AndyManchesta
Trojan.Downloader.AdMSI
I was sent an email from an MSAS user who had this detection, so I asked for the file and placed it on my desktop:
Ran MSAS
Infected files detected
c:\documents and settings\andy manchesta\desktop\_shfoldr.dll (Usual location is temp file)
If you use MSAS and go to "Tools" > "Advanced Tools" > then "Advanced File Analyser" then browse to the shfoldr.dll file it shows this:
----------------------------------------------------------
Detailed File Analysis
Display name: Microsoft(R)Windows(R)2000 Operating System
Name: _shfoldr.dll
Description: Shell Folder Service
Original file name: shfolder.dll
Publisher: Microsoft Corporation
Path: C:\Documents and Settings\Andy Manchesta\Desktop\_shfoldr.dll
Version: 5.50.4807.2300
Size: 23312 bytes
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
File Properties Shows
Company - Microsoft
File Version - 5.50.4807.2300
InternetName - shfolder
Language - English (United States)
Original File Name - shfolder.dll
Product Name - Microsoft(R) Windows (R) 2000 Operating System
Product Version - 5.50.4807.2300
----------------------------------------------------------
Then I went to the Microsoft website and downloaded "Platform SDK Redistributable: ShFolder DLL":
http://www.microsoft.com/downloads/details.aspx?FamilyID=6ae02498-07e9-48f1-a5d6-dbfa18d37e0f&DisplayLang=en
And that displays this:
Detailed File Analysis
Display name: Microsoft Shell Folder Service
Name: shfolder.dll
Description: Shell Folder Service
Publisher: Microsoft Corporation
Path: C:\WINDOWS\system32\shfolder.dll
Version: 6.0.2800.1106
Size: 22528 bytes
MD5: c6b2ad321e6c12e12898d1cae587d0d5
File Properties :
Company - Microsoft Corporation
File Version - 6.00.2800.1106
InternetName - shfolder
Language - English (United States)
Original File Name - shfolder.dll
Product Name - Microsoft(R) Windows (R) Operating System
Product Version - 6.00.2800.1106
----------------------------------------------------------
Another example: genuine shfolder.dll
Detailed File Analysis
Display name: Microsoft(R)Windows(R)2000 Operating System
Name: shfolder.dll
Description: Shell Folder Service
Publisher: Microsoft Corporation
Path: C:\Documents and Settings\Andy Manchesta\Desktop\test\shfolder.dll
Version: 5.0.2919.6304
Size: 23026 bytes
Copyright: Copyright (C) Microsoft Corp. 1981-1999
MD5: 00bb060720f7b185497615169bd08665
File Properties:
Company - Microsoft Corporation
File Version - 5.00.2919.6304
InternetName - shfolder
Language - English (United States)
Original File Name - shfolder.dll
Product Name - Microsoft(R) Windows (R) 2000 Operating System
Product Version - 5.00.2919.6304
----------------------------------------------------------
Then if you run a scan with MSAS it shows this detection:
shfoldr.dll
Detected Threats
Trojan.Downloader.AdMSI
Status: Ignored
High threat - High-risk items have a large potential for
harm, such as loss of computer control, and should be
removed unless knowingly installed.
Infected files detected
c:\documents and settings\andy manchesta\desktop\_shfoldr.dll
More information:
Trojan.Downloader.AdMSI
Type: Trojan
A Trojan that silently installs other programs without
consent.
Category: Trojan Downloader
A Trojan that silently installs other programs without
consent.
Threat level: High
High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless
knowingly installed.
Here are the results of scanning the "_shfoldr.dll" file with various AntiVirus/Antispy scanners:
Adaware-SE Nothing Found
AntiVir 6.32.0.6 Nothing Found
ArcaVir Found nothing
Avast 4.6.695.0 Nothing Found
AVG 718 Nothing Found
Avira 6.32.0.6 Nothing Found
BitDefender 7.2 Nothing Found
CAT-QuickHeal 8.00 Nothing Found
ClamAV devel-20050917 Nothing Found
DrWeb 4.32b Nothing Found
eTrust-Iris 7.1.194.0 Nothing Found
eTrust-Vet 11.9.1.0 Nothing Found
Ewido Nothing Found
Fortinet Nothing Found
F-Prot 3.16c Nothing Found
Ikarus 0.2.59.0 Nothing Found
Kaspersky 4.0.2.24 Nothing Found
McAfee 4590 Nothing Found
Microsoft Antispyware - Trojan.Downloader.AdMSI
NOD32v2 1.1233 Nothing Found
Norman 5.70.10 Nothing Found
Panda 8.02.00 Nothing Found
Sophos 3.98.0 Nothing Found
Spybot Search & Destroy Nothing Found
Symantec 8.0 Nothing Found
TheHacker 5.8.2.115 Nothing Found
UNA Nothing Found
VBA32 3.10.4 Nothing Found
So in my opinion this would be a false positive, as the alternatives would be that MSAS is finding a Trojan in one of its own files, or the Trojan is using the MS name and file information and no other company knows about it.
I've only seen two cases of this detection and both were in a temp folder with this path to the file:
C:\documents_and_settings\owner\local_settings\temp\is-(Various)\_shfoldr.dll
I'm guessing it might be connected to "Inno Setup" in some way:
http://www.jrsoftware.org/isinfo.php
Regards
Andy
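The triage Andy did by hand (hash the flagged file, read its version resource, compare with a known-good shfolder.dll) as an added PowerShell example; it is not part of the original post. It also checks the Authenticode signature, which the post does not, and all paths in the usage line are assumptions.

```powershell
# Added example: compare a flagged DLL against known-good copies on hash, size,
# version-resource fields and Authenticode status, and flag the one mismatch the
# post shows: file renamed to _shfoldr.dll while the resource says shfolder.dll.
function Compare-SuspectDll {
    param(
        [Parameter(Mandatory)] [string]   $Suspect,
        [Parameter(Mandatory)] [string[]] $KnownGood
    )

    $s   = Get-Item -LiteralPath $Suspect
    $vi  = $s.VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $Suspect

    $report = [ordered]@{
        Path             = $s.FullName
        SizeBytes        = $s.Length
        MD5              = (Get-FileHash -LiteralPath $Suspect -Algorithm MD5).Hash.ToLower()
        SHA256           = (Get-FileHash -LiteralPath $Suspect -Algorithm SHA256).Hash.ToLower()
        FileVersion      = $vi.FileVersion
        ProductVersion   = $vi.ProductVersion
        OriginalFilename = $vi.OriginalFilename
        CompanyName      = $vi.CompanyName
        # Valid / NotSigned / HashMismatch. Many Microsoft system files are
        # catalog-signed rather than carrying an embedded signature, so
        # NotSigned alone is not proof of tampering; a HashMismatch is.
        SignatureStatus  = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
        # Version-resource text is trivially editable, so a Microsoft company
        # name only corroborates; the hash match against a trusted copy decides.
        NameMatchesResource  = ($s.Name -ieq $vi.OriginalFilename)
        MatchesKnownGoodHash = $false
    }

    foreach ($g in $KnownGood) {
        $gh = (Get-FileHash -LiteralPath $g -Algorithm SHA256).Hash.ToLower()
        if ($gh -eq $report.SHA256) { $report.MatchesKnownGoodHash = $true }
    }

    [pscustomobject]$report
}

# Usage (hypothetical paths; the is-XXXX folder is the Inno Setup temp layout
# the post describes):
# Compare-SuspectDll -Suspect "$env:TEMP\is-XXXX\_shfoldr.dll" `
#     -KnownGood "$env:SystemRoot\System32\shfolder.dll"
```

A file that matches a trusted copy byte for byte is a renamed genuine DLL regardless of what a scanner says; one that only matches on version strings still needs the hash comparison before it is called a false positive.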