Jump to content

dc.exe detected as IM.Worm


Recommended Posts

I use a command line utility called Display Changer from 12noon.com.


The Display Changer utility has basically two components dc.exe and dccmd.exe.

The dc.exe component is used to set a specific screen resolution. As part of a VB script a test is done to determine a computer’s current screen resolution and if the value differs from the preferred resolution, then a call is made to dc.exe reset the screen resolution to the desired value.

I’ve purposely located the dc.exe component in the C:\Windows folder along with the script which calls dc.exe.

After a scan using Malwarebytes 1.60.0 (1800) and the latest rules JAN-13-2012, a full scan detects dc.exe as IM.Worm.

While looking online I found some information about what I believe to be an actual worm, one commonly referred to as IM-Worm.Win32.VB.


None of the IM-Worm.Win32.VB worm’s other associated files were found on the target computer.

Is it possible Malwarebytes misidentified the Display Changer (dc.exe) utility as IM.Worm simply because the name and location of the file is the same as the known malware agent?

The detection appears to occur during the final stages of the scan at the point when MB displays the message “Scanning additional items on your system”.

Moving the Display Changer component from C:\Windows\dc.exe to C:\dc.exe and rescanning allows MB to complete the scan with no detections.

I’ve included dc.exe as an attachment (dc.zip).

To produce the log, I started the Malwarebytes scan using the command mbam.exe /developer.


Malwarebytes Anti-Malware


Database version: v2012.01.13.02

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

1/13/2012 10:51:06 AM

mbam-log-2012-01-13 (11-32-34).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 318876

Time elapsed: 35 minute(s), 22 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\dc.exe (IM.Worm) -> No action taken. [d254c66a3a22053148bc40caca3937c9]



Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.