false positive ?

[CalmCookie]

My first searched found this in C:\windows\system32
\winsys.exe

KCGame
Type: RAT
Threat Level: Severe
Author: c0ldfyr3

Description: A Remote Administration Tool (RAT) is a
Trojan type of software that when run, provides an
attacker with the capability of remotely controlling a
user's computer (victim) over the Internet. The attacker
usually has full access to functions on the victim's
computer. The victim's computer usually listens on the
Internet for the attacker's commands.

Advice: This is an extremely high risk threat and should
be removed immediately as to prevent harm to your
computer or your privacy.

Looking at it more closely shows:
File Name : DOT Application
File Path : C:\windows\system32\winsys.exe
Publisher : NONE
File Size : 135168 bytes.

Now I know that I have a DOT application which stands for
Dynamic Over-Clocking Technology which came with the
Nvidia Graphics Driver supplied from the manafacturer of
my Graphics Card (MSI or Microstar). Have they really
planted a Trojan in my Graphics Card software?

 

[Bill Sanderson]

Check it out--see whether the file contains copyright information that ties
it to the vendor as you expect. See whether it matches what you see on the
installation media from the vendor.

This might well be a false positive--and you've posted it in the right place
to bring it to Microsoft's attention--but if it is not, you don't want it
around!

 

[CalmCookie]

Trying not to look to thick here.....but how can I
examine the contents of an exe file....ie winsys.exe

 

[CalmCookie]

I've just run the AntiSpyware on my sons PC which also
has an MSI Graphics card with an Nvidia Graphics Driver
as supplied by MSI and Dynamic Over-Clocking
Technology...that shows the same result as well. Just a
bit of a coincidence maybe...or maybe not.
Just to be on the safe side I've posted on the MSI forum
asking them if they can explain this hiccup.

 

[Bill Sanderson]

Use explorer to browse to the location of the file, right click it, and
choose Properties, and then what is most useful is the Version tab. You may
see a list of items down the left you can click on and look at the results.
Some antivirus programs add an antivirus tab that allows a scan of just that
file.

Some files will not have this information, and that isn't necessarily an
indicator of maliciousness, but the presence of consistent information, and
a good scan by an antivirus product should be reassuring.

 

[Bill Sanderson]

That information is probably reassuring, but lets get confirmation from some
source that these files are a normal part of the install.

 

[c0ldfyr3]

Strange.

This is hillarious.

winsys.exe, or KCGame as the dropper was called, was created by me about six years ago.

Not only was it written in VB 5, it is also useless without Yahoo Messenger 4 which ceased operation in 2000.

All the 'RAT' did, was sit there looking for Instant Message windows, and reading the text from each one. As soon as someone typed a command, in visible text, it acted.

I really cant beleive it made it onto so many AV/Ad-Ware lists.

This is something to show the folks =)