkit and see if it's the same?

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89026
  • No support PMs thanks
Re: Suspicious File Found: WINSYS2.EXE
« Reply #17 on: September 24, 2008, 11:32:34 PM »
I would suggest sending it again, as Maxx_original said some of the samples were full of zeros or other modifications.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
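
Added example, not part of the original thread or any poster's or Avast's code: one way to check whether a submitted copy differs from a reference copy (for instance the one on the driver CD) only by a zero-filled overlay, as mentioned in the replies above. The function names and the tiny constructed PE sample are assumptions made for illustration; on real files, pass the bytes read from each copy.

```python
import hashlib
import struct

def overlay_offset(data: bytes) -> int:
    """File offset where the last section's raw data ends; bytes past it are overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                            # first section header
    end = table + 40 * n_sections
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    # Caveat: an Authenticode signature blob also sits past the sections.
    return min(end, len(data))

def describe(data: bytes) -> dict:
    off = overlay_offset(data)
    overlay = data[off:]
    return {
        "sha256_file": hashlib.sha256(data).hexdigest(),
        "sha256_image": hashlib.sha256(data[:off]).hexdigest(),
        "overlay_len": len(overlay),
        "overlay_all_zero": bool(overlay) and overlay.count(0) == len(overlay),
    }

def compare(reference: bytes, sample: bytes) -> str:
    ref, smp = describe(reference), describe(sample)
    if ref["sha256_file"] == smp["sha256_file"]:
        return "identical"
    if ref["sha256_image"] != smp["sha256_image"]:
        return "image differs"
    return "same image, zero overlay" if smp["overlay_all_zero"] else "same image, overlay differs"

def toy_pe(body: bytes = b"\x90" * 16) -> bytes:
    """Constructed sample: minimal one-section PE layout, not a real MSI file."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                   # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x46, 1)                      # NumberOfSections
    struct.pack_into("<II", hdr, 0x58 + 16, len(body), 0x200) # raw size, raw pointer
    return bytes(hdr) + body
```

A whole-file hash alone would report the zero-padded copy as a different file; hashing only the bytes up to the overlay shows whether the executable image itself matches the reference.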

alisonnic

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #18 on: September 24, 2008, 11:40:31 PM »
Quote from: Maxx_original
> can you remember this thread? http://forum.avast.com/index.php?topic=35761.msg302364#msg302364
>
> it's quite similar, don't you think? regarding the google hits, i believe there's something strange.. and it seems, that the (anti)rootkit detection is valid, but i can ask someone else from our team to validate it again...
>
> btw: some files which arrived at our viruslab have an overlay full of zeros and maybe other modifications against the valid ones...

I did a search on Google as well, just after I started this thread.  That search led me to a thread on AnandTech in which a number of other people with MSI NVIDIA cards found the same files on their driver CDs.

Here's a link to the thread:

http://forums.anandtech.com/messageview.aspx?catid=32&threadid=2032070&enterthread=y

At the bottom of the thread is a quote, supposedly from MSI:

Official quote from MSI
"MSI Tech. 09/19/2007
No, this is a MSI utility info which required when running MSI based utility. If you do not want to install this file, you can download and install/use Nvidia's reference driver which can also work as well: http://www.nvidia.com/object/winxp_2k_162.18.html"

Ok, so I could uninstall the MSI driver and install a different driver, but doesn't it seem like an awfully big coincidence that a lot of people in this thread and a lot of those on the Anand thread that have this file also have MSI NVIDIA drivers installed?

Maxx, the thread you posted the link to says that a file can somehow masquerade as another file, or something to that effect.  If that's indeed what's happening here, how do I fix it?

Also, thanks for having someone take another look at the file I sent.  I'm looking forward to hearing what you find out.

colebn

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #19 on: September 24, 2008, 11:47:32 PM »
Ok, I just found my original MSI Driver disk that came with my MSI 8600GT graphics card.

I did a search of the CD and sure enough I found the Winsys2 (and Winsys) applications. I then went to virustotal.com and uploaded it from the CD (not my machine):- http://www.virustotal.com/analisis/bd46e1e0e8e21616f2c167581b67e94b

Those results are identical to the one I posted earlier. So either MSI have shipped CDs with a virus on them or Avast! is wrong, which is it? ???

Edit:- I have emailed you a download location for that file to virus@avast.com

If it is a trojan, why has avast! started picking up on it just recently?

Trend Micro's online scanner did not pick up on it either, neither did A-squared's free download.
« Last Edit: September 25, 2008, 12:00:55 AM by colebn »

alisonnic

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #20 on: September 25, 2008, 12:15:43 AM »
Ok, I just re-zipped and re-sent my WINSYS2.EXE to the avast support team.  This time I zipped it using Windows' Compressed Folder utility rather than 7-Zip, which is what I used before.

Hopefully this will help them determine what's going on.  ???

drakester

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #21 on: September 25, 2008, 04:27:14 PM »
I have an MSI video card and MSI mobo and AVAST reports WINSYS2.EXE's suspicious behavior. I think this is a false positive due to all the people reporting it having MSI hardware. This message just started popping up yesterday. No other problems on my machine--no flaky behavior etc.

So far, I have ignored these warnings because I think they are bogus.

Either Avast is right and ALL the other antivirus programs in the world are wrong. Or Avast is giving a false positive.

Maybe someone tightened the heuristics scanning a little too much on the development team. I would like to know either way.

The file date on WINSYS2.EXE is 04-29-2006.

The File information says DOT MFC. It is used by MSI software.

Googling WINSYS2.EXE shows similar discussions as this being held in at least two other forums.



drakester

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #22 on: September 26, 2008, 12:48:19 AM »
I think winsys2.exe is Dynamic Overclock Technology (DOT) MFC from MSI. It is used with the MSI video card.
I did an online Kaspersky virus scan just now and it did not find any virus in the Critical Areas or in windows/system32 (I ran both scans).

If this is really a virus then it should have been identified by this date, rather than an anonymous heuristic scan. The Last Modified date on winsys2.exe is 04-29-2006.

colebn

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #23 on: September 26, 2008, 08:36:37 AM »
Is there any chance we can get an update on this? Has this been determined as a trojan or not?

I notice that the download link I sent has not been used, but I believe others have sent their files as well.

abba12

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #24 on: September 26, 2008, 11:32:26 AM »
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t99121.html

This is a relatively short thread that has a lot of information about the same question, and comes to the conclusion that it comes from the driver CD. The driver CD does, in fact, have a file by the same name on it. The thread is from the middle of last year so obviously it's meaningful.

I have an NVIDIA MSI card as well, and at the moment I have found no other issues other than a seemingly unrelated trojan I need to look into. It's the fact it's started picking it up so suddenly that worries me.

I'm going to leave it at the moment, but would LOVE a confirmation from avast about this.

drakester

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #25 on: September 27, 2008, 04:38:56 PM »
I don't know if we're going to get any additional info from Avast. It's hard to say whether a program is or is not a virus/trojan. They would have to disassemble it and look at the assembly code. Not fun. And the chances are they might miss something.

Bottom line for me is that NO ONE reporting this file has said, "I do not run MSI hardware." That for me would be a red flag. But everyone is saying they have an MSI video card. I remember going to the MSI web site and downloading their video driver, and yeah, I tinkered with it and tried to maximize the performance.

Also, the fact that Kaspersky Online Scan showed nothing, after scanning C:\WINDOWS\SYSTEM32.

Avast does not have a problem with WINSYS2.EXE as a file, only that it "acts" like a virus sometimes, based on heuristic methods. I happen to know that MSI programming methodology is not all that. They are sloppy programmers to begin with so I can readily believe their program would trigger Avast. That is a sign of a sloppy programmer. Heck maybe it is some kind of spyware, who knows what MSI has up its sleeves, but probably not as dangerous as a criminal virus from the wild.

I have no idea how to uninstall or even if uninstalling would be safe and not mess up my video. I can imagine uninstalling WINSYS2.EXE and then not being able to see anything.

For the time being I am just having Avast ignore the problem when it comes up, but continue alerting me about it. Hopefully we will read more info in this forum from other knowledgeable people. The more people who come on here, and say they have MSI video cards, the better.

drakester

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #26 on: September 27, 2008, 04:55:26 PM »
Okay, I did a scan at virustotal, and three antivirus products decided it was a trojan:

http://www.virustotal.com/analisis/58cbe86b8023ed329c52c2d57b80b51d

 File WinSys2.exe received on 09.27.2008 16:46:40 (CET)
Result: 3/36 (8.34%)
   
Antivirus    Version    Last Update    Result
AhnLab-V3   2008.9.25.0   2008.09.26   -
AntiVir   7.8.1.34   2008.09.26   -
Authentium   5.1.0.4   2008.09.27   -
Avast   4.8.1195.0   2008.09.26   -
AVG   8.0.0.161   2008.09.26   -
BitDefender   7.2   2008.09.27   -
CAT-QuickHeal   9.50   2008.09.27   -
ClamAV   0.93.1   2008.09.27   -
DrWeb   4.44.0.09170   2008.09.27   -
eSafe   7.0.17.0   2008.09.25   -
eTrust-Vet   31.6.6110   2008.09.26   -
Ewido   4.0   2008.09.27   -
F-Prot   4.4.4.56   2008.09.27   -
F-Secure   8.0.14332.0   2008.09.27   -
Fortinet   3.113.0.0   2008.09.27   -
GData   19   2008.09.27   -
Ikarus   T3.1.1.34.0   2008.09.27   -
K7AntiVirus   7.10.476   2008.09.27   Trojan.Win32.Malware.1
Kaspersky   7.0.0.125   2008.09.27   -
McAfee   5393   2008.09.27   -
Microsoft   1.3903   2008.09.27   -
NOD32   3476   2008.09.27   -
Norman   5.80.02   2008.09.26   -
Panda   9.0.0.4   2008.09.27   Trj/Agent.ISR
PCTools   4.4.2.0   2008.09.26   -
Prevx1   V2   2008.09.27   Worm
Rising   20.63.52.00   2008.09.27   -
SecureWeb-Gateway   6.7.6   2008.09.26   -
Sophos   4.34.0   2008.09.27   -
Sunbelt   3.1.1675.1   2008.09.27   -
Symantec   10   2008.09.27   -
TheHacker   6.3.0.9.094   2008.09.25   -
TrendMicro   8.700.0.1004   2008.09.26   -
VBA32   3.12.8.6   2008.09.27   -
ViRobot   2008.9.26.1394   2008.09.26   -
VirusBuster   4.5.11.0   2008.09.26   -

That's enough for me. I am uninstalling this piece of crap before it does any more damage. I'm using Panda's anti-rootkit.

Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Suspicious File Found: WINSYS2.EXE
« Reply #27 on: September 27, 2008, 05:09:14 PM »
drakester, it seems to be a false positive from those programs...
The best things in life are free.

drakester

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #28 on: September 27, 2008, 05:10:25 PM »
Well, I ran Panda, F-Secure and Trend Micro anti-Rootkit utilities. And none of them picked up anything.

The only other option I have is to actually delete WINSYS2.EXE.

Instead of doing that, I'm just going to rename the file to backupWinSYS2.EXE and see if the warning messages from Avast go away. (And if there is any impact to the video display.)

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89026
  • No support PMs thanks
Re: Suspicious File Found: WINSYS2.EXE
« Reply #29 on: September 27, 2008, 05:23:49 PM »
That is a safer bet than deletion, as whatever would run this wouldn't be able to find the original file name, so it shouldn't be running when avast's rootkit scan takes place and hopefully wouldn't detect the renamed file.

However, since avast doesn't detect this in the virustotal results and that was using a recent VPS version 080926-0, right click on the file and select scan, I believe avast will no longer detect it (as the VPS may have been corrected) ?

If that is the case there is no need to rename it, you could revert to the normal name and see if avast detects it on the next reboot.