avast! found: Win32:Downloader-BKV [Trj]

Hello,

When I ran avast! 4.8 - Home Edition today using thorough scan with scan archive files on, I discovered a trojan by the name of Win32:Downloader-BKV. The infected file is called IWD2CustomDll.exe, and is currently quarantined in the virus chest.

The file itself is a mod for Icewind Dale II and it was downloaded from this site specializing in CRPGs (Computer Role-Playing Games): http://www.sorcerers.net/.

The download address is: http://www.sorcerers.net/Games/IWD2/index_editors.php
This is not a direct dl address, so you may click it safely. It’s the second entry from the top.

Now, I’m not sure if it’s a false positive or not, so I’m keeping it in quarantine until someone more knowledgeable can confirm it. I’m 100% sure that I haven’t actually run the file, so does that mean it hasn’t activated on my computer (if it’s indeed a trojan)?

I haven’t noticed anything suspicious going on with my computer at least. I have run Ad-Aware SE Personal, COMODO Firewall Pro scanner and Spybot - Search & Destroy, all w/ the latest definition files, but none of them showed any harmful entries.

Regards,
Keldorn

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

Alright, I’ve done as you suggested, and then moved the file back into the virus chest.

Here are the results of the VirusTotal scan:
http://www.virustotal.com/analisis/3a83855636d8846e71fdc07c5c75acb5

File IWD2CustomDll.exe received on 08.09.2008 20:32:12 (CET)
Current status: finished
Result: 7/36 (19.44%)

Results are inconclusive.
It is not consistently marked as a heuristic or gen hit; however, other major AVs did not ID it.
Avast has a specific ID - google did not help using avast’s name, as I do not know the languages found;
however,
google on the Antivir name found this link:
http://www.titanquest.net/forums/modifications-editor/10339-trojan-horse-tr-dldr-small-bws-20-found.html

just for drill, scan with SAS and MBAM
let us know

I don’t believe the results are inconclusive:

  1. The avast detection isn’t listed either (a common issue with VT’s database not being as up to date as the users), so that would add another detection to the list.

  2. Most of the detections are by signature rather than generic or heuristics.

Googling the malware name often returns poor results because there is no standardisation or convention on malware naming; a search on the file name is often more productive.

However it is worth submitting to avast for additional analysis.

I agree with DavidR
further investigation is indicated
post back

I do see avast! detection on VT, fourth from the top. See screenshot below. I’m currently deep scanning my system with SAS and MBAM, I’ll post again after they’re done.


http://img360.imageshack.us/img360/6897/27652826oj7.th.jpg

Scanning results below. What’s the next step and how do I go about it? Do I send the file to avast from the virus chest and then delete it?

I tried to think of any odd behaviour that my computer might have showed, and the only thing I can think of is explorer.exe crashing occasionally.

SAS found no threats at all. MBAM found these:

Malwarebytes' Anti-Malware 1.24 Database version: 1036 Windows 5.1.2600 Service Pack 2

11:09:54 10.8.2008
mbam-log-8-10-2008 (11-09-48).txt

Scan type: Full Scan (C:|)
Objects scanned: 204005
Time elapsed: 54 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) → Bad: (0) Good: (1) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) → Bad: (0) Good: (1) → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Your action should be to send it to the chest as previously mentioned (if not already there), never delete (you have no more options), and submit the sample from the chest as a possible false positive as in the link in my first reply.

You should allow MBAM to quarantine the two Registry Data Items Infected that it found.

Edit: Having said that, MBAM didn’t show the values that are in the entries (see image of my values in the data column). Most of the time this will be 0x00000001 (1), which means show, and 0x00000000 (0), which means hide.

Now they should only be set to (0) if you manually changed the settings in Start Properties or the registry. You can check the values in the registry by manually following the registry path given by MBAM using the regedit (from the Run window) and report your findings.
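As an added example (not code from the thread, from avast or from MBAM), this Python script parses the "Registry Data Items Infected" lines in the MBAM log format posted above and, on Windows, reads the live value through winreg so the show/hide meaning described here can be checked without opening regedit. The sample log lines are constructed to match the two entries in the thread; `RegistryDataItem` and the function names are this example's own.

```python
import re
import sys
from dataclasses import dataclass
# Constructed sample in the shape of MBAM 1.24's "Registry Data Items Infected"
# section (the forum renders the log's "->" as an arrow; both forms are accepted).
SAMPLE_LOG = """\
Registry Data Items Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
"""

ENTRY_RE = re.compile(
    r"^(?P<path>HKEY_\S.*?) \((?P<det>[^)]+)\) (?:->|→) "
    r"Bad: \((?P<bad>-?\d+)\) Good: \((?P<good>-?\d+)\) (?:->|→) (?P<action>.*)$"
)

@dataclass
class RegistryDataItem:
    key: str        # e.g. HKEY_CURRENT_USER\SOFTWARE\...\Explorer\Advanced
    name: str       # value name, e.g. Start_ShowHelp
    detection: str  # MBAM's label, e.g. Hijack.StartMenu
    bad: int        # the value MBAM flagged
    good: int       # the value MBAM would restore

def parse_registry_data_items(log: str) -> list[RegistryDataItem]:
    """Extract 'Registry Data Items Infected' entries; all other lines are ignored."""
    items = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            key, _, name = m.group("path").rpartition("\\")
            items.append(RegistryDataItem(key, name, m.group("det"),
                                          int(m.group("bad")), int(m.group("good"))))
    return items

def interpret_start_show(value: int) -> str:
    """Explorer\\Advanced\\Start_Show* values: 1 = show the item, 0 = hide it."""
    return {1: "show", 0: "hide"}.get(value, "unexpected")

def current_value(item: RegistryDataItem):
    """Read the live value with winreg (Windows only); None elsewhere or if absent."""
    if sys.platform != "win32":
        return None
    import winreg
    hive_name, _, subkey = item.key.partition("\\")
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), subkey) as k:
            return int(winreg.QueryValueEx(k, item.name)[0])
    except OSError:
        return None
```

A value of 0 that you set yourself in Start Properties is expected and not a hijack; only a 0 you did not choose warrants letting MBAM restore the "Good" value.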

Yes, I’ve already sent the file to avast, and I was referring to deleting it from the chest afterwards (where it has been all along aside from scan tests). I included this topic’s link with the file sent.

As for the MBAM findings, they proved to be my own customizing of the start menu. Nothing to worry about there. :slight_smile:

Should I just wait for a reply from avast now or what?

Why delete it? It might be a valid file, and you have to leave it in the chest so you can scan it periodically ‘in’ the chest; when it is no longer detected (the virus signatures will have been updated if it truly was an FP), then you can restore it, remove any exclusions you might have created for it and then delete it from the chest.

:slight_smile: Hi Keldorn:

Just a side note: Lavasoft stopped providing “Updates” for their SE Personal on Jan 1, 2008, so I recommend you install this worthless program.

@DavidR
Because I don’t have any real need for the file, as it doesn’t count among the mods I use for the previously mentioned game. It’s just a piece that I had archived, and therefore non-essential.

Edit: Plus, I know where I can download the file when I want to check if it was a false alarm later. In fact the link is in my first post, should anyone else want to confirm it for themselves.

@Spiritsongs
I know they did, but it’s possible to update the definitions manually, which is what I have done so far. I consider the 2008 version a bloated piece of software, so I don’t use it. Spybot - S&D is my primary spyware scanner anyway.

Manual definitions link: http://dlserver.download.lavasoft.com/public/defs.zip

Keldorn, as a replacement for the Lavasoft bloatware… you can test SuperAntispyware, SpywareTerminator or MBAM.

Yes, I ran SAS and MBAM when wyrmrider suggested it. I’ll probably replace Ad-Aware with SuperAntiSpyware, as it seems to have good scanning accuracy from what I’ve read about it.

You won’t regret it :wink: