Author Topic: Suspected malware (cleanwipe.exe)  (Read 10972 times)


ibell63

  • Guest
Suspected malware (cleanwipe.exe)
« on: February 24, 2012, 07:39:14 PM »
When looking for a removal tool for Symantec Endpoint Protection last night, I found this .exe online.  Symantec does not have a download page where you can get SEP Cleanwipe.

This drops an .exe detected by Malwarebytes Anti-Malware as Malware.gen in C:\Windows\temp\.

Virustotal results here:

https://www.virustotal.com/file/fd9382c4eff3c4ecc71da47572fe4af974676d9929c078aa3b0287621eeb9210/analysis/1330107687/

Please analyze this file and add detection if it is malware.

I uploaded the .zip with password "virus" to FTP server at ftp.avast.com/incoming
« Last Edit: February 24, 2012, 07:46:25 PM by ibell63 »

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: Suspected malware (cleanwipe.exe)
« Reply #1 on: February 24, 2012, 08:04:43 PM »
You should send it to virus@avast.com in a password-protected zip file.
Zip password: infected
Mail subject: undetected sample

Anyway, I think this is a false positive.

First seen by VirusTotal  2008-06-03 10:03:43 UTC ( 3 year, 8 months ago )
« Last Edit: February 24, 2012, 08:06:47 PM by Pondus »

ibell63

  • Guest
Re: Suspected malware (cleanwipe.exe)
« Reply #2 on: February 24, 2012, 08:05:18 PM »
Ok I'll send it in just a minute.

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: Suspected malware (cleanwipe.exe)
« Reply #3 on: February 24, 2012, 08:11:22 PM »
Was your Malwarebytes updated when you scanned?

ibell63

  • Guest
Re: Suspected malware (cleanwipe.exe)
« Reply #4 on: February 24, 2012, 08:16:00 PM »
Yes, but Malwarebytes does NOT detect the outermost .exe file.  It detects an .exe WITHIN the .exe when it gets unpacked.  This detection was made with the on access file scanning in Malwarebytes Pro.  It detected the .exe as it was being dropped in C:\Windows\temp.  Perhaps you will be able to get the detection on the free version by unpacking the .exe with a file archiver and scanning the contents.
« Last Edit: February 24, 2012, 08:20:02 PM by ibell63 »

ibell63

  • Guest
Re: Suspected malware (cleanwipe.exe)
« Reply #5 on: February 24, 2012, 08:17:29 PM »
The detection was Malware.gen, so it may be an FP, but I was concerned given that the file is detected by 4 scanners at virustotal and I don't see any reason why it should need to drop anything in C:\Windows\temp.

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: Suspected malware (cleanwipe.exe)
« Reply #6 on: February 24, 2012, 08:18:47 PM »
What was the .exe name?
Can you attach the log from that?

ibell63

  • Guest
Re: Suspected malware (cleanwipe.exe)
« Reply #7 on: February 24, 2012, 08:20:51 PM »
I am on a different computer now.  I will quickly unpack it and scan with Malwarebytes and show you the results.

ibell63

  • Guest
Re: Suspected malware (cleanwipe.exe)
« Reply #8 on: February 24, 2012, 08:26:34 PM »
Here is the Malwarebytes log.  Do you want me to send in the detected files?


Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.24.02

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
imb1 :: PC070677 [administrator]

Protection: Enabled

2/24/2012 2:25:15 PM
mbam-log-2012-02-24 (14-25-15).txt

Scan type: Custom scan
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
Objects scanned: 65
Time elapsed: 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\imb1\Desktop\CleanWipe\app\ESUGDlgControl.exe (Malware.Gen) -> Quarantined and deleted successfully.
C:\Users\imb1\Desktop\CleanWipe\app\ESUGMSI.exe (Malware.Gen) -> Quarantined and deleted successfully.
C:\Users\imb1\Desktop\CleanWipe\app\ESUGMSIConvert.exe (Virtool.Obfuscator) -> Quarantined and deleted successfully.

(end)
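A small triage helper for the Malwarebytes log format posted above, added here as an example and not part of the thread: it pulls the "Files Detected" entries out, flags detection names that are generic or packer-only (a triage heuristic I am assuming, not a Malwarebytes rule), and checks whether the signature database date matches the scan date, which is the question Pondus asked.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime

# Sample input: the relevant lines of the Malwarebytes log posted earlier in this thread.
SAMPLE_LOG = r"""Database version: v2012.02.24.02
2/24/2012 2:25:15 PM
Files Detected: 3
C:\Users\imb1\Desktop\CleanWipe\app\ESUGDlgControl.exe (Malware.Gen) -> Quarantined and deleted successfully.
C:\Users\imb1\Desktop\CleanWipe\app\ESUGMSI.exe (Malware.Gen) -> Quarantined and deleted successfully.
C:\Users\imb1\Desktop\CleanWipe\app\ESUGMSIConvert.exe (Virtool.Obfuscator) -> Quarantined and deleted successfully.
"""

# Assumption (my own triage heuristic, not a Malwarebytes rule): generic or packer-only names are weaker evidence than a named family.
LOW_CONFIDENCE_NAMES = {"malware.gen", "virtool.obfuscator"}

DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
DB_RE = re.compile(r"^Database version: v(\d{4})\.(\d{2})\.(\d{2})\.\d+$", re.M)
SCAN_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4}) \d{1,2}:\d{2}:\d{2} [AP]M$", re.M)

@dataclass
class Detection:
    path: str
    name: str
    action: str

    @property
    def low_confidence(self) -> bool:
        return self.name.lower() in LOW_CONFIDENCE_NAMES

def parse_detections(log_text):
    """Return the 'Files Detected' entries as Detection objects."""
    return [Detection(**m.groupdict()) for line in log_text.splitlines()
            if (m := DETECTION_RE.match(line.strip()))]

def database_age_days(log_text):
    """Days between the signature database date and the scan date (0 means up to date)."""
    y, mo, d = map(int, DB_RE.search(log_text).groups())
    scan = datetime.strptime(SCAN_RE.search(log_text).group(1), "%m/%d/%Y").date()
    return (scan - date(y, mo, d)).days

def triage(log_text):
    """Summarise the log: only generic/packer hits means 'submit for FP review', not 'clean'."""
    dets = parse_detections(log_text)
    generic = [d for d in dets if d.low_confidence]
    all_generic = bool(dets) and len(generic) == len(dets)
    return {"files": len(dets), "low_confidence": len(generic),
            "db_age_days": database_age_days(log_text),
            "verdict": "submit-for-fp-review" if all_generic else "treat-as-malicious"}
```

A verdict of "submit-for-fp-review" only says the evidence is weak; the sample still goes to the vendor, as Pondus advised, rather than being declared clean.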

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: Suspected malware (cleanwipe.exe)
« Reply #9 on: February 24, 2012, 08:34:10 PM »
OK, yep, I got the same when unpacking the .exe.

Will report it as an FP at Malwarebytes.

ibell63

  • Guest
Re: Suspected malware (cleanwipe.exe)
« Reply #10 on: February 24, 2012, 08:37:21 PM »
So you don't think it's malicious?  Avast told me to run it in its autosandbox when I opened it...

YoKenny

  • Guest
Re: Suspected malware (cleanwipe.exe)
« Reply #11 on: February 24, 2012, 08:48:46 PM »

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
Why are you not using IE9 with Windows 7 Ultimate 64 bit?

ibell63

  • Guest
Re: Suspected malware (cleanwipe.exe)
« Reply #12 on: February 24, 2012, 08:50:42 PM »
I'm currently at work.  This computer has Deep Freeze on it and the admins here haven't updated it in a while.  I do not use IE for anything, ever!  I am currently running Chrome beta 18.0.1025.39.

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: Suspected malware (cleanwipe.exe)
« Reply #13 on: February 24, 2012, 08:53:07 PM »
So you don't think it's malicious?  Avast told me to run it in its autosandbox when I opened it...
If you scroll down to the bottom of your VT scan and click "Additional information",

you find this: First seen by VirusTotal 2008-06-03 10:03:43 UTC ( 3 year, 8 months ago )

So almost 4 years and only 4 detections   ::)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 34049
  • malware fighter
Re: Suspected malware (cleanwipe.exe)
« Reply #14 on: February 24, 2012, 09:28:16 PM »
Hi posters in this thread,

Possibly a PUP and packer FP detection, because here generically we detect HTTP Zbot Activity, seen as a threat; see: http://www.threatexpert.com/files/esugdlgcontrol.exe.html
Detected as posing a security risk here: http://www.backgroundtask.eu/Systeemtaken/taakinfo/74132/esugdlgcontrol.exe/
Considered an FP here: http://forums.malwarebytes.org/index.php?showtopic=96653
This is also considered a Trojan Backdoor here: ESUGDLGCONTROL.EX- is known as packed with PE_Patch [Kaspersky Lab].
MD5 of ESUGDLGCONTROL.EX- = 2B5C000B2D23BD3F5F3E0C0EE3FC2ACB
ESUGDLGCONTROL.EX- size is 76455 bytes.
Full path on a computer: %WINDIR%\TEMP\CLEANWIPE\APP\ESUGDLGCONTROL.EX-
If found to be an FP, which is likely and is supported here: http://www.prevx.com/filenames/112526285422626354-X1/ESUGDLGCONTROL.EXE.html
cleanwipe.exe should be considered a PUP, because it should always be run in safe mode, and not be allowed to disable connectivity drivers.
Just remove the Symantec components manually if need be.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!