
Thread: Trojan vbRichClient5.dll found by MS security essentials

  1. #1

    Thread Starter
    Fanatic Member TTn's Avatar
    Join Date
    Jul 2004
    Posts
    708

    Trojan vbRichClient5.dll found by MS security essentials

    Detected item:
    Trojan:Win32/Azden.A!cl
    file:C:\....vbRichClient5.dll

    Alert level: Severe
    [Attachment: vbrich.jpg]
    Says, it executes commands from an attacker.
    I'm not sure if this is a false positive or not.

  2. #2
    New Member
    Join Date
    Nov 2018
    Posts
    8

    Re: Trojan vbRichClient5.dll found by MS security essentials


  3. #3

    Thread Starter
    Fanatic Member TTn's Avatar
    Join Date
    Jul 2004
    Posts
    708

    Re: Trojan vbRichClient5.dll found by MS security essentials

    I already removed the file, so I can't submit it to Microsoft. Can some of the members here go through the process to submit the file as a home end user?
    Submit here:
    https://www.microsoft.com/en-us/wdsi/filesubmission

  4. #4
    PowerPoster
    Join Date
    Jun 2013
    Posts
    7,454

    Re: Trojan vbRichClient5.dll found by MS security essentials

    It's a false positive (the same thing was brought up in the German newsgroup a few weeks ago as well).

    A scan on VirusTotal shows that Windows Defender is the only tool which marks it "red".
    https://www.virustotal.com/#/file/03...dd1f/detection

    Also note that in my (fully up-to-date) Win10, a direct scan with Windows Defender shows "no problem".
    That is, as long as you haven't activated the new "Cloud-Scan feature" (where the "AI" is apparently "over-eager" to "sanctify its existence").

    FWIW - here are the SHA256 values for the latest (downloadable) files:
    - vbRC5BaseDlls.zip: 03ba3103b21e0ade16fe2063a188d7dce9bda28c9f5b85af96a80f2e9764dd1f
    - vbRichClient5.dll: 4017a8eda514593cc1b8439a2e421d170dd91f07d02748058e5b317a0a158bf9
    (In case one wants to verify the contents of those files oneself on one's own machine.)

    HTH

    Olaf
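The check Olaf suggests above, as an added example that is not part of the thread or of the vbRichClient project: hash each downloaded file in chunks and compare the digest against the published value with a constant-time comparison. The two reference digests are the ones posted in #4; the directory layout (both files side by side in one folder) is an assumption.

```python
"""Verify downloaded files against published SHA-256 values.

Added example (not from the forum thread or the vbRichClient project).
The reference digests are the ones posted in #4; the assumption that the
files sit together in one directory is ours.
"""
import hashlib
import hmac
from pathlib import Path

# Reference digests as posted in #4 of the thread.
PUBLISHED_SHA256 = {
    "vbRC5BaseDlls.zip": "03ba3103b21e0ade16fe2063a188d7dce9bda28c9f5b85af96a80f2e9764dd1f",
    "vbRichClient5.dll": "4017a8eda514593cc1b8439a2e421d170dd91f07d02748058e5b317a0a158bf9",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Return the lowercase hex SHA-256 of a file.

    The file is read in 1 MiB chunks so a large zip or DLL never has to
    be held in memory at once.
    """
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_file(path, expected_hex):
    """True when the file's SHA-256 equals expected_hex (case-insensitive).

    hmac.compare_digest does a constant-time comparison; for a local
    integrity check that hardly matters, but it is the habit to keep.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_download(directory):
    """Check every file named in PUBLISHED_SHA256 under `directory`.

    Returns a dict mapping file name to 'ok', 'MISMATCH' or 'missing'.
    A mismatch means the bytes on disk are not the ones the author
    published, whatever the cause (corrupt download, tampering, or simply
    a different release).
    """
    results = {}
    for name, expected in PUBLISHED_SHA256.items():
        candidate = Path(directory) / name
        if not candidate.is_file():
            results[name] = "missing"
        elif verify_file(candidate, expected):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


if __name__ == "__main__":
    import sys

    # Usage: python verify_rc5.py <folder containing the downloaded files>
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in verify_download(target).items():
        print(f"{status:9s} {name}")
```

Run it against the folder the zip was extracted into; anything other than `ok` for a file you intend to load means the bytes on disk are not the ones the author published and the file should not be trusted until that is explained.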

  5. #5
    Addicted Member
    Join Date
    Sep 2015
    Posts
    226

    Re: Trojan vbRichClient5.dll found by MS security essentials

    Quote Originally Posted by TTn
    Detected item:
    Trojan:Win32/Azden.A!cl
    file:C:\....vbRichClient5.dll

    Alert level: Severe
    [Attachment: vbrich.jpg]
    Says, it executes commands from an attacker.
    I'm not sure if this is a false positive or not.
    Nothing wrong at all here!

    I scanned the files using:
    1. MS Security Essentials
    2. Avira
    3. BitDefender

  6. #6

  7. #7
    PowerPoster
    Join Date
    Jun 2013
    Posts
    7,454

    Re: Trojan vbRichClient5.dll found by MS security essentials

    FWIW - I've reported the file now, via the link TTn provided in #3...

    And (after an hour or so) they have now "finished their analysis" and "removed the detection":
    https://www.microsoft.com/en-us/wdsi...e-b4c0f9f59307

    That probably means that the (cloud-based) part of Windows Defender will not "cry wolf" anymore in the next rolled-out signature updates.

    Olaf

  8. #8
    Hyperactive Member
    Join Date
    Aug 2017
    Posts
    380

    Re: Trojan vbRichClient5.dll found by MS security essentials

    Quote Originally Posted by The trick
    AV companies often mark a VB6 PE file as a virus; we have become accustomed to it.
    It is unfortunate indeed that VB6 has acquired such a poor reputation from computer security firms, but we can't really blame them because VB6 (and VBA macros) are still being (ab)used by bad actors to deliver malware. Here is one such recent example:

    Quote Originally Posted by Amanda Rousseau, Lucien Brule
    What Year Is It? VB6 Payload Crypter


    Last year, researchers identified new crimeware, Loki-Bot, which steals data and login credentials. ...

    Loki-Bot’s crypter is especially interesting and unique because it utilizes Visual Basic 6.0 to load multiple stages of shellcode to deliver the Loki-Bot payload. ... We’ll walk through Loki-Bot’s crypter functionality, the first and second stage shellcodes, the payload, and then provide some thoughts on stopping these kinds of attacks and what we can expect to see next.

    . . .

    Conclusion

    There are a few key aspects to this crypter and its behaviour that make it fishy, including its crafty implementation of the VB6 runtime in shellcode, and use of anti-reverse engineering techniques and process hollowing. First, VB6 and the VB6 run time are rather old. While there are numerous binary distributions of software in the wild that were built with VB6 enterprise, it is still suspicious. ...

    As for the future, we are likely to see more samples using legacy run times and features. Judging from this sample, a performant Visual Basic 6 crypter has recently been distributed in the wild. It seems natural that in the future its capabilities will improve and the volume of distribution will increase with continued black market adoption.
