Zoltan Pasztor
Hello all
Spyware quarantined a registry entry - but I don't
understand why this is spyware
--
Zoltan Pasztor
*****quarantined registry entry after un-quarantining*****
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.bad]
*****not removed registry entry*****
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\BAD_auto_file]
@=""
[HKEY_CLASSES_ROOT\BAD_auto_file\shell]
[HKEY_CLASSES_ROOT\BAD_auto_file\shell\edit]
@="&Edit"
[HKEY_CLASSES_ROOT\BAD_auto_file\shell\edit\command]
@="C:\\WINDOWS\\notepad.exe %1"
[HKEY_CLASSES_ROOT\BAD_auto_file\shell\open]
[HKEY_CLASSES_ROOT\BAD_auto_file\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
  54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,\
  00
*****cleaner.log*****
30.01.2005 01:27:58::------------------------------------------------------------------
30.01.2005 01:27:58::Initializing Clean - (ScanID: 3411744F-9FBE-44F6-B9A8-B4AB05)
30.01.2005 01:27:58::Clean Threat Beast (ID:3065)
30.01.2005 01:28:02::Terminating IE
30.01.2005 01:28:05::Removing registry value HKEY_CLASSES_ROOT\.bad [=BAD_auto_file
30.01.2005 01:28:05::Removing registry value HKEY_CLASSES_ROOT\.bad
30.01.2005 01:28:05::Removing registry key HKEY_CLASSES_ROOT\.bad
30.01.2005 01:28:05::Clean Threat Beast (ID:3065) Complete
30.01.2005 01:28:06::Unititializing Clean
30.01.2005 01:28:06::------------------------------------------------------------------
*****errors.log*****
7::ln 10:Out of memory::gcasDtServ:ScheduleScans:Update::30.01.2005 00:59:08:1.0.501
7::ln 10:Out of memory::gcasDtServ:ScheduleScans:Update::30.01.2005 02:00:25:1.0.501
**********
Spyware Scan Details
Start Date: 30.01.2005 00:59:30
End Date: 30.01.2005 01:12:44
Total Time: 13 mins 14 secs
Detected Threats
Beast RAT
Status: Quarantined
Severe threat - Severe threats typically are remotely
exploitable vulnerabilities, which can lead to system
compromise. Successful exploitation does not normally
require any interaction and exploits are in the wild.
There exists a high possibility of potential system damage
or security flaw. Attacker has complete control over your
computer or install new software on your machine.
Infected registry keys/values detected
HKEY_CLASSES_ROOT\.bad
HKEY_CLASSES_ROOT\.bad BAD_auto_file
Detected Spyware Cookies
No spyware cookies were found during this scan.
*****diagnostic.log*****
Microsoft AntiSpyware version 1.0.501
Windows OS: XP
Windows OS Version Info: 148
Windows OS Major Version: 5
Windows OS Minor Version: 1
Windows OS Build: 2600
Current Path: C:\Program Files\Microsoft AntiSpyware
Install Path: C:\Program Files\Microsoft AntiSpyware\
Session.RunMode: 5
Session.TimeBombDaysRemaining: 182
Session.TimeBombExpirationDate: 31.07.2005
Real-time protection running: True
Real-time protection enabled: True
Security Agents Application Enabled: True
Security Agents Internet Enabled: True
Security Agents System Enabled: True
Security Agents Checkpoints: 59
Definitions Update Date: 29.01.2005 01:28:33
AutoUpdater Enabled: 1
AutoUpdater AutoApply Enabled:
Definitions Increment Version: 38/38
Definitions ThreatAuditThreatData: 1215017
Definitions ThreatAuditScanData: 2103732
Definitions DeterminationData: 113316
Software Update Check Date: 30.01.2005 00:58:04
AutoUpdater Software Enabled:
TotalThreatsDetected: 1
TotalScansRun: 2
LastScanDate: 30.01.2005 02:00:27
Is US Locale: False
Locale Language: German (Austria):German (0c07)
Locale Country: Austria:Austria (43)
Processor Identifier: x86 Family 6 Model 6 Stepping 5
Processor Name:
IE Version: 6.0.2900.2180
msvbvm60.dll: 6.0.96.90
vbscript.dll: 5.6.0.8820
gcUnCompress.dll: 1.1.0.0
gcmd5query.dll: 1.0.0.1
openports.dll:
SDelete.dll:
gcASSoapLib.dll: 1.0.0.501
gcPorttoProcess.dll:
gcTCPObjLib.dll: 1.0.0.501
gcasDtServ.exe: 1.0.0.501
gcAntiSpywareLibrary.dll: 1.0.0.501
gcIPtoHostQueue.exe: 1.0.0.501
gcasServ.exe: 1.0.0.501
gcasServAlert.exe: 1.0.0.501
gcasServHook.dll:
gcASHashLibrary.dll:
gcASThreatAudit.dll: 1.0.0.501
gcASCleaner.exe: 1.0.0.501
GIANTAntiSpywareUpdater.exe: 1.0.0.501
gcASPrivacyLib.dll: 1.0.0.501
gcASShredCtxShell.dll:
gcasSWUpdater.exe: 1.0.0.501
gcSoftwareUpdateLib.dll: 1.0.0.501
GIANTSpywareScan.exe:
gcasDtServ Status: Loaded
gcasDtServ IsAuthorized: True
gcAntiSpywareLibrary Status: Loaded
gcAntiSpywareLibrary IsAuthorized: True
gcASThreatAudit Status: Loaded
gcASThreatAudit IsAuthorized: True
Now: 30.01.2005 13:40:09
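Added example, not from the post or from Microsoft AntiSpyware: a small Python parser that takes the .reg export quoted above (re-joined onto proper .reg lines; the mail client had wrapped it), decodes the hex(2) REG_EXPAND_SZ value, and follows the `.bad` -> `BAD_auto_file` -> `shell\open\command` chain the way the Windows shell does. The `@="BAD_auto_file"` default value under `.bad` is reconstructed from the cleaner.log line `Removing registry value HKEY_CLASSES_ROOT\.bad [=BAD_auto_file` (the quarantine had already removed it); everything else is the post's own data. The result shows the open handler is `%SystemRoot%\system32\NOTEPAD.EXE %1`, so the association itself carries no executable of its own, and the only thing the scan report lists as infected is the `.bad` key and its `BAD_auto_file` value. Checking where a flagged association's handler actually points is the triage step a defender would run before deciding whether a registry-only hit needs further investigation.

```python
import re
from typing import Dict, Optional

# Constructed sample: the .reg export from the post, re-joined onto proper
# .reg lines. The @="BAD_auto_file" value under .bad is reconstructed from
# the cleaner.log entry; the quarantine had removed it from the export.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.bad]
@="BAD_auto_file"

[HKEY_CLASSES_ROOT\BAD_auto_file]
@=""

[HKEY_CLASSES_ROOT\BAD_auto_file\shell]

[HKEY_CLASSES_ROOT\BAD_auto_file\shell\edit]
@="&Edit"

[HKEY_CLASSES_ROOT\BAD_auto_file\shell\edit\command]
@="C:\\WINDOWS\\notepad.exe %1"

[HKEY_CLASSES_ROOT\BAD_auto_file\shell\open]

[HKEY_CLASSES_ROOT\BAD_auto_file\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
  54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,\
  00
"""

RegTree = Dict[str, Dict[str, str]]  # key path -> {value name ('' = default): decoded value}


def _unescape_reg_string(raw: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', raw)


def _decode_hex(type_tag: str, payload: str) -> str:
    data = bytes(int(b, 16) for b in payload.split(',') if b.strip())
    if type_tag in ('1', '2', '7'):  # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
        return data.decode('utf-16-le').rstrip('\x00')
    return data.hex()                # anything else: keep the raw bytes as hex


def parse_reg_export(text: str) -> RegTree:
    """Parse a Regedit 5.00 export, re-joining values continued with a trailing backslash."""
    tree: RegTree = {}
    current: Optional[str] = None
    pending = ''
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ''
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.endswith('\\'):          # value continues on the next line
            pending = line[:-1]
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, value = line.partition('=')
        name = '' if name == '@' else _unescape_reg_string(name.strip('"'))
        if value.startswith('"') and value.endswith('"'):
            tree[current][name] = _unescape_reg_string(value[1:-1])
        else:
            m = re.match(r'hex(?:\((\w+)\))?:(.*)$', value)
            tree[current][name] = _decode_hex(m.group(1) or '3', m.group(2)) if m else value
    return tree


def resolve_open_command(tree: RegTree, extension: str) -> Optional[str]:
    """Follow HKCR\\<ext> default -> ProgID -> shell\\open\\command default, as the shell does."""
    progid = tree.get(f'HKEY_CLASSES_ROOT\\{extension}', {}).get('')
    if not progid:
        return None
    return tree.get(f'HKEY_CLASSES_ROOT\\{progid}\\shell\\open\\command', {}).get('')


def handler_executable(command: str) -> str:
    """First token of a shell command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


WINDOWS_DIRS = ('%systemroot%\\', 'c:\\windows\\')  # assumed install location, as on the poster's XP box


def triage_association(text: str, extension: str) -> dict:
    """Summarise what opening a file with this extension would actually run."""
    tree = parse_reg_export(text)
    cmd = resolve_open_command(tree, extension)
    return {
        'extension': extension,
        'progid': tree.get(f'HKEY_CLASSES_ROOT\\{extension}', {}).get(''),
        'open_command': cmd,
        'executable': handler_executable(cmd) if cmd else None,
        'handler_in_windows_dir': bool(cmd) and handler_executable(cmd).lower().startswith(WINDOWS_DIRS),
    }


if __name__ == '__main__':
    for k, v in triage_association(REG_EXPORT, '.bad').items():
        print(f'{k}: {v}')
```

The decoded `open` command and the plain-text `edit` command both point at Notepad under the Windows directory, which is what a normal "open with Notepad" association for an unknown extension looks like; a handler outside the Windows or Program Files directories, or one that launches a script host or `cmd.exe`, is the kind of result that would justify keeping the quarantine.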