Trojan horse Generic5.GUH

sobriquet

Hi.
AVG recently started complaining about a file that supposedly was
infected with "Trojan horse Generic5.GUH". I fear I have already run
the executable on a Vista Premium laptop and XP pro (SP2) pc before
AVG was able to detect it.
Does anyone know of any detailed online info about this security
threat and maybe specific instructions how to remove it?

Thx in advance & kind regards, Niek
 
David H. Lipman

From: "sobriquet" <[email protected]>

|
| Hi.
| AVG recently started complaining about a file that supposedly was
| infected with "Trojan horse Generic5.GUH". I fear I have already run
| the executable on a Vista Premium laptop and XP pro (SP2) pc before
| AVG was able to detect it.
| Does anyone know of any detailed online info about this security
| threat and maybe specific instructions how to remove it?
|
| Thx in advance & kind regards, Niek

Unfortunately Grisoft's virus encyclopedia leaves much to be desired, so I doubt you will
find specifics on this "generic" Trojan.

However, you can submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.

Once we see what other anti virus vendors declare this file to be, we may be able to check
their respective libraries and see what this Trojan is all about.
 
sobriquet

David H. Lipman said:
> From: "sobriquet" <[email protected]>
>
> |
> | Hi.
> | AVG recently started complaining about a file that supposedly was
> | infected with "Trojan horse Generic5.GUH". I fear I have already run
> | the executable on a Vista Premium laptop and XP pro (SP2) pc before
> | AVG was able to detect it.
> | Does anyone know of any detailed online info about this security
> | threat and maybe specific instructions how to remove it?
> |
> | Thx in advance & kind regards, Niek
>
> Unfortunately Grisoft's virus encyclopedia leaves much to be desired, so I doubt you will
> find specifics on this "generic" Trojan.
>
> However, you can submit a sample to Virus Total -- http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors' scanners.
> That will give you an idea what it is and who recognizes it. In addition, unless told
> otherwise, Virus Total will provide the sample to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email URL...
> mailto:[email protected]?subject=SCAN
>
> When you get the report, please post back the exact results.
>
> Once we see what other anti virus vendors declare this file to be, we may be able to check
> their respective libraries and see what this Trojan is all about.

Thx for the help.
Somehow I can only submit the file compressed in rar format (Vista
won't let me send the exe file itself). I've also mailed it as a
rarred attachment to (e-mail address removed) (with "SCAN" as the subject).
The file is a patch for a program that was downloaded from eMule
(program + patch). Needless to say, I know p2p is risky, not to
mention illegal (at least in the Netherlands where I live, as far as
copyrighted software is concerned). But I also know that patches
occasionally get falsely identified as trojans or malware.

Here are some preliminary results from virustotal.com:

File Trojan_horse_Generic5.GUH.rar received on 08.11.2007 03:26:06 (CET)

Result: 4/32 (12.5%)

Antivirus Version Last Update Result
AhnLab-V3 2007.8.9.2 2007.08.10 -
AntiVir 7.4.0.60 2007.08.10 -
Authentium 4.93.8 2007.08.10 -
Avast 4.7.1029.0 2007.08.10 -
AVG 7.5.0.476 2007.08.10 Generic5.GUH
BitDefender 7.2 2007.08.11 -
CAT-QuickHeal 9.00 2007.08.10 -
ClamAV 0.91 2007.08.11 -
DrWeb 4.33 2007.08.11 -
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5050 2007.08.11 -
Ewido 4.0 2007.08.10 -
FileAdvisor 1 2007.08.11 -
Fortinet 2.91.0.0 2007.08.11 -
F-Prot 4.3.2.48 2007.08.10 -
F-Secure 6.70.13030.0 2007.08.11 -
Ikarus T3.1.1.12 2007.08.10 Trojan.HackTool.Patch.A
Kaspersky 4.0.2.24 2007.08.11 -
McAfee 5095 2007.08.10 -
Microsoft 1.2704 2007.08.11 HackTool:Win32/Patch.A
NOD32v2 2450 2007.08.10 -
Norman 5.80.02 2007.08.10 -
Panda 9.0.0.4 2007.08.10 -
Prevx1 V2 2007.08.11 -
Rising 19.35.42.00 2007.08.10 -
Sophos 4.19.0 2007.08.01 Troj/Patch-F
Sunbelt 2.2.907.0 2007.08.11 -
Symantec 10 2007.08.11 -
TheHacker 6.1.7.166 2007.08.10 -
VBA32 3.12.2.2 2007.08.10 -
VirusBuster 4.3.26:9 2007.08.10 -
Webwasher-Gateway 6.0.1 2007.08.10 -
Additional information
File size: 7979 bytes
MD5: 2b8744a5413f15117ba1434cb4938b01
SHA1: 06a5910083563fb5350dd5d2281ca4e22d7022c7
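The two steps David Lipman describes (submit the sample, then read which engines fire and under what name) and the report posted above are the kind of thing worth automating when you triage more than one file. The following Python script is an added example written for this page; it is not code from the thread or from VirusTotal. It parses a plain-text report of exactly the layout quoted above (embedded here as a constructed sample, copied from the post so the script runs offline), computes the detection ratio, lists the engines that fired, finds the family word their verdict names have in common, flags the engine whose definitions were oldest at scan time, and checks that the bytes you hold are the same object the report describes by recomputing MD5 and SHA1. The row regex and the "name/version/date/verdict" column assumption are my own reading of the report format, and note that the report names the .rar archive, not the bare .exe, as the scanned object.

```python
import hashlib
import re
from collections import Counter

# Constructed sample: the VirusTotal report quoted in the post above, embedded
# verbatim so the example runs offline. Note the scanned object is the .rar.
SAMPLE_REPORT = """\
File Trojan_horse_Generic5.GUH.rar received on 08.11.2007 03:26:06 (CET)
Result: 4/32 (12.5%)
Antivirus Version Last Update Result
AhnLab-V3 2007.8.9.2 2007.08.10 -
AntiVir 7.4.0.60 2007.08.10 -
Authentium 4.93.8 2007.08.10 -
Avast 4.7.1029.0 2007.08.10 -
AVG 7.5.0.476 2007.08.10 Generic5.GUH
BitDefender 7.2 2007.08.11 -
CAT-QuickHeal 9.00 2007.08.10 -
ClamAV 0.91 2007.08.11 -
DrWeb 4.33 2007.08.11 -
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5050 2007.08.11 -
Ewido 4.0 2007.08.10 -
FileAdvisor 1 2007.08.11 -
Fortinet 2.91.0.0 2007.08.11 -
F-Prot 4.3.2.48 2007.08.10 -
F-Secure 6.70.13030.0 2007.08.11 -
Ikarus T3.1.1.12 2007.08.10 Trojan.HackTool.Patch.A
Kaspersky 4.0.2.24 2007.08.11 -
McAfee 5095 2007.08.10 -
Microsoft 1.2704 2007.08.11 HackTool:Win32/Patch.A
NOD32v2 2450 2007.08.10 -
Norman 5.80.02 2007.08.10 -
Panda 9.0.0.4 2007.08.10 -
Prevx1 V2 2007.08.11 -
Rising 19.35.42.00 2007.08.10 -
Sophos 4.19.0 2007.08.01 Troj/Patch-F
Sunbelt 2.2.907.0 2007.08.11 -
Symantec 10 2007.08.11 -
TheHacker 6.1.7.166 2007.08.10 -
VBA32 3.12.2.2 2007.08.10 -
VirusBuster 4.3.26:9 2007.08.10 -
Webwasher-Gateway 6.0.1 2007.08.10 -
Additional information
File size: 7979 bytes
MD5: 2b8744a5413f15117ba1434cb4938b01
SHA1: 06a5910083563fb5350dd5d2281ca4e22d7022c7
"""

# One scanner row: engine, version, definition date (YYYY.MM.DD), verdict.
# The date token anchors the match; header and footer lines never have one.
# (Assumed column layout, taken from the report as posted.)
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")


def parse_report(text):
    """Plain-text report -> {'rows': [(engine, version, updated, verdict|None)], 'md5', 'sha1'}."""
    report = {"rows": []}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            engine, version, updated, verdict = m.groups()
            report["rows"].append((engine, version, updated, None if verdict == "-" else verdict))
        elif line.startswith(("MD5:", "SHA1:")):
            key, value = line.split(":", 1)
            report[key.lower()] = value.strip().lower()
    return report


def detections(report):
    """Engines that fired, mapped to the name each one used."""
    return {engine: verdict for engine, _, _, verdict in report["rows"] if verdict}


def detection_ratio(report):
    return len(detections(report)), len(report["rows"])


def common_terms(report, min_count=2, min_len=3):
    """Family words shared by several verdicts. Four engines firing with four
    unrelated names is noise; three of them agreeing on 'patch' is a classification."""
    counts = Counter()
    for name in detections(report).values():
        counts.update({t for t in re.split(r"[^A-Za-z0-9]+", name.lower()) if len(t) >= min_len})
    return {term for term, n in counts.items() if n >= min_count}


def stalest_engine(report):
    """Engine whose definitions were oldest at scan time (YYYY.MM.DD sorts as text)."""
    return min(report["rows"], key=lambda row: row[2])[0]


def hashes_of(data):
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def matches_report(data, report):
    """True only if the bytes in hand are exactly the object VirusTotal scanned."""
    return hashes_of(data) == (report.get("md5"), report.get("sha1"))
```

Running `parse_report(SAMPLE_REPORT)` and then `detection_ratio`, `detections` and `common_terms` on the result reproduces the 4/32 figure, names AVG, Ikarus, Microsoft and Sophos, and returns {"hacktool", "patch"}: three of the four engines that fired agree on a "patch" classification, which is the observation the later replies make by eye. `stalest_engine` points at Sophos (definitions dated 2007.08.01, ten days older than the rest), a detail worth knowing before weighing one engine's verdict against another's. `matches_report` is the check to run on the local file before trusting any report: if the hashes differ, the report is about some other bytes.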
 
joe black

sobriquet said:
> Result: 4/32 (12.5%)
>
> Antivirus Version Last Update Result
> AhnLab-V3 2007.8.9.2 2007.08.10 -
> AntiVir 7.4.0.60 2007.08.10 -
> Authentium 4.93.8 2007.08.10 -
> Avast 4.7.1029.0 2007.08.10 -
> AVG 7.5.0.476 2007.08.10 Generic5.GUH
> BitDefender 7.2 2007.08.11 -
> CAT-QuickHeal 9.00 2007.08.10 -
> ClamAV 0.91 2007.08.11 -
> DrWeb 4.33 2007.08.11 -
> eSafe 7.0.15.0 2007.08.10 -
> eTrust-Vet 31.1.5050 2007.08.11 -
> Ewido 4.0 2007.08.10 -
> FileAdvisor 1 2007.08.11 -
> Fortinet 2.91.0.0 2007.08.11 -
> F-Prot 4.3.2.48 2007.08.10 -
> F-Secure 6.70.13030.0 2007.08.11 -
> Ikarus T3.1.1.12 2007.08.10 Trojan.HackTool.Patch.A
> Kaspersky 4.0.2.24 2007.08.11 -
> McAfee 5095 2007.08.10 -
> Microsoft 1.2704 2007.08.11 HackTool:Win32/Patch.A
> NOD32v2 2450 2007.08.10 -
> Norman 5.80.02 2007.08.10 -
> Panda 9.0.0.4 2007.08.10 -
> Prevx1 V2 2007.08.11 -
> Rising 19.35.42.00 2007.08.10 -
> Sophos 4.19.0 2007.08.01 Troj/Patch-F
> Sunbelt 2.2.907.0 2007.08.11 -
> Symantec 10 2007.08.11 -
> TheHacker 6.1.7.166 2007.08.10 -
> VBA32 3.12.2.2 2007.08.10 -
> VirusBuster 4.3.26:9 2007.08.10 -
> Webwasher-Gateway 6.0.1 2007.08.10 -
> Additional information
> File size: 7979 bytes
> MD5: 2b8744a5413f15117ba1434cb4938b01
> SHA1: 06a5910083563fb5350dd5d2281ca4e22d7022c7

The fact that some of the more reputable products did not alert would
suggest it may be a false positive, very typical of AVG.
 
Dustin Cook

joe black said:
> The fact that some of the more reputable products did not alert would
> suggest it may be a false positive, very typical of AVG.

Sophos is a very reputable product, and it too alarmed on it. If you have
the time, I'd also like a copy of the rar file. I'd be happy to analyze
it.


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: (e-mail address removed)
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 
sobriquet

Dustin Cook said:
> Sophos is a very reputable product, and it too alarmed on it. If you have
> the time, I'd also like a copy of the rar file. I'd be happy to analyze
> it.
>
> --
> Dustin Cook
> Author of BugHunter - MalWare Removal Tool - v2.2c
> email: (e-mail address removed)
> web..: http://bughunter.it-mate.co.uk
> Pad..: http://bughunter.it-mate.co.uk/pad.xml

Here you go, thx in advance for the analysis:

http://www.ibbu.nl/~nsprakel/trojan.rar
 
miner.-

sobriquet said:
> Here you go, thx in advance for the analysis:
>
> http://www.ibbu.nl/~nsprakel/trojan.rar

Very often AVs will detect legitimate software as malware because it
displays malware like actions.
If in doubt
1) Don't run it
2) Submit it to your AV company as if it is a false positive they need to
correct it
3) If you know any malware experts then you can submit it to them and they
can look at the code

miner.-
 
Ant

sobriquet said:
> The file is a patch for a program that was downloaded from eMule
> (program + patch). Needless to say, I know p2p is risky, not to
> mention illegal (at least in the Netherlands where I live, as far as
> copyrighted software is concerned). But I also know that patches
> occasionally get falsely identified as trojans or malware.
>
> Here are some preliminary results from virustotal.com:
> Microsoft 1.2704 2007.08.11 HackTool:Win32/Patch.A
> Sophos 4.19.0 2007.08.01 Troj/Patch-F

I've examined the file and all indications are that it appears to be
what it claims; i.e. a patching or cracking tool for other software.
It's not malware or a trojan in the classic sense, so I'm not
surprised most AVs don't detect it.

This is what Sophos has to say:

http://www.sophos.com/security/analyses/trojpatchf.html

Troj/Patch-F may be used to circumvent copyright protection for the program NuSphere 4.6.
Troj/Patch-F will create the following file:
<System>\Basemod.dll - this file is not malicious and may be deleted.
 
Dustin Cook

Ant said:
> I've examined the file and all indications are that it appears to be
> what it claims; i.e. a patching or cracking tool for other software.
> It's not malware or a trojan in the classic sense, so I'm not
> surprised most AVs don't detect it.
>
> This is what Sophos has to say:
>
> http://www.sophos.com/security/analyses/trojpatchf.html
>
> Troj/Patch-F may be used to circumvent copyright protection for the
> program NuSphere 4.6. Troj/Patch-F will create the following file:
> <System>\Basemod.dll - this file is not malicious and may be deleted.

Basemod is a plugin to play .mod files, lol, from the old Amigas.


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: (e-mail address removed)
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 
Dustin Cook

Ok, file has been taken offline.

The file itself is not malware. It is however an operational crack for a
program called Flash Renamer v5.0.2; it'll patch the registry and the
executable. It basically turns the program into a paid for copy without you
actually paying for it.

Personally, it's junk and I wouldn't use it, but it's not malware.


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: (e-mail address removed)
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 
Dustin Cook

Ant said:
> I've examined the file and all indications are that it appears to be
> what it claims; i.e. a patching or cracking tool for other software.
> It's not malware or a trojan in the classic sense, so I'm not
> surprised most AVs don't detect it.
>
> This is what Sophos has to say:
>
> http://www.sophos.com/security/analyses/trojpatchf.html
>
> Troj/Patch-F may be used to circumvent copyright protection for the
> program NuSphere 4.6. Troj/Patch-F will create the following file:
> <System>\Basemod.dll - this file is not malicious and may be deleted.

It's likely general in nature. This patch.exe is related to others which
crack other executables. It's a template program, designed by a cracking
group. Basemod.dll however is completely harmless.

--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: (e-mail address removed)
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 
sobriquet

Dustin Cook said:
> The file itself is not malware. It is however an operational crack for a
> program called Flash Renamer v5.0.2; it'll patch the registry and the
> executable. It basically turns the program into a paid for copy without you
> actually paying for it.
>
> Personally, it's junk and I wouldn't use it, but it's not malware.

You mean the flash renamer is junk or the patch?
Flash renamer seems to be a useful little utility.
 
Dustin Cook

sobriquet said:
> You mean the flash renamer is junk or the patch?
> Flash renamer seems to be a useful little utility.

I'm not familiar with flash renamer, so I can't comment. The crack
however, is imho, junk. It rips the author off. If you like the program
and the author wants money, pay for it. Or find an alternative.



--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: (e-mail address removed)
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 
sobriquet

Dustin Cook said:
> I'm not familiar with flash renamer, so I can't comment. The crack
> however, is imho, junk. It rips the author off. If you like the program
> and the author wants money, pay for it. Or find an alternative.

Well, it's probably futile to start a discussion about this, but the
way I see it, I'm not ripping off the author by using a patch or
crack. I think the real criminals are the people advocating
intellectual property.
From my perspective, information can not be owned, bought or sold,
simply because it can be duplicated indefinitely at no extra costs
(unlike physical commodities). A monetary value being associated with
things is an indication of scarcity and depends on laws of supply and
demand. In case of software or other information in digital form
(music, video, books or whatever), the supply is infinite and hence
the price is 0 regardless of the demand.
That doesn't mean I think people creating digital stuff shouldn't be
compensated for their efforts, but I just don't think they should be
compensated by passing off their digital stuff as if it's a physical
commodity.
The only sensible alternative imho is a tax on information so people
can share stuff freely online and the government should monitor what
things are exchanged, tax information and dispense the collected taxes
among people who create fresh content.
Until such a system is implemented, I will use cracks and patches
because I simply deny the validity of the whole concept of
intellectual property. In my opinion property is only property as long
as people have control over it. If I throw my money out on the
streets, it's no longer my property and it would be silly for me to
accuse people of stealing my money if I freely scatter it wherever I
go (kind of similar to how authors claim to remain in possession of
their creations no matter how widely they are distributed).
Copyright was originally invented to avoid unfair competition amongst
centralized commercial distributors and it's not applicable to
decentralized online distribution for noncommercial purposes.
 
Dustin Cook

sobriquet said:
> Well, it's probably futile to start a discussion about this, but the
> way I see it, I'm not ripping off the author by using a patch or
> crack. I think the real criminals are the people advocating
> intellectual property.

That's entirely up to you. I was giving my personal opinion of the
patch.exe you provided for analysis is all. :)

--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: (e-mail address removed)
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 
sobriquet

Dustin Cook said:
> That's entirely up to you. I was giving my personal opinion of the
> patch.exe you provided for analysis is all. :)
>
> --
> Dustin Cook
> Author of BugHunter - MalWare Removal Tool - v2.2c
> email: (e-mail address removed)
> web..: http://bughunter.it-mate.co.uk
> Pad..: http://bughunter.it-mate.co.uk/pad.xml

That's cool. I understand and respect your position as well. I was
just trying to point out how I feel about the issue.
 
