a-squared found Trojan.Win32.Inject.aed

Hi malware fighters,

Is this a FP?
Here is the virustotal scan report:
File found: C:\Windows\system32\KCMDNIns.exe

Antivirus Version Last Update Result
AhnLab-V3 2008.3.22.1 2008.03.21 -
AntiVir 7.6.0.75 2008.03.23 TR/Inject.aed
Authentium 4.93.8 2008.03.22 -
Avast 4.7.1098.0 2008.03.23 -
AVG 7.5.0.516 2008.03.22 -
BitDefender 7.2 2008.03.23 -
CAT-QuickHeal 9.50 2008.03.21 -
ClamAV 0.92.1 2008.03.23 -
DrWeb 4.44.0.09170 2008.03.23 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5633 2008.03.21 -
Ewido 4.0 2008.03.23 -
F-Prot 4.4.2.54 2008.03.22 -
F-Secure 6.70.13260.0 2008.03.23 -
FileAdvisor 1 2008.03.23 -
Fortinet 3.14.0.0 2008.03.23 -
Ikarus T3.1.1.20 2008.03.23 Virus.Trojan.Win32.Inject.aed
Kaspersky 7.0.0.125 2008.03.23 -
McAfee 5257 2008.03.21 -
Microsoft 1.3301 2008.03.23 -
NOD32v2 2967 2008.03.21 -
Norman 5.80.02 2008.03.20 -
Panda 9.0.0.4 2008.03.23 -
Prevx1 V2 2008.03.23 -
Rising 20.36.62.00 2008.03.23 -
Sophos 4.27.0 2008.03.23 -
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.23 -
TheHacker 6.2.92.252 2008.03.22 -
VBA32 3.12.6.3 2008.03.21 Trojan.Win32.Inject.aed
VirusBuster 4.3.26:9 2008.03.22 -
Webwasher-Gateway 6.6.2 2008.03.23 Trojan.Inject.aed
Additional information
File size: 24576 bytes
MD5: 4a51d7a6efa86cceb60d72680c57952b
SHA1: 79ddd8fabfb2d6fc3a85c0bb509eb8f4328e4d8d
PEiD: Armadillo v1.71

Who can comment here?

pol
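As an added example (not code from this thread or from any vendor), a small Python triage helper for a report pasted in the VirusTotal layout above: it parses the four-column lines, counts how many engines flag the file and whether their names are aliases of one family, and diffs two scans to spot an engine that later dropped its detection. The sample lines, the threshold and all function names are constructed for the example.

```python
import re

# Constructed excerpt of the VirusTotal-style report pasted above (same layout:
# "<engine> <version> <last update> <result>", "-" meaning no detection).
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.3.22.1 2008.03.21 -
AntiVir 7.6.0.75 2008.03.23 TR/Inject.aed
Avast 4.7.1098.0 2008.03.23 -
AVG 7.5.0.516 2008.03.22 -
Ikarus T3.1.1.20 2008.03.23 Virus.Trojan.Win32.Inject.aed
Kaspersky 7.0.0.125 2008.03.23 -
Symantec 10 2008.03.23 -
VBA32 3.12.6.3 2008.03.21 Trojan.Win32.Inject.aed
Webwasher-Gateway 6.6.2 2008.03.23 Trojan.Inject.aed
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(\S+)$")

def parse_report(text):
    """Map engine -> detection name (None when the result column is '-')."""
    hits = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header and free-text lines do not match the four-column shape
            engine, _ver, _updated, result = m.groups()
            hits[engine] = None if result == "-" else result
    return hits

def family_key(name):
    """Reduce vendor spellings ('TR/Inject.aed', 'Virus.Trojan.Win32.Inject.aed')
    to their last two dotted parts so aliases of one family compare equal."""
    return ".".join(re.split(r"[/.]", name.lower())[-2:])

def triage(hits, low_consensus=0.5):
    """Consensus summary: how many engines flag the file and whether they all
    name the same family. 'low_consensus' is a hypothetical triage threshold,
    not a vendor standard; few engines sharing one name prompted the FP question."""
    flagged = {e: r for e, r in hits.items() if r}
    families = sorted({family_key(r) for r in flagged.values()})
    ratio = round(len(flagged) / len(hits), 3) if hits else 0.0
    return {"detections": len(flagged), "engines": len(hits), "ratio": ratio,
            "families": families,
            "low_consensus": ratio < low_consensus and len(families) <= 1}

def detection_changes(old, new):
    """Engines whose verdict differs between two scans, e.g. a vendor that
    dropped a name after reclassifying the sample as a false positive."""
    return {e: (old.get(e), new.get(e)) for e in sorted(set(old) | set(new))
            if old.get(e) != new.get(e)}
```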

The file is strange… the folder and the name…

I found a little information on the file. It matches the size of file you have.

Thu 7 Aug 2003 24,576

I haven’t been able to find out who it belongs to. I’ll keep looking.

I found something kind of interesting. On Mar 17, Kaspersky detected it with the same infection. However, today it doesn’t. I’m leaning towards a false positive.

Hi “oldman”,

More info on this executable. It is only on one of my two accounts on XP, so not on the normal user account. It is a hidden archive file in system32; it was made using Armadillo v.1711 and Microsoft Visual Basic v. 5.0 and 6.0. It consists of text, rdata, and data, Import table (libr. 2), Kernel32.dll and User32.dll Security Admin etc. (all inbuilt), Stream Type Security 148, Standard 24576, Obj.id. 64.
It has a pure virtual function, and is a Windows 32-bit VxD Message Server CMDNMST for Windows Graphical User Interface (GUI). What does it do? OpenProcess (Kernel32.dll), GetWindowThreadProcessId, FindWindow (User32.dll), GetModuleHandle, GetCommandLine, GetVersion, ExitProcess, GetCurrentProcess, FreeEnvironmentStrings, SetHandleCount, HeapDestroy, HeapCreate, WriteFile, GetCPInfo, GetACP, GetOEMCP, HeapAlloc, VirtualAlloc, HeapReAlloc, LinkLibrary, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW.

That is what FileAlyzer hicked up on this file.

pol

Hi “oldman”,

Found this, but mine reads: kcmndinst.exe
for cmdninst.exe

Component Name: cmdninst.exe

Description of cmdninst.exe
This is a component of MS Windows Application. Part of the widely popular Windows operating system. The Windows family of operating systems developed the point-and-click graphical user interface for easy interaction with programs and files.

Recommendation for cmdninst.exe
N/A

Trusted: Yes
Trojan: No
Chronic: No
Adware: No
Carrier: No
Browser Hijacker: No
Dialer: No
Commercial Keylogger: No
Remote Administration Tool: No
Suspected: No

Company Name: Microsoft Corporation
Platforms Affected:
Methods of Distribution: .
Variants/Versions:
Release Date: 1983

polonus

I’m trying to find info on this also. Avira AntiVir PE Classic started to find this
on my last scan.

AntiVir did not find this before my last scan on 3/12/08. I sent it to them and
am waiting for an email from them. There is some talk about it on the German part
of the forum.

I googled it and looked at some HJT logs and saw that the others find it on an Acer PC,
and that is what I have (Acer Aspire T180).

The date on this file is 8/6/2003 and it’s 24,576 bytes. I wonder if it’s an Acer thing.

I’ll post back with what Avira says.

Yes, please post back. The size and date seem consistent on all logs I found.

Hi lurkingatu2,

Maybe it has to do with acer and their software, because I am on an Acer too. That could be the clue. Part of Acer Media Synchronization or something similar… Thanks for that information, lurkingatu2,

polonus

P.S. Hi, “oldman” you keep digging please, I trust you to get at the facts! In the description of the malware, kcmdnins.exe had “keylogger”-like aspects. More and more I also lean to it being a False Positive,

Damian

hello

Sorry I could not get here earlier; the forum must have had a problem.

Well, I got an email back from Avira and they say:

File ID Filename Size (Byte) Result
3793551 KCMDNIns.exe 24 KB MALWARE

Please find a detailed report concerning each individual sample below:

Filename Result
KCMDNIns.exe MALWARE

The file ‘KCMDNIns.exe’ has been determined to be ‘MALWARE’. Our analysts named the threat TR/Inject.aed. The term “TR/” denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.00.03.35.

Please note: The detection of Spy/Adware is not available in the product “AntiVir PersonalEdition Classic”. Please address specific questions to support@avira.com.

So I’m not sure what to do. I scanned it at Jotti’s, VirusTotal and virscan.org.

Jotti’s found it with:
AntiVir Found TR/Inject.aed
VBA32 Found Trojan.Win32.Inject.aed

VirusTotal found:
AntiVir 7.6.0.75 2008.03.24 TR/Inject.aed
Ikarus T3.1.1.20 2008.03.24 Virus.Trojan.Win32.Inject.aed
VBA32 3.12.6.3 2008.03.21 Trojan.Win32.Inject.aed
Webwasher-Gateway 6.6.2 2008.03.24 Trojan.Inject.aed

virscan found:
A-Squared 3.0.0.126 2008.03.23 2008-03-23 Trojan.Win32.Inject.aed
AntiVir 7.6.0.75 7.0.3.66 2008-03-24 TR/Inject.aed
Ikarus T3.1.01.20 2008.03.19.70473 2008-03-19 Virus.Trojan.Win32.Inject.aed
KingSoft 2007.6.20.249 2008.3.25 2008-03-25 Win32.Troj.Small.ap.24576
nProtect 2008-03-24.01 1247199 2008-03-24 Trojan/W32.Inject.24576.D
Prevx V2 20080325 2008-03-25 TROJAN.DOWNLOADER.GEN
VBA32 3.12.6.3 20080324.1134 2008-03-24 Trojan.Win32.Inject.aed

Additional information
File size: 24576 bytes
MD5: 4a51d7a6efa86cceb60d72680c57952b
SHA1: 79ddd8fabfb2d6fc3a85c0bb509eb8f4328e4d8d
PEiD: Armadillo v1.71

I’ve got Mamutu on here and it has not found anything, so I’m not sure.
I’m going to leave it for now :slight_smile:

Thank you for posting back. I still don’t know what to make of it. If the file date is correct, it’s been kicking around for almost 5 years and no one has made a fuss over it until now. From the description, it’s spyware, but spying on what? If it is indeed from Acer, perhaps a question directed in their direction will shed some light on it.

Other manufacturers have similar software that “phones” home for updates (as far as we know). Maybe we are getting too paranoid.

It would have been nice if Avira’s description was a little more detailed. More of an explanation on what the unwanted modifications were. Updates??

Polonus, I suggest you submit your sample and see who has joined in the detections. As I said earlier, Kaspersky seems to have changed their minds. Maybe they know something we don’t.

Perhaps Awil could have a look and give us a better understanding of what the “trojan” actually does.

Well, I called Acer support in the US but they would not say, because my PC is not under warranty.
They wanted me to call pay support, but the way she said she could not say if it was or not makes
me think it’s from Acer.

I’ve also sent it to Avast and I’m asking at Avira, so I still don’t know what to do with it lol

thanks :slight_smile:


From what I have been able to find …

cmdninst.exe seems to be Microsoft Config Manager Device Installer Launcher.

Everything I could find about KCMDNIns.exe says it is Trojan.Win32.Inject.aed (which is already known) and for whatever reason, I found nothing related to Acer computers.


hello

I gave it to CastleCops and they say Kaspersky says it’s not malware, and Avira says:

File ID Filename Size (Byte) Result
3793551 KCMDNIns.exe 24 KB FALSE POSITIVE

Please find a detailed report concerning each individual sample below:

Filename Result
KCMDNIns.exe FALSE POSITIVE

The file ‘KCMDNIns.exe’ has been determined to be ‘FALSE POSITIVE’. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

thanks :slight_smile:

Thanks for posting. Kaspersky changed their minds within a few days.

You can relax now polonus. :wink:

Hi lurkingatu2 & “oldman”,

Thanks for the further investigations. If I was leaning towards a False Positive earlier, I am convinced now. So it is important to really evaluate everything flagged by an anti-malware scanner to be able to make the right decision. Again this adds to the credibility and quality of this support forum,

polonus