False positive?

Daave

Okay, this is a new one.

(I'm running 98 SE)

On a whim, I decided to do the Symantec online virus scan. The message:

Your computer is infected with at least one known virus or Trojan horse.

c:\WINDOWS\SYSTEM32\msmsgre.dll is infected with Trojan Horse

---------------------------------------------------------------

Interestingly, there's no mention *anywhere* on symantec.com of
msmsgre.dll!

I then decided to visit http://virusscan.jotti.org/ for more opinions.
The results:

Service load: 0% 100%

File: msmsgre.dll
Status: INFECTED/MALWARE
MD5 32883c56a4cb283d06cfb1f03f003b26
Packers detected: -

Scanner results
Scan taken on 08 Apr 2007 17:20:06 (GMT)
AntiVir Found ADSPY/Agent.o.1
ArcaVir Found Adware.Agent.O
Avast Found nothing
AVG Antivirus Found Generic.NDP
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Agent.o (4, 1, 400)
Fortinet Found W32/Agent
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Agent.o
NOD32 Found nothing
Norman Virus Control Found W32/Agent.VIC
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found AdWare.Win32.Agent.o

---------------------------------------------------------------

Right-clicking to get this file's Properties:

Type: Application Extension
Location: C:\WINDOWS\SYSTEM32
Size: 136 KB (139,264 bytes), 139,264 bytes used
MS-DOS name: MSMSGRE.DLL
Created: Monday, January 01, 2001 8:51:25 AM
Modified: Monday, January 01, 2001 8:51:26 AM
Attributes: Archive
File Version: 5, 1, 2600, 0
Description: Messenger Service Extension Module

Copyright: Copyright 2000

---------------------------------------------------------------

Opening the .dll file in Wordpad yielded some clues (amidst characters
which were illegible):

Software\SourceSafe\1.0

http://safe.w2kserver2.com/

Content type: application/x-www-form-urlencoded

MyOverlayIcon\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

CorExitProcess

mscoree.dll

Messenger ServiceExt Extension

Microsoft Visual C++ Runtime Library

buffer overrun has been detected which has corrupted the program's
internal state. The program cannot safely continue execution and must
now be terminated.

Unknown security failure detected!

R6029
This application cannot run using the active version of the Microsoft
.NET Runtime

c:\Install Ads\igal\Random job\Messenger Service\Release\adw.pdb

InitializeCriticalSectionAndSpinCount

HeapDestroy
HeapFree

AVout_of_range

CLSID = s '{C2DC6E27-64F9-4273-9623-D74617325F62}'
CurVer = s 'Messenger Service.Messenger ServiceExt.1'

NoRemove ShellIconOverlayIdentifiers
ForceRemove MyOverlayIcon1 = s '{C2DC6E27-64F9-4273-9623-D74617325F62}'

---------------------------------------------------------------

Finally, a Web search yielded:

http://kichik.net/

Even more evil files
Dec 15th, 2006 by kichik

While searching for the complete list of registry keys used by NSIS
Media, I found yet another update server for an even older version. Only
this server seems a bit different, it's for removal of NSIS Media. Its
output contains a URL for an installer that removes a lot of files and
registry keys I haven't ever seen.

auole4.dll
aviprope.dll
brwe042.dll
cabext32.dll
cagt041.dll
cryptdbe.dll
direjmod.dll
dobj01e.dll
dspmode.dll
dsq052e.dll
edk052.dll
iccext.dll
icmmext.dll
mail052e.dll
msgetm.dll
msgsple.dll

* msmsgre.dll *

mssfdr.dll
ntext052.dll
ntfssetx.dll
prtmde3.dll
shllimgd.dll
slpube03.dll
splsrv4.dll
syncmte.dll
tragte.dll
vidcpl2.dll
vlcx052.dll
wint042e.dll

Expect a complete NSIS Media remover very soon

Daave

Daave said:
Okay, this is a new one.

(I'm running 98 SE)

On a whim, I decided to do the Symantec online virus scan. The
message:

Your computer is infected with at least one known virus or Trojan
horse.

c:\WINDOWS\SYSTEM32\msmsgre.dll is infected with Trojan Horse

---------------------------------------------------------------

Interestingly, there's no mention *anywhere* on symantec.com of
msmsgre.dll!

I then decided to visit http://virusscan.jotti.org/ for more opinions.
The results:

Service load: 0% 100%

File: msmsgre.dll
Status: INFECTED/MALWARE
MD5 32883c56a4cb283d06cfb1f03f003b26
Packers detected: -

Scanner results
Scan taken on 08 Apr 2007 17:20:06 (GMT)
AntiVir Found ADSPY/Agent.o.1
ArcaVir Found Adware.Agent.O
Avast Found nothing
AVG Antivirus Found Generic.NDP
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Agent.o (4, 1, 400)
Fortinet Found W32/Agent
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Agent.o
NOD32 Found nothing
Norman Virus Control Found W32/Agent.VIC
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found AdWare.Win32.Agent.o

---------------------------------------------------------------

Right-clicking to get this file's Properties:

Type: Application Extension
Location: C:\WINDOWS\SYSTEM32
Size: 136 KB (139,264 bytes), 139,264 bytes used
MS-DOS name: MSMSGRE.DLL
Created: Monday, January 01, 2001 8:51:25 AM
Modified: Monday, January 01, 2001 8:51:26 AM
Attributes: Archive
File Version: 5, 1, 2600, 0
Description: Messenger Service Extension Module

Copyright: Copyright 2000

---------------------------------------------------------------

Opening the .dll file in Wordpad yielded some clues (amidst characters
which were illegible):

Software\SourceSafe\1.0

http://safe.w2kserver2.com/

Content type: application/x-www-form-urlencoded

MyOverlayIcon\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

CorExitProcess

mscoree.dll

Messenger ServiceExt Extension

Microsoft Visual C++ Runtime Library

buffer overrun has been detected which has corrupted the program's
internal state. The program cannot safely continue execution and must
now be terminated.

Unknown security failure detected!

R6029
This application cannot run using the active version of the Microsoft
.NET Runtime

c:\Install Ads\igal\Random job\Messenger Service\Release\adw.pdb

InitializeCriticalSectionAndSpinCount

HeapDestroy
HeapFree

AVout_of_range

CLSID = s '{C2DC6E27-64F9-4273-9623-D74617325F62}'
CurVer = s 'Messenger Service.Messenger ServiceExt.1'

NoRemove ShellIconOverlayIdentifiers
ForceRemove MyOverlayIcon1 = s '{C2DC6E27-64F9-4273-9623-D74617325F62}'

---------------------------------------------------------------

Finally, a Web search yielded:

http://kichik.net/

Even more evil files
Dec 15th, 2006 by kichik

While searching for the complete list of registry keys used by NSIS
Media, I found yet another update server for an even older version.
Only this server seems a bit different, it's for removal of NSIS
Media. Its output contains a URL for an installer that removes a lot
of files and registry keys I haven't ever seen.

auole4.dll
aviprope.dll
brwe042.dll
cabext32.dll
cagt041.dll
cryptdbe.dll
direjmod.dll
dobj01e.dll
dspmode.dll
dsq052e.dll
edk052.dll
iccext.dll
icmmext.dll
mail052e.dll
msgetm.dll
msgsple.dll

* msmsgre.dll *

mssfdr.dll
ntext052.dll
ntfssetx.dll
prtmde3.dll
shllimgd.dll
slpube03.dll
splsrv4.dll
syncmte.dll
tragte.dll
vidcpl2.dll
vlcx052.dll
wint042e.dll

Expect a complete NSIS Media remover very soon

Addendum:

Created by MIDL version 6.00.0361 at Mon Jan 01 17:20:40 2001

David H. Lipman

From: "Daave" <[email protected]>

| Okay, this is a new one.
|
| (I'm running 98 SE)
|
| On a whim, I decided to do the Symantec online virus scan. The message:
|
| Your computer is infected with at least one known virus or Trojan horse.
|
| c:\WINDOWS\SYSTEM32\msmsgre.dll is infected with Trojan Horse
|

< snip >

The findings are too consistent to be a False Positive.
It is very likely an AdWare Trojan, Win32.Agent.o
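To make the consistency argument concrete, here is an added example (not code from the thread or from Jotti) that parses the scanner results posted above, counts how many engines flagged the file, normalises the vendor labels to a family token and reports how many of the detections agree on it. The verdict thresholds are this example's own heuristic, not a Jotti or vendor rule.

```python
import re
from collections import Counter

# The multi-scanner results posted in the thread (Jotti, 08 Apr 2007), one
# scanner per line, exactly as they appear there.
JOTTI_RESULTS = """\
AntiVir Found ADSPY/Agent.o.1
ArcaVir Found Adware.Agent.O
Avast Found nothing
AVG Antivirus Found Generic.NDP
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Agent.o (4, 1, 400)
Fortinet Found W32/Agent
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Agent.o
NOD32 Found nothing
Norman Virus Control Found W32/Agent.VIC
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found AdWare.Win32.Agent.o
"""

# Tokens that describe a class or platform rather than a family name, so they
# must not count as agreement between vendors.
GENERIC_TOKENS = {"not", "a", "virus", "win32", "w32", "adware", "adspy",
                  "generic", "trojan", "malware"}
ADWARE_MARKERS = ("adware", "adspy", "not-a-virus")


def parse_results(text):
    """Yield (scanner, label) pairs; label is None when nothing was found."""
    for line in text.splitlines():
        if " Found " not in line:
            continue
        scanner, label = line.split(" Found ", 1)
        label = label.strip()
        yield scanner.strip(), (None if label.lower() == "nothing" else label)


def family_tokens(label):
    """Reduce a vendor label to the tokens that could name a family."""
    tokens = re.split(r"[^a-z0-9]+", label.lower())
    return [t for t in tokens
            if len(t) > 2 and not t.isdigit() and t not in GENERIC_TOKENS]


def assess(text):
    """Summarise cross-vendor agreement.

    The verdict rule is this example's own heuristic: three or more hits with
    at least half of them naming the same family counts as consistent.
    """
    rows = list(parse_results(text))
    labels = [label for _scanner, label in rows if label]
    votes = Counter(t for label in labels for t in family_tokens(label))
    family, family_votes = votes.most_common(1)[0] if votes else (None, 0)
    adware = sum(1 for label in labels
                 if any(m in label.lower() for m in ADWARE_MARKERS))
    if len(labels) >= 3 and family_votes * 2 >= len(labels):
        verdict = "consistent"
    elif len(labels) <= 1:
        verdict = "isolated"
    else:
        verdict = "mixed"
    return {
        "total": len(rows),
        "detections": len(labels),
        "family": family,
        "family_votes": family_votes,
        "adware_labels": adware,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = assess(JOTTI_RESULTS)
    print(f"{report['detections']}/{report['total']} scanners flagged the file; "
          f"{report['family_votes']} name the '{report['family']}' family "
          f"({report['adware_labels']} as adware): verdict {report['verdict']}")
```

A single hit with a generic label (AVG's Generic.NDP here) is the pattern a false positive usually shows; several independent vendors converging on one named family, most of them classifying it as adware rather than a trojan, is the opposite pattern. Agreement is still evidence rather than proof, because vendors share samples and signatures, which is why the report keeps the raw counts alongside the verdict.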

Bullseye

Okay, this is a new one.

(I'm running 98 SE)

On a whim, I decided to do the Symantec online virus scan. The message:

Your computer is infected with at least one known virus or Trojan horse.

c:\WINDOWS\SYSTEM32\msmsgre.dll is infected with Trojan Horse

---------------------------------------------------------------
<Snip>

I would say it is very likely there is a problem due to the fact that
Windows Messenger is very susceptible to buffer overflow problems.

From http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=26347

"Microsoft Windows Messenger Service contains a vulnerability that can
allow an attacker to cause a denial of service or possibly execute
arbitrary code. The vulnerability is due to the Messenger service failing
to validate the size of a message before processing it. Attackers can
exploit the vulnerability by sending a carefully constructed message to the
Messenger Service to overflow the allocated buffer."

From http://secunia.com/advisories/10012/ which lists this vulnerability
as "Highly Critical":

"Microsoft has issued patches for Microsoft Windows to fix a buffer
overflow vulnerability in Messenger Service, which could lead to execution
of arbitrary code.

The problem is that the Messenger Service doesn't verify the length of
messages. This allows malicious people to send messages, which causes a
buffer overflow that may allow execution of arbitrary code.

The vulnerability only affects systems where the Messenger Service is
enabled.

The Messenger Service is disabled by default on Microsoft Windows 2003."

This could be a real problem with Windows 98 no longer being supported, as
(according to this site) patches are only available for newer systems.

However, F-Secure AV website has info on how to block this vulnerability:

"How to block buffer overflow attack
Solution / Workaround
1) Create a service definition for the Windows messaging service.
- open the IS/DFW advanced GUI
- click on the "Services" tab
- click on "Add..."
- Write description: Windows Messenger Service
- click "Next"
- Choose protocol: UDP (17)
- check "Allow broadcasts" and "Allow multicasts"
- Edit the initiator ports (click "Edit...")
- click on the entry that says 1024-65535
- in the "Range" starting field, change start value to 1.
- click "Add to list"
- remove the 1024-65535 entry, leaving only the new one
- click "OK"
- Edit the responder ports (click "Edit...")
- write 135 in the "Single" input field
- click "Add to list" and

2) Create a deny service to block this traffic:
- click on the "Rules" tab
- click the "Add..." button
- choose "Deny"
- define a rule name, e.g. Inbound Windows Messenger traffic
- click "Next"
- make sure "Any IP address" is checked and click "Next"
- check the Windows Messenger Service you created in 1)
- mark it as inbound (by clicking the question mark until the inbound arrow is shown)
- click "Next"
- choose "No alert" (or alerting if you want) and press "Next"
- click "Finish"

You are now protected."

I hope the little bit of info I've provided helps in some way.

Daave

This could be a real problem with Windows 98 no longer being supported, as
(according to this site) patches are only available for newer systems.

However, F-Secure AV website has info on how to block this
vulnerability:

"How to block buffer overflow attack
Solution / Workaround
1) Create a service definition for the Windows messaging service.
- open the IS/DFW advanced GUI
- click on the "Services" tab
- click on "Add..."
- Write description: Windows Messenger Service
- click "Next"
- Choose protocol: UDP (17)
- check "Allow broadcasts" and "Allow multicasts"
- Edit the initiator ports (click "Edit...")
- click on the entry that says 1024-65535
- in the "Range" starting field, change start value to 1.
- click "Add to list"
- remove the 1024-65535 entry, leaving only the new one
- click "OK"
- Edit the responder ports (click "Edit...")
- write 135 in the "Single" input field
- click "Add to list" and

2) Create a deny service to block this traffic:
- click on the "Rules" tab
- click the "Add..." button
- choose "Deny"
- define a rule name, e.g. Inbound Windows Messenger traffic
- click "Next"
- make sure "Any IP address" is checked and click "Next"
- check the Windows Messenger Service you created in 1)
- mark it as inbound (by clicking the question mark until the inbound arrow is shown)
- click "Next"
- choose "No alert" (or alerting if you want) and press "Next"
- click "Finish"

You are now protected."

I hope the little bit of info I've provided helps in some way.


Most definitely. Thank you much!