dc.exe detected as IM.Worm


reporter

I use a command line utility called Display Changer from 12noon.com.

http://12noon.com/?page_id=80

The Display Changer utility has basically two components: dc.exe and dccmd.exe.

The dc.exe component is used to set a specific screen resolution. As part of a VB script, a test is done to determine a computer’s current screen resolution, and if the value differs from the preferred resolution, a call is made to dc.exe to reset the screen resolution to the desired value.

I’ve purposely located the dc.exe component in the C:\Windows folder along with the script which calls dc.exe.

After a scan using Malwarebytes 1.60.0 (1800) and the latest rules JAN-13-2012, a full scan detects dc.exe as IM.Worm.

While looking online I found some information about what I believe to be an actual worm, one commonly referred to as IM-Worm.Win32.VB.

http://www.threatexpert.com/files/dc.exe.html

None of the IM-Worm.Win32.VB worm’s other associated files were found on the target computer.

Is it possible Malwarebytes misidentified the Display Changer (dc.exe) utility as IM.Worm simply because the name and location of the file are the same as the known malware agent?

The detection appears to occur during the final stages of the scan at the point when MB displays the message “Scanning additional items on your system”.

Moving the Display Changer component from C:\Windows\dc.exe to C:\dc.exe and rescanning allows MB to complete the scan with no detections.

I’ve included dc.exe as an attachment (dc.zip).

To produce the log, I started the Malwarebytes scan using the command mbam.exe /developer.

Log:

Malwarebytes Anti-Malware 1.60.0.1800

www.malwarebytes.org

Database version: v2012.01.13.02

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

1/13/2012 10:51:06 AM

mbam-log-2012-01-13 (11-32-34).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 318876

Time elapsed: 35 minute(s), 22 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\dc.exe (IM.Worm) -> No action taken. [d254c66a3a22053148bc40caca3937c9]

(end)

dc.zip
