-
Dec 9th, 2018, 04:44 AM
#1
Thread Starter
Fanatic Member
Trojan vbRichClient5.dll found by MS security essentials
Detected item:
Trojan:Win32/Azden.A!cl
file:C:\....vbRichClient5.dll
Alert level: Severe

It says it executes commands from an attacker.
I'm not sure if this is a false positive or not.
Last edited by TTn; Dec 9th, 2018 at 05:54 AM.
-
Dec 9th, 2018, 05:11 AM
#2
New Member
Re: Trojan vbRichClient5.dll found by MS security essentials
-
Dec 9th, 2018, 05:50 AM
#3
Thread Starter
Fanatic Member
Re: Trojan vbRichClient5.dll found by MS security essentials
I already removed the file, so I can't submit it to Microsoft. Can some of the members here go through the process to submit the file as a home end user?
Submit here:
https://www.microsoft.com/en-us/wdsi/filesubmission
-
Dec 9th, 2018, 09:27 AM
#4
Re: Trojan vbRichClient5.dll found by MS security essentials
It's a false positive (the same thing was brought up in the German newsgroup a few weeks ago as well).
A scan on VirusTotal shows that Windows Defender is the only tool which marks it "red".
https://www.virustotal.com/#/file/03...dd1f/detection
Also note that on my (fully up-to-date) Win10, a direct scan with Windows Defender shows "no problem".
That is, as long as you haven't activated the new "Cloud-Scan feature" (where the "AI" is apparently "over-eager" to "sanctify its existence").
FWIW - here are the SHA256 values for the latest (downloadable) ones:
- vbRC5BaseDlls.zip: 03ba3103b21e0ade16fe2063a188d7dce9bda28c9f5b85af96a80f2e9764dd1f
- vbRichClient5.dll: 4017a8eda514593cc1b8439a2e421d170dd91f07d02748058e5b317a0a158bf9
(In case one wants to verify the contents of those files oneself on one's own machine.)
HTH
Olaf
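The check Olaf suggests, as an added Python example (not code from the thread or from the vbRichClient project): hash the downloaded zip, then each published DLL inside it, and compare against the posted values in constant time. The manifest keys, the sample zip and the fake DLL bytes in selfcheck() are constructed for the example.

```python
import hashlib
import hmac
import tempfile
import zipfile
from pathlib import Path

# SHA256 values Olaf posted for the current download (hex, lower-case).
VBRC5_PUBLISHED_SHA256 = {
    "vbRC5BaseDlls.zip": "03ba3103b21e0ade16fe2063a188d7dce9bda28c9f5b85af96a80f2e9764dd1f",
    "vbRichClient5.dll": "4017a8eda514593cc1b8439a2e421d170dd91f07d02748058e5b317a0a158bf9",
}

def sha256_hex(data_or_path) -> str:
    """SHA256 hex digest of a bytes object or of a file path (read in 1 MiB chunks)."""
    h = hashlib.sha256()
    if isinstance(data_or_path, (bytes, bytearray)):
        h.update(data_or_path)
    else:
        with open(data_or_path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
    return h.hexdigest()

def matches(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time, case-insensitive comparison of two hex digests."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.strip().lower())

def verify_download(zip_path, manifest=VBRC5_PUBLISHED_SHA256) -> dict:
    """Per name: True (match), False (mismatch), None (not in manifest / not in zip)."""
    zip_name = Path(zip_path).name
    expected_zip = manifest.get(zip_name)
    results = {zip_name: matches(sha256_hex(zip_path), expected_zip) if expected_zip else None}
    with zipfile.ZipFile(zip_path) as zf:
        members = {Path(n).name: n for n in zf.namelist()}  # match on base name only
        for name, expected in manifest.items():
            member = members.get(name)
            if name != zip_name:
                results[name] = matches(sha256_hex(zf.read(member)), expected) if member else None
    return results

def selfcheck() -> dict:
    """Constructed sample: a zip with a fake DLL, checked against its own hashes plus one missing entry."""
    tmp = Path(tempfile.mkdtemp())
    fake_dll = b"MZ" + b"constructed stand-in, not the real vbRichClient5.dll\n" * 64
    zip_path = tmp / "sample.zip"
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("vbRC5BaseDlls/vbRichClient5.dll", fake_dll)
    manifest = {"sample.zip": sha256_hex(zip_path).upper(),  # upper-case exercises matches()
                "vbRichClient5.dll": sha256_hex(fake_dll),
                "missing-example.dll": "00" * 32}
    return verify_download(zip_path, manifest)
```

For the real download, call verify_download("vbRC5BaseDlls.zip") and treat any False as a reason not to register the DLL.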
-
Dec 9th, 2018, 09:53 AM
#5
Addicted Member
Re: Trojan vbRichClient5.dll found by MS security essentials
 Originally Posted by TTn
Detected item:
Trojan:Win32/Azden.A!cl
file:C:\....vbRichClient5.dll
Alert level: Severe

It says it executes commands from an attacker.
I'm not sure if this is a false positive or not.
Nothing wrong at all here!
I scanned the files using:
1. MS Security Essentials
2. Avira
3. BitDefender
-
Dec 9th, 2018, 10:09 AM
#6
Re: Trojan vbRichClient5.dll found by MS security essentials
AV companies often mark a VB6 PE file as a virus; we have become accustomed to it.
To avoid such behavior one could sign the image.
-
Dec 9th, 2018, 10:23 AM
#7
Re: Trojan vbRichClient5.dll found by MS security essentials
FWIW - I've reported the file now - via the link TTn provided in #3...
And (after an hour or so) they have now "finished their analysis" and "removed the detection":
https://www.microsoft.com/en-us/wdsi...e-b4c0f9f59307
That probably means that the (cloud-based) part of Windows Defender will not "cry wolf" anymore in the next rolled-out signature updates.
Olaf
-
Dec 9th, 2018, 11:41 AM
#8
Re: Trojan vbRichClient5.dll found by MS security essentials
 Originally Posted by The trick
AV companies often mark a VB6 PE file as a virus; we have become accustomed to it.
It is unfortunate indeed that VB6 has acquired such a poor reputation from computer security firms, but we can't really blame them because VB6 (and VBA macros) are still being (ab)used by bad actors to deliver malware. Here is one such recent example:
 Originally Posted by Amanda Rousseau, Lucien Brule
What Year Is It? VB6 Payload Crypter
Last year, researchers identified new crimeware, Loki-Bot, which steals data and login credentials. ...
Loki-Bot’s crypter is especially interesting and unique because it utilizes Visual Basic 6.0 to load multiple stages of shellcode to deliver the Loki-Bot payload. ... We’ll walk through Loki-Bot’s crypter functionality, the first and second stage shellcodes, the payload, and then provide some thoughts on stopping these kinds of attacks and what we can expect to see next.
. . .
Conclusion
There are a few key aspects to this crypter and its behaviour that make it fishy, including its crafty implementation of the VB6 runtime in shellcode, and use of anti-reverse engineering techniques and process hollowing. First, VB6 and the VB6 run time are rather old. While there are numerous binary distributions of software in the wild that were built with VB6 enterprise, it is still suspicious. ...
As for the future, we are likely to see more samples using legacy run times and features. Judging from this sample, a performant Visual Basic 6 crypter has recently been distributed in the wild. It seems natural that in the future its capabilities will improve and the volume of distribution will increase with continued black market adoption.