Malware in File "C:\WINDOWS\system32\Process.exe"

[steve281499]

I ran Zone Alarm Security spyware detection software last night and it
detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
\system32\Process.exe" . The Zone security suite gave me the option
to quarantine the file of to delete the file. I am wondering if the
file it is listed as being in is an actual Win 32 file? Should I
delete the file?

Thanks!

Steve

 

[Pegasus \(MVP\)]

I ran Zone Alarm Security spyware detection software last night and it
detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
\system32\Process.exe" . The Zone security suite gave me the option
to quarantine the file of to delete the file. I am wondering if the
file it is listed as being in is an actual Win 32 file? Should I
delete the file?

Thanks!

Steve

Process.exe does not appear to be a genuine Windows system file.

 

[Thee Chicago Wolf]

I ran Zone Alarm Security spyware detection software last night and it

detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
\system32\Process.exe" . The Zone security suite gave me the option
to quarantine the file of to delete the file. I am wondering if the
file it is listed as being in is an actual Win 32 file? Should I
delete the file?

Thanks!

Steve

This is not a Windows XP file. Maybe double check it using Spybot S&D
1.6.

- Thee Chicago Wolf

 

[Mike Cawood, HND BIT]

I ran Zone Alarm Security spyware detection software last night and it
detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
\system32\Process.exe" . The Zone security suite gave me the option
to quarantine the file of to delete the file. I am wondering if the
file it is listed as being in is an actual Win 32 file? Should I
delete the file?

Thanks!

Steve

Delete it then restart the computer.
There's no file called process.exe in my system32 folder.
Regards Mike.

 

[Rey Santos]

Read:
http://www.bleepingcomputer.com/startups/process.exe-7200.html

 

[Daave]

Process.exe does not appear to be a genuine Windows system file.

Correct.

However, there *is* a file called qprocess.exe in the system32 folder.

 

[David H. Lipman]

From: "steve281499" <[email protected]>

| I ran Zone Alarm Security spyware detection software last night and it
| detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
| \system32\Process.exe" . The Zone security suite gave me the option
| to quarantine the file of to delete the file. I am wondering if the
| file it is listed as being in is an actual Win 32 file? Should I
| delete the file?

| Thanks!

| Steve

As others have noted, there is NO legitimate PROCESS.EXE in %windir%\system32

If you are unsure...


Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition Virus
Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.

 

[David H. Lipman]

From: "Thee Chicago Wolf" <.@.>



| This is not a Windows XP file. Maybe double check it using Spybot S&D
| 1.6.

| - Thee Chicago Wolf

NO !

This is not the correct procedure. SpyBot S&D is limited in scope and will likely produce
a False Negative.

Sending the file to Virus Total is the proper methodology as you would then have your one
sample examined by 33 anti virus scanners providing both heuristics and the wealth of
100's of thousands of signatures per AV vendor.


Please submit all samples to Virus Total at...
http://www.virustotal.com/flash/index_en.html
The submission(s) will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition Virus
Total will provide the sample(s) to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

 

[MowGreen [MVP]]

Were any anti-malware tools used previously that were recommended by a
helper on an anti-malware forum ?
It is not uncommon to include process.exe in said tools.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

 

[Thee Chicago Wolf]

| This is not a Windows XP file. Maybe double check it using Spybot S&D

| 1.6.

| - Thee Chicago Wolf

NO !

This is not the correct procedure. SpyBot S&D is limited in scope and will likely produce
a False Negative.

Sending the file to Virus Total is the proper methodology as you would then have your one
sample examined by 33 anti virus scanners providing both heuristics and the wealth of
100's of thousands of signatures per AV vendor.

Give me a break. There are countless dozen utilities for determining
what this baddie is. The user isn't going to do forensics on it. They
want it deleted off their system if it is a threat. False negatives my
posterior.

- Thee Chicago Wolf

 

[Pegasus \(MVP\)]

Correct.

However, there *is* a file called qprocess.exe in the system32 folder.

So? Malware is well noted for selecting file names that resemble
those of genuine Windows files.

 

[David H. Lipman]

From: "MowGreen [MVP]" <[email protected]>

| Were any anti-malware tools used previously that were recommended by a
| helper on an anti-malware forum ?
| It is not uncommon to include process.exe in said tools.

| MowGreen [MVP 2003-2008]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============


Usually however they are placed in the same folder as the utility and not placed in
%windir%\system32 and if so it would have been probably declared differently such as a
hacktool or processkiller, etc.

 

[David H. Lipman]

From: "Thee Chicago Wolf" <.@.>



| Give me a break. There are countless dozen utilities for determining
| what this baddie is. The user isn't going to do forensics on it. They
| want it deleted off their system if it is a threat. False negatives my
| posterior.

| - Thee Chicago Wolf

Yes, beside Virus Total there is the Virus.Org scanner [ http://scanner.virus.org/ ],
Jotti [ http://virusscan.jotti.org/ ] and VirScan [ http://www.virscan.org/ ].

These are the *best* ways to to determine if a given file is malicious with (in my
opinion) Virus Total being the best of the bunch.

This is NOT forensics. This is submitting one file to a service that will have the file
tested amongst a multiture of anti virus scanners.

Using ANUBIS may be considered a forensic examination of a give EXE sample.

 

[David H. Lipman]

| So? Malware is well noted for selecting file names that resemble
| those of genuine Windows files.


Exactly. This is to obfuscate their malicious intent.

The most common name of a legitimate file is SVCHOST.EXE with a myriad of slight
variations.

 

[Daave]

So? Malware is well noted for selecting file names that resemble
those of genuine Windows files.

Good point. I only mentioned that because that might have been a typo on
Steve's part. Googling that message implied a false positive on ZA's
part.

But malware *always* needs to be ruled out. And if Steve has something
called Process.exe, it very well might be malware.

 

[PA Bear [MS MVP]]

Did you ever download/run SmitFraudFix?

 

[MowGreen [MVP]]

It's present here in sys32 from running an older malware removal tool
for testing purposes, David. Did get an FP on it from a-squared and it
was detected as a trojan, FWIW.
If Steve ever posts back perhaps we'll find out just "what" detected it
as a trojan. <w>

MG