ssmail.dll detected with avast virus scan: malware virus/worm advice please?

Greetings :D - I did a full scan last night and ssmail.dll was detected and flagged as a virus/worm, Win32:Trojan-Gen (other), file size 352256, and was moved to the virus chest.
I looked at the location it pointed to and it is part of a folder in my Common Files called SupportSoft/BIN and is a DLL file.
It relates to a program that supports Telefonica, which is my ADSL/telephone provider in Spain. Could this be a false positive being flagged up?

Regards

southern man

PS: excellent AV program, been with avast for many years now and tried other AVs in the past; avast no. 1.

Well, avast isn't alone in this detection, as my friend Google says: http://www.prevx.com/filenames/X3293692941153635430-X1/SSMAIL.DLL.html. Know that the file name can be absolutely anything, as it is common for malware to use the names of legit files, so you have to go further.

Check out the above link and see if there are any common points relating to your file; possibly not.

You could also check the offending/suspect file at VirusTotal (multi-engine online virus scanner) and report the findings here: the URL in the address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not the original) location first, see below.

Create a folder called Suspect on the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
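Once the file is exported to C:\Suspect, it is worth recording its hashes before uploading, because VirusTotal identifies a sample by hash, and a name-based lookup (the Prevx link above) proves nothing unless the hashes agree. The script below is an added example, not part of the thread; it hashes an exported file in chunks and compares the result with the MD5/SHA1/SHA256 values quoted from the VirusTotal report later in this thread. The temporary file it creates when run directly is a constructed stand-in, not the real ssmail.dll.

```python
"""Hash a file exported from the avast chest and compare it with a VirusTotal
report. Added example for the thread above; VT_REPORT_HASHES are the values
quoted from the VT report posted later in the thread."""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")

# Hashes copied from the VirusTotal report for ssmail.dll quoted in the thread.
VT_REPORT_HASHES = {
    "md5": "74fa32d2b277f583010b692a3f91b627",
    "sha1": "fbc3218a8ad9e467167ca460f732fa4d976bae1b",
    "sha256": "253e600ad862cb19548676d152c0e62c637bb81ae5debc2139aaf6007e2218db",
}


def hash_bytes(data):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large sample never has to fit in memory."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def compare_to_report(hashes, report):
    """Return the sorted list of algorithms on which the local file and the
    report agree (case-insensitive, since some sites print hex in upper case)."""
    return sorted(k for k in report
                  if k in hashes and hashes[k].lower() == report[k].lower())


def same_file_as_report(hashes, report):
    """True only when every algorithm present in the report matches.
    A matching file name alone is not evidence that it is the same file."""
    return compare_to_report(hashes, report) == sorted(report)


if __name__ == "__main__":
    # Constructed stand-in for an exported sample; it is not the real DLL, so
    # it will not match the report and the script says so.
    with tempfile.NamedTemporaryFile("wb", suffix=".dll", delete=False) as tmp:
        tmp.write(b"MZ constructed sample, not the real ssmail.dll\n")
    try:
        local = hash_file(tmp.name)
        for name in ALGORITHMS:
            print(f"{name:7}{local[name]}")
        agree = compare_to_report(local, VT_REPORT_HASHES)
        print("agrees with VT report on:", ", ".join(agree) or "nothing")
        print("same file as report:", same_file_as_report(local, VT_REPORT_HASHES))
    finally:
        os.remove(tmp.name)
```

To check a real export, call hash_file(r"C:\Suspect\ssmail.dll") and compare the printed values with the MD5/SHA1/SHA256 lines on the VirusTotal results page; if any one of them differs, the report describes a different file, whatever it is called.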

Thanks for the quick reply back. I have done all you have recommended and uploaded the file according to your detailed instructions, thank you!
Seems like this ssmail.dll is recognised by a few other AV companies according to VirusTotal. I have put it in the avast chest anyway, just a bit concerned that if I remove/delete it later on it might stop this SupportSoft program from working?

cheers

southern man :slight_smile:

But what was the link to the results? What the other AVs say/detect is useful for confirmation, and to see if all are using generic or heuristic detection; that is why I asked for it.

Sorry, here are some links to ssmail.dll:

http://www.prevx.com/filenames/X3293692941153635430-X1/SSMAIL.DLL.html
http://www.threatexpert.com/files/ssmail.dll.html
http://www.online-armor.com/oasis2/file/supportsoft__inc_/ssmail_module/ssmail_dll/822535

This posting on Avira makes it even more confusing for everyone! Avira says it's a trojan, Malwarebytes says it's a false positive. I give up!
http://forum.avira.com/wbb/index.php?page=Thread&threadID=84502
http://www.virustotal.com/analisis/9a9f5dc672bb8027e69cd8fbaf58c991

VirusTotal analysis:
File has already been analysed:
MD5: 74fa32d2b277f583010b692a3f91b627
First received: 03.01.2009 10:01:32 (CET)
Date: 05.03.2009 23:15:57 (CET) [+1D]
Results: 11/40
Permalink: analisis/9a9f5dc672bb8027e69cd8fbaf58c991

File ssmail.dll received on 05.03.2009 23:14:51 (CET)
Current status: finished
Result: 11/40 (27.50%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.03 Trojan.Ransom!IK
AhnLab-V3 5.0.0.2 2009.05.03 -
AntiVir 7.9.0.160 2009.05.03 TR/Ransom.Hexzone.agn.4
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.03 -
Avast 4.8.1335.0 2009.05.03 Win32:Trojan-gen {Other}
AVG 8.5.0.327 2009.05.03 -
BitDefender 7.2 2009.05.03 -
CAT-QuickHeal 10.00 2009.05.02 TrojanRansom.Hexzone.agn
ClamAV 0.94.1 2009.05.03 -
Comodo 1149 2009.05.03 -
DrWeb 4.44.0.09170 2009.05.03 -
eSafe 7.0.17.0 2009.05.03 -
eTrust-Vet 31.6.6487 2009.05.02 -
F-Prot 4.4.4.56 2009.05.03 -
F-Secure 8.0.14470.0 2009.05.03 -
Fortinet 3.117.0.0 2009.05.03 -
GData 19 2009.05.03 Win32:Trojan-gen {Other}
Ikarus T3.1.1.49.0 2009.05.03 Trojan.Ransom
K7AntiVirus 7.10.722 2009.05.02 -
Kaspersky 7.0.0.125 2009.05.03 -
McAfee 5604 2009.05.03 -
McAfee+Artemis 5604 2009.05.03 Artemis!74FA32D2B277
McAfee-GW-Edition 6.7.6 2009.05.03 Trojan.Ransom.Hexzone.agn.4
Microsoft 1.4602 2009.05.03 -
NOD32 4050 2009.05.03 -
Norman 6.01.05 2009.04.30 -
nProtect 2009.1.8.0 2009.05.03 -
Panda 10.0.0.14 2009.05.03 -
PCTools 4.4.2.0 2009.05.03 -
Prevx1 3.0 2009.05.03 High Risk Worm
Rising 21.27.41.00 2009.05.01 -
Sophos 4.41.0 2009.05.03 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.05.03 -
Symantec 1.4.4.12 2009.05.03 -
TheHacker 6.3.4.1.318 2009.05.03 -
TrendMicro 8.950.0.1092 2009.05.01 -
VBA32 3.12.10.4 2009.05.03 Trojan-Ransom.Win32.Hexzone.agn
ViRobot 2009.5.1.1717 2009.05.01 -
VirusBuster 4.6.5.0 2009.05.03 -
Additional information
File size: 352256 bytes
MD5: 74fa32d2b277f583010b692a3f91b627
SHA1: fbc3218a8ad9e467167ca460f732fa4d976bae1b
SHA256: 253e600ad862cb19548676d152c0e62c637bb81ae5debc2139aaf6007e2218db
SHA512: 912d9e4cd0fbf1bdfed8d3fb3a7f43e587641c609751d46cbc637d01d04a2344
f2f57cd29f22436df5226e635144dd105010daf552b6388b7642dd491e564ff0
ssdeep: 6144:CUjgQQw0OhucyGJVomd5bStkc1wPTntv/CTK/yC:3tQw0OgcyOiW/r
PEiD: Armadillo v1.xx - v2.xx
TrID: File type identification
DirectShow filter (59.7%)
Windows OCX File (36.5%)
Win32 Executable Generic (2.5%)
Generic Win/DOS Executable (0.5%)
DOS Executable Generic (0.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x8cb4
timedatestamp: 0x42f33caf (Fri Aug 05 10:17:19 2005)
machinetype: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x35282 0x36000 6.68 c46d8789a8a5bfa5a6c1c36d5b84e150
.rdata 0x37000 0x6863 0x7000 4.47 596403af03297b1ae171ad5a2c8e32b0
.data 0x3e000 0xd7f8 0x9000 4.15 0c0c02c546d382cbc7129f855836e569
.rsrc 0x4c000 0x69a0 0x7000 3.76 8f1ed56a5e3dbb88d55787fce0c1b8de
.reloc 0x53000 0x726e 0x8000 4.44 89d4c32b23499e5cd30fa9af43fd5d57

( 6 imports )

KERNEL32.dll: lstrcatA, InterlockedIncrement, RtlUnwind, HeapFree, HeapAlloc, HeapReAlloc, lstrcpyA, GetCommandLineA, GetVersion, ExitProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, SetLastError, TlsGetValue, GetCPInfo, GetACP, GetOEMCP, TerminateProcess, GetCurrentProcess, HeapSize, GetEnvironmentVariableA, GetVersionExA, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, LCMapStringA, InitializeCriticalSection, DeleteCriticalSection, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, WriteFile, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetStringTypeA, GetStringTypeW, SetFilePointer, Sleep, SetStdHandle, FlushFileBuffers, CloseHandle, GetTimeZoneInformation, CompareStringA, CompareStringW, SetEnvironmentVariableA, InterlockedExchange, HeapDestroy, lstrcmpiA, IsDBCSLeadByte, lstrcpynA, LoadResource, LoadLibraryExA, FindResourceA, DisableThreadLibraryCalls, SizeofResource, GetModuleHandleA, LeaveCriticalSection, GetLastError, EnterCriticalSection, InterlockedDecrement, FormatMessageA, LocalAlloc, LoadLibraryA, GetModuleFileNameA, LocalFree, GetSystemTimeAsFileTime, GetProcAddress, FreeLibrary, lstrlenW, lstrlenA, MultiByteToWideChar, LCMapStringW, SetHandleCount, CopyFileA, DeleteFileA, GetSystemDefaultLangID, GetUserDefaultLangID, GetFileAttributesA, FindClose, FindFirstFileA, WideCharToMultiByte, GetTempPathA, GetComputerNameA, GetSystemDirectoryA, GetWindowsDirectoryA, GetTempFileNameA, GetCurrentDirectoryA, GetShortPathNameA, CreateFileA, LockResource, OutputDebugStringA, UnmapViewOfFile, MoveFileExA, SetFileAttributesA, RemoveDirectoryA, FindNextFileA, CreateDirectoryA, OpenMutexA, GetTickCount, CompareFileTime, lstrcmpA, ReadFile, RaiseException, SetEndOfFile
USER32.dll: SendMessageA, MessageBoxA, CharNextA, wsprintfA, LoadStringA, GetWindowTextA, EnumWindows
ADVAPI32.dll: GetUserNameA, RegEnumValueA, RegDeleteValueA, RegDeleteKeyA, RegQueryInfoKeyA, RegEnumKeyExA, RegSetValueExA, RegCreateKeyExA, RegQueryValueExA, RegCloseKey, RegOpenKeyExA
ole32.dll: OleRun, CLSIDFromProgID, CLSIDFromString, CoCreateInstance, CoTaskMemFree, CoTaskMemAlloc, CoTaskMemRealloc, CoCreateGuid, StringFromGUID2
OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -
WSOCK32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
PDFiD: -
RDS: NSRL Reference Data Set

Hope this gives the info you asked for!

regards

southern man

PS: lived near you in Aylesbury for 30 years.

What next?

Well, that would normally be considered reasonably conclusive, as a large number detect it by signature rather than by generic or heuristic detections. I would tend to trust the VT results over the other links you gave, as those are based on the file name (which could mean anything unless the MD5 matched that of the VT results), whereas the VT results are based on a physical scan of the file.

However, given that there are a number of AVs with relatively good detection rates which don't detect this, it is probably worth submitting it to avast (as a possible false positive) for further analysis.

You can send it from the Infected Files section of the chest: select the file, right-click, Email to Alwil Software; a form will pop up for you to complete some basic details (a link to this topic might help). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

So for the time being leave it in the chest, where it can do no harm. After it has been submitted, periodically scan it from within the chest (every few days or so, after a VPS update). If the analysis decides it was a false positive, the VPS signature should be updated, and the next time you scan it, it may not be detected as infected, in which case it can be restored. You can cross that bridge when required; if you need help, just ask.
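The reasoning in the reply above, that named-family signature hits carry more weight than generic or heuristic verdicts, can be made mechanical. The script below is an added example, not part of the thread or of VirusTotal; it parses the engine lines copied from the VT report posted above and sorts each verdict into three buckets: generic/heuristic/reputation names (e.g. "-gen", "Generic", "Artemis", "High Risk"), names that carry a specific family (here "Hexzone"), and names that give only a malware class ("Trojan.Ransom"). The marker list and class-word vocabulary are assumptions of this example and would need extending for other vendors' naming schemes.

```python
"""Sort VirusTotal engine verdicts into generic, family-named and class-only
detections. Added example; VT_REPORT is copied from the report quoted in the
thread (May 2009). GENERIC_RE and CLASS_WORDS are an assumed vocabulary, not a
VirusTotal or vendor convention."""
import re
from collections import Counter

# Engine lines from the quoted report: "Antivirus Version LastUpdate Result".
VT_REPORT = """\
a-squared 4.0.0.101 2009.05.03 Trojan.Ransom!IK
AhnLab-V3 5.0.0.2 2009.05.03 -
AntiVir 7.9.0.160 2009.05.03 TR/Ransom.Hexzone.agn.4
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.03 -
Avast 4.8.1335.0 2009.05.03 Win32:Trojan-gen {Other}
AVG 8.5.0.327 2009.05.03 -
BitDefender 7.2 2009.05.03 -
CAT-QuickHeal 10.00 2009.05.02 TrojanRansom.Hexzone.agn
ClamAV 0.94.1 2009.05.03 -
Comodo 1149 2009.05.03 -
DrWeb 4.44.0.09170 2009.05.03 -
eSafe 7.0.17.0 2009.05.03 -
eTrust-Vet 31.6.6487 2009.05.02 -
F-Prot 4.4.4.56 2009.05.03 -
F-Secure 8.0.14470.0 2009.05.03 -
Fortinet 3.117.0.0 2009.05.03 -
GData 19 2009.05.03 Win32:Trojan-gen {Other}
Ikarus T3.1.1.49.0 2009.05.03 Trojan.Ransom
K7AntiVirus 7.10.722 2009.05.02 -
Kaspersky 7.0.0.125 2009.05.03 -
McAfee 5604 2009.05.03 -
McAfee+Artemis 5604 2009.05.03 Artemis!74FA32D2B277
McAfee-GW-Edition 6.7.6 2009.05.03 Trojan.Ransom.Hexzone.agn.4
Microsoft 1.4602 2009.05.03 -
NOD32 4050 2009.05.03 -
Norman 6.01.05 2009.04.30 -
nProtect 2009.1.8.0 2009.05.03 -
Panda 10.0.0.14 2009.05.03 -
PCTools 4.4.2.0 2009.05.03 -
Prevx1 3.0 2009.05.03 High Risk Worm
Rising 21.27.41.00 2009.05.01 -
Sophos 4.41.0 2009.05.03 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.05.03 -
Symantec 1.4.4.12 2009.05.03 -
TheHacker 6.3.4.1.318 2009.05.03 -
TrendMicro 8.950.0.1092 2009.05.01 -
VBA32 3.12.10.4 2009.05.03 Trojan-Ransom.Win32.Hexzone.agn
ViRobot 2009.5.1.1717 2009.05.01 -
VirusBuster 4.6.5.0 2009.05.03 -
"""

# Assumed markers of generic, heuristic or cloud/reputation verdicts.
GENERIC_RE = re.compile(r"-gen\b|generic|artemis|high risk|heur|suspic", re.I)
# Assumed tokens that name a malware class or packaging, not a family.
CLASS_WORDS = {"trojan", "ransom", "trojanransom", "generic", "other",
               "worm", "high", "risk", "artemis"}


def parse_report(text):
    """Return [(vendor, result)] per engine line; a result of '-' means clean.
    The result may contain spaces, so split into at most four fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            rows.append((parts[0], parts[3]))
    return rows


def family_of(result):
    """First alphabetic token of four or more letters that is not a class
    word, taken as the family name; None if the verdict names no family."""
    for tok in re.split(r"[^A-Za-z0-9]+", result):
        t = tok.lower()
        if t.isalpha() and len(t) >= 4 and t not in CLASS_WORDS:
            return t
    return None


def classify(result):
    """'clean', 'generic', 'family' or 'class-only' for one engine verdict."""
    if result == "-":
        return "clean"
    if GENERIC_RE.search(result):
        return "generic"
    return "family" if family_of(result) else "class-only"


def summarize(text):
    """Counts per bucket plus a tally of the family names that were used."""
    rows = parse_report(text)
    kinds = Counter(classify(r) for _, r in rows)
    families = Counter(family_of(r) for _, r in rows if classify(r) == "family")
    return {"engines": len(rows), "detected": len(rows) - kinds["clean"],
            "generic": kinds["generic"], "family": kinds["family"],
            "class_only": kinds["class-only"], "families": dict(families)}


if __name__ == "__main__":
    for vendor, result in parse_report(VT_REPORT):
        if result != "-":
            print(f"{vendor:18}{classify(result):11}{result}")
    print(summarize(VT_REPORT))
```

On the quoted report this yields 11 of 40 engines detecting, of which 4 name the Hexzone family, 2 give only a class, and 5 are generic, heuristic or reputation verdicts; it is the 4 family-named hits, not the headline 11/40, that argue against a plain false positive, which is the distinction the reply draws.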

Thanks davidr, I will do exactly what you have suggested! I did submit the file to avast previously, but as possible malware; I will re-submit it as a possible false positive.
Thanks so much for your help and quick response, very much appreciated.

southern man

You’re welcome.