Jump to content

Archived

This topic is now archived and is closed to further replies.

cybot

False virus detection in setup file for MSI Dragon Center 2 v.6.2.1912.2601

Recommended Posts

I am trying to update my laptops MSI Dragon Center 2 software, but it is being blocked by both windows defender, ESET ESSP, and windows smart screen. I try and extract the files, and the setup file files are deleted/quarantined as soon as they are accessed. the files that are falsely being marked as being a virus are: "setup_G.exe", "setup_P.exe", and "setup_W.exe"  the files for the setup program are contained in a .ZIP file and are downloaded from the manufacturer website from the following URL: https://download.msi.com/uti_exe/nb/ap_DragonCenterv2.6.1912.2601_2.6.1912.2601_0xc5b28391.zip . scanning the .zip file returns multiple threats, and when a file extraction is attempted,  the files get removed. THERE IS NO VIRUS  THERE IS NOTHING HARMFUL WITH THESE FILES. THIS IS A FALSE DETECTION!!! this happened once before with a previous version of the software, and I had to wait for a new version to come out before I could install it because of the issue. I tried to raise this issue when It happened before on the MSI support forum, and I was called a liar and told my system was so badly infected I needed to do format and clean install. For the record, my system is not infected and never has been. the software does not suddenly get a certain version being detected as a virus, get several new versions released, and then suddenly get marked as containing a virus once again. the only conclusion I can come to, is that someone is dicking around with the reporting system and making false reports in an attempt to harm MSI's reputation or something. in researching the issue the first time it happened, I came across only one site where virus containing software gets reported, that was reporting the software as containing viruses. URL : https://www.hybrid-analysis.com/sample/1b948a4297783a028ce5fb4a8a0d25e5ebfd576d4ce2fde7fec18700b536eb48?environmentId=100 . virus's being detect are all named generik. followed by some random letters. I have made previous reports inside ESSP program reporting the falsely flagged files, but it is, as I stated, happening again.

Share this post


Link to post
Share on other sites

apologies. in the previous case, I did follow that guide, but when the same issue reoccurs, it looks like nothing was done about the false positive. ESSP is no longer flagging the setup files. thanks and sorry for how I went about reporting the issue this time around.

Share this post


Link to post
Share on other sites

issue is not fixed when running the Dragon Center 2 setup file, a message from ESSP saying that the file setup.exe was infected. it had the following message:

 

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
1/10/2020 7:29:58 PM;Real-time file system protection;file;C:\Users\Cybot\AppData\Local\Temp\{E3E1BF59-57C1-4792-BC38-9C2F0F58204B}\setup.exe;a variant of Win32/GenKryptik.EBBO trojan;cleaned by deleting;MSI\Cybot;Event occurred on a new file created by the application: C:\Users\Cybot\AppData\Local\Temp\{686B90F5-2E1E-4F34-BBA4-F8D0F93C66C5}\setup_G.exe (0C7B66731131D984E5AE95ADD4D757355994E17E).;F10C1F5A7B954F5D2293F02B23250CDFFD81ABC2;12/26/2019 12:24:25 AM
1/10/2020 7:30:21 PM;Real-time file system protection;file;C:\Users\Cybot\AppData\Local\Temp\{436D8C86-4FCF-482E-8308-9DFE3FBCA482}\setup.exe;a variant of Win32/GenKryptik.EBBO trojan;cleaned by deleting;MSI\Cybot;Event occurred on a new file created by the application: C:\Users\Cybot\AppData\Local\Temp\{F382F35F-1B93-4A33-AC2B-D25F03D842DA}\setup_G.exe (0C7B66731131D984E5AE95ADD4D757355994E17E).;F10C1F5A7B954F5D2293F02B23250CDFFD81ABC2;12/26/2019 12:24:25 AM
1/10/2020 7:30:37 PM;Real-time file system protection;file;C:\Users\Cybot\AppData\Local\Temp\{D85B2B46-78E3-47A2-868E-AF8CEBA0E5B0}\setup.exe;a variant of Win32/GenKryptik.EBBO trojan;cleaned by deleting;MSI\Cybot;Event occurred on a new file created by the application: C:\Users\Cybot\AppData\Local\Temp\{5338A8ED-DF72-46AC-B796-5127C29B9014}\setup_G.exe (0C7B66731131D984E5AE95ADD4D757355994E17E).;F10C1F5A7B954F5D2293F02B23250CDFFD81ABC2;12/26/2019 12:24:25 AM

AM
 

 

so the files are no longer blocked from being extracted from the setup .zip file, but I still can not run the setup program.

