
Clam AV wrongly detects Win.Malware.Fareit-6597973-0
Closed, Resolved (Public)

Description

Grrrr! There is no Malware in the application, yet VirusTotal says Clam AV found one.

Get to the bottom of it.

https://www.virustotal.com/#/file/17b330ac8ae5e7f07dc635826954ea7e946de014231fd4bc46abf6793a2a32f4

Event Timeline

Joe created this task.Oct 29 2018, 4:39 PM
Joe triaged this task as Unbreak Now! priority.
Joe added a comment.Oct 29 2018, 4:44 PM

This is for another version of the malware. Might be that the application writes to the registry?

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/fareit

TECHNICAL DETAILS
MEMORY RESIDENT: Yes
PAYLOAD: Connects to URLs/IPs
Other System Modifications
This spyware adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\WinRAR
HWID = "{GUID}"

Joe shifted this object from the Restricted Space space to the S5 Public space.Oct 29 2018, 4:45 PM
Joe changed the visibility from "All Users" to "Public (No Login Required)".
Joe added a comment.Oct 29 2018, 5:42 PM

Tried removing shell registration, no different. Downloaded ClamAV: it does detect it in the executable. Scanned VB98, scanned redist. Scanned Karen's VB folder... nothing found. The signature is being created by the Visual Basic compiler??!?!?

Joe added a comment.Oct 29 2018, 5:49 PM

ClamAV's signature entry

Win.Malware.Fareit-6597973-0;Engine:81-255,Target:1;0&1&2&3&4;56657273696f6e2e646c6c;496e7374616c6c61626c65::w;47657446696c6556657273696f6e496e666f53697a6557;47657446696c6556657273696f6e496e666f57;53797374656d20647276::w
Joe added a comment.Oct 30 2018, 5:55 AM

False Positive Report #201810303410
This report shows in real time the status of a request for false-positive CRDF Threat Center. All data from this system is confidential.

Reference : 201810303410
E-Mail : joe@karenware.com

Date : about 11 hours ago
Request status : Analysis completed
Marked as delete : No
Verdict of the request: : False positive confirmed - entry removed from database
Internal ID : 2162942
Domain name : karenware.com
URL detected :
Category : Malicious:URL
Date : about 4 hours ago
Status : Not blacklisted

Joe added a comment.Oct 30 2018, 5:56 AM

Apache and PHP updated.

Joe added a comment.Oct 30 2018, 6:59 AM

About that ClamAV signature.

[daily.ldb] Win.Malware.Fareit-6597973-0;Engine:81-255,Target:1;0&1&2&3&4;56657273696f6e2e646c6c;496e7374616c6c61626c65::w;47657446696c6556657273696f6e496e666f53697a6557;47657446696c6556657273696f6e496e666f57;53797374656d20647276::w

Weenies!

Dear ClamAV dudes: Not allowed to check versions of files without setting off alarms? Why is it that 66 other scanners on VirusTotal.com let it pass? OH OH OH DUDES!!!!

Hex                                             Text
56657273696f6e2e646c6c                          Version.dll
496e7374616c6c61626c65                          Installable
47657446696c6556657273696f6e496e666f53697a6557  GetFileVersionInfoSizeW
47657446696c6556657273696f6e496e666f57          GetFileVersionInfoW
53797374656d20647276                            System drv
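The signature above is a ClamAV logical (.ldb) signature: name; target block (Engine range, Target:1 = PE file); a logical expression over subsignature ids; then the hex subsignatures, with `::w` marking a string that must be matched in its UTF-16LE (wide) form, which is how strings sit in a PE version resource, while the bare ones are matched as plain bytes (ASCII import names). `0&1&2&3&4` means all five must be present. The script below, an added example that is neither ClamAV's nor Karenware's code, decodes such a line and evaluates it against two constructed byte blobs standing in for DirPrn.exe before and after the two unused `Declare` statements were removed. It supports only the subset of the .ldb grammar this signature uses; the byte blobs and the helper names are assumptions made here for illustration.

```python
"""Decode and evaluate a ClamAV logical (.ldb) signature.

Added example, not ClamAV's own code: it handles only what the signature in
this task uses (plain hex subsignatures, the ::w wide-string modifier and an
'&'-joined logical expression). Real ClamAV also checks the Target type (1 =
PE) and the Engine range, and supports wildcards, ::i/::f/::a modifiers,
match counts and full boolean expressions.
"""
import re

# The signature quoted in the task, verbatim.
SIG = ("Win.Malware.Fareit-6597973-0;Engine:81-255,Target:1;0&1&2&3&4;"
       "56657273696f6e2e646c6c;496e7374616c6c61626c65::w;"
       "47657446696c6556657273696f6e496e666f53697a6557;"
       "47657446696c6556657273696f6e496e666f57;53797374656d20647276::w")


def parse_ldb(line):
    """Split one .ldb line into name, target block, logical expression
    and decoded subsignatures."""
    name, target, expr, *subsigs = line.strip().split(";")
    parsed = []
    for sub in subsigs:
        hexpart, _, mods = sub.partition("::")
        raw = bytes.fromhex(hexpart)
        text = raw.decode("ascii", errors="replace")
        # ::w tells the matcher to look for the UTF-16LE form of the string
        # (how strings sit in a PE version resource); without it the bytes
        # are matched as-is (ASCII import names, for example).
        pattern = text.encode("utf-16-le") if "w" in mods else raw
        parsed.append({"hex": hexpart, "text": text, "mods": mods,
                       "pattern": pattern})
    return {"name": name, "target": target, "expr": expr, "subsigs": parsed}


def evaluate(sig, data):
    """Return (matched, hit_ids): which subsignatures occur in `data` and
    whether the logical expression (AND-only here) is satisfied."""
    if not re.fullmatch(r"\d+(&\d+)*", sig["expr"]):
        raise ValueError("unsupported logical expression: " + sig["expr"])
    hits = {i for i, s in enumerate(sig["subsigs"]) if s["pattern"] in data}
    required = {int(tok) for tok in sig["expr"].split("&")}
    return required <= hits, hits


def wide(s):
    """UTF-16LE encoding, as strings appear in a PE version resource."""
    return s.encode("utf-16-le")


# Constructed stand-ins for the relevant bytes of DirPrn.exe, not a real dump.
# BEFORE: an import table naming both GetFileVersionInfo* functions from
# Version.dll, plus the two wide strings from the version resource.
BEFORE = (b"\x00Version.dll\x00GetFileVersionInfoSizeW\x00GetFileVersionInfoW\x00"
          + wide("Installable") + b"\x00\x00" + wide("System drv") + b"\x00\x00")
# AFTER: the same bytes once the two unused Declare statements are removed,
# so the two import names no longer exist in the binary.
AFTER = (b"\x00Version.dll\x00"
         + wide("Installable") + b"\x00\x00" + wide("System drv") + b"\x00\x00")


if __name__ == "__main__":
    sig = parse_ldb(SIG)
    for i, s in enumerate(sig["subsigs"]):
        flag = "  (wide)" if "w" in s["mods"] else ""
        print(f"{i}: {s['hex']:<48} {s['text']}{flag}")
    for label, blob in (("before fix", BEFORE), ("after fix", AFTER)):
        matched, hits = evaluate(sig, blob)
        print(f"{label}: hits={sorted(hits)} -> {'DETECTED' if matched else 'clean'}")
```

Running it shows why Joe's fix works: the "after" blob still contains three of the five strings, but a logical signature with an all-AND expression needs every subsignature, so dropping the two import names is enough to clear it. It also shows why the signature was fragile in the first place: every one of its five strings is something a benign program that reads file version information would legitimately contain. Against an installed database, ClamAV's own `sigtool --find-sigs=<regex>` and `sigtool --decode-sigs` do the lookup and decoding without a script.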
Joe added a comment.Oct 30 2018, 7:14 AM

Neither GetFileVersionInfoSizeW nor GetFileVersionInfoW is actually used. Karen just declared their prototypes. So, removing those to avoid the false positive.

Joe added a comment.Oct 30 2018, 7:38 AM

Fixed it

clamscan -r "K:\proj\vb6\ptdirprn\Release\Directory Printer v5.4"

K:\proj\vb6\ptdirprn\Release\Directory Printer v5.4\Dist\Karens-Directory-Printer-v5.4-Setup.exe: OK
K:\proj\vb6\ptdirprn\Release\Directory Printer v5.4\Src\DirPrn.exe: OK
K:\proj\vb6\ptdirprn\Release\Directory Printer v5.4\Src\PTHash.dll: OK

----------- SCAN SUMMARY -----------
Known viruses: 6696551
Engine version: 0.100.2
Scanned directories: 3
Scanned files: 11 
Infected files: 0
Data scanned: 4.69 MB
Data read: 2.64 MB (ratio 1.77:1)
Time: 15.242 sec (0 m 15 s)