Undread

6to4 Service False Positive


I just encountered what I am 100% sure is a false positive. MBAM detected the whole HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 tree to be a trojan. I realize that there are some Trojans that hijack this key, but it is a valid service most of the time. It is an MS service called IPv6 Helper Service, which uses an MS-signed DLL, 6to4svc.dll, in System32. It is used for IPv6 connectivity on an IPv4 network; both of my work machines have this service installed and running.

Here is the log, don't mind the other three hits. I changed those flags myself.

Malwarebytes' Anti-Malware 1.36
Database version: 2026
Windows 5.1.2600 Service Pack 2

4/22/2009 1:37:19 PM
mbam-log-2009-04-22 (13-37-18).txt

Scan type: Quick Scan
Objects scanned: 79269
Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> No action taken. [385753513430414438586445483634456446343641424738615258525338466136868383707985368079858380775270856152708387746870846123858021]

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. [5138494534363830414438586445483634456446343641424738615248395356345138614674688380848071856152706886837485900136707985708393347985745574838684377484666777704780857471903018130117]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. [51384945343638304144385864454836344564463436414247386152483953563451386146746883808480718561527068868374859001367079857083933974837088667777377484666777704780857471903018130117]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. [513849453436383041443858644548363445644634364142473861524839535634513861467468838084807185615270688683748590013670798570839354816966857084377484666777704780857471903018130117]

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Hi, this happened to me today too, and I think it is a false positive.

I scanned with Panda, Dr.Web and SAS and found nothing wrong.

Regards.

Rolo


http://www.google.com/search?hl=en&as_...amp;safe=images

I know there are multiple infections that load from this key, but I am having trouble finding any cases where it is legit.

Can any of you identify the legit software that installed it on your system?

If you are an advanced user, please use regedit to export this service key and post the text here. Seeing this service's target will explain a lot.


nosirrah, you say that there are multiple infections that load from this key.

Question: is it safe to delete this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4


Here are some MS articles on the service:

http://technet.microsoft.com/en-us/library/cc757805.aspx

http://technet.microsoft.com/en-us/community/cc512740.aspx

I've exported the key, minus this subkey (just because I wasn't sure I should be posting this portion of it):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security]

"Security"= Hex Here

Here is the rest of the key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="IPv6 Helper Service"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,53,00,00,00,74,00,63,00,70,00,\
  69,00,70,00,36,00,00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,00,\
  00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"Description"="Provides DDNS name registration and automatic IPv6 connectivity over an IPv4 network. If this service is stopped, other computers may not be able to reach it by name and the machine will only have IPv6 connectivity if it is connected to a native IPv6 network. If this service is disabled, any other services that explicitly depend on this service will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Config]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  36,00,74,00,6f,00,34,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum]
"0"="Root\\LEGACY_6TO4\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

As I said before, the DLL name loaded for this service is 6to4svc.dll (as you can see in the registry, once you decode the hex). If you look up the DLL, it is regarded as safe (and signed by MS). All the links I clicked through that regarded this service as an infection were loading a differently named DLL.

Let me know if you want any more info.

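The decoding step the post above describes (turning the hex(2) and hex(7) data back into readable strings) as an added example that is not part of the original thread: a small Python parser for the .reg export posted above, followed by a check that the decoded ImagePath and ServiceDll match the layout the thread treats as legitimate (svchost.exe in the netsvcs group hosting %SystemRoot%\System32\6to4svc.dll). The embedded export is an abridged copy of the one in the post; the expected stock values are taken from this thread, not from a Microsoft reference.

```python
import re
from pathlib import PureWindowsPath

# Abridged copy of the .reg export posted in this thread (Security subkey
# omitted, as in the post), with regedit's backslash continuation lines kept.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="IPv6 Helper Service"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,53,00,00,00,74,00,63,00,70,00,\
  69,00,70,00,36,00,00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,00,\
  00
"DependOnGroup"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  36,00,74,00,6f,00,34,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum]
"0"="Root\\LEGACY_6TO4\\0000"
'''

SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4"

def _join_continuations(text):
    """Merge regedit's wrapped hex lines (trailing backslash, indented next line)."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):        # only hex data lines wrap this way
            buf = line[:-1]
            continue
        buf = ""
        out.append(line)
    return out

def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return s.replace("\\\\", "\\").replace('\\"', '"')

def _parse_value(data):
    """Decode one value's data into (registry type name, Python value)."""
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", _unescape(data[1:-1])
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if not m:
        raise ValueError("unsupported .reg data: " + data)
    kind = int(m.group(1) or "3")
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind == 2:   # REG_EXPAND_SZ: UTF-16LE, NUL terminated
        return "REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00")
    if kind == 7:   # REG_MULTI_SZ: UTF-16LE, NUL separated, double NUL at end
        return "REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return "REG_BINARY", raw

def parse_reg(text):
    """Parse a .reg export into {key path: {value name: (type, value)}}."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else _unescape(name.strip('"'))
        keys[current][name] = _parse_value(data)
    return keys

def service_summary(reg_text, key=SERVICE_KEY):
    """Pull out the fields that decide what the service actually runs."""
    keys = parse_reg(reg_text)
    svc, params = keys[key], keys.get(key + r"\Parameters", {})
    return {
        "DisplayName": svc["DisplayName"][1],
        "Start": svc["Start"][1],
        "ImagePath": svc["ImagePath"][1],
        "ServiceDll": params.get("ServiceDll", (None, None))[1],
        "DependOnService": svc["DependOnService"][1],
    }

def matches_stock_6to4(summary):
    """True if the decoded paths match the layout this thread calls legitimate
    (svchost.exe -k netsvcs hosting %SystemRoot%\\System32\\6to4svc.dll); the
    expected values come from the thread, not from a Microsoft reference."""
    image = summary["ImagePath"].lower()
    dll = PureWindowsPath((summary["ServiceDll"] or "").lower())
    return (image.endswith(r"\svchost.exe -k netsvcs")
            and dll.name == "6to4svc.dll"
            and str(dll.parent) == r"%systemroot%\system32")
```

Running `service_summary(REG_EXPORT)` on the posted export yields `%SystemRoot%\system32\svchost.exe -k netsvcs` for ImagePath and `%SystemRoot%\System32\6to4svc.dll` for ServiceDll, which is exactly the comparison the thread turns on: the malicious variants the poster found all pointed ServiceDll at a differently named DLL, so the decoded path, not the key name, is the thing to inspect before deleting the key.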

Um, I am not sure if I am allowed to post, but just to add on :P

I found this too yesterday (I think XD).

I deleted it and one connection by SVCHOST.exe stopped (which for me is good, since I don't know if it was malware or good, but yeah).

I have not had any troubles so far.

Here's the log:

Malwarebytes' Anti-Malware 1.36
Database version: 2019
Windows 5.1.2600 Service Pack 3

2009-04-21 16:47:41
mbam-log-2009-04-21 (16-47-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 80353
Time elapsed: 15 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
