
MBAM flags WordPad.exe with Trojan.Pass.... malware


FormerYooper


I ran a complete scan this morning with MBAM Premium. I have attached a screenshot of the settings I used for the Custom Scan. The results of the scan flagged malware in Wordpad.exe. I have attached a screenshot of these results. The results did not list the entire name of the Trojan, but only listed Trojan.Pass.... I did a search and found that this might be a password stealer. I quarantined the file. Before doing so, however, I uploaded the file to Virus Total and every AV, including MBAM, said it was clean! I have attached the Virus Total report in PDF format. Could some kind soul please advise me as to whether or not this is a false positive? Thanks in advance for your expert help.

Attachments: MBAMScanSettings.PNG, MBAMResults.PNG, VirusTotal.pdf


22 minutes ago, Bosworth said:

Hello dear Chloe!

If it is detected as a trojan, it's probably a false positive.

Or it might be a trojan if you haven't downloaded that program from the official site of the creators.

I am the original poster/topic starter. I did not DL WordPad from anywhere else. The last time I did a full scan, this malware flag did not show up. I have not added WordPad to my system since then. Guess this is a false positive. However, I wanted to post here so MBAM will know that this issue exists & to possibly assist others who might have encountered the same.


Just now, Bosworth said:

So are you trying to say it just downloaded by itself?

Absolutely not! I am just saying that since my last full MBAM scan, in which this trojan did not show up, I have not downloaded WordPad. It has always been on my device. This morning, I did a full MBAM scan & this trojan showed up.


It appears to be a false positive. Today we got nine detections during the daily scan on our endpoints. Interesting that the detection of wordpad.exe as "Trojan.PasswordStealer" by Malwarebytes involved endpoints having different versions of Windows 10 (it was detected on 1703, 1709, and 1803). The version of the file seems to be the same in all three versions, same date stamp. I checked file consistency with both DISM and SFC and the tools found no corruption. Scanning the files with Bitdefender, Zemana, and Hitman Pro didn't result in any detection. As well, we checked the files with various sandboxes and malware analysis tools and most didn't find anything malicious. Note that both ViCheck and one hash from the MBA detection copied to VT found the entry suspicious and malicious respectively.


23 minutes ago, Atribune said:

Hey All,

This was indeed a false positive and has been fixed since 2:25pm EST today.

Sorry for the inconvenience.


Good to know it was a FP, thanks for the fix.

MBAM Premium also detected a Wordpad.exe located in C:\Windows, in addition to the one in C:\Program Files, as the same type of virus, Trojan.Password.Stealer. Was this also a FP? I accidentally deleted it from my quarantine and wasn't able to scan it with VirusTotal or other AVs, so I am just a little worried about that.

1 minute ago, Atribune said:

I would think yes but if you could scan the file at Virustotal and share the url with me I will gladly look to be sure.

Unfortunately I deleted it from the quarantine last night (not restored) so I don't have the file to check anymore. :( Was just wondering if this was something also detected as a FP, seeing as my previous scan from yesterday didn't detect anything, but the C:\Windows one was detected with the C:\Program Files one at the same time.


17 minutes ago, exile360 said:

What version of Windows do you have? I do recall that some older versions like XP did keep wordpad.exe in C:\Windows, but I don't believe that's the case in newer Windows versions (for example, I don't have it here on my 7 x64 system).

I have Windows 10 Pro 64-Bit. Sorry for the double post, please refer to my post below. I couldn't find where to delete a previous comment, sorry again.

Edited by MotoHello

53 minutes ago, Atribune said:

I would think yes but if you could scan the file at Virustotal and share the url with me I will gladly look to be sure.

I apologize for the double post. I'm almost sure I deleted instead of restored the file from quarantine, but I checked the scan logs and it said it was replaced? I searched where the file was located and found that it was indeed in there (even though I'm almost sure I deleted it completely). I uploaded it to Virus Total, the url is below. Please take a look for me, thanks!

https://www.virustotal.com/#/file/c7255a338b130fc245ec1b86b952f76c379b374296f7d6759a3c0501de8fc426/detection

Edited by MotoHello

OK, good, so you still have the file. It's likely that Windows File Protection replaced it with a new copy after it was removed by Malwarebytes (a nifty feature in most Windows versions that protects critical system files located in C:\Windows and some of its sub-folders like System32).

As long as Wordpad is still working then you should be fine. Test it out by opening a file that is supposed to open with Wordpad, such as an RTF (Rich Text Format) document, assuming you have those files associated with Wordpad and haven't installed something else to do so, such as MS Office Word.

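The checks the thread walks through for a flagged system binary (SHA-256 hash for a VirusTotal lookup, Authenticode signature, a per-file Windows Resource Protection verification like the SFC run above, and the version resource used to compare copies across machines), collected into one PowerShell helper. This is an added example, not code posted by anyone in the thread; it assumes Windows 10, an elevated PowerShell 5.1 session (sfc.exe needs administrator rights), and the default wordpad.exe path is an assumption.

```powershell
# Added example: triage data for a Windows binary an AV scanner has flagged.
# Assumes Windows 10 and an elevated PowerShell session; the default path is an assumption.
function Test-FlaggedSystemFile {
    param(
        [string]$Path = "$env:ProgramFiles\Windows NT\Accessories\wordpad.exe"
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path

    # 1. SHA-256 of the on-disk file. The VirusTotal URL lets you check other
    #    engines' verdicts by hash without uploading anything.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # 2. Authenticode status. Stock Windows binaries are Microsoft-signed, often
    #    through a catalog rather than an embedded signature; both report 'Valid'.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    # 3. Windows Resource Protection check for this one file (per-file form of
    #    'sfc /scannow'). sfc writes UTF-16, which shows up in PowerShell as
    #    characters separated by NUL bytes, so strip the NULs before reading it.
    $sfcOut = & "$env:windir\System32\sfc.exe" "/VERIFYFILE=$Path" 2>&1 | Out-String
    $sfcOut = ($sfcOut -replace "`0", '' -replace '\s+', ' ').Trim()

    # 4. Version resource and timestamp, to compare copies across machines and
    #    confirm every flagged copy is the same build.
    [pscustomobject]@{
        Path          = $Path
        Exists        = $true
        SHA256        = $hash
        VirusTotalUrl = "https://www.virustotal.com/gui/file/$hash"
        Signature     = $sig.Status
        Signer        = $signer
        FileVersion   = $item.VersionInfo.FileVersion
        ProductName   = $item.VersionInfo.ProductName
        LastWriteUtc  = $item.LastWriteTimeUtc
        SfcOutput     = $sfcOut
    }
}

# Check the Program Files copy and, if one exists, the C:\Windows copy asked about above.
foreach ($p in "$env:ProgramFiles\Windows NT\Accessories\wordpad.exe", "$env:windir\wordpad.exe") {
    Test-FlaggedSystemFile -Path $p | Format-List
}
```

A 'Valid' Microsoft signature plus a clean per-file sfc verdict is strong evidence that the flagged file is the stock binary; a 'NotSigned' or 'HashMismatch' status on a file under C:\Windows is the result that warrants escalation rather than a quick false-positive call.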

Thanks again for all your work! I right clicked my desktop and created a new RTF and opened it. Seems to be okay. Going to run MBAM again to check everything.

Does the Virus Total look okay? GData and Symantec report it as Win.32.Application.Packed.J@dam and Bloodhound.MalPE respectively.

Edited by MotoHello