Microsoft: Not malware!

I sent this file to Alwil lab yesterday… please comment? Microsoft does not detect it. I sent a sample to MS Lab, but the reply is…

Thank you for your submission. Analysis of the file(s) in your submission (MMPC10022791770908) is now complete and this is the final email that you will receive regarding this submission. You can view your submission online at http://www.microsoft.com/security/portal/Submission/SubmissionHistory.aspx?SubmissionId=ACA1FEAE-5663-4545-B07F-24186C7F0D02

The Microsoft Malware Protection Center (MMPC) has investigated the following file(s) which we received on 2/27/2010 6:48:59 AM Pacific Time.
If you were to scan the files you submitted using Microsoft’s Forefront Client Security product, you would see relevant detection information similar to what is displayed below.
The detection results for the file(s) in your submission are as follows:

Submitted Files

killer_javqhc.exe [Not Malware]

http://www.virustotal.com/analisis/c33b83e11d878cbc28aa069d4c8f209add478e6fb958366c96f5507c814203e5-1267281957

Any comment from Alwil?

Very surprised at Microsoft's comment: Not malware…

http://www.threatexpert.com/report.aspx?md5=20d1f117385e86da6732bfc14580a621

Hi hpguru,

Here are the freefixer removal instructions for this malware: http://www.kephyr.com/spywarescanner/library/exploit-ntos.exe/index.phtml
Another quick and dirty removal instruction using killbox here:
http://www.techzonez.com/forums/showthread.php?t=25243

polonus

I am not infected with this, I just tested with Threat Expert. I am just trying to say to MS Lab that this is a virus! MS Lab: Not malware… :)

But thank you polonus.

Hi hpguru,

I knew that you weren’t infected, and that you only wanted to alert to malcode not flagged/detected and forward the malware to get detected and of course successfully removed.
As there might be additional victims of the malcode (not you) looking here, I always like to publish a tool or a manual routine for the victim to cleanse the malicious software in question (in this case an information stealer) from their systems. It just grew into a second nature with me, and also adds to my anti-malcode experience. Well, thanks for posting on it anyway,

polonus

Sent 2 messages to MS Lab, but nothing happened…

https://www.microsoft.com/security/portal/Submission/SubmissionHistory.aspx?SubmissionId=ACA1FEAE-5663-4545-B07F-24186C7F0D02 - Not Malware

Way to go, when they just cannot investigate further… Just trying to help MSE.

Maybe avast will detect it tomorrow. Posted to virus(at)avast(dot)com yesterday.

Hello,
I have made a short analysis of it and it doesn’t look dangerous.

Milos

Ok.

So you mean it’s not a virus? In MBAM it is trojan.dropper. You mean it is a false positive in MBAM and in other AVs?

Thank you.

It’s rather strange. The Virustotal analysis contains a link to Sandbox results, and these results show the creation of an ntos.exe process. Usually ntos.exe was considered a virus.

Yes, the name looks strange, but you can try to run it in some virtual machine and look at what it does (i.e. use “process monitor”).

Milos