False positive on moo.dll ??

George

Hi all,

On my system (Win2k, SP4) I have mIRC V6.02 installed, an IRC client,
together with German Fun Script V2.04.

The software installs moo.dll.

moo.dll is detected as:

IRC.Lambot Backdoor
path: program files\germanfunscript\moo.dll

moo.dll is the only item detected during a deep scan and I suspect it
to be a false alarm.

Has anybody had the same experience, or does anybody know more about it?


Regards,
George
 
Bill Sanderson

There are a good many false positives, apparently. This is the right place
to post them. I'd recommend verifying that the Moo.dll on your machine is
precisely the same bits as the one installed by mIRC V6.02 or the German Fun
script--just to be sure the file hasn't been modified in some malicious way.
 
George

Thx for quick answer, Bill

The dll seems to be harmless. Other sources on the net list the dll in
the context of an IRC worm but classify it as a regular file. Besides
this, the dll is widely used.

The dll on my system has not been modified since installation (log),
same size, same "last modified" date.

I'm in the process of finding a clean original moo.dll to compare/verify the
content, but I do not expect to meet with any surprise.

I will post the verification result.


Greets,
George
 
Bill Sanderson

I expect that it will check out fine--but the only way to be certain is to
really do the compare, and I'd hate to have said to somebody that it was
probably fine only to find that it was possible for the file to be infected
and be dangerous.
 
George

moo.dll which comes with German Fun Script V2.04 (an mIRC script):

size: 88,0 KB (90.112 bytes)
last modified: 28. April 2001, 19:18:04

is definitively not a threat,
but reported by MSAS Beta 1
Spyware Definition Version: 5680 (12.01.05 20:28:32)
as IRC.Lambot Backdoor

George
 
Bill Sanderson

Thanks! There is one more thing you can do, perhaps.

If you navigate to this file via one of the Tools, advanced tools, system
explorers, you can submit the file to Spynet.
 
George

I didn't find out how to navigate to a file and then submit the file to Spynet, using "Tools, advanced tools, system explorers ...".

After the scan there is a chance to "Send to Spynet" - do you mean this, when I click Yes?
(Sorry for posting a large HTML article, but I didn't know how to show you what I can see ...)

I did it.

(pls continue reading below the pic)



In the folder where the "spyware" moo.dll was found I've stored a copy of the file and named it "moo.dll.CopyOf". This file, although of identical content, was not reported as spyware ... looks like they check for the file name only :-(((. Scan was a full system scan.

Regards,
George
 
Bill Sanderson

George--my apologies. I'm not sure what I was thinking of. I have a
definite recollection of seeing a point in the program where you could do
file submissions, and also noticing that it wasn't clear whether it was
functional--there was no feedback to the user.

I can't find it now, and I believe that there is no method to submit a
binary to the Microsoft team working on this product at this time.

FWIW, there is now a direct link to a form for resolution of false positives
that a vendor can use:

http://www.spynet.com/falsepositive.aspx


I agree that your test of renaming the file looks bad. Microsoft is reading
these groups, and I hope that this detection will be improved as a result of
these postings.
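
The bit-for-bit compare recommended earlier in the thread and the renamed-copy test, as an added example that is not part of any post here: equal size and "last modified" date do not show two files are identical, while a content hash does and is unaffected by the file name. The file names, bytes and timestamp below are constructed stand-ins, not the real moo.dll.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def compare_to_reference(installed, reference):
    """Report what each check says about `installed` versus a known-good `reference`."""
    a, b = os.stat(installed), os.stat(reference)
    return {
        "same_size": a.st_size == b.st_size,
        "same_mtime": int(a.st_mtime) == int(b.st_mtime),
        "same_content": sha256_of(installed) == sha256_of(reference),
    }

def demo():
    """Build constructed sample files and run the comparison on them."""
    d = tempfile.mkdtemp()
    ref = os.path.join(d, "moo.dll.reference")    # stands in for a clean original
    renamed = os.path.join(d, "moo.dll.CopyOf")   # identical bytes, different name
    altered = os.path.join(d, "moo.dll")          # one byte differs
    data = bytes(range(256)) * 352                # constructed 90,112-byte stand-in
    changed = bytearray(data)
    changed[1000] ^= 0xFF                         # change one byte, length unchanged
    stamp = 988485484                             # constructed timestamp for all three
    for path, content in ((ref, data), (renamed, data), (altered, bytes(changed))):
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (stamp, stamp))
    return compare_to_reference(renamed, ref), compare_to_reference(altered, ref)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Only `same_content` separates the altered file from the reference; the renamed copy matches on all three checks.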
 
moo.dll

Hello, I write mIRC, and FYI moo.dll is not a backdoor. It's Microsoft trying to stop us from using it 'cause it helps vin to get on MSN chats. I've been using it for over 5 years and never had any problems with my PC at all, so don't worry, mate. Go to www.influenced.net, that's the people that made it. Anyway, peace y'all.


♠♥ÐRÃĠÕÑ₪MŧŦER♣♦™


Elite Force Scripts™
 
Is moo.dll a virus or backdoor?
No, this is often a misconception, as moo.dll is sometimes packaged up with trojans made with mIRC, such as GTbot; it is then used to retrieve that system's information. It is NOT possible for moo.dll to be a backdoor or virus as it does not have the functionality to do so; all it does is return strings of text.

HndlWCare: he may have written what incorporates moo.dll, but he did not write moo.dll — moo.dll was written by a college roommate of one of our ops who has admitted inserting a backdoor into it.
Marky: don’t make me laugh.. check any antivirus website where a virus which has included moo.dll has been disassembled - check the description of moo.dll.. it’s usually “harmless mirc addon” or suchlike.. and you can be sure the anti virus people have disassembled it thoroughly.

Source: http://www.hm2k.com/projects/moo

Sorry for bringing this old topic up, but I just wanted to clear that up.
 