Share this post


Link to post
Share on other sites

Looks like the installer is possibly infected. The hash, F10C1F5A7B954F5D2293F02B23250CDFFD81ABC2 , shown in the posted Eset log files is detected by multiple other AVs on Virus Total: https://www.virustotal.com/gui/file/687020b6737ccf0879bc7bdd5d550415f5628f3959efc946e56fa0afc88e5844/detection

Of note is neither BitDefender or Kaspersky detects the setup.exe file. My best guess is this software contains code that mimics Kryptik malware. The vendor should be informed of this and revise its code accordingly.

Share this post


Link to post
Share on other sites

Tencent has a detailed analysis on Virus Total of what setup.exe is doing:

Quote

Process

Behaviour: Create process

Detail info: [0x000001b4]ImagePath = C:\WINDOWS\explorer.exe, CmdLine = C:\WINDOWS\explorer.exe

Behaviour: Create process of additional file

Detail info: [0x0000040c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{96CB3EE7-A119-4384-A05B-C7B5B303EED4}

Behaviour: Set thread context

Detail info: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{96CB3EE7-A119-4384-A05B-C7B5B303EED4}\%temp%\****.exe

Behaviour: Enumerate process

Detail info: N/A

Behaviour: Write data over remote process

Detail info: TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x0007f3c0, Size = 0x00000c35 TargetPID = 0x000001b4

Basically, a new explorer.exe instance is starting up and code is being injected into it remotely. Not what I would call normal program installer behavior.

One possible scenario is the MSI server or proxy has been compromised and instead of downloading legit software is downloading  Kryptik malware.

Share this post


Link to post
Share on other sites

Update - I just rescanned the hash at VT and now both BitDefender and Emsisoft among others are now additionally detecting the setup file.

Update 1/12/2020 - 31 AV engines now detect this on VT. Only AVs of significance not detecting are Windows Defender and Kaspersky. Both these, I believe, do not enable PUA detection by default. 

Interestingly, Windows Defender that originally detected is no longer doing so. So it might be these detections are FPs. If this does turn out to be the case, Eset can't be faulted given the large number of other security product detection's. The real culprit here is MSI for putting suspect code in its software.

I for one am not a big fan of graphic card manufacture optional non-driver software which over the years have shown consistent issues.

Share this post


Link to post
Share on other sites

One other comment.

A lot of the detections for this on VT are for Trojan.GenericKD.xxxxx. This is used by a number of AV vendors for PUA's; i.e. potentially unwanted application:

Quote

Trojan.Generic.KD is a specific detection used by BitDefender Antivirus, BitDefender Internet Security and other antivirus products to indicate and detect a Potentially Unwanted Program. A potentially unwanted application is a program that contains adware, installs toolbars or has other unclear objectives.

Trojan.Generic.KD it’s technically not a virus, but it does exhibit plenty of malicious traits, such as rootkit capabilities to hook deep into the operating system, browser hijacking, and in general just interfering with the user experience. The industry generally refers to it as a “PUP,” or potentially unwanted program.

The Trojan.Generic.KD infection is used to boost advertising revenue, as in the use of blackhat SEO, to inflate a site’s page ranking in search results.

Trojan.Generic.KD is an ad-supported (users may see additional banner, search, pop-up, pop-under, interstitial and in-text link advertisements) cross web browser plugin for Internet Explorer (BHO) and Firefox/Chrome (plugin) and distributed through various monetization platforms during installation. The browser extension includes various features that will modify the default or custom settings of the browser including the home page, search settings and in some cases will modify Internet Explorer’s load time threshold, place a lock file within Firefox to prevent competing software from changing its settings as well as disable the browser’s Content Security Policy in order to allow for cross site scripting of the plugin.

https://malwaretips.com/blogs/trojan-generic-kd-removal/

Share this post


Link to post
Share on other sites

Hum ....... Based on your last MSI forum posting: https://forum-en.msi.com/index.php?topic=330500.0 , you were successful in installing this software.

I assume this means Eset changed its detection to a PUA alert which you overrode. In this case, I wish you luck in the future trouble free operation of your PC build.

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...